[Federal Register Volume 81, Number 26 (Tuesday, February 9, 2016)]
[Proposed Rules]
[Pages 6988-7024]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-01841]



[[Page 6987]]

Vol. 81

Tuesday,

No. 26

February 9, 2016

Part III





Department of Health and Human Services





-----------------------------------------------------------------------





42 CFR Part 2





 Confidentiality of Substance Use Disorder Patient Records; Proposed 
Rule

  Federal Register / Vol. 81 , No. 26 / Tuesday, February 9, 2016 / 
Proposed Rules  

[[Page 6988]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

42 CFR Part 2

[SAMHSA-4162-20]
RIN 0930-AA21


Confidentiality of Substance Use Disorder Patient Records

AGENCY: Substance Abuse and Mental Health Services Administration 
(SAMHSA), HHS.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: This proposed rule addresses changes to the Confidentiality of 
Alcohol and Drug Abuse Patient Records regulations. This proposal was 
prompted by the need to update and modernize the regulations. These 
laws and regulations governing the confidentiality of substance abuse 
records were written out of great concern about the potential use of 
substance abuse information against an individual, preventing those 
individuals with substance use disorders from seeking needed treatment. 
The last substantive update to these regulations was in 1987. Over the 
last 25 years, significant changes have occurred within the U.S. health 
care system that were not envisioned by the current regulations, 
including new models of integrated care that are built on a foundation 
of information sharing to support coordination of patient care, the 
development of an electronic infrastructure for managing and exchanging 
patient information, and a new focus on performance measurement within 
the health care system. SAMHSA wants to ensure that patients with 
substance use disorders have the ability to participate in, and benefit 
from new integrated health care models without fear of putting 
themselves at risk of adverse consequences. These new integrated models 
are foundational to HHS's triple aim of improving health care quality, 
improving population health, and reducing unnecessary health care 
costs. SAMHSA strives to facilitate information exchange within new 
health care models while addressing the legitimate privacy concerns of 
patients seeking treatment for a substance use disorder. These concerns 
include: The potential for loss of employment, loss of housing, loss of 
child custody, discrimination by medical professionals and insurers, 
arrest, prosecution, and incarceration. This proposal is also an effort 
to make the regulations more understandable and less burdensome. We 
welcome public comment on this proposed rule.

DATES: To be assured consideration, comments must be received at one of 
the ADDRESSES provided below, no later than 5 p.m. on April 11, 2016.

ADDRESSES: In commenting, please refer to file code SAMHSA 4162-20.
    Because of staff and resource limitations, we cannot accept 
comments by facsimile (FAX) transmission.
    You may submit comments in one of four ways (to avoid duplication, 
please submit your comments in only one of the ways listed):
    1. Electronically: Federal eRulemaking Portal. You may submit 
comments electronically to http://www.regulations.gov. Follow the 
``Submit a comment'' instructions.
    2. By regular mail. Written comments mailed by regular mail must be 
sent to the following address ONLY: The Substance Abuse and Mental 
Health Services Administration, Department of Health and Human 
Services, Attn: SAMHSA-4162-20, 5600 Fishers Lane, Room 13N02B, 
Rockville, Maryland 20857.

Please allow sufficient time for mailed comments to be received before 
the close of the comment period.
    3. By express or overnight mail. Written comments sent by express 
or overnight mail must be sent to the following address ONLY: The 
Substance Abuse and Mental Health Services Administration, Department 
of Health and Human Services, Attn: SAMHSA-4162-20, 5600 Fishers Lane, 
Room 13N02B, Rockville, Maryland 20852.
    4. By hand or courier. Written comments delivered by hand or 
courier must be delivered to the following address ONLY: The Substance 
Abuse and Mental Health Services Administration, Department of Health 
and Human Services, Attn: SAMHSA-4162-20, 5600 Fishers Lane, Room 
13N02B, Rockville, Maryland 20857.
    For information on viewing public comments, see the beginning of 
the SUPPLEMENTARY INFORMATION section.

FOR FURTHER INFORMATION CONTACT: Kate Tipping, 240-276-1652, Email 
address: [email protected].

SUPPLEMENTARY INFORMATION:
    Inspection of Public Comments: ALL COMMENTS received before the 
close of the comment period are available for viewing by the public, 
including any personally identifiable and/or confidential information 
that is included in a comment. We post all comments received as soon as 
possible after they have been received on the following Web site: 
http://www.regulations.gov. Follow the search instructions on that Web 
site to view public comments.
    Comments received before the close of the comment period will also 
be available for public inspection, generally beginning approximately 3 
weeks after publication of a document, at the headquarters of the 
Substance Abuse and Mental Health Services Administration, 5600 Fishers 
Lane, Rockville, Maryland 20857, Monday through Friday of each week 
from 8:30 a.m. to 4 p.m. To schedule an appointment to view public 
comments, phone 240-276-1660.
    We will consider all comments we receive by the date and time 
specified in the DATES section of this preamble, and will respond to 
the comments in the preamble of the final rule.
    Effective date of proposed Sec.  2.13(d): As discussed in the 
preamble, the proposed Sec.  2.13(d) shall not go into effect until two 
years after the effective date of the final rule.

Table of Contents

    To assist readers in referencing sections contained in this 
preamble, we are providing a table of contents.

I. Executive Summary
    A. Purpose
    B. Summary of the Major Provisions
    C. Summary of Impacts
II. Background
    A. Significant Technology Changes
    B. Statutory and Rulemaking History
III. Provisions of This Proposed Rule
    A. Reports of Violations (Sec.  2.4)
    1. Overview
    2. Proposed Revisions
    B. Definitions (Sec.  2.11)
    1. Overview
    2. Proposed Revisions
    a. New Definitions
    i. Part 2 Program
    ii. Part 2 Program Director
    iii. Substance Use Disorder
    iv. Treating Provider Relationship
    v. Withdrawal Management
    b. Existing Definitions
    i. Central Registry
    ii. Disclose or Disclosure
    iii. Maintenance Treatment
    iv. Member Program
    v. Patient
    vi. Patient Identifying Information
    vii. Person
    viii. Program
    ix. Qualified Service Organization
    x. Records
    xi. Treatment
    c. Terminology Changes
    C. Applicability (Sec.  2.12)
    1. Overview
    2. Proposed Revisions
    D. Confidentiality Restrictions and Safeguards (Sec.  2.13)
    1. Overview
    2. Proposed Revisions
    E. Security for Records (Sec.  2.16)
    1. Overview
    2. Proposed Revisions
    F. Disposition of Records by Discontinued Programs (Sec.  2.19)

[[Page 6989]]

    1. Overview
    2. Proposed Revisions
    G. Notice to Patients of Federal Confidentiality Requirements 
(Sec.  2.22)
    1. Overview
    2. Proposed Revisions
    H. Consent Requirements (Sec.  2.31)
    1. Overview
    2. Proposed Revisions
    a. To Whom
    i. Overview
    ii. Proposed Revisions
    b. Amount and Kind
    i. Overview
    ii. Proposed Revisions
    c. From Whom
    i. Overview
    ii. Proposed Revisions
    d. New Requirements
    i. Overview
    ii. Proposed Revisions
    I. Prohibition on Re-disclosure (Sec.  2.32)
    1. Overview
    2. Proposed Revisions
    J. Disclosures to Prevent Multiple Enrollments (Sec.  2.34)
    1. Overview
    2. Proposed Revisions
    K. Medical Emergencies (Sec.  2.51)
    1. Overview
    2. Proposed Revisions
    L. Research (Sec.  2.52)
    1. Overview
    2. Proposed Revisions
    M. Audit and Evaluation (Sec.  2.53)
    1. Overview
    2. Proposed Revisions
IV. Collection of Information Requirements
V. Response to Comments
VI. Regulatory Impact Analysis
    A. Statement of Need
    B. Overall Impact
    1. Direct Costs of Implementing the Proposed Regulations
    a. Staff Training
    b. Updates to Consent Forms
    c. List of Disclosures Costs
    d. IT Updates
    C. Conclusion

Acronyms

ACO Accountable Care Organization
ABAM American Board of Addiction Medicine
ADAMHA Alcohol, Drug Abuse and Mental Health Administration
ANSI American National Standards Institute
ARRA American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5)
ATR Access to Recovery
CCO Coordinated Care Organization
CFR Code of Federal Regulations
CHIP Children's Health Insurance Program
CMS Centers for Medicare & Medicaid Services
DS4P Data Segmentation for Privacy
EHR Electronic Health Record
FAX Facsimile
FDA Food and Drug Administration
FR Federal Register
FWA Federalwide Assurance
HHS Department of Health and Human Services
HIE Health Information Exchange
HIPAA Health Insurance Portability and Accountability Act of 1996 
(Pub. L. 104-191)
HITECH Health Information Technology for Economic and Clinical 
Health
HL7 Health Level 7
IG Implementation Guide
IT Information Technology
IRB Institutional Review Board
NPRM Notice of Proposed Rulemaking
N-SSATS National Survey of Substance Abuse Treatment Services
OECD Organization for Economic Cooperation and Development
OHRP Office for Human Research Protections
OMB Office of Management and Budget
ONC Office of the National Coordinator for Health Information 
Technology
PDMP Prescription Drug Monitoring Program
QE Qualified Entity
QSO Qualified Service Organization
QSOA Qualified Service Organization Agreement
RFA Regulatory Flexibility Act
SAMHSA Substance Abuse and Mental Health Services Administration
S&I Standards and Interoperability
TEDS Treatment Episode Data Set
U.S.C. United States Code
VA Department of Veterans Affairs

I. Executive Summary

A. Purpose

    This proposed rule would revise title 42 of the Code of Federal 
Regulations part 2 (42 CFR part 2), Confidentiality of Alcohol and Drug 
Abuse Patient Records regulations. The authorizing statute (Title 42, 
United States Code, Section 290dd-2) protects the confidentiality of 
the identity, diagnosis, prognosis, or treatment of any patient records 
which are maintained in connection with the performance of any 
federally assisted program or activity relating to substance abuse 
education, prevention, training, treatment, rehabilitation, or 
research. Title 42 of the CFR part 2 was first promulgated in 1975 (40 
FR 27802) and last substantively updated in 1987 (52 FR 21796).
    The laws and regulations governing the confidentiality of substance 
abuse records were written out of great concern about the potential use 
of substance abuse information against individuals, causing individuals 
with substance use disorders to not seek needed treatment. The 
disclosure of records of individuals with substance use disorders has 
the potential to lead to a host of negative consequences including: 
Loss of employment, loss of housing, loss of child custody, 
discrimination by medical professionals and insurers, arrest, 
prosecution, and incarceration. The purpose of the regulations at 42 
CFR part 2 is to ensure that a patient receiving treatment for a 
substance use disorder in a part 2 program is not made more vulnerable 
by reason of the availability of their patient record than an 
individual with a substance use disorder who does not seek treatment. 
Under the current regulations, a federally assisted substance use 
disorder program generally may only release identifiable information 
related to substance use disorder diagnosis, treatment, or referral for 
treatment with the individual's express consent. Now over 25 years 
later, this proposed rule would make policy changes to the regulations 
to better align them with advances in the U.S. health care delivery 
system while retaining important privacy protections.
    Unless otherwise noted, these changes would be applicable beginning 
180 days after the publication of the final rule. If programs that were 
required to comply with 42 CFR part 2 prior to the effective date of 
the final rule continue to fall within the scope of 42 CFR part 2 as 
outlined in the final rule, they would be required to come into 
compliance with any revised regulations by the effective date of the 
final rule. However, signed consent forms in place prior to the 
effective date of the final rule would be valid until they expire. 
Nonetheless, part 2 programs may update signed consent forms consistent 
with the final rule, prior to the effective date of the final rule if 
they so choose. Consents obtained after the effective date would need 
to comply with the final rule, regardless of whether the consents 
involve patient identifying information obtained prior to or after the 
effective date of the final rule.

B. Summary of the Major Provisions

    This proposed rule is intended to modernize the 42 CFR part 2 (part 
2) rules by facilitating the electronic exchange of substance use 
disorder information for treatment and other legitimate health care 
purposes while ensuring appropriate confidentiality protections for 
records that might identify an individual, directly or indirectly, as 
having or having had a substance use disorder. To achieve this goal, we 
propose the following modifications.
    We propose, in Section III.A., Reports of Violations (Sec.  2.4), 
to revise the requirement for reporting violations of these regulations 
by methadone programs (now referred to as opioid treatment programs) to 
the Food and Drug Administration (FDA) because the authority over these 
programs was transferred from the FDA to Substance Abuse and Mental 
Health Services Administration (SAMHSA) in 2001.

[[Page 6990]]

    In Section III.B., Definitions (Sec.  2.11), we propose to revise 
some existing definitions, add new definitions of key terms that apply 
to 42 CFR part 2, and consolidate all but one of the definitions that 
are currently in other sections in Sec.  2.11. We propose to revise the 
definitions of ``Central registry,'' ``Disclose or disclosure,'' 
``Maintenance treatment,'' ``Member program,'' ``Patient,'' ``Patient 
identifying information,'' ``Person,'' ``Program,'' ``Qualified service 
organization (QSO),'' ``Records,'' and ``Treatment.'' We also propose 
to add definitions of ``Part 2 program,'' ``Part 2 program director,'' 
``Substance use disorder,'' ``Treating provider relationship,'' and 
``Withdrawal management.'' Some of these new definitions replace 
existing definitions. In addition, we propose to revise the regulatory 
text to use terminology in a consistent manner.
    In Section III.C., Applicability (Sec.  2.12), SAMHSA proposes to 
continue to apply the 42 CFR part 2 regulations to a program that is 
federally assisted and holds itself out as providing, and provides, 
substance use disorder diagnosis, treatment, or referral for treatment, 
but, where currently paragraph (1) of the definition of ``Program'' 
does not apply to general medical facilities, SAMHSA now proposes that 
paragraph (1) would not apply to either general medical facilities or 
general medical practices. The proposed language goes on to clarify 
that paragraph (2) and (3) of the definition of Program would apply to 
``general medical facilities'' and ``general medical practices'' under 
certain conditions. For example, an identified unit within a general 
medical facility or general medical practice will be subject to part 2 
if it holds itself out as providing, and provides, substance use 
disorder diagnosis, treatment, or referral for treatment, or if the 
primary function of medical personnel or other staff in the general 
medical facility or general medical practice is the provision of such 
services and they are identified as providing such services.
    In Section III.D., Confidentiality Restrictions and Safeguards 
(Sec.  2.13), SAMHSA proposes to add a requirement that, upon request, 
patients who have included a general designation in the ``To Whom'' 
section of their consent form (see Sec.  2.31) must be provided a list 
of entities to which their information has been disclosed pursuant to 
the general designation.
    In Section III.E., Security for Records (Sec.  2.16), SAMHSA 
proposes to clarify that this section requires both part 2 programs and 
other lawful holders of patient identifying information to have in 
place formal policies and procedures addressing security, including 
sanitization of associated media, for both paper and electronic 
records.
    In Section III.F., Disposition of Records by Discontinued Programs 
(Sec.  2.19), we propose to address both paper and electronic records. 
SAMHSA also is proposing to add requirements for sanitizing associated 
media.
    In Section III.G., Notice to Patients of Federal Confidentiality 
Requirements (Sec.  2.22), we propose to clarify that the written 
summary of federal law and regulations may be provided to patients in 
either paper or electronic format. SAMHSA also proposes to require the 
statement regarding the reporting of violations include contact 
information for the appropriate authorities.
    In Section III.H., Consent Requirements (Sec.  2.31), SAMHSA is 
proposing to allow, in certain circumstances, a patient to include a 
general designation in the ``To Whom'' section of the consent form, in 
conjunction with requirements that: (1) The consent form include an 
explicit description of the amount and kind of substance use disorder 
treatment information that may be disclosed; and (2) the ``From Whom'' 
section of the consent form specifically name the part 2 program or 
other lawful holder of the patient identifying information permitted to 
make the disclosure. SAMHSA also is proposing to require the part 2 
program or other lawful holder of patient identifying information to 
include a statement on the consent form that the patient understands 
the terms of their consent and, when using a general designation in the 
``To Whom'' section of the consent form, that they have a right to 
obtain, upon request, a list of entities to which their information has 
been disclosed pursuant to the general designation (see Sec.  2.13). In 
addition, SAMHSA is proposing to permit electronic signatures to the 
extent that they are not prohibited by any applicable law.
    In Section III.I., Prohibition on Re-disclosure (Sec.  2.32), we 
propose to clarify that the prohibition on re-disclosure only applies 
to information that would identify, directly or indirectly, an 
individual as having been diagnosed, treated, or referred for treatment 
for a substance use disorder, such as indicated through standard 
medical codes, descriptive language, or both, and allows other health-
related information shared by the part 2 program to be re-disclosed, if 
permissible under other applicable laws.
    In Section III.J., Disclosures to Prevent Multiple Enrollments 
(Sec.  2.34), we propose to modernize the terminology and definitions 
and move the definitions to Sec.  2.11, Definitions.
    In Section III.K., Medical Emergencies (Sec.  2.51), we propose to 
revise the medical emergency exception to make it consistent with the 
statutory language and to give providers more discretion to determine 
when a ``bona fide medical emergency'' exists.
    In Section III.L., Research (Sec.  2.52), SAMHSA proposes to revise 
the research exception to permit data protected by 42 CFR part 2 to be 
disclosed to qualified personnel for the purpose of conducting 
scientific research by a part 2 program or any other individual or 
entity that is in lawful possession of part 2 data if the researcher 
provides documentation of meeting certain requirements related to other 
existing protections for human research. SAMHSA also is proposing to 
address data linkages to enable researchers holding part 2 data to link 
to data sets from federal data repositories, and is seeking comment on 
expanding this provision to non-federal data repositories.
    We propose, in Section III.M., Audit and Evaluation (Sec.  2.53), 
to modernize the requirements to include provisions for governing both 
paper and electronic patient records. SAMHSA also proposes to permit an 
audit or evaluation necessary to meet the requirements of a Centers for 
Medicare & Medicaid Services (CMS)-regulated accountable care 
organization (CMS-regulated ACO) or similar CMS-regulated organization 
(including a CMS-regulated Qualified Entity (QE)), under certain 
conditions.

C. Summary of Impacts

    Our goal in modernizing the part 2 regulations is to increase 
opportunities for individuals with substance use disorders to 
participate in new and emerging health and health care models and 
health information technology (IT). Our intent is to facilitate the 
sharing of information within the health care system to support new 
models of integrated health care which, among other things, improve 
patient safety while maintaining or strengthening privacy protections 
for individuals seeking treatment for substance use disorders. We 
expect the proposed changes to 42 CFR part 2 to result in a decrease in 
the burdens associated with several aspects of this rule, including 
consent requirements. Moreover, as patients are allowed, in certain 
circumstances, to include a general designation in the ``To Whom'' 
section of the consent form, we anticipate there

[[Page 6991]]

would be more individuals with substance use disorders participating in 
organizations that facilitate the exchange of health information (e.g., 
health information exchanges (HIEs)) and organizations that coordinate 
care (e.g., accountable care organizations (ACOs) and coordinated care 
organizations (CCOs)), leading to increased efficiency and quality in 
the provision of health care for this population.
    When estimating the total costs associated with changes to the 42 
CFR part 2 regulations, we assumed five sets of costs: Updates to 
health IT system costs, costs for staff training and updates to 
training curricula, costs to update patient consent forms, costs 
associated with providing patients a list of entities to which their 
information has been disclosed pursuant to a general designation on the 
consent form (i.e., the List of Disclosures requirement), and 
implementation costs associated with the List of Disclosure 
requirements. We assumed that costs associated with modifications to 
existing health IT systems, staff training costs associated with 
updating staff training materials, and costs to update consent forms 
would be one-time costs the first year the final rule is in effect and 
would not carry forward into future years. Staff training costs other 
than those associated with updating training materials are assumed to 
be ongoing annual costs to part 2 programs, also beginning in the first 
year that the final rule is in effect. The List of Disclosures costs 
are assumed to be ongoing annual costs to entities named on a consent 
form that disclose patient identifying information to their 
participants under the general designation. The List of Disclosures 
requirement, however, does not go into effect until two years after the 
final rule is in effect. Therefore, in years 1 and 2, the costs 
associated with the List of Disclosures provision are limited to 
implementation costs for entities that chose to upgrade their health IT 
systems in order to comply with the List of Disclosure requirements.
    We estimate, therefore, that in the first year that the final rule 
is in effect, the costs associated with updates to 42 CFR part 2 would 
be $74,217,979. In year two, we estimate that costs would be 
$47,021,182. In years 3 through 10, we estimate the annual costs would 
be $14,835,444. Over the 10-year period 2015-2024, the total 
undiscounted cost of the proposed changes would be $239,922,716 in 2015 
dollars. When future costs are discounted at 3 percent or 7 percent per 
year, the total costs become approximately $220.9 million or $200.9 
million, respectively.
    Based on data from the 2013 National Survey of Substance Abuse 
Treatment Services (N-SSATS), we estimate that 12,034 hospitals, 
outpatient treatment centers, and residential treatment facilities are 
covered by part 2. N-SSATS is an annual survey of U.S. substance abuse 
treatment facilities. Data is collected on facility location, 
characteristics, and service utilization. Not all treatment providers 
included in N-SSATs are believed to be under the jurisdiction of the 
part 2 regulations. The 12,034 number is a subset of the 14,148 
substance abuse treatment facilities that responded to the 2013 N-
SSATS, and includes all federally operated facilities, facilities that 
reported receiving public funding other than Medicare and Medicaid, 
facilities that reported accepting Medicare, Medicaid, TRICARE, and/or 
Access to Recovery (ATR) voucher payments, or were SAMHSA-certified 
Opioid Treatment Programs.
    If an independently practicing clinician does not meet the 
requirements of paragraph (1) of the definition of Program (an 
individual or entity (other than a general medical facility or general 
medical practice) who holds itself out as providing and provides 
substance use disorder diagnosis, treatment or referral for treatment), 
they may be subject to 42 CFR part 2 if they constitute an identified 
unit within a general medical facility or general medical practice 
which holds itself out as providing, and provides, substance use 
disorder diagnosis, treatment, or referral for treatment, or if their 
primary function in the facility or practice is the provision of such 
services and they are identified by the facility or practice as 
providing such services. Due to data limitations, it was not possible 
to estimate the costs for independently practicing providers covered by 
part 2 that did not participate in the 2013 N-SSATS. For example, data 
from the American Board of Addiction Medicine (ABAM) provides the 
number of physicians since 2000, who have active ABAM certification. 
However, there is no source for the number of physicians who have not 
participated in the ABAM certification process. In addition, it is not 
possible to determine which ABAM-certified physicians practice in a 
general medical setting rather than in a specialty treatment facility 
that was already counted in the N-SSATS data.
    Several provisions in the Notice of Proposed Rulemaking (NPRM) 
reference other lawful holders of patient identifying information in 
combination with part 2 programs. These other lawful holders must 
comply with part 2 requirements with respect to information they 
maintain that is covered by part 2 regulations. However, because this 
group is not clearly defined with respect to the range of organizations 
it may include, we are unable to include estimates regarding the number 
and type of these organizations and are only including part 2 programs 
in this analysis.
    In addition to the part 2 programs described above, entities named 
on a consent form that disclose patient identifying information to 
their participants under the general designation must provide patients, 
upon request, a list of entities to which their information has been 
disclosed pursuant to a general designation. These entities primarily 
would include organizations that facilitate the exchange of health 
information (e.g., HIEs), and also may include organizations 
responsible for care coordination (e.g., ACOs, CCOs, and patient-
centered medical homes (sometimes called health homes)). While these 
types of organizations were the primary focus of this provision on the 
consent form, other types of entities, such as research institutions, 
also may disclose patient identifying information to their participants 
(e.g., clinical researchers) pursuant to the general designation on the 
consent form. Because there are no definitive data sources for this 
potential range of organizations, we are not associating List of 
Disclosures requests with any particular type of organization. Instead, 
we chose to estimate the number of organizations that must respond to 
List of Disclosures requests based on the total number of requests each 
year.

II. Background

A. Significant Technology Changes

    Since the promulgation of 42 CFR part 2, significant technology 
changes have impacted the delivery of health care. The Office of the 
National Coordinator for Health Information Technology (ONC) was 
established as an office within the Department of Health and Human 
Services (HHS) under Executive Order 13335 on April 27, 2004. 
Subsequently, on February 17, 2009, the Health Information Technology 
for Economic and Clinical Health Act (HITECH Act) of the American 
Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5) expanded 
the Department's health IT work, including the expansion of ONC's 
authority and the provision of federal funds for ONC's activities 
consistent with the

[[Page 6992]]

development of a nationwide health IT infrastructure. This work 
included the certification of health IT; the authorization of CMS' 
Electronic Health Record (EHR) Incentive Program, including payments to 
eligible providers for the adoption and meaningful use of certified EHR 
technology; and numerous other federal agencies' programs--all of which 
served the objective of ensuring patient health information is secure, 
private, accurate, and available where and when needed.
    SAMHSA has played a role in encouraging the use of health IT by 
behavioral health (substance use disorders and mental health) 
providers. SAMHSA's efforts included collaborating with ONC to develop 
two sets of Frequently Asked Questions and convening a number of 
stakeholder meetings to provide guidance on the application of 42 CFR 
part 2 within HIE models. In addition, SAMHSA funded a one-year pilot 
project in 2012 with five state HIEs to support the exchange of health 
information among behavioral health and physical health providers. 
SAMHSA also worked with ONC and other federal agencies on several 
projects to support behavioral health and health information exchange.
    The Data Segmentation for Privacy (DS4P) initiative within ONC's 
Standards and Interoperability (S&I) Framework facilitated the 
development of standards to improve the interoperability of EHRs 
containing sensitive information that must be protected to a greater 
degree than other health information due to 42 CFR part 2 and similar 
state laws. The DS4P initiative met its two goals, which were to: 
Demonstrate how standards can be used to support current privacy 
policies for sharing sensitive health information across organizational 
boundaries; and develop standards that will enable sensitive electronic 
health information to flow more freely to authorized users while 
improving the ability of health IT systems to implement current privacy 
protection requirements for certain types of health care data, such as 
substance use disorder patient records. The S&I Framework is a 
collaborative community of contributors from the public and private 
sectors who are focused on providing the tools, services, and guidance 
to facilitate the electronic exchange of health information. The DS4P 
initiative involved 344 volunteers, including, but not limited to, 
federal and state government agencies, behavioral health providers, EHR 
and other IT companies, health information exchanges, patient advocacy 
groups, professional societies/associations, consultants, health 
systems, health insurers, and universities.
    Through the DS4P initiative, federal and community stakeholders 
developed standards and guidelines for enabling data segmentation and 
managing patient consent preferences. The technical approach outlined 
in the DS4P Implementation Guide (IG) is based on the experience of the 
six pilot projects and the solutions they developed to meet the DS4P 
project requirements. The DS4P IG is an American National Standards 
Institute (ANSI) approved standard. It was also voted on and approved 
at the highest level to become what Health Level 7 (HL7) calls a 
normative standard (a foundational part of the technology needed to 
meet the global challenge of integrating health care information). The 
HL7 balloting process included 155 stakeholders, including HL7 
affiliates, vendors, consultants, payers, providers, non-profit 
organizations, and federal government representatives. The HL7 standard 
is the currently acceptable standard for data segmentation and consent 
management. In addition, it is in compliance with 42 CFR part 2.
    The six DS4P IG use case pilot projects that were conducted in 
accordance with ONC's S&I Framework included the Department of Veterans 
Affairs (VA)/Substance Abuse and Mental Health Services Administration 
(SAMHSA) Pilot. The VA/SAMHSA Pilot implemented all the DS4P use cases 
and passed all conformance tests. The VA/SAMHSA Pilot was also the 
first application to show that managing consents and patient 
directives, as well as segmenting structured data in a patient record, 
can be done. SAMHSA used these DS4P standards to develop the 
application branded Consent2Share, an open-source health IT solution 
which assists in consent management and data segmentation. 
Consent2Share validates that the DS4P IG can be used to build a 
production-based application to manage the patient consent lifecycle 
electronically. The Consent2Share software is currently being used by 
the Prince Georges County (Maryland) Health Department to manage 
patient consent directives while sharing substance use disorder 
information with an HIE. While this technology is not perfect, it 
provides a foundational standard and shows promise for sharing 
substance use disorder information while complying with 42 CFR part 2.
    Notwithstanding these efforts, SAMHSA is aware that technology 
adoption is an ongoing process and the majority of current EHR and HIE 
applications may not have the capability to support the DS4P 
initiative. In addition, paper records are still used today in some 
part 2 programs and shared through facsimile (FAX). Despite SAMHSA's 
efforts to clarify the part 2 regulations through guidance and to 
demonstrate that exchange of sensitive health information can be 
accomplished through pilot projects that adhere to the regulations, 
some stakeholders continued to request modernization of 42 CFR part 2. 
These stakeholders are concerned that part 2, as currently written, 
continues to be a barrier to the integration of substance use disorder 
treatment and physical health care. For example, some substance use 
disorder treatment centers cannot participate in integrated care models 
because they have not implemented data segmentation and consent 
management functionalities necessary to comply with the part 2 rules. 
Further, under the current regulations, the part 2 program director is 
the only individual authorized to release of information for scientific 
research purposes. In addition, under the current regulatory framework, 
absent consent, organizations that store patient health data, including 
data that are subject to part 2, do not have the authority to disclose 
part 2 data for scientific research purposes to qualified researchers 
or research organizations. This could hinder a full understanding of 
impacts of treatment for addiction and other health issues. Finally, 
some stakeholders continue to request modernization of the part 2 
rules, in media and other public and private forums.

B. Statutory and Rulemaking History

    The Confidentiality of Alcohol and Drug Abuse Patient Records 
regulations, 42 CFR part 2, implement section 543 of the Public Health 
Service Act, 42 United States Code (U.S.C.) Sec.  290dd-2, as amended 
by section 131 of the Alcohol, Drug Abuse and Mental Health 
Administration Reorganization Act (ADAMHA Reorganization Act), Pub. L. 
102-321 (July 10, 1992). The regulations were promulgated as a final 
rule on July 1, 1975 (40 FR 27802). In 1980, the Department invited 
public comment on 15 substantive issues arising out of its experience 
interpreting and implementing the regulations (45 FR 53). More than 450 
public responses to that invitation were received and taken into 
consideration in the preparation of a 1983 NPRM (48 FR 38758). 
Approximately 150 comments were received in response to the NPRM and 
were taken into consideration in the preparation of the final rule 
released on June 9, 1987 (52 FR 21798).

[[Page 6993]]

    The Department published a NPRM again in the Federal Register (FR) 
on August 18, 1994 (59 FR 42561), which proposed a clarification of the 
definition of ``Program'' in the regulations. Specifically, the 
Department proposed to clarify that, as to general medical care 
facilities, these regulations cover only specialized individuals or 
units in such facilities that hold themselves out as providing and 
provide alcohol or drug abuse diagnosis, treatment, or referral for 
treatment and which are federally assisted, directly or indirectly. On 
May 5, 1995, the final rule was released (60 FR 22296).
    SAMHSA posted a document in the Federal Register on May 12, 2014, 
(79 FR 26929) announcing a public Listening Session planned for June 
11, 2014, to solicit feedback on the Confidentiality of Alcohol and 
Drug Abuse Patient Records regulations, 42 CFR part 2. SAMHSA accepted 
written comments until June 25, 2014.
    In the Federal Register notification for the public Listening 
Session (79 FR 26929), SAMHSA invited general comments, as well as 
comments on six key provisions of 42 CFR part 2: Applicability, Consent 
requirements, Re-disclosure, Medical emergency, QSO, and Research. In 
addition, SAMHSA solicited input on electronic prescribing and 
Prescription Drug Monitoring Programs (PDMPs), areas that could 
potentially impact part 2 programs. Approximately 1,800 individuals 
participated in the listening session, either in person or by phone. 
During the session, 112 oral comments were made, while another 635 
written comments were submitted during the written comment period. The 
Listening Session comments are posted on the SAMHSA Web site at http://www.samhsa.gov/about-us/who-we-are/laws-regulations/public-comments-confidentiality-regulations. In general, commenters supported updating 
the regulations or opposed it. Some commenters proposed aligning 42 CFR 
part 2 with the Health Insurance Portability and Accountability Act of 
1996 (HIPAA) regulations. However, due to its targeted population, part 
2 provides more stringent federal protections than most other health 
privacy laws, including HIPAA. We are choosing not to address any 
specific comments or summarize comments in detail in this proposed 
rule. However, all the feedback received from the Listening Session was 
considered and helped to inform the development of this NPRM. In 
addition, SAMHSA collaborated with its federal partner experts in 
developing this NPRM.
    SAMHSA decided not to address issues pertaining to e-prescribing 
and PDMPs in this NPRM. SAMHSA concluded that the part 2 program e-
prescribing and PDMPs are not ripe for rulemaking at this time due to 
the state of technology and because the majority of part 2 programs are 
not prescribing controlled substances electronically. SAMHSA intends to 
monitor developments in this area to see whether further action may be 
warranted in the future.

III. Provisions of This Proposed Rule

    The intent of this NPRM is to propose revisions to key provisions 
of 42 CFR part 2 to modernize the regulations adopted in the June 1987 
final rule and amended by the May 1995 final rule. This modernization 
is necessary because behavioral health, including substance use 
disorder treatment, is essential to overall health; the costs of 
untreated substance use disorders, both personal and societal, are 
substantial; and there continues to be a need for confidentiality 
protections that encourage patients to seek treatment without fear of 
compromising their privacy.
    Individuals seeking treatment for substance use disorders often are 
met with a host of negative reactions including discrimination and harm 
to their reputations and relationships. In addition, there is a 
potential for serious civil and criminal consequences for the 
disclosure of patient identifying information associated with substance 
use disorders beyond the health care context. We are mindful of the 
intent of the governing statute (42 U.S.C. 290dd-2) and regulations at 
42 CFR part 2, which is to protect the confidentiality of substance 
abuse patient records so as not to make an individual receiving 
treatment for a substance use disorder in a part 2 program more 
vulnerable by virtue of seeking treatment than an individual with a 
substance use disorder who does not seek treatment. SAMHSA strives to 
facilitate information exchange within new and emerging health and 
health care models, which promote integrated care and patient safety, 
while respecting the legitimate privacy concerns of patients seeking 
treatment for a substance use disorder due to the potential for 
discrimination, harm to their reputations and relationships, and 
serious civil and criminal consequences. SAMHSA also is mindful that 
any regulatory changes contemplated must be consistent with the 
authorizing legislation (42 U.S.C. 290dd-2) and its statutory intent.
    This proposed rule also proposes editorial changes. SAMHSA deleted 
references to 42 U.S.C. 290ee-3 and 42 U.S.C. 290dd-3 in Sec.  2.1, 
Statutory authority for confidentiality of drug abuse patient records, 
and Sec.  2.2, Statutory authority for confidentiality of alcohol abuse 
patient records. Sections 290dd-3 and 290ee-3 were omitted by Public 
Law 102-321 and combined and renamed into Sections 290dd-2, 
Confidentiality of records. We also combined Sec. Sec.  2.1 and 2.2 and 
propose to rename the new Sec.  2.1 (Statutory authority for 
confidentiality of substance abuse patient records) and re-designate 
Sec. Sec.  2.2-2.5. In addition, we deleted references to laws and 
regulations that have been repealed in Sec.  2.21. Finally, we made 
editorial changes throughout the regulations to increase clarity and 
consistency.
    Along with proposing substantive revisions to various sections of 
42 CFR part 2, SAMHSA has proposed a number of technical, non-
substantive changes for clarity and consistency that are reflected 
throughout the regulations. For the convenience of the public, SAMHSA 
is reprinting the text of 42 CFR part 2 in its entirety, which includes 
the proposed modifications incorporated into the existing provisions. 
SAMHSA, however, is only seeking comment on the proposed changes to the 
regulations that are discussed in the preamble of this NPRM. Sections 
of 42 CFR part 2 that have not been proposed for revision are not 
subject to review or comment under this NPRM.

A. Reports of Violations (Sec.  2.4)

1. Overview
    In the current regulations, methadone programs are required to 
report violations of these regulations to the FDA.
2. Proposed Revisions
    We propose to revise the requirement (Sec.  2.5(b)) of reporting 
violations of these regulations by a methadone program to the FDA. The 
authority over methadone programs (now referred to as opioid treatment 
programs) was transferred from the FDA to SAMHSA in 2001 (66 FR 4076). 
Suspected violations of 42 CFR part 2 by opioid treatment programs may 
be reported to the U.S. Attorney's Office for the judicial district in 
which the violation occurred, as well as the SAMHSA office responsible 
for opioid treatment program oversight.

[[Page 6994]]

B. Definitions (Sec.  2.11)

1. Overview
    Certain defined terms in the current regulations are used 
inconsistently. SAMHSA also received inquiries regarding certain terms 
and how they apply to new health care models. In addition, the current 
regulations include definitions in four different sections (Sec. Sec.  
2.11, 2.12, 2.14 and 2.34).
2. Proposed Revisions
    SAMHSA proposes to consolidate all of the definitions, with the 
exception the definition of the term ``Federally assisted,'' in a 
single section at Sec.  2.11. SAMHSA proposes to retain the definition 
of the term ``Federally assisted'' in the Applicability provision at 
Sec.  2.12 for the purpose of clarity because it is key to 
understanding the applicability of 42 CFR part 2. We encourage readers 
to review all of the definitions, since a clear understanding of the 
regulations builds on an understanding of the definitions and their 
inter-relationships.
a. New Definitions
i. Part 2 Program
    The current regulations define ``Federally assisted'' separately 
from the term ``Program'' but do not define the term ``Part 2 
program.'' In addition, the terms ``Program'' and ``federally assisted 
alcohol or drug abuse program'' are used interchangeably. Therefore, 
SAMHSA proposes to define a ``Part 2 program'' as a federally assisted 
program (federally assisted as defined in Sec.  2.12(b) and program as 
defined in Sec.  2.11). See Sec.  2.12(e)(1) for examples.
    We proposed to retain the examples provided in Sec.  2.12(e)(1) of 
the current regulations, with a clarification, because they explain the 
part 2 applicability and coverage.
    SAMHSA proposes to replace the term ``Program'' with ``Part 2 
program,'' where appropriate. For example, we propose to revise the 
definition of QSO, including replacing ``Program'' with ``Part 2 
program,'' which is discussed in depth below (see Section III.B.2.b., 
Existing Definitions). We also propose to replace ``Program'' with 
``Part 2 program'' in several other definitions, while making no 
additional changes.
ii. Part 2 Program Director
    Because of the addition of the ``Part 2 program'' definition, we 
also are proposing to define a ``Part 2 program director'' as:
     In the case of a part 2 program which is an individual, 
that individual, and
     In the case of a part 2 program which is an entity, the 
individual designated as director or managing director, or individual 
otherwise vested with authority to act as chief executive officer of 
the part 2 program.
    We propose to delete the definition of ``Program director.''
iii. Substance Use Disorder
    SAMHSA proposes to refer to alcohol abuse and drug abuse 
collectively as ``Substance use disorder'' and, when referring to the 
authorizing statute, use ``substance abuse'' since that is the term 
used in Title 42, United States Code, Section 290dd-2. SAMHSA also uses 
the term ``substance abuse'' when referencing information from other 
publications that use that term. SAMHSA proposes to use the term 
``Substance use disorder'' to be consistent with recognized 
classification manuals, current diagnostic lexicon, and commonly used 
descriptive terminology, and, for consistency, proposes to revise the 
title of 42 CFR part 2 from ``Confidentiality of Alcohol and Drug Abuse 
Patient Records'' to ``Confidentiality of Substance Use Disorder 
Patient Records.''
    While SAMHSA proposes to delete the definitions of ``Alcohol 
abuse'' and ``Drug abuse,'' we continue to use the terms ``Alcohol 
abuse'' and ``Drug abuse'' when referring to 42 U.S.C. 290dd-3 and 42 
U.S.C. 290ee-3 (omitted by Pub. L. 102-321 and combined and renamed 
into Section 290dd-2), respectively, because they are the terms used in 
the outdated statutes. See Sec.  2.11 of the current regulations for 
definitions of the terms ``Alcohol abuse'' and ``Drug abuse''.
    SAMHSA proposes to define the term ``Substance use disorder'' in 
such a manner as to cover substance use disorders that can be 
associated with altered mental status that has the potential to lead to 
risky and/or socially prohibited behaviors, including, but not limited 
to, substances such as, alcohol, cannabis, hallucinogens, inhalants, 
opioids, sedatives, hypnotics, anxiolytics, and stimulants. In 
addition, SAMHSA proposes to clarify that, for the purposes of these 
regulations, the definition excludes both tobacco and caffeine.
iv. Treating Provider Relationship
    As noted in more detail in Section III.H., Consent Requirements, 
SAMHSA has heard a number of concerns from stakeholders regarding the 
current consent requirements in Sec.  2.31 of the regulations. SAMHSA 
is proposing to revise the consent requirements to permit, in certain 
circumstances, a more general description of the individuals or 
entities to which a disclosure is made, but only if the individuals or 
entities have a treating provider relationship with the patient whose 
information is being disclosed. This change, therefore, creates a need 
to define a treating provider relationship.
    A treating provider relationship begins when an individual seeks 
health-related assistance from an individual or entity who may provide 
assistance. However, the relationship is clearly established when the 
individual or entity agrees to undertake diagnosis, evaluation and/or 
treatment of the patient, or consultation with the patient, and the 
patient agrees to be treated, whether or not there has been an actual 
in-person encounter between the individual or entity and patient. A 
treating provider relationship with a patient may be established by a 
health care provider or another member of a health care team as long as 
the relationship meets the definition of ``Treating provider 
relationship.''
    A treating provider relationship means that, regardless of whether 
there has been an actual in-person encounter:
     A patient agrees to be diagnosed, evaluated and/or treated 
for any condition by an individual or entity, and
     The individual or entity agrees to undertake diagnosis, 
evaluation and/or treatment of the patient, or consultation with the 
patient, for any condition.
    The term ``agrees'' as used in the definition does not necessarily 
imply a formal written agreement. An agreement might be evidenced, 
among other things, by making an appointment or by a telephone 
consultation.
v. Withdrawal Management
    SAMHSA proposes to update the terminology in Sec.  2.34. We propose 
to delete the definition of ``Detoxification treatment'' and replace it 
with the definition of the currently acceptable term, ``Withdrawal 
management.'' We also propose to move this definition from Sec.  2.34 
to Sec.  2.11 to consolidate definitions in one section of the 
regulations.
b. Existing Definitions
    SAMHSA proposes to update terminology in existing definitions to 
accurately convey the meaning of terms and increase the 
understandability of the proposed rule. In addition, SAMHSA proposes to 
consolidate all but one of the defined terms in Sec.  2.11.
i. Central Registry
    SAMHSA proposes to update the terminology in Sec.  2.34 and move 
this

[[Page 6995]]

definition from Sec.  2.34 to Sec.  2.11 to consolidate definitions.
    We are proposing to revise the definition to incorporate currently 
accepted terminology.
ii. Disclose or Disclosure
    We propose to define only one word, ``Disclose,'' since it is 
implied that the same definition applies to other forms of the word. We 
also propose to update terminology and make the definition clearer.
iii. Maintenance Treatment
    SAMHSA proposes to update the terminology in Sec.  2.34 and move 
this definition from Sec.  2.34 to Sec.  2.11 to consolidate 
definitions.
iv. Member Program
    SAMHSA proposes to update the terminology in Sec.  2.34 and move 
this definition from Sec.  2.34 to Sec.  2.11 to consolidate 
definitions.
v. Patient
    To emphasize that the term ``Patient'' refers to both current and 
former patients, SAMHSA proposes to revise the definition to provide 
that a patient is any individual who has applied for or been given 
diagnosis, treatment, or referral for treatment for a substance use 
disorder at a part 2 program. Patient includes any individual who, 
after arrest on a criminal charge, is identified as an individual with 
a substance use disorder in order to determine that individual's 
eligibility to participate in a part 2 program. This definition 
includes both current and former patients.
vi. Patient Identifying Information
    SAMHSA proposes to clarify that ``Patient,'' as used in this 
definition, is a defined term in Sec.  2.11. In addition, SAMHSA 
deleted the words ``and speed.'' If the information could identify the 
patient, the speed with which it identifies the patient is not 
relevant.
vii. Person
    The current definition of ``Person'' includes both individuals and 
entities. For the purpose of this proposed regulation, SAMHSA considers 
an ``individual'' to be a human being. SAMHSA proposes to revise the 
definition of ``Person'' to clearly indicate that ``Person'' is also 
referred to as individual and/or entity.
viii. Program
    SAMHSA is proposing to make the following changes to the 
``Program'' definition. First, because the current definition of 
``Program'' includes both the terms ``general medical care facility'' 
and ``general medical facility,'' and because these terms are used 
interchangeably, we are proposing to consistently use the term 
``general medical facility.''
    Second, more substance use disorder treatment services are 
occurring in general health care and integrated care settings, which 
are typically not covered under the current regulations. Providers who 
in the past offered only general or specialized health care services 
(other than substance use disorder services) now, on occasion, provide 
substance use disorder treatment services, but only as incident to the 
provision of general health care. Therefore, SAMHSA proposes to make 
clear that paragraph (1) of the definition of ``Program'' would not 
apply to ``general medical facilities'' and ``general medical 
practices.'' However, paragraphs (2) and (3) of the definition of 
``Program'' would apply to ``general medical facilities'' and ``general 
medical practices.'' Finally, SAMHSA is proposing to move the reference 
to examples from the definition of ``Program'' to the definition of 
``Part 2 program'' because 42 CFR part 2 would apply only to ``Part 2 
programs'' as defined in the proposed regulations.
    The inclusion of general medical practices with general medical 
facilities is consistent with SAMHSA's intention to ensure 
confidentiality protections and access to treatment for individuals 
whose identity as substance use disorder patients would be compromised 
if records of the specialized programs from which they seek treatment 
were not covered by these regulations while not unnecessarily imposing 
requirements on general medical facilities or practices in an overly 
broad manner.
    Consistent with the definition of ``Program'':
    1. If a provider is not a general medical facility or general 
medical practice, then the provider meets the part 2 definition of a 
``Program'' if it is an individual or entity who holds itself out as 
providing, and provides substance use disorder diagnosis, treatment, or 
referral for treatment.
    2. If the provider is an identified unit within a general medical 
facility or general medical practice, it is a ``Program'' if it holds 
itself out as providing, and provides, substance use disorder 
diagnosis, treatment or referral for treatment.
    3. If the provider consists of medical personnel or other staff in 
a general medical facility or general medical practice, it is a 
``Program'' if its primary function is the provision of substance use 
disorder diagnosis, treatment, or referral for treatment and is 
identified as such specialized medical personnel or other staff by the 
general medical facility or general medical practice.
    While the term ``general medical facility'' is not defined at 42 
CFR 2.11 (Definitions), hospitals, trauma centers, or federally 
qualified health centers would generally be considered ``general 
medical facilities.'' Therefore, primary care providers who work in 
such facilities would only be covered by the part 2 definition of a 
``Program'' if: (1) They work in an identified unit within such general 
medical facility that holds itself out as providing, and provides, 
substance use disorder diagnosis, treatment or referral for treatment, 
or (2) the primary function of the providers is substance use disorder 
diagnosis, treatment or referral for treatment and they are identified 
as providers of such services by the general medical facility.
    In addition, a practice comprised of primary care providers could 
be considered a ``general medical practice.'' As such, an identified 
unit within that general medical practice that holds itself out as 
providing and provides substance use disorder diagnosis, treatment, or 
referral for treatment would be considered a ``Program'' as defined in 
Sec.  2.11 of these regulations. In addition, medical personnel or 
staff within that general medical practice whose primary function is 
the provision of substance use disorder services and who are identified 
as such providers by the general medical practice would qualify as a 
``Program'' under the definition in these part 2 regulations.
    Finally, ``Holds itself out'' is currently not defined in Sec.  
2.11, Definitions. SAMHSA has previously published guidance relative to 
the term and proposes to add an explanation of ``Holds itself out'' to 
the Preamble discussion in Sec.  2.12, Applicability. Consistent with 
that guidance, ``Holds itself out'' means any activity that would lead 
one to reasonably conclude that the individual or entity provides 
substance use disorder diagnosis, treatment, or referral for treatment 
including but not limited to:
     Authorization by the state or federal government (e.g. 
licensed, certified, registered) to provide, and provides, such 
services,
     Advertisements, notices, or statements relative to such 
services, or
     Consultation activities relative to such services.
    As is the case throughout these regulations, understanding all 
defined terms is important. In the case of the definition of 
``Program'' and how it

[[Page 6996]]

relates to the applicability of these regulations (see Sec.  2.12), two 
other definitions are particularly relevant: ``Diagnosis,'' and 
``Treatment.'' See Sec.  2.11 of the proposed regulations for the 
definitions of ``Diagnosis'' and ``Treatment.''
ix. Qualified Service Organization
    A qualified service organization (QSO) is an individual or entity 
(see definition of ``Person,'' above) that provides a service to a part 
2 program consistent with a qualified service organization agreement 
(QSOA). A QSOA is a two-way agreement between a part 2 program and the 
individual or entity providing the desired service. Under the current 
statutory authority, patient records pertaining to substance abuse may 
be shared only with the prior written consent of the patient or under a 
few limited exceptions that are specifically enumerated in 42 U.S.C. 
290dd-2. However, Sec.  2.12(c)(4) indicates that these restrictions on 
disclosure do not apply to communications between a part 2 program and 
a QSO regarding information needed by the QSO to provide services to 
the part 2 program consistent with the QSOA. Accordingly, SAMHSA has 
consistently articulated in applicable guidance that a QSO would be 
permitted to disclose the part 2 information to a contract agent if it 
needs to do so in order to provide the services described in the QSOA, 
and as long as the agent only discloses the information back to the QSO 
or the part 2 program from which the information originated. If a 
disclosure is made by the QSO to an agent acting on its behalf to 
perform the service, both the QSO and the agent are bound by the part 2 
regulations, and neither organization can disclose the information 
except as permitted by part 2 and SAMHSA's interpretive guidance.
    Recognizing the importance of population health management, SAMHSA 
proposes to revise the definition of QSO to include population health 
management in the list of examples of services a QSO may provide. 
Population health management refers to increasing desired health 
outcomes and conditions through monitoring and identifying individual 
patients within a group. To achieve the best outcomes, providers must 
supply proactive, preventive, and chronic care to all of their 
patients, both during and between encounters with the health care 
system. For patients with substance use disorders, who often have 
comorbid conditions, proactive, preventive, and chronic care is 
important to achieving desired outcomes.
    Any QSOA executed between a part 2 program and an organization 
providing population health management services would be limited to the 
office or unit responsible for population health management in the 
organization (e.g., the ACO, CCO, patient-centered medical home 
(sometimes called health home), or managed care organization), not the 
entire organization and not its participants (e.g., case managers, 
physicians, addiction counselors, hospitals, and clinics). Once a QSOA 
is in place, 42 CFR part 2 permits the part 2 program to communicate 
information from patients' records to the organization providing 
population health management services as long as it is limited to 
information needed by the organization to provide such services to the 
part 2 program. An organization providing population health management 
services may disclose part 2 information that it has received from a 
part 2 program to its participants (other than the originating part 2 
program) only if the patient signs a part 2-compliant consent form 
agreeing to those disclosures.
    SAMHSA's proposal to add population health management to the list 
of examples of the services that may be offered by a QSO is consistent 
with the Affordable Care Act (Patient Protection and Affordable Care 
Act of 2010 (Pub. L. 111-148)) and the HHS Strategic Plan FY 2014-2018 
which includes the goals of improving health care and population health 
through meaningful use of health IT. We believe this revision would 
benefit patients' health, safety, and quality of life while maintaining 
the confidentiality protections that attach to the part 2 program's 
patient records.
    SAMHSA also proposes to revise the term ``medical services'' as 
listed in the examples of permissible services offered by a QSO to 
clarify that it is limited to ``medical staffing services.'' SAMHSA 
proposes to make this revision to emphasize that QSOAs should not be 
used to avoid obtaining patient consent. Accordingly, a QSOA could be 
used by a part 2 program to contract with a provider of on-call 
coverage services (previously clarified in guidance) or other medical 
staffing services but could not be used to disclose John Doe's patient 
identifying information to his primary care doctor for the purpose of 
treatment (other than that provided under a QSOA for medical staffing 
services). However, an individual or entity who is prohibited from 
providing treatment to an individual patient under a QSOA, may still 
meet the requirements of having a treating provider relationship (based 
on the definition in Sec.  2.11) with respect to the Consent 
Requirements in Sec.  2.31. Likewise, care coordination was not added 
to the list of examples of permissible services offered by a QSO 
because care coordination has a patient treatment component.
x. Records
    Consistent with the goal of modernizing the regulations, SAMHSA 
proposes to revise the definition of ``Records'' to include any 
information, whether recorded or not, received or acquired by a part 2 
program relating to a patient. For the purpose of these regulations, 
records include both paper and electronic records.
xi. Treatment
    As part of its effort to modernize these regulations, SAMHSA is 
proposing to delete the term, ``management,'' from the ``Treatment'' 
definition. In today's health care environment, ``management'' has a 
much broader meaning than it did when the regulations were last 
revised.
c. Terminology Changes
    In addition to proposing changes to several definitions, we propose 
the following terminology changes. These changes are intended to ensure 
consistency in the use of terms throughout the regulations, and to 
increase the understandability of the proposed rule.
    The current regulations use a variety of terms to refer to law 
enforcement (e.g., ``office,'' ``agency or official,'' and 
``authorities'') as well as using related terms (e.g., ``persons or 
individuals within the criminal justice system''. We propose to 
consistently refer to law enforcement as ``law enforcement agencies or 
officials.'' In addition, the current regulations use the terms 
``organization'' and ``entity.'' Neither term is defined but ``entity'' 
is included in both the definition of ``Program'' and ``Person.'' For 
this reason, we propose to use the term ``entity'' instead of 
``organization'' wherever possible. Finally, because we have revised 
the definition of ``Patient'' to clarify that it includes both current 
and former patients, we have revised the grammar, where appropriate.
    For the purposes of this regulation, we also propose that the term 
``written'' include both paper and electronic documentation. In 
addition, we propose to use the phrase ``part 2 program or other lawful 
holder of patient identifying information'' to refer to a part 2 
program or other individual or entity that is in lawful possession of 
patient identifying information. A

[[Page 6997]]

``lawful holder'' of patient identifying information is an individual 
or entity who has received such information as the result of a part 2-
compliant patient consent (with a re-disclosure notice) or as a result 
of one of the limited exceptions to the consent requirements specified 
in the regulations and, therefore, is bound by 42 CFR part 2. Examples 
of such ``lawful holders'' of patient identifying information include a 
patient's treating provider, a hospital emergency room, an insurance 
company, an individual or entity performing an audit or evaluation, or 
an individual or entity conducting scientific research. We are not 
making any specific proposals with regard to ``unlawful holders'' of 
patient identifying information in this NPRM because unlawful holders 
are addressed in Sec.  2.3 Criminal penalty for violation.
    A patient who has obtained a copy of their records or a family 
member who has received such information from a patient would not be 
considered a ``lawful holder of patient identifying information'' in 
this context. As stated in Sec.  2.23(a), the regulations do not 
prohibit a part 2 program from giving a patient access to their own 
records, including the opportunity to inspect and copy any records that 
the part 2 program maintains about the patient. The part 2 program is 
not required to obtain a patient's written consent or other 
authorization under these regulations in order to provide such access 
to the patient or their legal representative.

C. Applicability (Sec.  2.12)

1. Overview
    The 1987 regulations (52 FR 21798) limited the applicability of 42 
CFR part 2 to specialized programs, (i.e., to those federally assisted 
programs that hold themselves out as providing and which actually 
provide alcohol or drug abuse diagnosis, treatment, and referral for 
treatment). HHS took the position that limiting the applicability to 
specialized programs would simplify the administration of the 
regulations without significantly affecting the incentive to seek 
treatment provided by the confidentiality protections. Applicability to 
specialized programs lessened the adverse economic impact on a 
substantial number of facilities that provided substance use disorder 
care only as an incident to the provision of general medical care.
2. Proposed Revisions
    SAMHSA considered options for defining what information is covered 
by 42 CFR part 2, including the option of defining covered information 
based on the type of substance use disorder treatment services provided 
instead of the type of facility providing the services. SAMHSA, 
however, rejected that approach because more substance use disorder 
treatment services are occurring in general health care and integrated 
care settings, which typically are not covered under the current 
regulations. Providers who in the past offered only general or 
specialized health care services (other than substance use disorder 
services) now, on occasion, provide substance use disorder treatment 
services, but only as incident to the provision of general health care.
    As discussed in Section III.B.2.b., Existing Definitions, we 
propose to revise the definition of ``Program'' to align it more 
closely with current health care delivery models. SAMHSA proposes to 
make clear that paragraph (1) of the definition of ``Program'' would 
not apply to ``general medical facilities'' and ``general medical 
practices.'' However, paragraphs (2) and (3) of the definition of 
``Program'' would apply to ``general medical facilities'' and ``general 
medical practices.''
    SAMHSA also proposes to include the term ``Part 2 program,'' as 
discussed in Section III.B.2.a.i. The definition of ``Program'' in 
Sec.  2.11 did not explicitly include ``Federally assisted as defined 
in Sec.  2.12(b)''. As a result, we are proposing to add a definition 
of ``Part 2 program.'' We propose to define the term and to use the 
term ``Part 2 program,'' where appropriate, throughout the proposed 
regulations.
    This approach is consistent with the approach taken in 1987 because 
it essentially limits the applicability of 42 CFR part 2 to specialized 
programs, which simplifies the administration of the regulations 
without significantly affecting the incentive to seek treatment 
provided by the confidentiality protections. We do not foresee that the 
exclusion from part 2 coverage of health care providers who work in 
general medical practices and provide substance use disorder treatment 
services as incident to the provision of general health care would act 
as a deterrent to individuals seeking assistance for substance use 
disorders.
    In addition, in the current regulation, Sec.  2.12(d)(2)(iii), 
restrictions on disclosures apply to individuals or entities who have 
received patient records directly from part 2 programs. SAMHSA proposes 
to revise Sec.  2.12(d)(2)(iii) so that restrictions on disclosures 
also apply to individuals or entities who receive patient records 
directly from other lawful holders of patient identifying information. 
This change is consistent with the discussion of ``other lawful holder 
of patient identifying information'' in the preamble discussion in 
Terminology Changes in Section III.B.2.c. and the proposed inclusion of 
this term in other sections of this NPRM. Patient records subject to 
these regulations include patient records maintained by part 2 programs 
as well as those records in the possession of ``other lawful holders of 
patient identifying information.''

D. Confidentiality Restrictions and Safeguards (Sec.  2.13)

1. Overview
    Currently, 42 CFR part 2 does not include a way for patients to 
determine to whom their records have been disclosed.
2. Proposed Revisions
    As discussed in Section G., Consent Requirements (Sec.  2.31), 
SAMHSA proposes to permit, in certain circumstances, the inclusion of a 
general designation in the ``To Whom'' section of the consent form. 
Specifically, in the case of an entity that does not have a treating 
provider relationship with the patient whose information is being 
disclosed, SAMHSA proposes to permit the designation of the name(s) of 
the entity(-ies) and a general designation of an individual or entity 
participant(s) or a class of participants that must be limited to those 
participants who have a treating provider relationship with the patient 
whose information is being disclosed. An entity without a treating 
provider relationship includes, for example, an entity that facilitates 
the exchange of health information (e.g., HIE). The consent form, 
therefore, could designate the HIE (an entity that does not have a 
treating provider relationship with the patient whose information is 
being disclosed) and ``my treating providers'' (a general designation 
of a class of individual and/or entity participants with a treating 
provider relationship with that same patient). Under this proposal, the 
consent form could not, however, include the general function ``HIE'' 
without specifying the name of the HIE entity used by the treating 
provider. Under this proposal, merely listing a function is not 
sufficient for consent because it would not sufficiently identify the 
recipient of the patient identifying information. Since SAMHSA is 
proposing to allow a general designation in the circumstances discussed 
above, we are proposing that, upon request, patients who have included 
a general

[[Page 6998]]

designation in the ``To Whom'' section of their consent form must be 
provided, by the entity without a treating provider relationship that 
serves as an intermediary (see Sec.  2.31(a)(4)(iv)), a list of 
entities to which their information has been disclosed pursuant to the 
general designation (List of Disclosures).
    SAMHSA is proposing to require that the list of disclosures include 
a list of the entities to which the information was disclosed pursuant 
a general designation. However, if entities that are required to comply 
with the List of Disclosures requirement wish to include individuals on 
the list of disclosures, in addition to the required data elements 
which are outlined in Sec.  2.13(d)(2)(ii), nothing in this proposed 
rule prohibits it.
    SAMHSA considered requiring both individuals and entities to be 
included on the list of disclosures but, after reviewing the Health 
Information Technology Privacy Committee's recommendations, decided to 
require, at a minimum, a list of entities. These recommendations 
addressed the HITECH requirement that HIPAA covered entities and 
business associates account for disclosures for treatment, payment, and 
health care operations made through an EHR. The Committee recommended, 
``that the content of the disclosure report be required to include only 
an entity name rather than a specific individual as proposed in the 
NPRM.'' In addition, the report noted that the Organization for 
Economic Cooperation and Development (OECD) principles, the Fair Credit 
Reporting Act, and the Privacy Act of 1974 do not require that the 
names of individuals be provided.
    SAMHSA proposes that individuals who received patient identifying 
information pursuant to the general designation on a consent form 
should be included on the List of Disclosures based on an entity 
affiliation, such as the name of their practice or place of employment. 
Patients who wish to know the name of the individual to whom their 
information was disclosed may ask the entity on the List of Disclosures 
to provide that information, however, 42 CFR part 2 would not require 
the entity to comply with a patient's request.
    In order to allow time to develop, test, and implement advanced 
technology to more efficiently comply with this requirement, SAMHSA is 
proposing that the List of Disclosures requirement become effective two 
years after the effective date of the final rule. Some entities may be 
able to comply with this requirement without developing and 
implementing new technologies. In addition, entities that use and 
disclose primarily paper records could easily implement a system, if 
one does not already exist, such as a sign-out/sign-in log, that could 
be used to generate such a list. SAMHSA anticipates that there will be 
few requests based on the relatively small number of accounting 
requests that most covered entities have received to date under the 
HIPAA Accounting for Disclosures rule, according to some anecdotal 
reports.
    SAMHSA is proposing that patient requests for a list of entities to 
which their information has been disclosed must be in writing and 
limited to disclosures made within the past two years. Consistent with 
the preamble discussion of terminology (Sec.  2.11, Definitions), 
``written'' includes both paper and electronic documentation. A request 
letter addressed to the entity that disclosed the information might 
include language such as: ``I am writing to request a list of the 
entities to which my information has been disclosed within the past two 
years. This request is consistent with 42 CFR 2.13, which also includes 
the requirements for your response. Thank you for your assistance.''
    In addition, SAMHSA is proposing that entities named on the consent 
form that disclose information to their participants under the general 
designation (entities without a treating provider relationship that 
serve as intermediaries) must respond to requests for a list of 
disclosures in 30 or fewer calendar days of receipt of the request. 
Responses sent to the patient electronically may be sent by encrypted 
transmission (e.g., email), or by unencrypted email at the request of 
the patient, so long as the patient has been informed of the potential 
risks associated with unsecured transmission. Patients should be 
notified that there may be some level of risk that the information in 
an unencrypted email could be read by a third party. If patients are 
notified of the risks and still prefer unencrypted email, the patient 
has the right to receive the information in that way, and entities are 
not responsible for unauthorized access of the information while in 
transmission to the patient based on the patient's request.
    Before using an unsecured method to respond to a request for a list 
of disclosures, an entity should take certain precautions, such as 
checking an email address for accuracy before sending it or sending an 
email alert to the patient for address confirmation to avoid unintended 
disclosures. Patients may also request that the entity communicate with 
them by an alternative means or at an alternative location. Responses 
sent by mail may be sent by United States Postal Service first class 
mail, an equivalent service, or a service with additional security 
features (e.g., tracking). The response must include the name of the 
entity to which each disclosure was made, the date of the disclosure, 
and a brief description of the information disclosed. The brief 
description of the information disclosed must have sufficient 
specificity to be understandable to the patient. An example of a brief 
description of the information disclosed is a copy of the written 
request for disclosure. This requirement to provide a list of 
disclosures cannot be satisfied by providing patients with a list (or 
web address) of entities that potentially could receive their patient 
identifying information.
    This proposed revision would facilitate patients' participation in 
advances in the health care delivery system by increasing their 
confidence that they could be informed, upon request, of who received 
their information pursuant to a general designation on the consent 
form.
    In addition, confirming the identity of an individual who is not 
and has never been a patient while remaining silent on the identity of 
an actual patient could, by inference, compromise patient privacy. For 
example, if a reporter is inquiring about five individuals and only Mr. 
Smith is not and never has been a patient, by confirming that Mr. Smith 
is not and never has been a patient and remaining silent on the other 
four individuals, the part 2 program could enable the reporter to 
conclude that the other four individuals either are patients or have 
been patients. Therefore, SAMHSA is proposing to remove the concept 
from Sec.  2.13(c)(2) that the regulations do not restrict a disclosure 
that an identified individual is not and never has been a patient. If 
confirming the identity of an individual who is not and never has been 
a patient, caution should be used so as not to make an inadvertent 
disclosure with respect to one or more other individuals. This proposed 
rule does not prohibit entities that receive a request for information 
about an individual from refusing to disclose any information 
regardless of whether the individual is or ever has been a patient(s).

E. Security for Records (Sec.  2.16)

1. Overview
    Currently, the Security for Written Records section in Sec.  2.16 
addresses the maintenance, disclosure, access to, and

[[Page 6999]]

use of written records. This section, however, addresses paper, but not 
electronic records.
2. Proposed Revisions
    SAMHSA is proposing to modernize this section to address both paper 
and, in light of the steady increase in the adoption of health IT, 
electronic records. Specifically, SAMHSA proposes to revise the heading 
by deleting the word ``written'' so that it now reads: Security for 
Records. SAMHSA also proposes to clarify that this section requires 
both part 2 programs and other lawful holders of patient identifying 
information to have in place formal policies and procedures for the 
security of both paper and electronic records. These formal policies 
and procedures are intended to ensure protection of patient identifying 
information when records are exchanged electronically using health IT 
as well as when they are exchanged using paper records. The formal 
policies and procedures must reasonably protect against unauthorized 
uses and disclosures of patient identifying information and protect 
against reasonably anticipated threats or hazards to the security of 
patient identifying information. The formal policies and procedures 
must address, among other things, the sanitization of hard copy and 
electronic media, which is addressed in the preamble discussion of 
Disposition of Records by Discontinued Programs (Sec.  2.19). Suggested 
resources for part 2 programs and other lawful holders developing 
formal policies and procedures include materials from the HHS Office 
for Civil Rights (e.g., Guidance Regarding Methods for De-
identification of Protected Health Information in Accordance with the 
Health Insurance Portability and Accountability Act (HIPAA) Privacy 
Rule), and the National Institute of Standards and Technology (NIST) 
(e.g., the most current version of the Special Publication 800-88, 
Guidelines for Media Sanitization).
    The proposed regulations provide further guidance for these 
policies and procedures. Finally, we are proposing to replace language 
in other sections of the proposed rule with a reference to the policies 
and procedures established under Sec.  2.16, where applicable.

F. Disposition of Records by Discontinued Programs (Sec.  2.19)

1. Overview
    As with Sec.  2.16, the Disposition of Records by Discontinued 
Programs section in the current regulations do not address electronic 
records.
2. Proposed Revisions
    SAMHSA proposes to modernize this section to address both paper and 
electronic records. Specifically, we propose to address the disposition 
of both paper and electronic records by discontinued programs, and add 
requirements for sanitizing paper and electronic media. By sanitizing 
paper or electronic media, we mean to render the data stored on the 
media non-retrievable. Sanitizing electronic media is distinctly 
different from deleting electronic records and may involve clearing 
(using software or hardware products to overwrite media with non-
sensitive data) or purging (degaussing or exposing the media to a 
strong magnetic field in order to disrupt the recorded magnetic 
domains) the information from the electronic media. If circumstances 
warrant the destruction of the electronic media prior to disposal, 
destruction methods may include disintegrating, pulverizing, melting, 
incinerating, or shredding the media. Because failure to ensure total 
destruction of patient identifying information may lead to the 
unauthorized disclosure of sensitive information regarding a patient's 
substance use disorder history, SAMHSA expects the process of 
sanitizing paper (including printer and FAX ribbons, drums, etc.) or 
electronic media to be permanent and irreversible, so that there is no 
reasonable risk that the information may be recovered. This result is 
best achieved by sanitizing the paper or electronic media in a manner 
consistent with the most current version of the NIST Special 
Publication 800-88, Guidelines for Media Sanitization. SAMHSA also is 
proposing to reference the formal security policies and procedures for 
both paper and electronic records established under Sec.  2.16.

 G. Notice to Patients of Federal Confidentiality Requirements (Sec.  
2.22)

1. Overview
    Currently, Sec.  2.22 lists the requirements of a notice to 
patients of the federal confidentiality requirements, including giving 
the patient a summary in writing of the federal law and regulations. As 
with other sections in the current regulations, this section requires 
that the notice to patients be in writing, but does not address 
electronic formats.
2. Proposed Revisions
    SAMHSA proposes to continue to require that patients be given a 
summary in writing of the federal law and regulations. Consistent with 
the Preamble discussion in Terminology Changes in Section III.B.2.c., 
the term ``written'' includes both paper and electronic documentation. 
We, therefore, propose to permit the notice to patients to be either on 
paper or in an electronic format. SAMHSA also proposes to require the 
statement regarding the reporting of violations to include contact 
information for the appropriate authorities. The reporting of any 
violation of these regulations may be directed to the U.S. Attorney for 
the judicial district in which the violation occurs and the report of 
any violation of these regulations by an opioid treatment program may 
also be directed to the SAMHSA office responsible for opioid treatment 
program oversight (see Sec.  2.4 of the proposed rule). SAMHSA is 
considering whether to issue guidance at a later date that includes a 
sample notice.
    Although it is not a proposed requirement, SAMHSA encourages the 
part 2 program to be sensitive to the cultural composition of its 
patient population when considering whether the notice should also be 
provided in a language(s) other than English (e.g., Spanish).

H. Consent Requirements (Sec.  2.31)

1. Overview
    SAMHSA has heard a number of concerns from individuals regarding 
the current consent requirements of 42 CFR part 2. In particular, 
stakeholders expressed concern that the current requirements for 
sharing patient records covered by part 2 deter patients from 
participating in HIEs, ACOs, CCOs, and similar organizations. While 
technical solutions for managing consent collection, such as data 
segmentation, are possible, they are not widely incorporated into 
existing systems.
2. Proposed Revisions
    SAMHSA examined the consent requirements in Sec.  2.31 to explore 
options for facilitating the sharing of information within the health 
care context while ensuring the patient is fully informed and the 
necessary protections are in place. As a result, we propose several 
changes to this section. First, we propose to revise the section 
heading from ``Form of written consent'' to ``Consent requirements.'' 
SAMHSA also proposes to make revisions in three sections of the consent 
form requirements: The ``To Whom'' section, the ``Amount and Kind'' 
section, and the ``From Whom'' section. SAMHSA also is proposing to 
require a part 2 program or other lawful holder of patient identifying 
information to obtain written confirmation from the patient

[[Page 7000]]

that they understand both the terms of their consent and, when using a 
general designation in the ``To Whom'' section of the consent form (see 
Section III.H.2.a., To Whom, below), that they have the right to 
obtain, upon request, a list of entities to which their information has 
been disclosed pursuant to the general designation. In addition, SAMHSA 
is proposing to permit electronic signatures to the extent that they 
are not prohibited by any applicable law. SAMHSA is considering whether 
to issue guidance at a later date that includes a sample consent form.
    As mentioned in Section III.C.2.a., New Definitions, SAMHSA is 
proposing to include a new definition of ``Treating provider 
relationship'' in Sec.  2.11. Finally, as a result of these proposed 
revisions, we renumbered the subsections accordingly.
a. To Whom
i. Overview
    Section 2.31(a)(2) of the current regulations requires that a 
consent form include the name or title of the individual or the name of 
the organization to which disclosure is to be made as part of the 
patient's written consent to the disclosure of their records regulated 
by 42 CFR part 2. The intent of the specificity required in the ``To 
Whom'' section was for the patient to be able to identify, at the point 
of consent, exactly who they are authorizing to receive their 
information.
    Some stakeholders have reported that the requirement in 42 CFR 
2.31(a)(2) for the name of the individual or organization that will be 
the recipient of the patient identifying information makes it difficult 
to include programs covered by the regulations in organizations that 
facilitate the exchange of health information or coordinate care (e.g., 
HIEs, ACOs, and CCOs). These organizations have a large and growing 
number of participants and may not have consent management 
capabilities. Under the current regulations, if a new participant joins 
an HIE, ACO, CCO, or other similar entity after a consent is signed, 
and a patient later goes to that new participant for treatment, part 2 
would require that the new participant obtain the patient's consent to 
receive the patient's information. Because of the reported burdens 
associated with the collection of updated consent forms whenever new 
participants join one of these organizations, some stakeholders have 
indicated that they are currently not including substance use disorder 
treatment information in their systems.
ii. Proposed Revisions
    SAMHSA is proposing to move the current Sec.  2.31(a)(2), ``To 
Whom,'' to Sec.  2.31(a)(4). In the following discussion of the ``To 
Whom'' section of the consent form and in the regulatory text, SAMHSA 
makes a distinction between individuals and entities who have a 
treating provider relationship with the patient and those who do not. 
As discussed in Sec.  2.11, SAMHSA proposes to define the term 
``Treating provider relationship'' to provide that regardless of 
whether there has been an actual in-person encounter, (a) a patient 
agrees to be diagnosed, evaluated and/or treated for any condition by 
an individual or entity and (b) the individual or entity agrees to 
undertake diagnosis, evaluation and/or treatment of the patient, or 
consultation with the patient, for any condition.
    Based on this definition, SAMHSA considers an entity to have a 
treating provider relationship with a patient if the entity employs or 
privileges one or more individuals who have a treating provider 
relationship with the patient.
    SAMHSA is continuing to permit the name(s) of the individual(s) to 
whom a disclosure is to be made to be designated in the ``To Whom'' 
section of the consent form (e.g., Jane Doe, MD; John Doe; or George 
Jones, JD). Because SAMHSA also is proposing to allow, in certain 
circumstances, a general designation, we propose to eliminate the 
current option of designating only a title of an individual (e.g., 
Chief of Pediatrics at Lakeview County Hospital). SAMHSA also proposes 
to revise the requirements for designating the name of an entity, as 
discussed below.
    In the case of an entity that has a treating provider relationship 
with the patient whose information is being disclosed, SAMHSA is 
proposing to permit the designation of the name of the entity without 
requiring any further designations (as is required for an entity that 
does not have a treating provider relationship with the patient whose 
information is being disclosed, see below). For example, the consent 
form could specify any of the following names of entities: Lakeview 
County Hospital, ABC Health Care Clinic, or Jane Doe & Associates 
Medical Practice.
    In the case of an entity that does not have a treating provider 
relationship with the patient whose information is being disclosed and 
is a third-party payer that requires patient identifying information 
for the purpose of reimbursement for services rendered to the patient 
by the part 2 program, SAMHSA proposes to permit the designation of the 
name of the entity (e.g., Medicare).
    In the case of an entity that does not have a treating provider 
relationship with the patient whose information is being disclosed and 
is not covered by Sec.  2.31(a)(4)(iii) (i.e., the provision regarding 
third-party payers), SAMHSA proposes to permit the designation of the 
name(s) of the entity(-ies) and at least one of the following: (1) The 
name(s) of an individual participant(s); (2) the name(s) of an entity 
participant(s) that has a treating provider relationship with the 
patient whose information is being disclosed; or (3) a general 
designation of an individual or entity participant(s) or a class of 
participants that must be limited to those participants who have a 
treating provider relationship with the patient whose information is 
being disclosed. Examples of an entity without a treating provider 
relationship include an entity that facilitates the exchange of health 
information (e.g., HIE) or a research institution. The consent form, 
therefore, could designate the HIE (an entity that does not have a 
treating provider relationship with the patient whose information is 
being disclosed) and Drs. Jones and Smith, and County Memorial Hospital 
(all participants in the HIE with a treating provider relationship with 
that same patient). Likewise, the consent form could designate the HIE 
(an entity that does not have a treating provider relationship with the 
patient whose information is being disclosed) and ``my treating 
providers'' (a general designation of an individual or entity) 
participant(s) or a class of individual and/or entity participants with 
a treating provider relationship with the patient whose information is 
being disclosed).
    In the case of a research institution, a ``participant'' could be a 
clinical researcher with a treating provider relationship with the 
patient whose information is being disclosed, or a general researcher 
who does not have a treating provider relationship with the patient 
whose information is being disclosed. The clinical researcher could be 
included as ``my treating provider'' in a general designation on the 
consent form, whereas the general researcher would have to be named on 
the consent form. Alternatively, a research institution could obtain 
patient identifying information without consent if it meets the 
requirements in Sec.  2.52.
    If a general designation is used, the entity must have a mechanism 
in place to determine whether a treating provider relationship exists 
with the patient whose information is being disclosed.

[[Page 7001]]

We encourage innovative solutions to implement this provision. For 
example, the HIE in the aforementioned example could have a policy in 
place requiring their participating providers to attest to having a 
treating provider relationship with the patient. Likewise, the HIE 
could provide a patient portal that permits patients to designate 
treating providers as members of ``my health care team'' or ``my 
treating providers.''
    Improving the quality of substance use disorder care depends on 
effective collaboration of mental health, substance use disorder, 
general health care, and other service providers in coordinating 
patient care. However, the composition of a health care team varies 
widely among entities. Because SAMHSA wants to ensure that patient 
identifying information is only disclosed to those individuals and 
entities on the health care team with a need to know this sensitive 
information, we are limiting a general designation to those individuals 
or entities with a treating provider relationship. Patients may further 
designate their treating providers as ``past,'' ``current,'' and/or 
``future'' treating providers. In addition, a patient may designate, by 
name, one or more individuals on their health care team with whom they 
do not have a treating provider relationship.
    SAMHSA proposes to balance the flexibility afforded by the general 
designation in the ``To Whom'' section by adding a new confidentiality 
safeguard: List of Disclosures (Sec.  2.13(d)). The List of Disclosures 
provision allows patients who have included a general designation in 
the ``To Whom'' section of their consent form to request and be 
provided a list of entities to which their information has been 
disclosed pursuant to the general designation. In addition, when using 
a general designation, a statement must be included on the consent form 
noting that, by signing the consent form, the patient confirms their 
understanding of the List of Disclosures provision.
    Many new integrated care models rely on interoperable health IT and 
these proposed changes are expected to support the integration of 
substance use disorder treatment into primary and other specialty care, 
improving the patient experience, clinical outcomes, and patient safety 
while at the same time ensuring patient choice, confidentiality, and 
privacy.
    The following table provides an overview of the options permitted 
when completing the designation in the ``To Whom'' section of the 
proposed consent form.

Designating Individuals and Organizations in the ``To Whom'' Section of 
the Consent Form

----------------------------------------------------------------------------------------------------------------
                                                      Treating
                                                      provider
                                  Individual or     relationship
          42 CFR 2.31            entity to whom     with patient     Primary designation         Additional
                                disclosure is to        whose                                   designation
                                     be made       information is
                                                   being disclosed
----------------------------------------------------------------------------------------------------------------
(a)(4)(i).....................  Individual......  Yes.............  Name of individual(s)  None.
                                                                     (e.g., Jane Doe, MD).
(a)(4)(i).....................  Individual......  No..............  Name of individual(s)  None.
                                                                     (e.g., John Doe).
(a)(4)(ii)....................  Entity..........  Yes.............  Name of entity (e.g.,  None.
                                                                     Lakeview County
                                                                     Hospital).
(a)(4)(iii)...................  Entity..........  No..............  Name of entity that    None.
                                                                     is a third-party
                                                                     payer as specified
                                                                     under Sec.
                                                                     2.31(a)(4)(iii)
                                                                     (e.g., Medicare).
(a)(4)(iv)....................  Entity..........  No..............  Name of entity that    At least one of the
                                                                     is not covered by      following:
                                                                     Sec.                  1. The name(s) of an
                                                                     2.31(a)(4)(iii)        individual
                                                                     (e.g., HIE, or         participant(s) (e.g.
                                                                     research               Jane Doe, MD, or
                                                                     institution).          John Doe).
                                                                                           2. The name(s) of an
                                                                                            entity
                                                                                            participant(s) with
                                                                                            a treating provider
                                                                                            relationship with
                                                                                            the patient whose
                                                                                            information is being
                                                                                            disclosed (e.g.,
                                                                                            Lakeview County
                                                                                            Hospital).
                                                                                           3. A general
                                                                                            designation of an
                                                                                            individual or entity
                                                                                            participant(s) or a
                                                                                            class of
                                                                                            participants limited
                                                                                            to those
                                                                                            participants who
                                                                                            have a treating
                                                                                            provider
                                                                                            relationship with
                                                                                            the patient whose
                                                                                            information is being
                                                                                            disclosed (e.g., my
                                                                                            current and future
                                                                                            treating providers).
----------------------------------------------------------------------------------------------------------------

    SAMHSA is seeking public comment on an alternative approach to the 
proposed required elements for the ``To Whom'' section of the consent 
form. The current part 2 required elements for the ``To Whom'' section 
of written consent are the name or title of the individual or the name 
of the organization to which the disclosure is to be made. The term 
``organization'' is not defined in the current regulations, but SAMHSA 
has interpreted the term narrowly in guidance to mean that information 
can be sent to a lead organization but the information cannot flow from 
the lead organization to organization members or participants. 
Historically, that meant that all members or participants of an 
organization would need to be listed on the consent form and a new 
consent form would need to be obtained each time a new provider joined 
the organization.
    SAMHSA's alternative approach reflects the same policy goal as the 
proposed regulation text (i.e., allowing more flexibility in the ``To 
Whom'' section of the consent form) while attempting to simplify the 
language that would appear on the consent form. This alternative 
approach would not change the existing language in the ``To Whom'' 
section of the consent form.
    Under this alternative approach, SAMHSA would add a definition of 
``organization'' to Sec.  2.11. Organization would mean, for purposes 
of Sec.  2.31, (a) an organization that is a treating provider of the 
patient whose

[[Page 7002]]

information is being disclosed; or (b) an organization that is a third-
party payer that requires patient identifying information for the 
purpose of reimbursement for services rendered to the patient by a part 
2 program; or (c) an organization that is not a treating provider of 
the patient whose information is being disclosed but that serves as an 
intermediary in implementing the patient's consent by providing patient 
identifying information to its members or participants that have a 
treating provider relationship, as defined in Sec.  2.11, or as 
otherwise specified by the patient.
    Paragraph (a) of this definition relies on the definition of 
``Treating provider relationship'' as defined in Sec.  2.11. SAMHSA 
considers an organization to be a treating provider of a patient if the 
organization employs or privileges one or more individuals who have a 
treating provider relationship(s) with the ``patient.''
    Paragraph (b) of this definition refers to an organization that is 
not a treating provider of the patient whose information is being 
disclosed but that requires patient identifying information in 
connection with its role as a third-party payer for the purpose of 
reimbursement for services rendered to the patient (e.g., Medicare).
    Paragraph (c) of this definition refers to an organization that is 
not a treating provider of the patient whose information is being 
disclosed but that serves as an intermediary in implementing the 
patient consent. It permits these organizations to further disclose 
patient identifying information to its members or participants that 
have a treating provider relationship with the patient. It also allows 
the patient to specify further instructions for re-disclosure to the 
organization's members or participants.
    In all instances, patient identifying information should only be 
disclosed to those individuals and organizations in accordance with the 
purpose stated by the patient on the signed consent form and only to 
those individuals with a need to know this sensitive information.
    SAMHSA is seeking public comment on the advantages and 
disadvantages of this alternative approach as compared to SAMHSA's 
proposed approach. If commenters believe the definition of 
``organization'' in the alternative approach should be broader, please 
include proposals for alternate or additional required elements for the 
consent form that facilitate the sharing of information within the 
health care context while ensuring the patient is fully informed of the 
individuals and organizations that potentially could receive their 
patient identifying information and that the necessary protections are 
in place.
    To consider this alternative approach, SAMHSA would require 
resolution of several issues. Therefore, SAMHSA is also seeking public 
comment on the following questions:
    (1) To allow patients to determine which specific members or 
participants are authorized to receive their information from an 
organization that serves an intermediary in paragraph (c) of the 
proposed organization definition in SAMSHA's alternative approach, what 
additional elements would need to be required on the consent form?
    (2) How would the List of Disclosures requirement be applied under 
a broad definition of organization? Should the requirement be applied 
only to paragraph (c) of the proposed organization definition in 
SAMHSA's alternative approach or should different safeguards replace or 
supplement the List of Disclosures requirement?
b. Amount and Kind
i. Overview
    Section 2.31(a)(5) currently requires the consent to include how 
much and what kind of information is to be disclosed. Because we are 
proposing to allow the ``To Whom'' section of the consent form to 
include a general designation under certain circumstances, we want 
patients to be aware of the information they are authorizing to 
disclose when they sign the consent form.
ii. Proposed Revisions
    SAMHSA is proposing to move the current Sec.  2.31(a)(5), ``Amount 
and Kind,'' to Sec.  2.31(a)(3) and revise the provision to require the 
consent form to explicitly describe the substance use disorder-related 
information to be disclosed. The types of information that might be 
requested include diagnostic information, medications and dosages, lab 
tests, allergies, substance use history summaries, trauma history 
summary, employment information, living situation and social supports, 
and claims/encounter data. The designation of the ``Amount and Kind'' 
of information to be disclosed must have sufficient specificity to 
allow the disclosing program or other entity to comply with the 
request. For example, the description may include: ``medications and 
dosages, including substance use disorder-related medications,'' or 
``all of my substance use disorder-related claims/encounter data.'' 
Examples of unacceptable descriptions would be ``all of my records'' 
(does not address the substance use disorder-related information to be 
disclosed) and ``only my substance use disorder records my family knows 
about'' (lacks specificity).
c. From Whom
i. Overview
    Section 2.31 currently requires the specific name or general 
designation of the program or person permitted to make the disclosure. 
In 1987, the requirement for the ``From Whom'' section of the consent 
form was broadened to the current requirement to permit a patient to 
consent to either a disclosure from a category of facilities or from a 
single specified program.
ii. Proposed Revisions
    SAMHSA is proposing to move the current Sec.  2.31(a)(1), ``From 
Whom,'' to Sec.  2.31(a)(2). Because SAMHSA is now allowing, in certain 
instances, a general designation in the ``To Whom'' section of the 
consent form, we propose to require the ``From Whom'' section of the 
consent form to specifically name the part 2 program(s) or other lawful 
holder(s) of the patient identifying information permitted to make the 
disclosure. This revision would avoid any unintended consequences of 
including general designations in both the ``From Whom'' and ``To 
Whom'' sections. For example, the patient may be unaware of possible 
permutations of combining the two broad designations to which they are 
consenting, especially if these designations include future unnamed 
treating providers.
d. New Requirements
i. Overview
    Currently, the consent requirements do not include any requirement 
that the patient confirms their understanding of the information on the 
consent form.
ii. Proposed Revisions
    As discussed in the proposed revisions to the ``To Whom'' section, 
SAMHSA proposes to add two new requirements related to the patient's 
signing of the consent form. The first would require the part 2 program 
or other lawful holder of patient identifying information to include a 
statement on the consent form that the patient understands the terms of 
their consent. The second would require the part 2 program or other 
lawful holder of patient identifying information to include a statement 
on the consent form that the patient understands their right, pursuant 
to Sec.  2.13(d), to request and be provided a list of entities to 
which their

[[Page 7003]]

information has been disclosed when the patient includes a general 
designation on the consent form. In addition, the part 2 program or 
other lawful holder of patient identifying information would have to 
include a statement on the consent form that the patient confirms their 
understanding of the terms of consent and Sec.  2.13(d) by signing the 
consent form.

I. Prohibition on Re-disclosure (Sec.  2.32)

1. Overview
    There is confusion on the part of some providers as to how much of 
a patient's record is subject to 42 CFR part 2, which often leads to a 
decision to protect the entire record.
2. Proposed Revisions
    SAMHSA proposes to clarify that the prohibition on re-disclosure 
provision (Sec.  2.32) only applies to information that would identify, 
directly or indirectly, an individual as having been diagnosed, 
treated, or referred for treatment for a substance use disorder, such 
as indicated through standard medical codes, descriptive language, or 
both, and allows other health-related information shared by the part 2 
program to be re-disclosed, if permissible under the applicable law. 
For example, if an individual receives substance use disorder treatment 
from a part 2 program and also receives treatment for a health 
condition such as high blood pressure, the individual's record would 
include information unrelated to their substance use disorder (i.e., 
high blood pressure). Part 2 does not prohibit re-disclosure of the 
information related to the high blood pressure as long as it does not 
include information that would identify the individual as having or 
having had a substance use disorder.
    However, illnesses that are brought about by drug or alcohol abuse 
may reveal that a patient has a substance use disorder. For example, 
cirrhosis of the liver or pancreatitis could reveal a substance use 
disorder. Also, if a prescription for a medication used for substance 
use disorder treatment is revealed without further clarification of a 
non-substance disorder use (e.g., methadone used for the treatment of 
cancer), it would suggest that the individual has a substance use 
disorder and also would be prohibited.
    If data provenance (the historical record of the data and its 
origins) reveals information that would identify, directly or 
indirectly, and individual as having or having had a substance use 
disorder, the information would be prohibited from being re-disclosed. 
For example, if the treatment location is a substance use disorder 
treatment clinic, this information would identify an individual as 
having had a substance use disorder and is therefore prohibited.
    SAMHSA also proposed to clarify that the federal rules restrict any 
use of the information to criminally investigate or prosecute any 
patient with a substance use disorder, except as provided in Sec.  
2.12(c)(5).

J. Disclosures To Prevent Multiple Enrollments (Sec.  2.34)

1. Overview
    In the current regulations, special rules are included for 
disclosures to prevent multiple enrollments in detoxification and 
maintenance treatment programs because these types of disclosure 
necessitate some adjustment of the basic written consent procedures in 
order to ensure maximum protection for patients. Under Sec.  2.34, the 
timing, content, and use of the patient information is strictly limited 
in accordance with the purpose of the disclosure.
2. Proposed Revisions
    SAMHSA proposes to modernize section Sec.  2.34 by updating 
terminology and revising corresponding definitions. SAMHSA also 
proposes to consolidate definitions by moving definitions from this 
section to Definitions in Sec.  2.11, as discussed in Section III.B., 
Definitions.

K. Medical Emergencies (Sec.  2.51)

1. Overview
    SAMHSA is considering aligning the regulatory language with the 
statutory language regarding the medical emergency exception of 42 CFR 
part 2 (Sec.  2.51). The current regulations state that information may 
be disclosed without consent for the purpose of treating a condition 
which poses an immediate threat to the health of any individual and 
which requires immediate medical intervention. The statute, however, 
states that records may be disclosed ``to medical personnel to the 
extent necessary to meet a bona fide medical emergency.''
2. Proposed Revisions
    SAMHSA proposes to adapt the medical emergency exception to give 
providers more discretion to determine when a ``bona fide medical 
emergency'' (42 U.S.C. 290dd-2(b)(2)(A)) exists. The proposed language 
states that patient identifying information may be disclosed to medical 
personnel to the extent necessary to meet a bona fide medical 
emergency, in which the patient's prior informed consent cannot be 
obtained.
    SAMHSA proposes to continue to require the part 2 program to 
immediately document, in writing, specific information related to the 
medical emergency. Before a part 2 program enters into an affiliation 
with an HIE, it should consider whether the HIE has the capability to 
comply with all part 2 requirements, including the capacity to 
immediately notify the part 2 program when its records have been 
disclosed pursuant to a medical emergency. To promote compliance, 
SAMHSA recommends that the notification include all the information 
that the part 2 program is required to document in the patient's 
records (e.g., date and time of disclosure, the nature of the 
emergency). Similarly, SAMHSA recommends that the part 2 program 
consider whether the HIE has the technology, rules, and procedures to 
appropriately protect patient identifying information.

L. Research (Sec.  2.52)

1. Overview
    Under the current regulations at Sec.  2.52, only the program 
director (part 2 program director) may authorize the disclosure of 
patient identifying information for scientific research purposes to 
qualified personnel. Part 2 data may be derived from a variety of 
sources, including federal or state agencies that administer Medicare, 
Medicaid, or Children's Health Insurance Program (CHIP), part 2 
programs, or other individuals or entities that have lawfully obtained 
the information and may wish to facilitate a sharing of the information 
for purposes of scientific research that would ultimately benefit 
substance use disorder patients/beneficiaries.
    Along with fifteen other federal departments and agencies, HHS has 
announced proposed revisions to the regulations for protection of human 
subjects in research (Common Rule). An NPRM was published in the 
Federal Register on September 8, 2015. In this part 2 NPRM, SAMHSA 
proposes certain revisions that are predicated on the current version 
of the Common Rule (45 CFR part 46, Protection of Human Subjects, 
promulgated in 1991). Although SAMHSA does not anticipate that the 
Common Rule provisions referenced in this part 2 NPRM will change 
substantially during the Common Rule rulemaking process, should 
conflicting policies be created, SAMHSA will take appropriate action 
(e.g., issue an NPRM or technical correction).

[[Page 7004]]

2. Proposed Revisions
    First, we propose to revise the section heading by deleting the 
word ``activities'' (Sec.  2.52, Research). SAMHSA also proposes to 
revise the research exception to permit data protected by 42 CFR part 2 
to be disclosed to qualified personnel for the purpose of conducting 
scientific research by a part 2 program or any other individual or 
entity that is in lawful possession of part 2 data (lawful holder of 
part 2 data). For example, these lawful holders of part 2 data could 
include third-party payers, HIEs, ACOs, and CCOs. Qualified personnel 
are those individuals who meet the requirements specified in the 
Research provision to receive part 2 data for the purpose of conducting 
scientific research. SAMHSA examined the existing regulations that 
protect human subjects in research and concluded that, if those 
requirements were fulfilled, 42 CFR part 2 would ensure confidentiality 
protections consistent with the Congressional intent, while providing 
the expanded authority for disclosing patient identifying information.
    Under 42 CFR part 2, part 2 programs or other lawful holders of 
part 2 data are permitted to disclose patient identifying information 
for research with patient consent, or without patient consent under 
limited circumstances. SAMHSA is proposing to allow patient identifying 
information to be disclosed for purposes of scientific research: (1) If 
the researcher is a HIPAA covered entity or business associate and 
provides documentation that the researcher obtained research 
participants' authorization, or a waiver of research participants' 
authorization by an Institutional Review Board (IRB) or privacy board, 
for use or disclosure of information about them for research purposes 
consistent with the HIPAA Privacy Rule, (45 CFR 164.512(i)); or (2) if 
the researcher is subject to just the HHS Common Rule (45 CFR part 46, 
subpart A) and provides documentation that the researcher is in 
compliance with the requirements of the HHS Common Rule, including 
requirements relating to informed consent or a waiver of consent (45 
CFR 46.111 and 46.116); or (3) if the researcher is both a HIPAA 
covered entity or business associate and subject to the HHS Common 
Rule, the researcher has met the requirements of both (1) and (2).
    IRBs that are designated by an institution under an assurance of 
compliance approved for Federalwide use (referred to as Federalwide 
Assurance, or FWA) by HHS Office for Human Research Protections (OHRP) 
under Sec.  46.103(a) and that review research involving human subjects 
conducted or supported by HHS must be registered with HHS. The FWA is 
the assurance from an institution engaging in HHS-conducted or -
supported human subjects research regarding compliance with 45 CFR part 
46. An institution must have an FWA to receive HHS support for research 
involving human subjects, and the FWA has to designate an IRB 
registered with OHRP, whether it is an internal or external IRB.
    A privacy board is a review body that may be established to act 
upon requests for a waiver or an alteration of the requirement under 
the HIPAA Privacy Rule to obtain an individual's authorization for uses 
and disclosures of protected health information for a particular 
research study. Like an IRB, a privacy board may waive or alter all or 
part of the HIPAA authorization requirements for a specified research 
project or protocol, provided certain conditions are met as provided in 
45 CFR 164.512(i).
    Currently, much research involving human subjects operates under 
the HHS Common Rule (45 CFR part 46, subpart A). These regulations, 
which apply to HHS-conducted or -supported research or to institutions 
that have voluntarily extended their FWA to apply to all research 
regardless of funding, include protections to help ensure 
confidentiality. Under this rule, IRBs determine that, when 
appropriate, there are adequate provisions to protect the privacy of 
subjects and to maintain the confidentiality of data before approving 
the research (45 CFR 46.111(a)(7)). IRBs can therefore address the 
requirements under the HIPAA Privacy Rule and the HHS Common Rule, 
which contain somewhat similar, but different sets of requirements. The 
proposed part 2 rules set out the requirements for a researcher 
conducting research with patient identifying information. Compliance 
with the HIPAA Privacy Rule and/or federal human subjects research 
protections, as set forth in the HHS Common Rule, where they apply, as 
well as the specific additional requirements in Sec.  2.52(b) discussed 
below, is sufficient to meet the requirements for research disclosures 
under part 2.
    SAMHSA also is proposing to address data linkages because the 
process of linking two or more streams of data opens up new research 
opportunities. For example, the practice of requesting data linkages 
from other data sources to study the longitudinal effects of treatment 
on patients is becoming widespread. SAMHSA is interested in affording 
patients protected by 42 CFR part 2 the same opportunity to benefit 
from these advanced research protocols while continuing to safeguard 
their privacy.
    We propose to permit researchers to request to link data sets that 
include patient identifying information if: (1) The data linkage uses 
data from a federal data repository; and (2) the project, including a 
data protection plan, is reviewed and approved by an IRB registered 
with OHRP in accordance with 45 CFR part 46. This permissible 
disclosure would allow a researcher to disclose patient identifying 
information to a federal data repository and permit the federal data 
repository to link the patient identifying information to data held by 
that repository and return the linked data file back to the researcher. 
It would also ensure that patient privacy is considered, that the 
disclosure and use of identifiable data is justified, and that the 
research protocol includes an appropriate data protection plan. SAMHSA 
is proposing to limit the data repositories from which a researcher may 
request data for data linkages purposes to federal data repositories 
because federal agencies that maintain data repositories have policies 
and procedures in place to protect the security and confidentiality of 
the patient identifying information that must be submitted by a 
researcher in order to link the data sets. For example, in addition to 
meeting requirements under the HIPAA Rules and/or the HHS Common Rule, 
as applicable, requests for ``research identifiable files'' data from 
CMS require a Data Use Agreement and are reviewed by CMS's Privacy 
Board. CMS also has internal policies to protect the privacy and 
security of data received from the researcher, including the retention 
and destruction of that data. In addition, all federal agencies must 
comply with directives that protect sensitive data such as Office of 
Management and Budget Circular No. A-130, Appendix III--Security of 
Federal Automated Information and NIST Federal Information Processing 
Standard 200 entitled Minimum Security Requirements for Federal 
Information and Information Systems.
    SAMHSA is soliciting public input regarding whether to expand the 
data linkages provision beyond federal data repositories, what 
confidentiality, privacy, and security safeguards are in place for 
those non-federal data repositories, and whether those safeguards are 
sufficient to protect the security and confidentiality of the patient 
identifying information.
    We invite stakeholders to provide input and recommendations on the 
specific policies, procedures, and other safeguards that non-federal 
data

[[Page 7005]]

repositories should have in place including, but not limited to:
    1. Data use agreements (e.g., a data use agreement or contract 
between the researcher and the data repository with written provisions 
to uphold security and confidentiality of the data and provide for 
sanctions or penalties for breaches of confidentiality);
    2. A review by a privacy board or other regulatory body(-ies);
    3. Internal security and privacy protections (both physical and 
electronic) for the confidentiality and security of data, including the 
retention and destruction of data received for data linkage purposes 
(e.g., a requirement to destroy, in a manner to render the data non-
retrievable, all patient identifying information provided by the 
researcher for data linkage purposes after performing the match).
    4. Security and privacy protections (both physical and electronic) 
for receiving and linking data (e.g., a requirement that transmission 
of data between the researcher and the data repository must occur 
through the use of secure methods and use the most current encryption 
technology, such as the most current version of the Advanced Encryption 
Standard (NIST Federal Information Processing Standards (FIPS 197)).
    5. Internal confidentiality agreements for staff members who have 
access to patient identifying information and other confidential data;
    6. Laws and regulations governing functions and operations, 
including those that address security and privacy;
    7. Capability to perform data linkages according to recognized 
standards; and
    8. Other relevant safeguards.
    SAMHSA also is requesting public comment on the following three 
sets of questions:
    First, should state government, local government, private, and/or 
other non-federal data repositories (please address separately) that 
meet the criteria above be permitted to conduct data linkages?
    Second, are there additional or alternative criteria that should be 
included in the list above? Are there specific categories of data 
repositories that are already required to provide similar safeguards? 
When providing categories of data repositories, please describe the 
safeguards that are already in place for those entities.
    Third, how could it be ensured that data repositories providing 
data linkages are in compliance with criteria or standards concerning 
confidentiality, privacy, and security safeguards? Are there any 
regulatory or oversight bodies (including non-governmental and 
governmental) that currently oversee compliance with criteria or 
standards concerning confidentiality, privacy, and security safeguards 
of data in non-federal repositories?
    A researcher may report findings in aggregate form from patient 
information that has been rendered non-identifiable as long as there 
are assurances in place that the information cannot be re-identified 
and possibly serve as an unauthorized means to identify a patient, 
directly or indirectly, as having or having had a substance use 
disorder.
    SAMHSA is proposing to require any individual or entity conducting 
scientific research using patient identifying information to meet 
additional requirements to ensure compliance with confidentiality 
provisions under part 2. Among these are a provision (Sec.  2.52(b)(1)) 
that requires researchers to be fully bound by these regulations and, 
if necessary, to resist in judicial proceedings any efforts to obtain 
access to patient records except as permitted by these regulations. 
This requirement means that researchers involved in a judicial 
proceeding are only required to disclose patient identifying 
information pursuant to a subpoena that is accompanied by a court 
order. In addition, we have included a provision (Sec.  2.52(b)(2)) 
prohibiting researchers from re-disclosing patient identifying 
information except back to the individual or entity from whom that 
patient identifying information was obtained or as permitted under 
Sec.  2.52(b)(4), the data linkages provision. With respect to this re-
disclosure provision, an individual or entity from whom the patient 
identifying information was obtained does not refer to patients.
    Finally, SAMHSA is proposing to address, in addition to the 
maintenance of part 2 data, the retention and disposal of such 
information used in research. SAMHSA is proposing to do so by expanding 
the provisions in Sec.  2.16, Security for Records and referencing the 
policies and procedures established under Sec.  2.16 in this section.
    These proposed revisions would allow additional scientific research 
to be conducted that would facilitate continual quality improvement of 
part 2 programs and the important services they offer. In doing so, 
SAMHSA proposes to incorporate existing protections for human subjects 
research that are widely accepted.

M. Audit and Evaluation (Sec.  2.53)

1. Overview
    Under the current Medicare or Medicaid audit or evaluation section 
at Sec.  2.53, an audit or evaluation is limited to a civil 
investigation or administrative remedy by any federal, state, or local 
agency responsible for oversight of the Medicare or Medicaid program. 
It also includes administrative enforcement, against the program by the 
agency, or any remedy authorized by law to be imposed as a result of 
the findings of the investigation.
2. Proposed Revisions
    First, we propose to revise the section heading by deleting the 
word ``activities'' (Sec.  2.53, Audit and Evaluation). SAMHSA also 
proposes to modernize this section to include provisions for governing 
both paper and electronic patient records. In addition, we propose to 
revise the requirements for destroying patient identifying information 
by citing the expanded Security for Records section (Sec.  2.16). 
Furthermore, we propose to update the Medicare or Medicaid audit or 
evaluation subsection title to include CHIP and, in subsequent 
language, refer to Medicare, Medicaid and CHIP (SAMHSA has always 
applied this section to CHIP and is proposing to explicitly refer to it 
in the proposed regulation text).
    SAMHSA proposes to permit the part 2 program, not just the part 2 
program director, to determine who is qualified to conduct an audit or 
evaluation of the part 2 program in paragraph (a)(2). SAMHSA also 
proposes to permit an audit or evaluation necessary to meet the 
requirements of a CMS-regulated ACO or similar CMS-regulated 
organization (including a CMS-regulated QE), under certain conditions. 
To ensure that patient identifying information is protected, the CMS-
regulated ACO or similar CMS-regulated organization (including a CMS-
regulated QE) that is the subject of, or is conducting, the audit or 
evaluation must have a signed Participation Agreement with CMS which 
provides that the CMS-regulated ACO or similar CMS-regulated 
organization (including a CMS-regulated QE) must comply with all 
applicable provisions of 42 U.S.C 290dd-2 and 42 CFR part 2.

IV. Collection of Information Requirements

    Under the Paperwork Reduction Act of 1995 (PRA), agencies are 
required to provide a 60-day notice in the Federal Register and solicit 
public comment before a collection of information requirement is 
submitted to the Office of Management and Budget (OMB) for review and 
approval. Currently, the information collection is approved under OMB 
Control No. 0930-0092. In

[[Page 7006]]

order to fairly evaluate whether changes to an information collection 
should be approved by OMB, section 3506(c)(2)(A) of the PRA requires 
that we solicit comment on the following issues: (a) Whether the 
information collection is necessary and useful to carry out the proper 
functions of the agency; (b) The accuracy of the agency's estimate of 
the information collection burden; (c) The quality, utility, and 
clarity of the information to be collected; and (d) Recommendations to 
minimize the information collection burden on the affected public, 
including automated collection techniques.
    Under the PRA, the time, effort, and financial resources necessary 
to meet the information collection requirements referenced in this 
section are to be considered in rule making. We explicitly seek, and 
will consider, public comment on our assumptions as they relate to the 
PRA requirements summarized in this section.
    This proposed rule includes changes to information collection 
requirements, that is, reporting, recordkeeping or third-party 
disclosure requirements, as defined under the PRA (5 CFR part 1320). 
Some of the provisions involve changes from the information collections 
set out in the previous regulations. Information collection 
requirements are: (1) Section 2.13(d)--Disclosure: Requires entities 
named on a consent form that disclose patient identifying information 
to their participants under the general designation to make a 
disclosure, to each patient who requests a list of disclosures, in the 
form of a list of entities to which their information has been 
disclosed pursuant to the general designation, (2) Section 2.22--
Disclosure: Requires each program to make public disclosure in the form 
of communication to each patient that federal law and regulations 
protect the confidentiality of each patient and includes a written 
summary of the effect of this law and these regulations, (3) Section 
2.51--Recordkeeping: This provision requires the program to document a 
disclosure of a patient record to authorized medical personnel in a 
medical emergency. The regulation is silent on retention period for 
keeping these records as this will vary according to state laws. It is 
expected that these records will be kept as part of the patients' 
health records. Annual burden estimates for these requirements are 
summarized in the table below:

                                                               Annualized Burden Estimates
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                          Annual  number
                                                of        Responses  per       Total         Hours per      Total hour      Hourly wage     Total hour
                                            respondents      respondent      responses       response         burden           cost            cost
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                       Disclosures
--------------------------------------------------------------------------------------------------------------------------------------------------------
42 CFR 2.13 (d).........................      \1\ 19,548               1          19,548       \2\ 4.15           81,124    \3\ $36.9175      $2,994,895
42 CFR 2.22.............................      \4\ 12,034             155   \5\ 1,861,693            .20        372,338.6       \6\ 40.26      14,990,352
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                      Recordkeeping
--------------------------------------------------------------------------------------------------------------------------------------------------------
42 CFR 2.51.............................          12,034               2          24,068            .167           4,019       \7\ 34.16         137,289
                                         ---------------------------------------------------------------------------------------------------------------
    Total...............................      \8\ 31,582  ..............       1,905,309  ..............         457,482  ..............      18,122,536
--------------------------------------------------------------------------------------------------------------------------------------------------------
\1\ The number of entities required to generate a list of disclosures based on the number of estimated patient requests. Patient requests are based the
  total number of annual treatment admissions from SAMHSA's 2010-2012 Treatment Episode Data Set (TEDS) (see footnote 5). The estimated patient requests
  equal the average of the total number of requests for a 0.1% request rate and a 2% request rate.
\2\ The estimated time for developing a list of disclosures is 4 hours for entities collecting the information electronically using an audit log and 3
  hours for entities that produce such a list from paper records. Because 90% of entities are estimated to collect the information electronically using
  an audit log and 10% are estimated to use paper records, the average weighted time to develop a list of disclosures is 3.9 hours [(0.9 x 4 hours) +
  (0.1 x 3 hours)]. Including the estimated 15 minutes to prepare each list of disclosures for mailing or transmitting, the total estimated time for
  providing a patient a list of disclosures is 4.15 hours (3.9 hours + 0.25 hours).
\3\ The weighted hourly rate for health information technicians, medical technicians and administrative staff who will be preparing the list of
  disclosures. The hourly rate is weighted to reflect the fact that health information and medical technicians, who will be generating the list of
  disclosures, have a higher wage rate than administrative staff and will contribute more hours to generating the list of disclosures. Bureau of Labor
  Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed June 3, 2015], Standard Occupations Classification codes (29-2071,
  31-9092) [www.bls.gov/oes/]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
\4\ The number of publicly funded alcohol and drug facilities based on SAMHSA's 2013 National Survey of Substance Abuse Treatment Services (N-SSATS).
\5\ The average number of annual treatment admissions from SAMHSA's 2010-2012 Treatment Episode Data Set (TEDS).
\6\ Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed July 16, 2015], Standard Occupations
  Classification code (21-1011) [www.bls.gov/oes/]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
\7\ Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed July 16, 2015], Standard Occupations
  Classification code (43-0000) [www.bls.gov/oes/]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
\8\ The combined total of the number of publicly funded alcohol and drug facilities and the number of entities required to generate a list of
  disclosures.

    As described in greater detail in Section VI., Regulatory Impact 
Analysis, the respondents for the collection of information under 42 
CFR 2.22 and 2.51 are publicly (federal, state, or local) funded, 
assisted, or regulated substance use disorder treatment programs. The 
estimate of the number of such programs (respondents) is based on the 
results of the 2013 N-SSATS, and the average number of annual total 
responses is based on 2010-2012 information on patient admissions 
reported to the Treatment Episode Data Set (TEDS), approved under OMB 
Control No. 0930-0106 and OMB Control No. 0930-0335.
    The respondents for the collection of information under 42 CFR 
2.13(d) are entities named on the consent form that disclose 
information to their participants pursuant to the general designation. 
These entities primarily would be organizations that facilitate the 
exchange of health information (e.g., HIEs) or coordinate care (e.g., 
ACOs, CCOs, and patient-centered medical homes (sometimes called health 
homes)), but other organizations, such as research institutions, also 
may disclose patient identifying information to their participants 
(e.g., clinical researchers) pursuant to the general

[[Page 7007]]

designation on the consent form. Because there are no definitive data 
sources for this potential range of organizations, we are not 
associating requests for a list of disclosures with any particular type 
of organization. Consequently, the number of organizations that must 
respond to list of disclosures requests is based on the total number of 
requests each year.

V. Response to Comments

    Because of the large number of public comments, we anticipate 
receiving on this Federal Register document, we are not going to be 
able to acknowledge or respond to them individually. We will consider 
all comments we receive by the date and time specified in the DATES 
section of this proposed rule, and, when we proceed with a subsequent 
document, we will respond to the comments in the preamble to that 
document.

VI. Regulatory Impact Analysis

A. Statement of Need

    This proposed rule is necessary to modernize the Confidentiality of 
Alcohol and Drug Abuse Patient Records regulations at 42 CFR part 2. 
The last substantive update to 42 CFR part 2 was in 1987. The part 2 
laws were written out of great concern about the potential use of 
substance use disorder treatment information causing individuals with 
substance use disorders from seeking needed treatment. Over the last 25 
years, significant changes have occurred within the U.S. health care 
system that were not envisioned by the current regulations, including 
new models of integrated care that are built on a foundation of 
information sharing to support coordination of patient care, the 
development of an electronic infrastructure for managing and exchanging 
patient data, and a new focus on performance measurement within the 
health care system. The goal of this proposed rule is to update 42 CFR 
part 2, and clarify the requirements associated with information 
exchange in these new health care models.

B. Overall Impact

    We have examined the impacts of this rule as required by Executive 
Order 12866 on Regulatory Planning and Review (September 30, 1993), 
Executive Order 13563 on Improving Regulation and Regulatory Review 
(January 18, 2011), the Regulatory Flexibility Act (RFA) (September 19, 
1980, Pub. L. 96-354), section 1102(b) of the Social Security Act, 
section 202 of the Unfunded Mandates Reform Act of 1995 (March 22, 
1995; Pub. L. 104-4), Executive Order 13132 on Federalism (August 4, 
1999) and the Congressional Review Act (5 U.S.C. 804(2)). Executive 
Orders 12866 and 13563 direct agencies to assess all costs and benefits 
of available regulatory alternatives and, if regulation is necessary, 
to select regulatory approaches that maximize net benefits (including 
potential economic, environmental, public health and safety effects, 
distributive impacts, and equity). Section 3(f) of Executive Order 
12866 defines a ``significant regulatory action'' as an action that is 
likely to result in a rule: (1) Having an annual effect on the economy 
of $100 million or more in any 1 year, or adversely and materially 
affecting a sector of the economy, productivity, competition, jobs, the 
environment, public health or safety, or state, local or tribal 
governments or communities (also referred to as ``economically 
significant''); (2) creating a serious inconsistency or otherwise 
interfering with an action taken or planned by another agency; (3) 
materially altering the budgetary impacts of entitlement grants, user 
fees, or loan programs or the rights and obligations of recipients 
thereof; or (4) raising novel legal or policy issues arising out of 
legal mandates, the President's priorities, or the principles set forth 
in the Executive Order.
    A regulatory impact analysis must be prepared for major rules with 
economically significant effects ($100 million or more in any 1 year). 
This rule does not reach the economic threshold and thus is not 
considered a major rule.
    When estimating the total costs associated with changes to the 42 
CFR part 2 regulations, we assumed five sets of costs: updates to 
health IT systems costs, costs for staff training and updates to 
training curriculum, costs to update patient consent forms, costs 
associated with providing patients a list of entities to which their 
information has been disclosed pursuant to a general designation on the 
consent form (i.e., the List of Disclosures requirement), and 
implementation costs associated with the List of Disclosure 
requirements. We assumed that costs associated with modifications to 
existing health IT systems, staff training costs associated with 
updating staff training materials, and costs to update consent forms 
would be one-time costs the first year the final rule is in effect and 
would not carry forward into future years. Staff training costs other 
than those associated with updating training materials are assumed to 
be ongoing annual costs to part 2 programs, also beginning in the first 
year that the final rule is in effect. The List of Disclosures costs 
are assumed to be ongoing annual costs to entities named on a consent 
form that disclose patient identifying information to their 
participants under the general designation. The List of Disclosures 
requirement, however, does not go into effect until two years after the 
final rule is in effect. Therefore, in years 1 and 2, the costs 
associated with the List of Disclosures provision are limited to 
implementation costs for entities that chose to upgrade their health IT 
systems in order to comply with the List of Disclosure requirements.
    We estimate, therefore, that in the first year that the final rule 
is in effect, the costs associated with updates to 42 CFR part 2 would 
be $74,217,979. In year two, we estimate that costs would be 
$47,021,182. In years 3 through 10, we estimate the annual costs would 
be $14,835,444. Over the 10-year period of 2015-2024, the total 
undiscounted cost of the proposed changes would be $239,922,716 in 2015 
dollars. When future costs are discounted at 3 percent or 7 percent per 
year, the total costs become approximately $220.9 million or $200.9 
million, respectively. These costs are presented in the tables below.

                                      Total Cost of 42 CFR Part 2 Revisions
                                                 [2015 dollars]
----------------------------------------------------------------------------------------------------------------
                                  Staff training   Consent form       List of        Health IT
              Year                     costs          updates       disclosures        costs        Total costs
                                             (A)             (B)             (C)             (D)             (E)
----------------------------------------------------------------------------------------------------------------
2015............................     $14,881,443        $204,786     $10,995,750     $48,136,000     $74,217,979
2016............................      11,834,782               0      35,186,400               0      47,021,182
2017............................      11,834,782               0       3,000,662               0      14,835,444

[[Page 7008]]

 
2018............................      11,834,782               0       3,000,662               0      14,835,444
2019............................      11,834,782               0       3,000,662               0      14,835,444
2020............................      11,834,782               0       3,000,662               0      14,835,444
2021............................      11,834,782               0       3,000,662               0      14,835,444
2022............................      11,834,782               0       3,000,662               0      14,835,444
2023............................      11,834,782               0       3,000,662               0      14,835,444
2024............................      11,834,782               0       3,000,662               0      14,835,444
                                 -------------------------------------------------------------------------------
    Total.......................     121,394,485         204,786      70,187,445      48,136,000     239,922,716
----------------------------------------------------------------------------------------------------------------


                            Total Cost of 42 CFR Part 2 Revisions--Annual Discounting
                                                 [2015 dollars]
----------------------------------------------------------------------------------------------------------------
                                                                     Total with 3%   Total with 7%
                       Year                           Total costs       annual          annual
                                                                      discounting     discounting
                                                               (E)             (F)             (G)
----------------------------------------------------------------------------------------------------------------
2015..............................................     $74,217,979     $74,217,979     $74,217,979
2016..............................................      47,021,182      45,651,633      43,945,030
2017..............................................      14,835,444      13,983,829      12,957,852
2018..............................................      14,835,444      13,576,533      12,110,142
2019..............................................      14,835,444      13,181,100      11,317,889
2020..............................................      14,835,444      12,797,185      10,577,467
2021..............................................      14,835,444      12,424,451       9,885,483
2022..............................................      14,835,444      12,062,574       9,238,769
2023..............................................      14,835,444      11,711,237       8,634,364
2024..............................................      14,835,444      11,370,133       8,069,499
                                                   -------------------------------------------------------------
    Total.........................................     239,922,716     220,976,654     200,954,473
----------------------------------------------------------------------------------------------------------------

    The costs associated with the proposed revisions stem from staff 
training and updates to training curriculum, updates to patient consent 
forms, compliance with the List of Disclosures requirement (including 
implementation costs), and updates to health IT infrastructure for 
information exchange. Based on data from the 2013 N-SSATS, we estimate 
that 12,034 hospitals, outpatient treatment centers, and residential 
treatment facilities are covered by part 2. N-SSATS is an annual survey 
of U.S. substance abuse treatment facilities. Data is collected on 
facility location, characteristics, and service utilization. Not all 
treatment providers included in N-SSATs are believed to be under the 
jurisdiction of the part 2 regulations. The 12,034 number is a subset 
of the 14,148 substance abuse treatment facilities that responded to 
the 2013 N-SSATS, and includes all federally operated facilities, 
facilities that reported receiving public funding other than Medicare 
and Medicaid, facilities that reported accepting Medicare, Medicaid, 
TRICARE, and/or ATR voucher payments, or were SAMHSA-certified Opioid 
Treatment Programs. If a facility did not have at least one of these 
conditions, it was interpreted not to have received any federal funding 
and, therefore, not included in the estimate.
    If an independently practicing clinician does not meet the 
requirements of paragraph (1) of the definition of Program (an 
individual or entity (other than a general medical facility or general 
medical practice) who holds itself out as providing and provides 
substance use disorder diagnosis, treatment or referral for treatment), 
they may be subject to 42 CFR part 2 if they constitute an identified 
unit within a general medical facility or general medical practice 
which holds itself out as providing, and provides, substance use 
disorder diagnosis, treatment, or referral for treatment or if their 
primary function in the facility or practice is the provision of such 
services and they are identified as providing such services. Due to 
data limitations, it was not possible to estimate the costs for 
independently practicing providers covered by part 2 that did not 
participate in the 2013 N-SSATS. For example, data from ABAM provides 
the number of physicians since 2000 who have active ABAM certification. 
However, there is no source for the number of physicians who have not 
participated in the ABAM certification process. In addition, it is not 
possible to determine which ABAM-certified physicians practice in a 
general medical setting rather than in a specialty treatment facility 
that was already counted in the N-SSATS data.
    Several provisions in the draft NPRM reference ``other lawful 
holders of patient identifying information'' in combination with part 2 
programs. These other lawful holders must comply with part 2 
requirements with respect to information they maintain that is covered 
by part 2 regulations. However, because this group could encompass a 
wide range of organizations, depending on whether they received part 2 
data via patient consent or as a result of one of the limited 
exceptions to the consent requirement specified in the regulations, we 
are unable to include estimates regarding the number and type of these 
organizations and are only including part 2 programs in this analysis.

[[Page 7009]]

    In addition to the part 2 programs described above, entities named 
on a consent form that disclose patient identifying information to 
their participants under the general designation must provide patients, 
upon request, a list of entities to which their information has been 
disclosed pursuant to a general designation. These entities primarily 
would include organizations that facilitate the exchange of health 
information (e.g., HIEs), and may also include organizations 
responsible for care coordination (e.g., ACOs, CCOs, and patient-
centered medical homes (sometimes called health homes)). The most 
recent estimates of these types of entities are 67 functional, publicly 
funded HIEs and 161 functional, privately funded HIEs in 2013.\1\ As of 
January 2015, there were an estimated 744 ACOs covering approximately 
23.5 million individuals.\2\ Finally, in 2014, the Accreditation 
Association for Ambulatory Health Care, Inc., reported that 7,000 
medical practices have been accredited as patient-centered medical 
homes.\3\ While these types of organizations were the primary focus of 
this provision on the consent form, other types of entities, such as 
research institutions, may also disclose patient identifying 
information to their participants (e.g., clinical researchers) pursuant 
to the general designation on the consent form. Because there are no 
definitive data sources for this potential range of organizations, we 
are not associating requests for lists of disclosures with any 
particular type of organization. We, instead, chose to estimate the 
number of organizations that must respond to list of disclosures 
requests based on the total number of requests each year.
---------------------------------------------------------------------------

    \1\ Trends in Health Information Exchanges (Trends in Health 
Information Exchanges) https://innovations.ahrq.gov/perspectives/trends-health-information-exchanges#3.
    \2\ Muhlestein, D. (2015). Growth and Dispersion of Accountable 
Care Organizations in 2015. Health Affairs Blog, 19.
    \3\ Accreditation Association for Ambulatory Health Care. ``The 
Medical Home--Avoiding the Rush to Judgment, Growing Model is a 
Transformative Process Requiring Perseverance, Patience . . . and 
Time, Body of Evidence Illustrating Success is Surging'' White 
Paper.
---------------------------------------------------------------------------

1. Direct Costs of Implementing the Proposed Regulations
    There is no known baseline estimate of the current costs associated 
with 42 CFR part 2 compliance. Instead, SAMHSA estimated these cost 
based on a range of published costs associated with HIPAA 
implementation and compliance.4 5
---------------------------------------------------------------------------

    \4\ Kilbridge, P. (2003). The cost of HIPAA compliance. New 
England Journal of Medicine, 348(15), 1423-1477.
    \5\ Williams, A.R., Herman, D.C., Moriarty, J.P., Beebe, T.J., 
Bruggeman, S.K., Klavetter, E.W. & Bartz, J.K. (2008). HIPAA costs 
and patient perceptions of privacy safeguards at Mayo Clinic. Joint 
Commission Journal on Quality and Patient Safety, 34(1), 27-35.
---------------------------------------------------------------------------

a. Staff Training
    A Standard HIPAA training that meets or exceeds the federal 
training requirements is, on average, one hour long.\6\ Therefore, we 
also estimated one hour of training per staff to achieve proficiency in 
the 42 CFR part 2 regulations. To estimate the labor costs associated 
with staff training, we averaged the average hourly costs for 
counseling staff in specialty treatment centers ($19.48 \7\), hospital 
treatment centers ($21.47 \8\), and solo practice offices ($22.61 \9\). 
The resulting blended rate was $21.19 per hour. In order to account for 
benefits and overhead costs associated with staff time, we multiplied 
the blended hourly rate by two. These estimates are only for training 
costs associated with counseling staff, who we assume will have primary 
responsibility for executing the functions associated with the NPRM 
revisions.
---------------------------------------------------------------------------

    \6\ 65 FR 82462, 82770 (Dec. 28, 2000) (Standards for Privacy of 
Individually Identifiable Health Information).
    \7\ Bureau of Labor Statistics, U.S. Department of Labor, 
Occupational Employment Statistics, [accessed May 2, 2015] 
Outpatient Mental Health and Substance Abuse Centers (NAICS code 
621420), Standard Occupations Classification code (211011) 
[www.bls.gov/oes/].
    \8\ Bureau of Labor Statistics, U.S. Department of Labor, 
Occupational Employment Statistics, [accessed May 2, 2014] 
Psychiatric and Substance Abuse Hospitals (NAICS code 622200), 
Standard Occupations Classification code (211011) [www.bls.gov/oes/
].
    \9\ Bureau of Labor Statistics, U.S. Department of Labor, 
Occupational Employment Statistics, [accessed September 23, 2014] 
Offices of Mental Health Practitioners (except Physicians) (NAICS 
code 621330), Standard Occupations Classification code (211011) 
[www.bls.gov/oes/].
---------------------------------------------------------------------------

    With regard to training materials, most part 2 programs are assumed 
to already have training curricula in place that covers current 42 CFR 
part 2 regulations, and, therefore, these facilities would only need to 
update existing training materials rather than develop new materials. 
The American Hospital Association estimated that the costs for the 
development of Privacy and Confidentiality training, which would 
include the development of training materials and instructor labor 
costs, was $16 per employee training hour in 2000.\10\ Because we 
assumed that part 2 programs would be updating rather than developing 
training materials, we estimated the cost of training development to be 
one-half of the cost of developing new materials, or $8 per employee. 
Adjusted for inflation,\11\ training development costs in 2015 would be 
$10.91 per employee.
---------------------------------------------------------------------------

    \10\ These estimates are not HHS estimates nor are they HHS-
endorsed cost estimates of HIPAA implementation and compliance.
    \11\ Calculated using the Consumer Price Index.
---------------------------------------------------------------------------

    Using SAMHSA's 2010-2012 TEDS average annual number of treatment 
admissions (n=1,861,693) as an estimate of the annual number of 
patients at part 2 programs and calculated staffing numbers based on a 
range of counseling staff-to-client ratios (i.e., 1 to 10 \12\ and 1 to 
5 \13\). Based on these assumptions, staff training costs associated 
with part 2 patient consent procedures were projected to range from 
$9.9 million to $19.8 million in 2015. We averaged the two estimated 
costs for staff training to determine the final overall estimate of 
$14,881,443. We assumed the costs associated with updating training 
materials will be a one-time cost. Therefore, in subsequent years, we 
assumed the costs associated with staff training will be a function of 
the blended hourly rate (multiplied by two to account for benefits and 
overhead costs) and the estimated number of staff (developed based on 
the same two staff-to-client ratios described above multiplied by 
estimated patient counts). Staff training costs associated with part 2 
revisions are projected to range from $7.9 million to $15.8 million 
after 2015. We averaged the two estimated costs for staff training to 
determine the final overall estimate of $11,834,782.
---------------------------------------------------------------------------

    \12\ North Carolina NC Administrative Code [accessed September 
23, 2014]. [http://reports.oah.state.nc.us/ncac/title%2010a%20-%20health%20and%20human%20services/chapter%2013%20-%20nc%20medical%20care%20commission/subchapter%20b/10a%20ncac%2013b%20.5203.pdf.]
    \13\ Commonwealth of Pennsylvania--Department of Health Staffing 
Requirements for Drug and Alcohol Treatment Activities [accessed 
September 23, 2014]. [http://www.pacode.com/secure/data/028/chapter704/s704.12.html.]
---------------------------------------------------------------------------

b. Updates to Consent Forms
    Updates to the 42 CFR part 2 regulations will need to be reflected 
in patient consent forms. Results from a 2008 study from the Mayo 
Clinic Health Care Systems \14\ reported actuarial costs for HIPAA 
implementation activities. The reported cost to update

[[Page 7010]]

authorization forms was $0.10 per patient. Adjusted for inflation, 
costs associated with updating the patient consent forms in 2015 would 
be $0.11 per patient. We used the average number of substance abuse 
treatment admissions from SAMHSA's 2010-2012 TEDS as our estimate of 
the number of clients treated on an annual basis by part 2 facilities. 
The total cost burden associated with updating the consent forms to 
reflect to the updated 42 CFR part 2 regulations would be $204,786 
(1,861,693 * $0.11).
---------------------------------------------------------------------------

    \14\ Williams, A.R., Herman, D.C., Moriarty, J.P., Beebe, T.J., 
Bruggeman, S.K., Klavetter, E.W. & Bartz, J.K. (2008). HIPAA costs 
and patient perceptions of privacy safeguards at Mayo Clinic. Joint 
Commission Journal on Quality and Patient Safety, 34(1), 27-35.
---------------------------------------------------------------------------

c. List of Disclosures Costs
    The updated part 2 regulations allow patients who have consented to 
disclose their identifying information using a general designation to 
request a list of entities to which their information has been 
disclosed pursuant to the general designation. Under this proposed 
rule, entities named on a consent form that disclose patient 
identifying information to their participants under the general 
designation would be required to provide a list of disclosures after 
receiving a patient request. Under the List of Disclosure requirements, 
a patient could make a request, for example, to an organization that 
facilitates the exchange of health information (e.g., an HIE) or an 
organization responsible for coordinating care (e.g., an ACO) for a 
list of disclosures that would include the name of the entity to whom 
each disclosure was made, the date of the disclosure, and a brief 
description of the patient identifying information disclosed, and 
include this information for all entities to whom the patient 
identifying information has been disclosed pursuant to the general 
designation in the past two years.
    For purposes of this analysis, we assumed that entities disclosing 
patient identifying information to their participants pursuant to a 
patient's general designation on a consent form are already collecting 
the information necessary to comply with the List of Disclosure 
requirement, in some form, either electronically or using paper 
records. We also assumed that these entities could comply with the List 
of Disclosures requirement by either collecting this information 
electronically by using audit logs to obtain the required information 
or by keeping a paper record. However, to address possible concerns 
about technical feasibility and other implementation issues, SAMHSA is 
proposing that the List of Disclosures requirement become effective two 
years after the effective date of the final rule to allow entities 
collecting this information time to review their operations and 
business processes and to decide whether technological solutions are 
needed to enable them to more efficiently comply with the requirement.
    In order to make preliminary estimates of the implementation costs, 
we first estimated the number of potentially impacted entities based on 
the anticipated number of patient requests for a disclosure report in a 
calendar year. We used the average number of substance abuse treatment 
admissions from SAMHSA's 2010-2012 TEDS (n = 1,861,693) as the number 
of patients treated annually by part 2 programs. We then used the 
average of a 0.1 and 2 percent patient request rate as our estimate of 
the number of impacted entities (n = 19,548).
    From there, we assumed ten percent of the impacted entities would 
use paper records to comply with the disclosure reporting requirements 
(n = 1,995) and would have minimal implementation costs in years 1 and 
2. Among the remaining entities, many may be able to comply with the 
disclosure reporting requirements without developing or implementing 
new technologies. For entities that do choose to either update their 
existing capabilities or develop and implement new technologies to 
facilitate compliance, we assumed two sets of costs: (1) Planning and 
policy development costs in year 1 and (2) system update costs in year 
2.
    Absent any data on the number of facilities that would require new 
technology or the type of technology to be implemented, we assumed that 
twenty-five percent (n = 4,398) of the remaining entities would choose 
to upgrade their existing health IT systems. The actual system upgrade 
costs will vary considerably based on the type of upgrades that are 
required. Some entities may only require minor system updates to 
streamline the reporting requirements, while others may choose to 
implement an entirely new system. Given these data limitations, we 
assumed an average, per-entity cost, of $2,500 for planning development 
costs in year 1 and an average, per-entity cost, of $8,000 for system 
upgrades in year 2. The implementation costs for List of Disclosure 
reporting compliance across are estimated to be $10,995,750 in year 1 
(4,398 * $2,500) and $35,186,400 (4,398 * $8,000) in year 2.
    Once the disclosure reporting requirements go into effect, we 
assumed that the majority of the costs associated with the List of 
Disclosures requirement would primarily come from staff time needed to 
prepare a list of disclosures upon a patient's request. We also assumed 
that the information would need to be converted to a format that is 
accessible to patients.
    For those entities with a health IT system, we expected that 
disclosure information would be available in the system's audit log. We 
also assumed that, unless the audit log has some sort of electronic 
filtering system, it would contain information above and beyond the 
requirements for complying with a request for a list of disclosures. We 
have also assumed that the staff accessing and filtering an audit log 
to compile the information for lists of disclosures would be health 
information technicians. The average hourly rate for health information 
technicians is $18.68 an hour.\15\ In order to account for benefits and 
overhead costs associated with staff time, we multiplied the hourly 
wage rate by two. Absent any existing information on the amount of time 
associated with producing a list of disclosures from an audit log, we 
assumed it would take a health information technician half a day (or 
four hours) on average, to produce the list from an audit log.
---------------------------------------------------------------------------

    \15\ Bureau of Labor Statistics, U.S. Department of Labor, 
Occupational Employment Statistics, [accessed June 3, 2015], 
Standard Occupations Classification code (29-2071) [www.bls.gov/oes/
].
---------------------------------------------------------------------------

    For entities using paper records to track disclosures, we expected 
that a staff member would need to gather and aggregate the requested 
list of disclosures from paper records. We assumed medical record 
technicians would be the staff with the primary responsibility for 
compiling the information for a list of disclosures. The average hourly 
rate for medical record technicians is $18.68 an hour.\16\ In order to 
account for benefits and overhead costs associated with staff time, we 
multiplied the hourly wage rate by two. Absent any existing information 
on the amount of time associated with producing a list of disclosures 
from paper records, we assumed it would take a medical record 
technician three hours, on average, to produce the list from paper 
records.\17\
---------------------------------------------------------------------------

    \16\ IBID.
    \17\ For facilities that maintain paper records, consent forms 
would indicate who has been given access to the record. By contrast, 
our understanding of health IT audit logs is that they include a 
record of all instances in which a record has been accessed. The 
audit log will include a record of who accessed the system, the date 
the record was accessed, and what operations were performed. The 
audit logs, therefore, will include considerably more data than what 
we would anticipate finding in paper records. Unless the audit log 
has an electronic filtering system, we are assuming that a health 
information technician will need to manually review all records in 
an audit log in order to compile the necessary information for a 
list of disclosures.

---------------------------------------------------------------------------

[[Page 7011]]

    The number of requests for a list of disclosures will determine the 
overall burden associated with the List of Disclosures reporting 
requirements. However, because this is a new requirement, there were no 
data on which to base an estimated number of requests per year. We 
expect that the rate of requests will be relatively low. We therefore 
calculated the total costs for two rates, 0.1 percent and 2 percent of 
patients per year.
    We used the average number of substance abuse treatment admissions 
from SAMHSA's 2010-2012 TEDS as the number of patients treated annually 
by part 2 programs. Assuming that 10 percent of patients making 
requests (n = 186.17 to n = 3,723.39) would request a list of 
disclosures from entities that track disclosures through paper records 
and 90 percent of patients making requests (n = 1,675.52 to n = 
33,510.47) would make such a request of entities that track disclosures 
through health IT audit logs, the estimated costs to develop lists of 
disclosures range from $20,865.86 to $417,317.10 for entities using 
paper records, and $250,390.26 to $5,007,805.23 for entities using 
audit logs. (These ranges reflect the costs based on the two estimated 
patient rates of request referenced above (i.e., 0.1 percent and 2 
percent of patients per year)).
    Once a list of disclosures has been produced, it can be returned to 
the patient either by email or mail. Since the method of sending the 
list of disclosures depends on patient preference, we assumed that 50 
percent of the lists of disclosures would be sent by email and 50 
percent by first-class mail. We assumed that mailing and supply costs 
related to list of disclosures notifications were $0.10 supply cost per 
notification and $0.49 postage cost per mailing. We also estimated that 
it would take an administrative staff member 15 minutes to prepare each 
list of disclosures for mailing and/or transmitting, and that staff 
preparing the letters earn $15.01 \18\ per hour. In order to account 
for benefits and overhead costs associated with staff time, we 
multiplied the hourly wage rate by two. The estimated costs for list of 
disclosures notifications range from $7,535.20 to $150,704.05 for 
notifications sent by first-class mail, and $6,986 to $139,720.06 for 
notifications sent by email.
---------------------------------------------------------------------------

    \18\ Bureau of Labor Statistics, U.S. Department of Labor, 
Occupational Employment Statistics, [accessed June 3, 2015], 
Standard Occupations Classification code (31-9092) [www.bls.gov/oes/
].
---------------------------------------------------------------------------

    To produce the final overall cost estimate, we took the average of 
the minimum and maximum estimated costs to develop lists of disclosures 
by entities collecting the information electronically by using an audit 
log, and the average of the minimum and maximum estimated costs to 
develop lists of disclosures by entities using paper records. We then 
added the averages together to produce our estimate of the total cost 
to entities to develop lists of disclosures. Next we took the average 
of the minimum and maximum estimated costs for list of disclosures 
notifications sent via email and the minimum and maximum estimated 
costs for such notifications sent via first-class mail. We then added 
these two averages together to produce our estimate of the total cost 
to entities for list of disclosures notifications. Finally, the 
development and notification costs for these lists of disclosures were 
added together for the final estimate of costs associated with 
complying with List of Disclosure reporting requirements. The total 
cost for List of Disclosure reporting compliance across all entities 
was $3,000,661.88 in 2015 dollars. Complying with List of Disclosure 
requirements is assumed to be an ongoing, annual activity. Across the 
ten-year period, the total costs associated with the List of Disclosure 
reporting includes $10,995,750 in year 1, $35,186,400 in year 2, and 
$3,000,662 annually in years 3-10 for a total cost of $70,187,445 
across the ten-year period.

                                    Total Disclosure Reporting Costs in 2015
----------------------------------------------------------------------------------------------------------------
                                                                      Minimum         Maximum         Average
                                                                  estimated cost  estimated cost  estimated cost
----------------------------------------------------------------------------------------------------------------
Facilities with a Health IT System..............................        $250,390      $5,007,805      $2,629,098
Facilities without a Health IT System...........................          20,865         417,317         219,091
                                                                 -----------------------------------------------
    Total Costs.................................................  ..............  ..............       2,848,189
Average Number of Facilities....................................  ..............  ..............          19,548
----------------------------------------------------------------------------------------------------------------


                                   Total Disclosure Notification Costs in 2015
----------------------------------------------------------------------------------------------------------------
                                                                      Minimum         Maximum         Average
                                                                  estimated cost  estimated cost  estimated cost
----------------------------------------------------------------------------------------------------------------
Email Notification..............................................          $6,986        $139,720         $73,353
First Class Mail Notification...................................           7,535         150,704          79,120
                                                                 -----------------------------------------------
    Total Costs.................................................  ..............  ..............         152,473
----------------------------------------------------------------------------------------------------------------

d. IT Updates
    SAMHSA, in collaboration with ONC and Federal and community 
stakeholders, has developed Consent2Share which is an open source tool 
for consent management and data segmentation that is designed to 
integrate with existing EHR and HIE systems. The Consent2Share 
architecture has a front-end, patient facing system known as Patient 
Consent Management and a backend control system known as Access Control 
Services. Communications with EHR vendors indicate that the cost to 
facilities of purchasing and installing additional functionality to 
existing electronic medical records applications, such as 
Consent2Share, typically range from $2,500 to $5,000. Because the add-
on systems for part 2 programs may be more complex than standard 
patient monitoring systems, we estimate that the cost of adding the new 
functionality would be approximately $8,000 per facility. We also 
assumed that this

[[Page 7012]]

would be a one-time expense, rather than a recurring cost, for each 
provider.
    Furthermore, national estimates indicated that no more than 50 
percent of substance use disorder treatment facilities have an 
operational ``computerized administrative information system.'' \19\ 
We, therefore, estimated that only half of the 12,034 part 2 programs 
(i.e., 6,017 facilities) would have operational health IT systems that 
would require modifications to account for the changes to 42 CFR part 
2. With 6,017 part 2 programs with operational information systems, we 
estimated that each facility would need to spend $8,000 to modify their 
health IT system, which would lead to a total burden for updating 
health IT systems of $48,136,000. Updating health IT systems would be a 
one-time cost, and maintenance costs should be part of general health 
IT maintenance costs in later years. The proposed rules do not require 
that part 2 programs adopt health IT systems so there are no health IT 
costs associated with the estimated 50 percent of substance use 
disorder treatment facilities that continue to use paper records.
---------------------------------------------------------------------------

    \19\ McLellan, AT, Kathleen Meyers, K, Contemporary addiction 
treatment: A review of systems problems for adults and adolescents, 
Biological Psychiatry, Volume 56, Issue 10, 15 November 2004, Pages 
764-770, ISSN 0006-3223, http://dx.doi.org/10.1016/j.biopsych.2004.06.018.
---------------------------------------------------------------------------

    The RFA requires agencies to analyze options for regulatory relief 
of small entities. For purposes of the RFA, small entities include 
small businesses, nonprofit organizations, and small governmental 
jurisdictions. Most hospitals and most other providers are small 
entities, either by nonprofit status or by having revenues of less than 
$7.5 million to $38.5 million in any 1 year. Individuals and states are 
not included in the definition of a small entity. We are not preparing 
an analysis for the RFA because we have determined, and the Secretary 
certifies, that this proposed rule would not have a significant 
economic impact on a substantial number of small entities. While the 
changes in the regulations would apply to all part 2 programs, the 
impact on these entities would be quite small. Specifically, as 
described in the Overall Impact section, the cost to part 2 programs 
associated with updates to 42 CFR part 2 in the first year that the 
final rule is in effect would be $74,217,979, a figure that, due to a 
number of one-time updates, is the highest for any of the 10 years 
estimated. The per-entity economic impact in the first year would be 
approximately $6,167 ($74,217,979 / 12,034), a figure that is unlikely 
to represent 3% of revenues for 5% of impacted small entities. 
Consequently, it has been determined that the proposed regulations 
would not have a significant economic impact on small entities.
    In addition, section 1102(b) of the Act requires us to prepare a 
regulatory impact analysis if a rule may have a significant impact on 
the operations of a substantial number of small rural hospitals. This 
analysis must conform to the provisions of section 603 of the RFA. For 
purposes of section 1102(b) of the Act, we define a small rural 
hospital as a hospital that is located outside of a Metropolitan 
Statistical Area for Medicare payment regulations and has fewer than 
100 beds. We are not preparing an analysis for section 1102(b) of the 
Act because we have determined, and the Secretary certifies, that this 
proposed rule would not have a significant impact on the operations of 
a substantial number of small rural hospitals.
    Section 202 of the Unfunded Mandates Reform Act of 1995 also 
requires that agencies assess anticipated costs and benefits before 
issuing any rule whose mandates require spending in any 1 year of $100 
million in 1995 dollars, updated annually for inflation. In 2014, that 
threshold is approximately $141 million. This rule would have no 
consequential effect on state, local, or tribal governments or on the 
private sector.
    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a proposed rule (and subsequent 
final rule) that imposes substantial direct requirement costs on state 
and local governments, preempts state law, or otherwise has Federalism 
implications. Since this rule does not impose any costs on state or 
local governments, the requirements of Executive Order 13132 are not 
applicable.
    SAMHSA is proposing to modernize 42 CFR part 2. With respect to our 
proposal to revise the regulations, we do not believe that this 
proposal would have a significant impact as it gives more flexibility 
to individuals and entities covered by 42 CFR part 2 but also adds 
privacy protections within the consent requirements for the patient. We 
are making this proposal in response to concerns that 42 CFR part 2 is 
outdated and burdensome.
    Executive Order 13132 on Federalism (August 4, 1999) establishes 
certain requirements that an agency must meet when it promulgates a 
proposed rule (and subsequent final rule) that imposes substantial 
direct requirement costs on state and local governments, preempts state 
law, or otherwise has Federalism implications. We have reviewed this 
proposed rule under the threshold criteria of Executive Order 13132, 
Federalism, and have determined that it would not have substantial 
direct effects on the rights, roles, and responsibilities of states, 
local or tribal governments.

C. Conclusion

    SAMHSA is proposing to modernize 42 CFR part 2. With respect to our 
proposal to revise the regulations, we do not believe that this 
proposal would have a significant impact as it gives more flexibility 
to individuals and entities covered by 42 CFR part 2 but also increases 
privacy protections within the consent requirements and adds an 
additional confidentiality safeguard for patients. This proposed rule 
does not reach the economic threshold for requiring a regulatory impact 
by Executive Orders 12866 and 13563 and thus is not considered a major 
rule. Likewise, we are not preparing an analysis for the RFA because we 
have determined, and the Secretary certifies, that this proposed rule 
would not have a significant economic impact on a substantial number of 
small entities. We are not preparing an analysis for section 1102(b) of 
the RFA because we have determined, and the Secretary certifies, that 
this proposed rule would not have a significant impact on the 
operations of a substantial number of small rural hospitals. This 
proposed rule would have no consequential effect on state, local, or 
tribal governments or on the private sector. Since this rule does not 
impose any costs on state or local governments, the requirements of 
Executive Order 13132 on federalism are not applicable.
    We invite public comments on this section and request any 
additional data that would help us determine more accurately the impact 
on individuals and entities by the proposed rule. In accordance with 
the provisions of Executive Order 12866, this rule was reviewed by the 
OMB.

List of Subjects in 42 CFR Part 2

    Alcohol abuse, Alcoholism, Drug abuse, Grant programs-health, 
Health records, Privacy, Reporting, and Recordkeeping requirements.

Regulations Text

    For the reasons stated in the preamble of this proposed rule, 42 
CFR part 2 is proposed to be revised as follows:

[[Page 7013]]

PART 2--CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS

Subpart A--Introduction
Sec.
2.1 Statutory authority for confidentiality of substance use 
disorder patient records.
2.2 Purpose and effect.
2.3 Criminal penalty for violation.
2.4 Reports of violations.
Subpart B--General Provisions
2.11 Definitions.
2.12 Applicability.
2.13 Confidentiality restrictions and safeguards.
2.14 Minor patients.
2.15 Incompetent and deceased patients.
2.16 Security for records.
2.17 Undercover agents and informants.
2.18 Restrictions on the use of identification cards.
2.19 Disposition of records by discontinued programs.
2.20 Relationship to state laws.
2.21 Relationship to federal statutes protecting research subjects 
against compulsory disclosure of their identity.
2.22 Notice to patients of federal confidentiality requirements.
2.23 Patient access and restrictions on use.
Subpart C--Disclosures with Patient Consent
2.31 Consent requirements.
2.32 Prohibition on re-disclosure.
2.33 Disclosures permitted with written consent.
2.34 Disclosures to prevent multiple enrollments.
2.35 Disclosures to elements of the criminal justice system which 
have referred patients.
Subpart D--Disclosures without Patient Consent
2.51 Medical emergencies.
2.52 Research.
2.53 Audit and evaluation.
Subpart E--Court Orders Authorizing Disclosure and Use
2.61 Legal effect of order.
2.62 Order not applicable to records disclosed without consent to 
researchers, auditors and evaluators.
2.63 Confidential communications.
2.64 Procedures and criteria for orders authorizing disclosures for 
noncriminal purposes.
2.65 Procedures and criteria for orders authorizing disclosure and 
use of records to criminally investigate or prosecute patients.
2.66 Procedures and criteria for orders authorizing disclosure and 
use of records to investigate or prosecute a part 2 program or the 
person holding the records.
2.67 Orders authorizing the use of undercover agents and informants 
to criminally investigate employees or agents of a part 2 program.

    Authority: 42 U.S.C. 290dd-2.

Subpart A--Introduction


Sec.  2.1  Statutory authority for confidentiality of substance use 
disorder patient records.

    Title 42, United States Code, Section 290dd-2(g) authorizes the 
Secretary to prescribe regulations. Such regulations may contain such 
definitions, and may provide for such safeguards and procedures, 
including procedures and criteria for the issuance and scope of orders, 
as in the judgment of the Secretary are necessary or proper to 
effectuate the purposes of this statute, to prevent circumvention or 
evasion thereof, or to facilitate compliance therewith.


Sec.  2.2  Purpose and effect.

    (a) Purpose. Under the statutory provisions quoted in Sec.  2.1, 
these regulations impose restrictions upon the disclosure and use of 
substance abuse patient records which are maintained in connection with 
the performance of any part 2 program. The regulations specify in:
    (1) Subpart B of this part: General Provisions, including 
definitions, applicability, and general restrictions;
    (2) Subpart C of this part: Disclosures with Patient Consent, 
including disclosures which require patient consent and the consent 
form requirements;
    (3) Subpart D of this part: Disclosures without Patient Consent, 
including disclosures which do not require patient consent or an 
authorizing court order; and
    (4) Subpart E of this part: Court Orders Authorizing Disclosure and 
Use, including disclosures and uses of patient records which may be 
made with an authorizing court order and the procedures and criteria 
for the entry and scope of those orders.
    (b) Effect. (1) These regulations prohibit the disclosure and use 
of patient records unless certain circumstances exist. If any 
circumstance exists under which disclosure is permitted, that 
circumstance acts to remove the prohibition on disclosure but it does 
not compel disclosure. Thus, the regulations do not require disclosure 
under any circumstances.
    (2) These regulations are not intended to direct the manner in 
which substantive functions such as research, treatment, and evaluation 
are carried out. They are intended to ensure that a patient receiving 
treatment for a substance use disorder in a part 2 program is not made 
more vulnerable by reason of the availability of their patient record 
than an individual with a substance use disorder who does not seek 
treatment.
    (3) Because there is a criminal penalty (a fine--see 42 U.S.C. 
290dd-2(f) and Sec.  2.3) for violating the regulations, they are to be 
construed strictly in favor of the potential violator in the same 
manner as a criminal statute (see M. Kraus & Brothers v. United States, 
327 U.S. 614, 621-22, 66 S. Ct. 705, 707-08 (1946)).


Sec.  2.3  Criminal penalty for violation.

    Under 42 U.S.C. 290dd-2(f), any person who violates any provision 
of that statute or these regulations shall be fined not more than $500 
in the case of a first offense, and not more than $5,000 in the case of 
each subsequent offense.


Sec.  2.4  Reports of violations.

    (a) The report of any violation of these regulations may be 
directed to the United States Attorney for the judicial district in 
which the violation occurs.
    (b) The report of any violation of these regulations by an opioid 
treatment program may be directed to the United States Attorney for the 
judicial district in which the violation occurs as well as to the 
Substance Abuse and Mental Health Services Administration (SAMHSA) 
office responsible for opioid treatment program oversight.

Subpart B--General Provisions


Sec.  2.11  Definitions.

    For purposes of these regulations:
    Central registry means an organization which obtains from two or 
more member programs patient identifying information about individuals 
applying for withdrawal management or maintenance treatment for the 
purpose of avoiding an individual's concurrent enrollment in more than 
one treatment program.
    Diagnosis means any reference to an individual's substance use 
disorder or to a condition which is identified as having been caused by 
that substance use disorder which is made for the purpose of treatment 
or referral for treatment.
    Disclose means to communicate any information identifying a patient 
as having or having had a substance use disorder either directly, by 
reference to publicly available information, or through verification of 
such identification by another person.
    Federally assisted-- see Sec.  2.12(b).
    Informant means an individual:
    (1) Who is a patient or employee of a part 2 program or who becomes 
a patient or employee of a part 2 program at the request of a law 
enforcement agency or official; and
    (2) Who at the request of a law enforcement agency or official 
observes

[[Page 7014]]

one or more patients or employees of the part 2 program for the purpose 
of reporting the information obtained to the law enforcement agency or 
official.
    Maintenance treatment means pharmacotherapy for individuals with 
substance use disorders which reduces the pathological pursuit of 
reward and/or relief and supports remission of substance use disorder-
related symptoms.
    Member program means a withdrawal management or maintenance 
treatment program which reports patient identifying information to a 
central registry and which is in the same state as that central 
registry or is not more than 125 miles from any border of the state in 
which the central registry is located.
    Minor, as used in these regulations, means an individual who has 
not attained the age of majority specified in the applicable state law, 
or if no age of majority is specified in the applicable state law, the 
age of eighteen years.
    Part 2 program means a federally assisted program (federally 
assisted as defined in Sec.  2.12(b) and program as defined in this 
section). See Sec.  2.12(e)(1) for examples.
    Part 2 program director means:
    (1) In the case of a part 2 program which is an individual, that 
individual.
    (2) In the case of a part 2 program which is an entity, the 
individual designated as director or managing director, or individual 
otherwise vested with authority to act as chief executive officer of 
the part 2 program.
    Patient means any individual who has applied for or been given 
diagnosis, treatment, or referral for treatment for a substance use 
disorder at a part 2 program. Patient includes any individual who, 
after arrest on a criminal charge, is identified as an individual with 
a substance use disorder in order to determine that individual's 
eligibility to participate in a part 2 program. This definition 
includes both current and former patients.
    Patient identifying information means the name, address, social 
security number, fingerprints, photograph, or similar information by 
which the identity of a patient, as defined in this section, can be 
determined with reasonable accuracy either directly or by reference to 
other publicly available information. The term does not include a 
number assigned to a patient by a part 2 program, if that number does 
not consist of, or contain numbers (such as a social security, or 
driver's license number) which could be used to identify a patient with 
reasonable accuracy from sources external to the part 2 program.
    Person means an individual, partnership, corporation, federal, 
state or local government agency, or any other legal entity, (also 
referred to as individual and/or entity).
    Program means:
    (1) An individual or entity (other than a general medical facility 
or general medical practice) who holds itself out as providing, and 
provides, substance use disorder diagnosis, treatment, or referral for 
treatment; or
    (2) An identified unit within a general medical facility or general 
medical practice that holds itself out as providing, and provides, 
substance use disorder diagnosis, treatment, or referral for treatment; 
or
    (3) Medical personnel or other staff in a general medical facility 
or general medical practice whose primary function is the provision of 
substance use disorder diagnosis, treatment, or referral for treatment 
and who are identified as such providers.
    Qualified service organization means an individual or entity who:
    (1) Provides services to a part 2 program, such as data processing, 
bill collecting, dosage preparation, laboratory analyses, or legal, 
accounting, population health management, medical staffing, or other 
professional services, or services to prevent or treat child abuse or 
neglect, including training on nutrition and child care and individual 
and group therapy, and
    (2) Has entered into a written agreement with a part 2 program 
under which that individual or entity:
    (i) Acknowledges that in receiving, storing, processing, or 
otherwise dealing with any patient records from the part 2 program, it 
is fully bound by these regulations; and
    (ii) If necessary, will resist in judicial proceedings any efforts 
to obtain access to patient identifying information related to 
substance use disorder diagnosis, treatment, or referral for treatment 
except as permitted by these regulations.
    Records means any information, whether recorded or not, received or 
acquired by a part 2 program relating to a patient. For the purpose of 
these regulations, records include both paper and electronic records.
    Substance use disorder means a cluster of cognitive, behavioral, 
and physiological symptoms indicating that the individual continues 
using the substance despite significant substance-related problems such 
as impaired control, social impairment, risky use, and pharmacological 
tolerance and withdrawal. For the purposes of these regulations, this 
definition does not include tobacco or caffeine use. (Also referred to 
as substance abuse.)
    Third-party payer means a person who pays, or agrees to pay, for 
diagnosis or treatment furnished to a patient on the basis of a 
contractual relationship with the patient or a member of their family 
or on the basis of the patient's eligibility for federal, state, or 
local governmental benefits.
    Treating provider relationship means that, regardless of whether 
there has been an actual in-person encounter:
    (1) A patient agrees to be diagnosed, evaluated and/or treated for 
any condition by an individual or entity; and
    (2) The individual or entity agrees to undertake diagnosis, 
evaluation and/or treatment of the patient, or consultation with the 
patient, for any condition.
    Treatment means the care of a patient suffering from a substance 
use disorder, a condition which is identified as having been caused by 
the substance use disorder, or both, in order to reduce or eliminate 
the adverse effects upon the patient.
    Undercover agent means any federal, state, or local law enforcement 
agency or official who enrolls in or becomes an employee of a part 2 
program for the purpose of investigating a suspected violation of law 
or who pursues that purpose after enrolling or becoming employed for 
other purposes.
    Withdrawal management means the use of pharmacotherapies to treat 
or attenuate the problematic signs and symptoms arising when heavy and/
or prolonged substance use is reduced or discontinued.


Sec.  2.12  Applicability.

    (a) General--(1) Restrictions on disclosure. The restrictions on 
disclosure in these regulations apply to any information, whether or 
not recorded, which:
    (i) Would identify a patient as having or having had a substance 
use disorder either directly, by reference to publicly available 
information, or through verification of such identification by another 
person; and
    (ii) Is drug abuse information obtained by a federally assisted 
drug abuse program after March 20, 1972 (part 2 program), or is alcohol 
abuse information obtained by a federally assisted alcohol abuse 
program after May 13, 1974 (part 2 program); or if obtained before the 
pertinent date, is maintained by a part 2 program after that date as 
part of an ongoing treatment episode which extends past that date; for 
the purpose of treating a substance use disorder, making a diagnosis 
for that

[[Page 7015]]

treatment, or making a referral for that treatment.
    (2) Restriction on use. The restriction on use of information to 
initiate or substantiate any criminal charges against a patient or to 
conduct any criminal investigation of a patient (42 U.S.C. 290dd-2(c)) 
applies to any information, whether or not recorded which is drug abuse 
information obtained by a federally assisted drug abuse program after 
March 20, 1972 (part 2 program), or is alcohol abuse information 
obtained by a federally assisted alcohol abuse program after May 13, 
1974 (part 2 program); or if obtained before the pertinent date, is 
maintained by a part 2 program after that date as part of an ongoing 
treatment episode which extends past that date; for the purpose of 
treating a substance use disorder, making a diagnosis for the 
treatment, or making a referral for the treatment.
    (b) Federal assistance. A program is considered to be federally 
assisted if:
    (1) It is conducted in whole or in part, whether directly or by 
contract or otherwise by any department or agency of the United States 
(but see paragraphs (c)(1) and (2) of this section relating to the 
Department of Veterans Affairs and the Armed Forces);
    (2) It is being carried out under a license, certification, 
registration, or other authorization granted by any department or 
agency of the United States including but not limited to:
    (i) Participating provider in the Medicare program;
    (ii) Authorization to conduct maintenance treatment or withdrawal 
management; or
    (iii) Registration to dispense a substance under the Controlled 
Substances Act to the extent the controlled substance is used in the 
treatment of substance use disorders;
    (3) It is supported by funds provided by any department or agency 
of the United States by being:
    (i) A recipient of federal financial assistance in any form, 
including financial assistance which does not directly pay for the 
substance use disorder diagnosis, treatment, or referral for treatment; 
or
    (ii) Conducted by a state or local government unit which, through 
general or special revenue sharing or other forms of assistance, 
receives federal funds which could be (but are not necessarily) spent 
for the substance use disorder program; or
    (4) It is assisted by the Internal Revenue Service of the 
Department of the Treasury through the allowance of income tax 
deductions for contributions to the program or through the granting of 
tax exempt status to the program.
    (c) Exceptions--(1) Department of Veterans Affairs. These 
regulations do not apply to information on patients receiving substance 
use disorder treatment who are maintained in connection with the 
Department of Veterans Affairs provisions of hospital care, nursing 
home care, domiciliary care, and medical services under Title 38, 
U.S.C. Those records are governed by 38 U.S.C. 7332 and regulations 
issued under that authority by the Secretary of Veterans Affairs.
    (2) Armed Forces. These regulations apply to any information 
described in paragraph (a) of this section which was obtained by any 
component of the Armed Forces during a period when the patient was 
subject to the Uniform Code of Military Justice except:
    (i) Any interchange of that information within the Armed Forces; 
and
    (ii) Any interchange of that information between the Armed Forces 
and those components of the Department of Veterans Affairs furnishing 
health care to veterans.
    (3) Communication within a part 2 program or between a part 2 
program and an entity having direct administrative control over that 
part 2 program. The restrictions on disclosure in these regulations do 
not apply to communications of information between or among personnel 
having a need for the information in connection with their duties that 
arise out of the provision of diagnosis, treatment, or referral for 
treatment of patients with substance use disorders if the 
communications are:
    (i) Within a part 2 program; or
    (ii) Between a part 2 program and an entity that has direct 
administrative control over the program.
    (4) Qualified service organizations. The restrictions on disclosure 
in these regulations do not apply to communications between a part 2 
program and a qualified service organization of information needed by 
the qualified service organization to provide services to the program.
    (5) Crimes on part 2 program premises or against part 2 program 
personnel. The restrictions on disclosure and use in these regulations 
do not apply to communications from part 2 program personnel to law 
enforcement agencies or officials which:
    (i) Are directly related to a patient's commission of a crime on 
the premises of the part 2 program or against part 2 program personnel 
or to a threat to commit such a crime; and
    (ii) Are limited to the circumstances of the incident, including 
the patient status of the individual committing or threatening to 
commit the crime, that individual's name and address, and that 
individual's last known whereabouts.
    (6) Reports of suspected child abuse and neglect. The restrictions 
on disclosure and use in these regulations do not apply to the 
reporting under state law of incidents of suspected child abuse and 
neglect to the appropriate state or local authorities. However, the 
restrictions continue to apply to the original substance use disorder 
patient records maintained by the part 2 program including their 
disclosure and use for civil or criminal proceedings which may arise 
out of the report of suspected child abuse and neglect.
    (d) Applicability to recipients of information--(1) Restriction on 
use of information. The restriction on the use of any information 
subject to these regulations to initiate or substantiate any criminal 
charges against a patient or to conduct any criminal investigation of a 
patient applies to any person who obtains that information from a part 
2 program, regardless of the status of the person obtaining the 
information or whether the information was obtained in accordance with 
these regulations. This restriction on use bars, among other things, 
the introduction of that information as evidence in a criminal 
proceeding and any other use of the information to investigate or 
prosecute a patient with respect to a suspected crime. Information 
obtained by undercover agents or informants (see Sec.  2.17) or through 
patient access (see Sec.  2.23) is subject to the restriction on use.
    (2) Restrictions on disclosures--(i) Third-party payers, 
administrative entities, and others. The restrictions on disclosure in 
these regulations apply to:
    (A) Third-party payers with regard to records disclosed to them by 
part 2 programs;
    (B) Entities having direct administrative control over part 2 
programs with regard to information that is subject to these 
regulations communicated to them by the part 2 program under paragraph 
(c)(3) of this section; and
    (C) Individuals or entities who receive patient records directly 
from a part 2 program or other lawful holder of patient identifying 
information and who are notified of the prohibition on re-disclosure in 
accordance with Sec.  2.32.
    (ii) [Reserved]
    (e) Explanation of applicability--(1) Coverage. These regulations 
cover any information (including information on referral and intake) 
about patients receiving a diagnosis, treatment, or referral for 
treatment for a substance use

[[Page 7016]]

disorder obtained by a part 2 program. Coverage includes, but is not 
limited to, those treatment or rehabilitation programs, employee 
assistance programs, programs within general hospitals, school-based 
programs, and private practitioners (other than general medical 
practices) who hold themselves out as providing, and provide substance 
use disorder diagnosis, treatment, or referral for treatment. However, 
these regulations would not apply, for example, to emergency room 
personnel who refer a patient to the intensive care unit for an 
apparent overdose, unless the primary function of such personnel is the 
provision of substance use disorder diagnosis, treatment, or referral 
for treatment and they are identified as providing such services or the 
emergency room has promoted itself to the community as a provider of 
such services.
    (2) Federal assistance to program required. If a patient's 
substance use disorder diagnosis, treatment, or referral for treatment 
is not provided by a part 2 program, that patient's record is not 
covered by these regulations. Thus, it is possible for an individual 
patient to benefit from federal support and not be covered by the 
confidentiality regulations because the program in which the patient is 
enrolled is not federally assisted as defined in paragraph (b) of this 
section. For example, if a federal court placed an individual in a 
private for-profit program and made a payment to the program on behalf 
of that individual, that patient's record would not be covered by these 
regulations unless the program itself received federal assistance as 
defined by paragraph (b) of this section.
    (3) Information to which restrictions are applicable. Whether a 
restriction is on use or disclosure affects the type of information 
which may be available. The restrictions on disclosure apply to any 
information which would identify a patient as having or having had a 
substance use disorder. The restriction on use of information to bring 
criminal charges against a patient for a crime applies to any 
information obtained by the part 2 program for the purpose of 
diagnosis, treatment, or referral for treatment of patients with 
substance use disorders. (Note that restrictions on use and disclosure 
apply to recipients of information under paragraph (d) of this 
section.)
    (4) How type of diagnosis affects coverage. These regulations cover 
any record of a diagnosis identifying a patient as having or having had 
a substance use disorder which is prepared in connection with the 
treatment or referral for treatment of a patient with a substance use 
disorder. A diagnosis prepared for the purpose of treatment or referral 
for treatment but which is not so used is covered by these regulations. 
The following are not covered by these regulations:
    (i) Diagnosis which is made solely for the purpose of providing 
evidence for use by law enforcement agencies or officials; or
    (ii) A diagnosis of drug overdose or alcohol intoxication which 
clearly shows that the individual involved does not have a substance 
use disorder (e.g., involuntary ingestion of alcohol or drugs or 
reaction to a prescribed dosage of one or more drugs).


Sec.  2.13  Confidentiality restrictions and safeguards.

    (a) General. The patient records subject to these regulations may 
be disclosed or used only as permitted by these regulations and may not 
otherwise be disclosed or used in any civil, criminal, administrative, 
or legislative proceedings conducted by any federal, state, or local 
authority. Any disclosure made under these regulations must be limited 
to that information which is necessary to carry out the purpose of the 
disclosure.
    (b) Unconditional compliance required. The restrictions on 
disclosure and use in these regulations apply whether or not the part 2 
program or other lawful holder of the patient identifying information 
believes that the person seeking the information already has it, has 
other means of obtaining it, is a law enforcement agency or official or 
other government official, has obtained a subpoena, or asserts any 
other justification for a disclosure or use which is not permitted by 
these regulations.
    (c) Acknowledging the presence of patients: Responding to requests. 
(1) The presence of an identified patient in a health care facility or 
component of a health care facility which is publicly identified as a 
place where only substance use disorder diagnosis, treatment, or 
referral for treatment is provided may be acknowledged only if the 
patient's written consent is obtained in accordance with subpart C of 
this part or if an authorizing court order is entered in accordance 
with subpart E of this part. The regulations permit acknowledgement of 
the presence of an identified patient in a health care facility or part 
of a health care facility if the health care facility is not publicly 
identified as only a substance use disorder diagnosis, treatment, or 
referral for treatment facility, and if the acknowledgement does not 
reveal that the patient has a substance use disorder.
    (2) Any answer to a request for a disclosure of patient records 
which is not permissible under these regulations must be made in a way 
that will not affirmatively reveal that an identified individual has 
been, or is being, diagnosed or treated for a substance use disorder. 
An inquiring party may be provided a copy of these regulations and 
advised that they restrict the disclosure of substance use disorder 
patient records, but may not be told affirmatively that the regulations 
restrict the disclosure of the records of an identified patient.
    (d) List of disclosures. Upon request, patients who have consented 
to disclose their patient identifying information using a general 
designation pursuant to Sec.  2.31(a)(4)(iv)(C) must be provided a list 
of entities to which their information has been disclosed pursuant to 
the general designation.
    (1) Under this paragraph (d), patient requests:
    (i) Must be made in writing; and
    (ii) Are limited to disclosures made within the past two years;
    (2) Under this paragraph (d), the entity named on the consent form 
that discloses information pursuant to a patient's general designation 
(the entity without a treating provider relationship that serves as an 
intermediary, as described in Sec.  2.31(a)(4)(iv)) must:
    (i) Respond in 30 or fewer days of receipt of the written request; 
and
    (ii) Provide, for each disclosure, the name(s) of the entity(-ies) 
to which the disclosure was made, the date of the disclosure, and a 
brief description of the patient identifying information disclosed.


Sec.  2.14  Minor patients.

    (a) State law not requiring parental consent to treatment. If a 
minor patient acting alone has the legal capacity under the applicable 
state law to apply for and obtain substance use disorder treatment, any 
written consent for disclosure authorized under subpart C of this part 
may be given only by the minor patient. This restriction includes, but 
is not limited to, any disclosure of patient identifying information to 
the parent or guardian of a minor patient for the purpose of obtaining 
financial reimbursement. These regulations do not prohibit a part 2 
program from refusing to provide treatment until the minor patient 
consents to the disclosure necessary to obtain reimbursement, but 
refusal to provide treatment may be prohibited under a state or local 
law requiring the program to furnish the service irrespective of 
ability to pay.

[[Page 7017]]

    (b) State law requiring parental consent to treatment. (1) Where 
state law requires consent of a parent, guardian, or other individual 
for a minor to obtain treatment for a substance use disorder, any 
written consent for disclosure authorized under subpart C of this part 
must be given by both the minor and their parent, guardian, or other 
individual authorized under state law to act in the minor's behalf.
    (2) Where state law requires parental consent to treatment, the 
fact of a minor's application for treatment may be communicated to the 
minor's parent, guardian, or other individual authorized under state 
law to act in the minor's behalf only if:
    (i) The minor has given written consent to the disclosure in 
accordance with subpart C of this part; or
    (ii) The minor lacks the capacity to make a rational choice 
regarding such consent as judged by the part 2 program director under 
paragraph (c) of this section.
    (c) Minor applicant for services lacks capacity for rational 
choice. Facts relevant to reducing a threat to the life or physical 
well-being of the applicant or any other individual may be disclosed to 
the parent, guardian, or other individual authorized under state law to 
act in the minor's behalf if the part 2 program director judges that:
    (1) A minor applicant for services lacks capacity because of 
extreme youth or mental or physical condition to make a rational 
decision on whether to consent to a disclosure under subpart C of this 
part to their parent, guardian, or other individual authorized under 
state law to act in the minor's behalf; and
    (2) The applicant's situation poses a substantial threat to the 
life or physical well-being of the applicant or any other individual 
which may be reduced by communicating relevant facts to the minor's 
parent, guardian, or other individual authorized under state law to act 
in the minor's behalf.


Sec.  2.15  Incompetent and deceased patients.

    (a) Incompetent patients other than minors--(1) Adjudication of 
incompetence. In the case of a patient who has been adjudicated as 
lacking the capacity, for any reason other than insufficient age, to 
manage their own affairs, any consent which is required under these 
regulations may be given by the guardian or other individual authorized 
under state law to act in the patient's behalf.
    (2) No adjudication of incompetency. In the case of a patient, 
other than a minor or one who has been adjudicated incompetent, that 
for any period suffers from a medical condition that prevents knowing 
or effective action on their own behalf, the part 2 program director 
may exercise the right of the patient to consent to a disclosure under 
subpart C of this part for the sole purpose of obtaining payment for 
services from a third-party payer.
    (b) Deceased patients--(1) Vital statistics. These regulations do 
not restrict the disclosure of patient identifying information relating 
to the cause of death of a patient under laws requiring the collection 
of death or other vital statistics or permitting inquiry into the cause 
of death.
    (2) Consent by personal representative. Any other disclosure of 
information identifying a deceased patient as having a substance use 
disorder is subject to these regulations. If a written consent to the 
disclosure is required, that consent may be given by an executor, 
administrator, or other personal representative appointed under 
applicable state law. If there is no such applicable state law 
appointment, the consent may be given by the patient's spouse or, if 
none, by any responsible member of the patient's family.


Sec.  2.16  Security for records.

    (a) The part 2 program or other lawful holder of patient 
identifying information must have in place formal policies and 
procedures to reasonably protect against unauthorized uses and 
disclosures of patient identifying information and to protect against 
reasonably anticipated threats or hazards to the security of patient 
identifying information. These formal policies and procedures must 
address:
    (1) Paper records, including:
    (i) Transferring and removing such records; and
    (ii) Destroying such records, including sanitizing the hard copy 
media associated with the paper printouts, to render the patient 
identifying information non-retrievable; and
    (iii) Maintaining such records in a secure room, locked file 
cabinet, safe, or other similar container, or storage facility when not 
in use; and
    (iv) Using and accessing workstations, secure rooms, locked file 
cabinets, safes, or other similar containers, and storage facilities 
that use or store such information; and
    (v) Rendering patient identifying information non-identifiable in a 
manner that creates a very low risk of re-identification (e.g., 
removing direct identifiers).
    (2) Electronic records, including:
    (i) Copying, downloading, forwarding, transferring, and removing 
such records; and
    (ii) Destroying such records, including sanitizing the electronic 
media on which it was stored, to render the patient identifying 
information non-retrievable; and
    (iii) Maintaining such records; and
    (iv) Using and accessing electronic records or other electronic 
media containing patient identifying information; and
    (v) Rendering the patient identifying information non-identifiable 
in a manner that creates a very low risk of re-identification (e.g., 
removing direct identifiers).
    (b) [Reserved]


Sec.  2.17  Undercover agents and informants.

    (a) Restrictions on placement. Except as specifically authorized by 
a court order granted under Sec.  2.67, no part 2 program may knowingly 
employ, or enroll as a patient, any undercover agent or informant.
    (b) Restriction on use of information. No information obtained by 
an undercover agent or informant, whether or not that undercover agent 
or informant is placed in a part 2 program pursuant to an authorizing 
court order, may be used to criminally investigate or prosecute any 
patient.


Sec.  2.18  Restrictions on the use of identification cards.

    No person may require any patient to carry in their immediate 
possession while away from the part 2 program premises any card or 
other object which would identify the patient as having a substance use 
disorder. This section does not prohibit a person from requiring 
patients to use or carry cards or other identification objects on the 
premises of a part 2 program.


Sec.  2.19  Disposition of records by discontinued programs.

    (a) General. If a part 2 program discontinues operations or is 
taken over or acquired by another program, it must remove patient 
identifying information from its records or destroy its records, 
including sanitizing any associated hard copy or electronic media, to 
render the patient identifying information non-retrievable in a manner 
consistent with the policies and procedures established under Sec.  
2.16, unless:
    (1) The patient who is the subject of the records gives written 
consent (meeting the requirements of Sec.  2.31) to a transfer of the 
records to the acquiring program or to any other program designated in 
the consent (the manner of obtaining this consent must minimize the 
likelihood of a disclosure of patient identifying information to a 
third party); or

[[Page 7018]]

    (2) There is a legal requirement that the records be kept for a 
period specified by law which does not expire until after the 
discontinuation or acquisition of the part 2 program.
    (b) Special procedure where retention period required by law. If 
paragraph (a)(2) of this section applies:
    (1) Records, which are paper, must be:
    (i) Sealed in envelopes or other containers labeled as follows: 
``Records of [insert name of program] required to be maintained under 
[insert citation to statute, regulation, court order or other legal 
authority requiring that records be kept] until a date not later than 
[insert appropriate date]''; and
    (A) All hard copy media from which the paper records were produced, 
such as printer and facsimile ribbons, drums, etc., must be sanitized 
to render the data non-retrievable; and
    (B) [Reserved]
    (ii) Held under the restrictions of these regulations by a 
responsible person who must, as soon as practicable after the end of 
the retention period specified on the label, destroy the records and 
sanitize any associated hard copy media to render the patient 
identifying information non-retrievable in a manner consistent with the 
discontinued program's or acquiring program's policies and procedures 
established under Sec.  2.16.
    (2) Records, which are electronic, must be:
    (i) Transferred to a portable electronic device with implemented 
encryption to encrypt the data at rest so that there is a low 
probability of assigning meaning without the use of a confidential 
process or key and implemented access controls for the confidential 
process or key; and
    (A) All electronic media on which the patient records or patient 
identifying information resided prior to being transferred to the 
device, including email and other electronic communications, must be 
sanitized to render the patient identifying information non-retrievable 
in a manner consistent with the discontinued program's or acquiring 
program's policies and procedures established under Sec.  2.16; and
    (B) The device must be:
    (1) Sealed in a container along with any equipment needed to read 
or access the information, and labeled as follows: ``Records of [insert 
name of program] required to be maintained under [insert citation to 
statute, regulation, court order or other legal authority requiring 
that records be kept] until a date not later than [insert appropriate 
date];'' and
    (2) Held under the restrictions of these regulations by a 
responsible person who must store the container in a manner that will 
protect the information (e.g., climate controlled environment); and
    (C) The responsible person must be included on the access control 
list and be provided a means for decrypting the data. The responsible 
person must store the decryption tools on a device or at a location 
separate from the data they are used to encrypt or decrypt; and
    (D) As soon as practicable after the end of the retention period 
specified on the label, the portable electronic device must be 
sanitized to render the patient identifying information non-retrievable 
consistent with the policies established under Sec.  2.16.
    (ii) [Reserved]


Sec.  2.20  Relationship to state laws.

    The statute authorizing these regulations (42 U.S.C. 290dd-2) does 
not preempt the field of law which they cover to the exclusion of all 
state laws in that field. If a disclosure permitted under these 
regulations is prohibited under state law, neither these regulations 
nor the authorizing statute may be construed to authorize any violation 
of that state law. However, no state law may either authorize or compel 
any disclosure prohibited by these regulations.


Sec.  2.21  Relationship to federal statutes protecting research 
subjects against compulsory disclosure of their identity.

    (a) Research privilege description. There may be concurrent 
coverage of patient identifying information by these regulations and by 
administrative action taken under section 502(c) of the Controlled 
Substances Act (21 U.S.C. 872(c) and the implementing regulations at 21 
CFR part 1316); or section 301(d) of the Public Health Service Act (42 
U.S.C. 241(d) and the implementing regulations at 42 CFR part 2a). 
These research privilege statutes confer on the Secretary of Health and 
Human Services and on the Attorney General, respectively, the power to 
authorize researchers conducting certain types of research to withhold 
from all persons not connected with the research the names and other 
identifying information concerning individuals who are the subjects of 
the research.
    (b) Effect of concurrent coverage. These regulations restrict the 
disclosure and use of information about patients, while administrative 
action taken under the research privilege statutes and implementing 
regulations protects a person engaged in applicable research from being 
compelled to disclose any identifying characteristics of the 
individuals who are the subjects of that research. The issuance under 
subpart E of this part of a court order authorizing a disclosure of 
information about a patient does not affect an exercise of authority 
under these research privilege statutes.


Sec.  2.22  Notice to patients of federal confidentiality requirements.

    (a) Notice required. At the time of admission to a part 2 program 
or as soon thereafter as the patient is capable of rational 
communication, each part 2 program shall:
    (1) Communicate to the patient that federal law and regulations 
protect the confidentiality of substance use disorder patient records; 
and
    (2) Give to the patient a summary in writing of the federal law and 
regulations.
    (b) Required elements of written summary. The written summary of 
the federal law and regulations must include:
    (1) A general description of the limited circumstances under which 
a part 2 program may acknowledge that an individual is present or 
disclose outside the part 2 program information identifying a patient 
as having or having had a substance use disorder.
    (2) A statement that violation of the federal law and regulations 
by a part 2 program is a crime and that suspected violations may be 
reported to appropriate authorities consistent with Sec.  2.4, along 
with contact information.
    (3) A statement that information related to a patient's commission 
of a crime on the premises of the part 2 program or against personnel 
of the part 2 program is not protected.
    (4) A statement that reports of suspected child abuse and neglect 
made under state law to appropriate state or local authorities are not 
protected.
    (5) A citation to the federal law and regulations.
    (c) Program options. The part 2 program must devise a notice to 
comply with the requirement to provide the patient with a summary in 
writing of the federal law and regulations. In this written summary, 
the part 2 program also may include information concerning state law 
and any of the part 2 program's policies that are not inconsistent with 
state and federal law on the subject of confidentiality of substance 
use disorder patient records.


Sec.  2.23  Patient access and restrictions on use.

    (a) Patient access not prohibited. These regulations do not 
prohibit a part 2 program from giving a patient access to their own 
records, including the opportunity to inspect and copy any records that 
the part 2 program

[[Page 7019]]

maintains about the patient. The part 2 program is not required to 
obtain a patient's written consent or other authorization under these 
regulations in order to provide such access to the patient.
    (b) Restriction on use of information. Information obtained by 
patient access to their patient record is subject to the restriction on 
use of this information to initiate or substantiate any criminal 
charges against the patient or to conduct any criminal investigation of 
the patient as provided for under Sec.  2.12(d)(1).

Subpart C--Disclosures With Patient Consent


Sec.  2.31  Consent requirements.

    (a) Required elements for written consent. A written consent to a 
disclosure under these regulations may be paper or electronic and must 
include:
    (1) The name of the patient.
    (2) The name of the part 2 program(s) or other lawful holder(s) of 
the patient identifying information permitted to make the disclosure.
    (3) How much and what kind of information is to be disclosed, 
including an explicit description of the substance use disorder 
information that may be disclosed.
    (4)(i) The name(s) of the individual(s) to whom a disclosure is to 
be made; or
    (ii) If the entity has a treating provider relationship with the 
patient whose information is being disclosed, such as a hospital, a 
health care clinic, or a private practice, the name of that entity; or
    (iii) If the entity does not have a treating provider relationship 
with the patient whose information is being disclosed and is a third-
party payer that requires patient identifying information for the 
purpose of reimbursement for services rendered to the patient by the 
part 2 program, the name of the entity; or
    (iv) If the entity does not have a treating provider relationship 
with the patient whose information is being disclosed and is not 
covered by paragraph (a)(4)(iii) of this section, such as an entity 
that facilitates the exchange of health information or a research 
institution, the name(s) of the entity(-ies); and
    (A) The name(s) of an individual participant(s); or
    (B) The name(s) of an entity participant(s) that has a treating 
provider relationship with the patient whose information is being 
disclosed; or
    (C) A general designation of an individual or entity participant(s) 
or class of participants that must be limited to a participant(s) who 
has a treating provider relationship with the patient whose information 
is being disclosed.
    (1) When using a general designation, a statement must be included 
on the consent form that the patient (or other individual authorized to 
sign in lieu of the patient), confirms their understanding that, upon 
their request and consistent with this part, they must be provided a 
list of entities to which their information has been disclosed pursuant 
to the general designation (see Sec.  2.13(d)).
    (2) [Reserved]
    (5) The purpose of the disclosure.
    (6) A statement that the patient (or other individual authorized to 
sign in lieu of the patient) confirms their understanding of the terms 
of their consent.
    (7) A statement that the consent is subject to revocation at any 
time except to the extent that the part 2 program or other lawful 
holder of patient identifying information that is permitted to make the 
disclosure has already acted in reliance on it. Acting in reliance 
includes the provision of treatment services in reliance on a valid 
consent to disclose information to a third-party payer.
    (8) The date, event, or condition upon which the consent will 
expire if not revoked before. This date, event, or condition must 
ensure that the consent will last no longer than reasonably necessary 
to serve the purpose for which it is provided.
    (9) The signature of the patient and, when required for a patient 
who is a minor, the signature of an individual authorized to give 
consent under Sec.  2.14; or, when required for a patient who is 
incompetent or deceased, the signature of an individual authorized to 
sign under Sec.  2.15. Electronic signatures are permitted to the 
extent that they are not prohibited by any applicable law.
    (10) The date on which the consent is signed.
    (b) Expired, deficient, or false consent. A disclosure may not be 
made on the basis of a consent which:
    (1) Has expired;
    (2) On its face substantially fails to conform to any of the 
requirements set forth in paragraph (a) of this section;
    (3) Is known to have been revoked; or
    (4) Is known, or through reasonable diligence could be known, by 
the individual or entity holding the records to be materially false.


Sec.  2.32  Prohibition on re-disclosure.

    (a) Notice to accompany disclosure. Each disclosure made with the 
patient's written consent must be accompanied by the following written 
statement:


This information has been disclosed to you from records protected by 
federal confidentiality rules (42 CFR part 2). The federal rules 
prohibit you from making any further disclosure of information in this 
record that identifies a patient as having or having had a substance 
use disorder either directly, by reference to publicly available 
information, or through verification of such identification by another 
person unless further disclosure is expressly permitted by the written 
consent of the individual whose information is being disclosed or as 
otherwise permitted by 42 CFR part 2. A general authorization for the 
release of medical or other information is NOT sufficient for this 
purpose. The federal rules restrict any use of the information to 
criminally investigate or prosecute any patient with a substance use 
disorder, except as provided at Sec.  2.12(c)(5).

    (b) [Reserved]


Sec.  2.33  Disclosures permitted with written consent.

    If a patient consents to a disclosure of their records under Sec.  
2.31, a program may disclose those records in accordance with that 
consent to any person identified in the consent, except that 
disclosures to central registries and in connection with criminal 
justice referrals must meet the requirements of Sec. Sec.  2.34 and 
2.35, respectively.


Sec.  2.34  Disclosures to prevent multiple enrollments.

    (a) Restrictions on disclosure. A part 2 program, as defined in 
Sec.  2.11, may disclose patient records to a central registry or to 
any withdrawal management or maintenance treatment program not more 
than 200 miles away for the purpose of preventing the multiple 
enrollment of a patient only if:
    (1) The disclosure is made when:
    (i) The patient is accepted for treatment;
    (ii) The type or dosage of the drug is changed; or
    (iii) The treatment is interrupted, resumed or terminated.
    (2) The disclosure is limited to:
    (i) Patient identifying information;
    (ii) Type and dosage of the drug; and
    (iii) Relevant dates.
    (3) The disclosure is made with the patient's written consent 
meeting the requirements of Sec.  2.31, except that:
    (i) The consent must list the name and address of each central 
registry and each known withdrawal management or maintenance treatment 
program to which a disclosure will be made; and
    (ii) The consent may authorize a disclosure to any withdrawal 
management or maintenance treatment

[[Page 7020]]

program established within 200 miles of the program after the consent 
is given without naming any such program.
    (b) Use of information limited to prevention of multiple 
enrollments. A central registry and any withdrawal management or 
maintenance treatment program to which information is disclosed to 
prevent multiple enrollments may not re-disclose or use patient 
identifying information for any purpose other than the prevention of 
multiple enrollments unless authorized by a court order under subpart E 
of this part.
    (c) Permitted disclosure by a central registry to prevent a 
multiple enrollment. When a member program asks a central registry if 
an identified patient is enrolled in another member program and the 
registry determines that the patient is so enrolled, the registry may 
disclose:
    (1) The name, address, and telephone number of the member 
program(s) in which the patient is already enrolled to the inquiring 
member program; and
    (2) The name, address, and telephone number of the inquiring member 
program to the member program(s) in which the patient is already 
enrolled. The member programs may communicate as necessary to verify 
that no error has been made and to prevent or eliminate any multiple 
enrollments.
    (d) Permitted disclosure by a withdrawal management or maintenance 
treatment program to prevent a multiple enrollment. A withdrawal 
management or maintenance treatment program which has received a 
disclosure under this section and has determined that the patient is 
already enrolled may communicate as necessary with the program making 
the disclosure to verify that no error has been made and to prevent or 
eliminate any multiple enrollments.


Sec.  2.35  Disclosures to elements of the criminal justice system 
which have referred patients.

    (a) A part 2 program may disclose information about a patient to 
those individuals within the criminal justice system who have made 
participation in the part 2 program a condition of the disposition of 
any criminal proceedings against the patient or of the patient's parole 
or other release from custody if:
    (1) The disclosure is made only to those individuals within the 
criminal justice system who have a need for the information in 
connection with their duty to monitor the patient's progress (e.g., a 
prosecuting attorney who is withholding charges against the patient, a 
court granting pretrial or post-trial release, probation or parole 
officers responsible for supervision of the patient); and
    (2) The patient has signed a written consent meeting the 
requirements of Sec.  2.31 (except paragraph (a)(8) which is 
inconsistent with the revocation provisions of paragraph (c) of this 
section) and the requirements of paragraphs (b) and (c) of this 
section.
    (b) Duration of consent. The written consent must state the period 
during which it remains in effect. This period must be reasonable, 
taking into account:
    (1) The anticipated length of the treatment;
    (2) The type of criminal proceeding involved, the need for the 
information in connection with the final disposition of that 
proceeding, and when the final disposition will occur; and
    (3) Such other factors as the part 2 program, the patient, and the 
individual(s) within the criminal justice system who will receive the 
disclosure consider pertinent.
    (c) Revocation of consent. The written consent must state that it 
is revocable upon the passage of a specified amount of time or the 
occurrence of a specified, ascertainable event. The time or occurrence 
upon which consent becomes revocable may be no later than the final 
disposition of the conditional release or other action in connection 
with which consent was given.
    (d) Restrictions on re-disclosure and use. An individual within the 
criminal justice system who receives patient information under this 
section may re-disclose and use it only to carry out that individual's 
official duties with regard to the patient's conditional release or 
other action in connection with which the consent was given.

Subpart D--Disclosures Without Patient Consent


Sec.  2.51  Medical emergencies.

    (a) General rule. Under the procedures required by paragraph (c) of 
this section, patient identifying information may be disclosed to 
medical personnel to the extent necessary to meet a bona fide medical 
emergency in which the patient's prior informed consent cannot be 
obtained.
    (b) Special rule. Patient identifying information may be disclosed 
to medical personnel of the Food and Drug Administration (FDA) who 
assert a reason to believe that the health of any individual may be 
threatened by an error in the manufacture, labeling, or sale of a 
product under FDA jurisdiction, and that the information will be used 
for the exclusive purpose of notifying patients or their physicians of 
potential dangers.
    (c) Procedures. Immediately following disclosure, the part 2 
program shall document, in writing, the disclosure in the patient's 
records, including:
    (1) The name of the medical personnel to whom disclosure was made 
and their affiliation with any health care facility;
    (2) The name of the individual making the disclosure;
    (3) The date and time of the disclosure; and
    (4) The nature of the emergency (or error, if the report was to 
FDA).


Sec.  2.52  Research.

    (a) Patient identifying information may be disclosed by the part 2 
program or other lawful holder of part 2 data for the purpose of 
conducting scientific research if the individual designated as director 
or managing director, or individual otherwise vested with authority to 
act as chief executive officer or their designee makes a determination 
that the recipient of the patient identifying information:
    (1) If a Health Insurance Portability and Accountability Act 
(HIPAA) covered entity or business associate, has obtained and 
documented authorization, or a waiver or alteration of authorization, 
consistent with the HIPAA privacy rule at 45 CFR 164.512(i); or
    (2) If subject to the HHS regulations regarding the protection of 
human subjects (45 CFR part 46), provides documentation that the 
researcher is in compliance with the requirements of the HHS 
regulations, including the requirements related to informed consent or 
a waiver of consent (45 CFR 46.111 and 46.116); or
    (3) If both a HIPAA covered entity or business associate and 
subject to the HHS regulations regarding the protection of human 
subjects, has met the requirements of paragraphs (a)(1) and (2) of this 
section; and
    (b) Any individual or entity conducting scientific research using 
patient identifying information obtained under paragraph (a) of this 
section:
    (1) Is fully bound by these regulations and, if necessary, will 
resist in judicial proceedings any efforts to obtain access to patient 
records except as permitted by these regulations.
    (2) Must not re-disclose patient identifying information except 
back to the individual or entity from whom that patient identifying 
information was obtained or as permitted under paragraph (b)(4) of this 
section.
    (3) May include part 2 data in reports only in aggregate form to 
limit the

[[Page 7021]]

potential for the disclosure of patient identities.
    (4) That requests linkages to data sets from a federal data 
repository(-ies) holding patient identifying information must have the 
request reviewed and approved by an Institutional Review Board (IRB) 
registered with the Department of Health and Human Services, Office for 
Human Research Protections in accordance with 45 CFR part 46 to ensure 
that patient privacy is considered and the need for identifiable data 
is justified.
    (i) Upon request, the researcher may be required to provide 
evidence of the IRB approval of the research project that contains the 
data linkage component.
    (ii) Except as provided in paragraph (b) of this section, a 
researcher may not use patient identifying information for data 
linkages purposes.
    (5) Must maintain and destroy patient identifying information in 
accordance with the security policies and procedures established under 
Sec.  2.16.
    (6) Must retain records in compliance with applicable federal, 
state, and local record retention laws.


Sec.  2.53  Audit and evaluation.

    (a) Records not copied or removed. If patient records are not 
downloaded, copied or removed from the part 2 program premises or 
forwarded electronically to another electronic system or device, 
patient identifying information, as defined in Sec.  2.11, may be 
disclosed in the course of a review of records on the part 2 program 
premises to any individual or entity who agrees in writing to comply 
with the limitations on re-disclosure and use in paragraph (d) of this 
section and who:
    (1) Performs the audit or evaluation on behalf of:
    (i) Any federal, state, or local government agency which provides 
financial assistance to the part 2 program or is authorized by law to 
regulate its activities; or
    (ii) Any individual or entity who provides financial assistance to 
the part 2 program, which is a third-party payer covering patients in 
the part 2 program, or which is a quality improvement organization 
performing a utilization or quality control review; or
    (2) Is determined by the part 2 program to be qualified to conduct 
an audit or evaluation of the part 2 program.
    (b) Copying, removing, downloading, or forwarding patient records. 
Records containing patient identifying information, as defined in Sec.  
2.11, may be copied or removed from a part 2 program premises or 
downloaded or forwarded to another electronic system or device from the 
part 2 program's electronic records by any individual or entity who:
    (1) Agrees in writing to:
    (i) Maintain and destroy the patient identifying information in a 
manner consistent with the policies and procedures established under 
Sec.  2.16;
    (ii) Retain records in compliance with applicable federal, state, 
and local record retention laws; and
    (iii) Comply with the limitations on disclosure and use in 
paragraph (d) of this section; and
    (2) Performs the audit or evaluation on behalf of:
    (i) Any federal, state, or local government agency which provides 
financial assistance to the part 2 program or is authorized by law to 
regulate its activities; or
    (ii) Any individual or entity who provides financial assistance to 
the part 2 program, which is a third-party payer covering patients in 
the part 2 program, or which is a quality improvement organization 
performing a utilization or quality control review.
    (c) Medicare, Medicaid, Children's Health Insurance Program (CHIP), 
or related audit or evaluation. (1) Patient identifying information, as 
defined in Sec.  2.11, may be disclosed under paragraph (c) of this 
section to any individual or entity for the purpose of conducting a 
Medicare, Medicaid, or CHIP audit or evaluation, including an audit or 
evaluation necessary to meet the requirements for a Centers for 
Medicare & Medicaid Services (CMS)-regulated accountable care 
organization (CMS-regulated ACO) or similar CMS-regulated organization 
(including a CMS-regulated Qualified Entity (QE)), if the individual or 
entity agrees in writing to comply with the following:
    (i) Maintain and destroy the patient identifying information in a 
manner consistent with the policies and procedures established under 
Sec.  2.16;
    (ii) Retain records in compliance with applicable federal, state, 
and local record retention laws; and
    (iii) Comply with the limitations on disclosure and use in 
paragraph (d) of this section.
    (2) A Medicare, Medicaid, or CHIP audit or evaluation under this 
section includes a civil or administrative investigation of a part 2 
program by any federal, state, or local government agency with 
oversight responsibilities for Medicare, Medicaid, or CHIP and includes 
administrative enforcement, against the part 2 program by the 
government agency, of any remedy authorized by law to be imposed as a 
result of the findings of the investigation.
    (3) An audit or evaluation necessary to meet the requirements for a 
CMS-regulated ACO or similar CMS-regulated organization (including a 
CMS-regulated QE) must be conducted in accordance with the following:
    (i) A CMS-regulated ACO or similar CMS-regulated organization 
(including a CMS-regulated QE) must:
    (A) Have in place administrative and clinical systems; and
    (B) Have in place a leadership and management structure, including 
a governing body and chief executive officer with responsibility for 
oversight of the organization's management and for ensuring compliance 
with and adherence to the terms and conditions of the Participation 
Agreement with CMS; and
    (ii) A CMS-regulated ACO or similar CMS-regulated organization 
(including a CMS-regulated QE) must have a signed Participation 
Agreement with CMS, which provides that the CMS-regulated ACO or 
similar CMS-regulated organization (including a CMS-regulated QE):
    (A) Is subject to periodic evaluations by CMS, or is required by 
CMS to evaluate participants in the CMS-regulated ACO or similar CMS-
regulated organization (including a CMS-regulated QE) relative to CMS-
defined or approved quality and/or cost measures;
    (B) Must designate an executive who has the authority to legally 
bind the organization to ensure compliance with 42 U.S.C. 290dd-2 and 
this part and the terms and conditions of the Participation Agreement 
in order to receive patient identifying information from CMS;
    (C) Agrees to comply with all applicable provisions of 42 U.S.C. 
290dd-2 and this part;
    (D) Must ensure that any audit or evaluation involving patient 
identifying information occurs in a confidential and controlled setting 
approved by the designated executive;
    (E) Must ensure that any communications or reports or other 
documents resulting from an audit or evaluation under this section do 
not allow for the direct or indirect identification of a patient as 
having or having had a substance use disorder; and
    (F) Must establish policies and procedures to protect the 
confidentiality of the patient identifying information consistent with 
this part, the terms and conditions of the Participation Agreement, and 
the requirements set forth in paragraph (c)(1) of this section.
    (4) Program, as defined in Sec.  2.11, includes an employee of, or 
provider of medical services under the program

[[Page 7022]]

when the employee or provider is the subject of a civil investigation 
or administrative remedy, as those terms are used in paragraph (c)(2) 
of this section.
    (5) If a disclosure to an individual or entity is authorized under 
this section for a Medicare, Medicaid, or CHIP audit or evaluation, 
including a civil investigation or administrative remedy, as those 
terms are used in paragraph (c)(2) of this section, then a quality 
improvement organization which obtains the information under paragraph 
(a) or (b) of this section may disclose the information to that 
individual or entity but only for the purpose of conducting a Medicare, 
Medicaid, or CHIP audit or evaluation.
    (6) The provisions of this paragraph do not authorize the part 2 
program, the federal, state, or local government agency, or any other 
individual or entity to disclose or use patient identifying information 
obtained during the audit or evaluation for any purposes other than 
those necessary to complete the audit or evaluation as specified in 
paragraph (c) of this section.
    (d) Limitations on disclosure and use. Except as provided in 
paragraph (c) of this section, patient identifying information 
disclosed under this section may be disclosed only back to the program 
from which it was obtained and used only to carry out an audit or 
evaluation purpose or to investigate or prosecute criminal or other 
activities, as authorized by a court order entered under Sec.  2.66.

Subpart E--Court Orders Authorizing Disclosure and Use


Sec.  2.61  Legal effect of order.

    (a) Effect. An order of a court of competent jurisdiction entered 
under this subpart is a unique kind of court order. Its only purpose is 
to authorize a disclosure or use of patient information which would 
otherwise be prohibited by 42 U.S.C. 290dd-2 and these regulations. 
Such an order does not compel disclosure. A subpoena or a similar legal 
mandate must be issued in order to compel disclosure. This mandate may 
be entered at the same time as and accompany an authorizing court order 
entered under these regulations.
    (b) Examples. (1) A person holding records subject to these 
regulations receives a subpoena for those records. The person may not 
disclose the records in response to the subpoena unless a court of 
competent jurisdiction enters an authorizing order under these 
regulations.
    (2) An authorizing court order is entered under these regulations, 
but the person authorized does not want to make the disclosure. If 
there is no subpoena or other compulsory process or a subpoena for the 
records has expired or been quashed, that person may refuse to make the 
disclosure. Upon the entry of a valid subpoena or other compulsory 
process the person authorized to disclose must disclose, unless there 
is a valid legal defense to the process other than the confidentiality 
restrictions of these regulations.


Sec.  2.62  Order not applicable to records disclosed without consent 
to researchers, auditors and evaluators.

    A court order under these regulations may not authorize qualified 
personnel, who have received patient identifying information without 
consent for the purpose of conducting research, audit or evaluation, to 
disclose that information or use it to conduct any criminal 
investigation or prosecution of a patient. However, a court order under 
Sec.  2.66 may authorize disclosure and use of records to investigate 
or prosecute qualified personnel holding the records.


Sec.  2.63  Confidential communications.

    (a) A court order under these regulations may authorize disclosure 
of confidential communications made by a patient to a part 2 program in 
the course of diagnosis, treatment, or referral for treatment only if:
    (1) The disclosure is necessary to protect against an existing 
threat to life or of serious bodily injury, including circumstances 
which constitute suspected child abuse and neglect and verbal threats 
against third parties;
    (2) The disclosure is necessary in connection with investigation or 
prosecution of an extremely serious crime, such as one which directly 
threatens loss of life or serious bodily injury, including homicide, 
rape, kidnapping, armed robbery, assault with a deadly weapon, or child 
abuse and neglect; or
    (3) The disclosure is in connection with litigation or an 
administrative proceeding in which the patient offers testimony or 
other evidence pertaining to the content of the confidential 
communications.
    (b) [Reserved]


Sec.  2.64  Procedures and criteria for orders authorizing disclosures 
for noncriminal purposes.

    (a) Application. An order authorizing the disclosure of patient 
records for purposes other than criminal investigation or prosecution 
may be applied for by any person having a legally recognized interest 
in the disclosure which is sought. The application may be filed 
separately or as part of a pending civil action in which it appears 
that the patient records are needed to provide evidence. An application 
must use a fictitious name, such as John Doe, to refer to any patient 
and may not contain or otherwise disclose any patient identifying 
information unless the patient is the applicant or has given a written 
consent (meeting the requirements of these regulations) to disclosure 
or the court has ordered the record of the proceeding sealed from 
public scrutiny.
    (b) Notice. The patient and the person holding the records from 
whom disclosure is sought must be provided:
    (1) Adequate notice in a manner which will not disclose patient 
identifying information to other persons; and
    (2) An opportunity to file a written response to the application, 
or to appear in person, for the limited purpose of providing evidence 
on the statutory and regulatory criteria for the issuance of the court 
order.
    (c) Review of evidence: Conduct of hearing. Any oral argument, 
review of evidence, or hearing on the application must be held in the 
judge's chambers or in some manner which ensures that patient 
identifying information is not disclosed to anyone other than a party 
to the proceeding, the patient, or the person holding the record, 
unless the patient requests an open hearing in a manner which meets the 
written consent requirements of these regulations. The proceeding may 
include an examination by the judge of the patient records referred to 
in the application.
    (d) Criteria for entry of order. An order under this section may be 
entered only if the court determines that good cause exists. To make 
this determination the court must find that:
    (1) Other ways of obtaining the information are not available or 
would not be effective; and
    (2) The public interest and need for the disclosure outweigh the 
potential injury to the patient, the physician-patient relationship and 
the treatment services.
    (e) Content of order. An order authorizing a disclosure must:
    (1) Limit disclosure to those parts of the patient's record which 
are essential to fulfill the objective of the order;
    (2) Limit disclosure to those persons whose need for information is 
the basis for the order; and
    (3) Include such other measures as are necessary to limit 
disclosure for the protection of the patient, the physician-

[[Page 7023]]

patient relationship and the treatment services; for example, sealing 
from public scrutiny the record of any proceeding for which disclosure 
of a patient's record has been ordered.


Sec.  2.65  Procedures and criteria for orders authorizing disclosure 
and use of records to criminally investigate or prosecute patients.

    (a) Application. An order authorizing the disclosure or use of 
patient records to criminally investigate or prosecute a patient may be 
applied for by the person holding the records or by any law enforcement 
or prosecutorial officials who are responsible for conducting 
investigative or prosecutorial activities with respect to the 
enforcement of criminal laws. The application may be filed separately, 
as part of an application for a subpoena or other compulsory process, 
or in a pending criminal action. An application must use a fictitious 
name such as John Doe, to refer to any patient and may not contain or 
otherwise disclose patient identifying information unless the court has 
ordered the record of the proceeding sealed from public scrutiny.
    (b) Notice and hearing. Unless an order under Sec.  2.66 is sought 
with an order under this section, the person holding the records must 
be provided
    (1) Adequate notice (in a manner which will not disclose patient 
identifying information to other persons) of an application by a law 
enforcement agency or official;
    (2) An opportunity to appear and be heard for the limited purpose 
of providing evidence on the statutory and regulatory criteria for the 
issuance of the court order; and
    (3) An opportunity to be represented by counsel independent of 
counsel for an applicant who is a law enforcement agency or official.
    (c) Review of evidence: Conduct of hearings. Any oral argument, 
review of evidence, or hearing on the application shall be held in the 
judge's chambers or in some other manner which ensures that patient 
identifying information is not disclosed to anyone other than a party 
to the proceedings, the patient, or the person holding the records. The 
proceeding may include an examination by the judge of the patient 
records referred to in the application.
    (d) Criteria. A court may authorize the disclosure and use of 
patient records for the purpose of conducting a criminal investigation 
or prosecution of a patient only if the court finds that all of the 
following criteria are met:
    (1) The crime involved is extremely serious, such as one which 
causes or directly threatens loss of life or serious bodily injury 
including homicide, rape, kidnapping, armed robbery, assault with a 
deadly weapon, and child abuse and neglect.
    (2) There is a reasonable likelihood that the records will disclose 
information of substantial value in the investigation or prosecution.
    (3) Other ways of obtaining the information are not available or 
would not be effective.
    (4) The potential injury to the patient, to the physician-patient 
relationship and to the ability of the part 2 program to provide 
services to other patients is outweighed by the public interest and the 
need for the disclosure.
    (5) If the applicant is a law enforcement agency or official that:
    (i) The person holding the records has been afforded the 
opportunity to be represented by independent counsel; and
    (ii) Any person holding the records which is an entity within 
federal, state, or local government has in fact been represented by 
counsel independent of the applicant.
    (e) Content of order. Any order authorizing a disclosure or use of 
patient records under this section must:
    (1) Limit disclosure and use to those parts of the patient's record 
which are essential to fulfill the objective of the order;
    (2) Limit disclosure to those law enforcement and prosecutorial 
officials who are responsible for, or are conducting, the investigation 
or prosecution, and limit their use of the records to investigation and 
prosecution of extremely serious crime or suspected crime specified in 
the application; and
    (3) Include such other measures as are necessary to limit 
disclosure and use to the fulfillment of only that public interest and 
need found by the court.


Sec.  2.66  Procedures and criteria for orders authorizing disclosure 
and use of records to investigate or prosecute a part 2 program or the 
person holding the records.

    (a) Application. (1) An order authorizing the disclosure or use of 
patient records to criminally or administratively investigate or 
prosecute a part 2 program or the person holding the records (or 
employees or agents of that part 2 program or person holding the 
records) may be applied for by any administrative, regulatory, 
supervisory, investigative, law enforcement, or prosecutorial agency 
having jurisdiction over the program's or person's activities.
    (2) The application may be filed separately or as part of a pending 
civil or criminal action against a part 2 program or the person holding 
the records (or agents or employees of the part 2 program or person 
holding the records) in which it appears that the patient records are 
needed to provide material evidence. The application must use a 
fictitious name, such as John Doe, to refer to any patient and may not 
contain or otherwise disclose any patient identifying information 
unless the court has ordered the record of the proceeding sealed from 
public scrutiny or the patient has provided a written consent (meeting 
the requirements of Sec.  2.31) to that disclosure.
    (b) Notice not required. An application under this section may, in 
the discretion of the court, be granted without notice. Although no 
express notice is required to the part 2 program, to the person holding 
the records, or to any patient whose records are to be disclosed, upon 
implementation of an order so granted any of the above persons must be 
afforded an opportunity to seek revocation or amendment of that order, 
limited to the presentation of evidence on the statutory and regulatory 
criteria for the issuance of the court order.
    (c) Requirements for order. An order under this section must be 
entered in accordance with, and comply with the requirements of, 
paragraphs (d) and (e) of Sec.  2.64.
    (d) Limitations on disclosure and use of patient identifying 
information. (1) An order entered under this section must require the 
deletion of patient identifying information from any documents made 
available to the public.
    (2) No information obtained under this section may be used to 
conduct any investigation or prosecution of a patient, or be used as 
the basis for an application for an order under Sec.  2.65.


Sec.  2.67  Orders authorizing the use of undercover agents and 
informants to criminally investigate employees or agents of a part 2 
program.

    (a) Application. A court order authorizing the placement of an 
undercover agent or informant in a part 2 program as an employee or 
patient may be applied for by any law enforcement or prosecutorial 
agency which has reason to believe that employees or agents of the part 
2 program are engaged in criminal misconduct.
    (b) Notice. The part 2 program director must be given adequate 
notice of the application and an opportunity to appear and be heard 
(for the limited purpose of providing evidence on the statutory and 
regulatory criteria for the issuance of the court order), unless the 
application asserts a belief that:

[[Page 7024]]

    (1) The part 2 program director is involved in the criminal 
activities to be investigated by the undercover agent or informant; or
    (2) The part 2 program director will intentionally or 
unintentionally disclose the proposed placement of an undercover agent 
or informant to the employees or agents who are suspected of criminal 
activities.
    (c) Criteria. An order under this section may be entered only if 
the court determines that good cause exists. To make this determination 
the court must find:
    (1) There is reason to believe that an employee or agent of the 
part 2 program is engaged in criminal activity;
    (2) Other ways of obtaining evidence of this criminal activity are 
not available or would not be effective; and
    (3) The public interest and need for the placement of an undercover 
agent or informant in the part 2 program outweigh the potential injury 
to patients of the part 2 program, physician-patient relationships and 
the treatment services.
    (d) Content of order. An order authorizing the placement of an 
undercover agent or informant in a part 2 program must:
    (1) Specifically authorize the placement of an undercover agent or 
an informant;
    (2) Limit the total period of the placement to six months;
    (3) Prohibit the undercover agent or informant from disclosing any 
patient identifying information obtained from the placement except as 
necessary to criminally investigate or prosecute employees or agents of 
the part 2 program; and
    (4) Include any other measures which are appropriate to limit any 
potential disruption of the part 2 program by the placement and any 
potential for a real or apparent breach of patient confidentiality; for 
example, sealing from public scrutiny the record of any proceeding for 
which disclosure of a patient's record has been ordered.
    (e) Limitation on use of information. No information obtained by an 
undercover agent or informant placed in a part 2 program under this 
section may be used to criminally investigate or prosecute any patient 
or as the basis for an application for an order under Sec.  2.65.

    Dated: February 2, 2016.
Kana Enomoto,
Acting Administrator, Substance Abuse and Mental Health Services 
Administration.
    Approved: February 4, 2016.
Sylvia M. Burwell,
Secretary, Department of Health and Human Services.
[FR Doc. 2016-01841 Filed 2-5-16; 11:15 am]
 BILLING CODE 4162-20-P