[Federal Register Volume 82, Number 11 (Wednesday, January 18, 2017)]
[Proposed Rules]
[Pages 5485-5490]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-00742]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

42 CFR Part 2

[SAMHSA-4162-20]
RIN 0930-ZA07


Confidentiality of Substance Use Disorder Patient Records

AGENCY: Substance Abuse and Mental Health Services Administration, HHS.

ACTION: Supplemental notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: On Feb. 9, 2016, the Substance Abuse and Mental Health 
Services Administration (SAMHSA) published a Notice of Proposed 
Rulemaking (NPRM) that proposed policy changes to update and modernize 
the Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR 
part 2). SAMHSA explained in the NPRM that these changes were intended 
to better align the regulations with advances in the U.S. health care 
delivery system while retaining important privacy protections for 
individuals seeking treatment for substance use disorders. The last 
substantive update to these regulations was in 1987. SAMHSA is issuing 
this Supplemental Notice of Proposed Rulemaking (SNPRM) to propose 
additional clarifications to the part 2 regulations as amended by the 
concurrently issued final rule. As noted in the final rule, 42 CFR part 
2 Confidentiality of Substance Use Disorder Patient Records, questions 
raised by commenters highlighted varying interpretations of the 1987 
rule's restrictions on lawful holders and their contractors and 
subcontractors' use and disclosure of part 2-covered data for purposes 
of carrying out payment, health care operations, and other health care 
related activities. In consideration of this feedback and given the 
critical role that third-party payers, other lawful holders, and their 
contractors, subcontractors, and legal representatives play in the 
provision of health care services, SAMHSA is issuing this SNPRM to seek 
further comments on our proposals to address and help clarify these 
matters before establishing any appropriate restrictions on disclosures 
to contractors, subcontractors and legal representatives.

DATES: To be assured consideration, comments must be received at one of 
the addresses provided below, no later than 5 p.m. on February 17, 
2017.

ADDRESSES: You may submit comments, identified by Regulatory 
Information Number (RIN) 0930-AA21, by any of the following methods:
    Electronically: Federal eRulemaking Portal: Go to http://www.regulations.gov and follow the instructions for submitting 
comments.
    Regular, Express or Overnight Mail, or Hand Delivery or Courier: 
Written comments sent by hand delivery, or mailed by regular, express, 
or overnight mail must be sent to the following address ONLY: The 
Substance Abuse and Mental Health Services Administration, Department 
of Health and Human Services, Attn: Danielle Tarino, SAMHSA, 5600 
Fishers Lane, Room 13E89A, Rockville, Maryland 20857.
    Please allow sufficient time for mailed comments to be received 
before the close of the comment period.
    Instructions: To avoid duplication, please submit only one copy of 
your comments by only one method. All submissions received must include 
the agency name and docket number or RIN for this rulemaking. All 
comments received will become a matter of public record and will be 
posted without change to http://www.regulations.gov, including any 
personal information provided. For detailed instructions on submitting 
comments and additional information on the rulemaking process and 
viewing public comments, see the ``Request for Public Comments'' 
heading of the SUPPLEMENTARY INFORMATION section of this document.
    Docket: For access to the docket to read background documents or 
comments received, go to http://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Danielle Tarino, SAMHSA, 5600 Fishers 
Lane, Room 13E89A, Rockville, Maryland 20857, 240-276-2857, Email 
address: [email protected]

SUPPLEMENTARY INFORMATION:

Background

    On February 9, 2016, SAMHSA published an NPRM in the Federal 
Register (81 FR 6987) proposing updates to regulations for the 
Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR part 
2). These regulations implement title 42, section

[[Page 5486]]

290dd-2 of the United States Code pertaining to Confidentiality of 
Records. SAMHSA explained in that NPRM, it proposed to update these 
regulations, last substantively amended in 1987, to reflect development 
of integrated health care models and growing use of electronic means 
for exchanging patient information. At the same time, SAMHSA wished to 
maintain protections for (part 2) patient identifying information, as 
persons with substance use disorders still may encounter significant 
discrimination if their information is improperly disclosed.
    Elsewhere in this issue of the Federal Register SAMHSA published a 
final rule. In response to public comments, the final rule provides for 
greater flexibility in disclosing (part 2) patient identifying 
information within the health care system while continuing to address 
the privacy concerns of patients seeking treatment for a substance use 
disorder. SAMHSA received 376 comments on the NPRM. SAMHSA received a 
number of comments to the NPRM that went beyond what SAMHSA was 
proposing. Some commenters to the NPRM urged SAMHSA to clarify the 
scope of permitted disclosures of (part 2) patient identifying 
information by third-party payers. Some commenters asked that the 
current and proposed Qualified Service Organization (QSO) (part 2) 
patient identifying information disclosure provisions be applied to 
disclosures by third-party payers and other lawful holders of (part 2) 
patient identifying information to support health care operations and 
payment. Some commenters suggested doing this through the expansion of 
the definition of QSO. For instance, one commenter suggested that the 
definition of qualified service organization include ``lawful holders 
of [p]art 2 patient identifying information,'' stating that ACOs often 
engage analytics companies to provide support in identifying those 
high-risk patients who would benefit from care management and other 
services. Another commenter suggested expanding provisions concerning 
audits and evaluations to permit CMS to disclose (part 2) patient 
identifying information to ACOs and bundled payment participating 
entities for program audit and evaluation purposes. Others noted that 
QSOs themselves, as well as state Medicaid programs often use software 
vendors and other contractors, subcontractors, and legal 
representatives to carry out administrative and claims processing 
functions. A commenter further urged that the tasks that could be 
carried out under the QSO policies not only be broadened to include 
population health management activities but also ``clinical 
professional support services (e.g., quality improvement initiatives, 
utilization review and management services); third-party liability and 
coordination of benefit support services; activities related to 
preventing fraud, waste and abuse; and other activities and functions 
typically performed by contractors for or on behalf of third-party 
payers.''
    In developing the final rule, SAMHSA responded directly to several 
of these public comments about the NPRM. For instance, the ``To Whom'' 
discussion in the preamble to the final rule provides that: ``[f]or 
purposes of payment-related activities, to the extent that federal or 
state law authorizes or requires that the Medicaid or Medicare agency 
or program share data or enter into a contractual arrangement or other 
formal agreements to do so, written consent to disclose patient 
identifying information to the agencies or programs (as a third-party 
payer) under section 2.31(a)(4)(iii)(A) is considered to extend to the 
contractors, subcontractors, and legal representatives of the agencies 
or programs.'' SAMHSA discussed in the final rule preamble that a 
``lawful holder'' of (part 2) patient identifying information is an 
individual or entity who has received such information as the result of 
a part 2-compliant patient consent (with a prohibition on re-disclosure 
notice) or as permitted under the part 2 statute, regulations, or 
guidance and, therefore, is bound by 42 CFR part 2.
    One commenter indicated that state Medicaid agencies hire 
contractors for a wide array of ``administrative functions''; and that 
those contractors and vendors accessed (part 2) patient identifying 
information to carry out these activities. Other comments noted the 
role of third-parties in Medicaid program claims processing. Another 
commenter suggested that, given the role of MCOs, state Medicaid 
agencies and other programs, whether a patient designated the ``name of 
the state agency, the MCO or simply Medicaid, the rule should consider 
consent to apply to the State and its contracted delivery system.'' 
Another commenter similarly urged that ``In order to ensure that 
Medicaid programs can carry out its operational requirements, consent 
that names the Medicaid agency or the MCO should permit disclosure to 
the entity's contractors, when necessary.''
    With respect to lawful holders, certain commenters requested 
changes to or highlighted the need for additional guidance regarding 
how third-party payers may use and disclose (part 2) patient 
identifying information (as defined in 42 CFR 2.11) as they carry out 
their payment and health care operations. One commenter asked for 
explicit confirmation that Medicaid plans were allowed to process 
claims through a contracted entity (e.g., Medicaid managed care 
organizations (MCOs)). Similarly, another commenter recommended that 
the rule clarify that a patient's naming of the state agency, the MCO, 
or simply Medicaid were all adequate to consent to allowing the 
patient's information to be released to whichever entity actually 
conducted the required functions on behalf of the third-party payer. 
One commenter suggested that such payers should be viewed as 
intermediaries for purposes of sharing substance use disorder 
information with treating providers. Other commenters noted that 
Medicaid agencies and MCOs both require access to (part 2) patient 
identifying information for the purposes of payment. Another commenter 
discussed the history of the part 2 rules and asserted that the 
governing statute, 42 U.S.C. 290dd-2, does not require treating third-
party payers differently than other payers. The commenter further 
asserted that ``[e]ssentially all third-party payers contract with 
third parties to obtain services and perform activities that involve 
specialized expertise, equipment or other resources that the payer does 
not maintain in-house due to the associated administrative and other 
costs.''
    These comments, while not addressing specific changes proposed in 
the NPRM, have prompted SAMHSA to propose additional clarifications and 
modifications to the part 2 rules to clarify the scope of permissible 
disclosures. In an effort to address some of the commenters' requests 
and recommendations for clarity SAMHSA is concurrently issuing this 
SNPRM with the final rule to elicit public comment on these additional 
proposals to further clarify and expound upon these pertinent comments. 
We seek comment on our proposals regarding the following concepts and 
provisions: The payment and health care operations-related disclosures 
that can be made to contractors, subcontractors, and legal 
representatives by lawful holders under the part 2 rule consent 
provisions; and the provisions governing disclosures for purposes of 
carrying out a Medicaid, Medicare or Children's Health Insurance 
Program (CHIP) audit or evaluation. SAMHSA will take any such comments 
under consideration if it engages in further rulemaking in the future.

[[Page 5487]]

    SAMHSA will consider the public comments on this SNPRM, any 
relevant comments already received on these subjects in response to the 
February 9, 2016, NPRM and relevant comments made at the June 11, 2014 
listening session on part 2 (see 79 FR 26929) before issuing a final 
rule.

Proposed Provisions

    SAMHSA seeks comment on proposals in this SNPRM to retain the 
notice found in Sec.  2.32 but consider whether an abbreviated notice 
would be appropriate and in which circumstances, further revise Sec.  
2.33 (Disclosures permitted with written consent) define and limit the 
circumstances in which certain disclosures for the purposes of payment 
and health care operations can be made; and similarly to further revise 
Sec.  2.53 (Audit and Evaluation) to expressly address further 
disclosures by contractors, subcontractors, and legal representatives 
for purposes of carrying out a Medicaid, Medicare, or CHIP audit or 
evaluation. SAMHSA also seeks comment on its proposals regarding the 
establishment of appropriate restrictions and safeguards on lawful 
holders and their contractors, subcontractors, and legal 
representatives' use and disclosure of (part 2) patient identifying 
information for the purposes discussed in this SNPRM. SAMHSA is not 
soliciting comments on any other issues relating to the final rule and 
will not consider comments at this time that address changes to part 2 
other than those contemplated in this SNPRM.

Section 2.32 Prohibition on Re-Disclosure

    SAMHSA does not propose to substantively modify the existing notice 
at 2.32, but seeks comment on whether it should add a shorter 
abbreviated statement in subsection (a) Notice to accompany re-
disclosure to be used in certain circumstances (e.g., for particular 
types of disclosures or technical systems) where a shorter notice may 
be warranted. An abbreviated statement could read, for example, ``Data 
is subject to 42 CFR part 2. Use/disclose in conformance with part 2.''

Section 2.33 Disclosures Permitted With Written Consent

    SAMHSA understands that contractors, subcontractors, and legal 
representatives play an integral role in the management, delivery, and 
payment of health care services, but believes that limits should be 
placed on disclosures of (part 2) patient identifying information to 
such entities to carry out these activities. As such, SAMHSA seeks 
public comment on its proposal to explicitly list and limit under Sec.  
2.33(b), specific types of activities for which any lawful holder of 
(part 2) patient identifying information would be allowed to further 
disclose the minimal information necessary for specific payment and 
health care operations activities described below. While lawful holders 
may disclose (part 2) patient identifying information to contractors, 
subcontractors, and legal representatives for these purposes, this 
proposal makes clear the scope and requirements for those permitted 
disclosures. To the extent that a written consent permits the use of 
part 2 patient identifying information for payment or healthcare 
operations, this provision at Sec.  2.33(b) specifies that the further 
disclosures specified below can be made. SAMHSA notes that this list of 
activities related to payment and health care operation is similar to 
the HIPAA Privacy Rule's definition of the terms ``payment'' and 
``health care operations,'' although SAMHSA is not adopting those 
definitions in their entirety. The payment and health care operation 
activities listed in this section does not include activities that 
SAMHSA considers to be related to the patient's diagnosis, treatment, 
or referral for treatment. SAMHSA believes it is important to maintain 
patient choice in disclosing information to health care providers with 
whom they will have direct contact. For these reasons, this provision 
will not cover care coordination or case management and the proposal 
provides that disclosures to contractors, subcontractors, and legal 
representatives to carry out other purposes are not permitted under 
this section. SAMHSA will consider certain payment or health care 
operations-related activities permissible for lawful holders to 
disclose to contractors, subcontractors, or legal representatives as 
long as the activities fit within the overall purpose of the written 
consent. See paragraphs (b)(1) through (17) of Sec.  2.33
    SAMHSA also solicits comment on whether the proposed listing of 
explicitly permitted activities is adequate and appropriate to ensure 
the health care industry's ability to conduct necessary payment and the 
described health care operational functions, while still affording 
adequate privacy protections for the individuals who were diagnosed, 
treated, or referred for treatment. We note that contractors, 
subcontractors, and legal representatives that would receive data under 
this provision would become lawful holders upon receipt of such data, 
and, as such, would themselves be subject to the part 2 requirements. 
Moreover, consent would still be required and disclosures must be made 
in accordance with section 2.13(a), Confidentiality restrictions and 
safeguards, which states that ``[a]ny disclosure made under these 
regulations must be limited to that information which is necessary to 
carry out the purpose of the disclosure.'' Consequently, the stated 
purpose of a written consent limits the scope of the disclosures with 
respect to the (part 2) patient identifying information disclosed. In 
addition, lawful holders that disclose (part 2) patient identifying 
information to contractors, subcontractors, and legal representatives 
for payment and the described health care operations may only disclose 
(part 2) patient identifying information to contractors, 
subcontractors, and legal representatives that perform a function that 
is consistent with the stated purpose of the consent and only to 
perform that function. SAMHSA seeks comments on the proper mechanisms 
to convey the scope of the consent to lawful holders, contractors, 
subcontractors, and legal representatives, including those who are 
downstream recipients of (part 2) patient identifying information given 
current electronic data exchange technical designs.
    SAMHSA also believes that it is critical that contractors, 
subcontractors, and legal representatives understand their obligations 
with respect to (part 2) patient identifying information. Accordingly, 
SAMHSA proposes new regulatory text under Sec.  2.33(c) requiring that 
lawful holders that engage contractors and subcontractors to carry out 
payment and the described health care operations that will entail using 
or disclosing (part 2) patient identifying information include specific 
contract and subcontract provisions requiring contractors and 
subcontractors to comply with the provisions of part 2. An appropriate 
comparable instrument will suffice in cases where there is otherwise no 
contract between the lawful holder and a legal representative who is 
retained voluntarily (as opposed to one who is required to represent 
the lawful holder by law, in which case the requirement for a contract 
or comparable instrument in 2.33(c) shall not apply). SAMHSA proposes 
to amend subsection (b) and add a new subsection (c) to the disclosure 
permitted with written consent provisions at Sec.  2.33. SAMHSA seeks 
comment on the proposal to revise

[[Page 5488]]

disclosures permitted with written consent provision in Sec.  2.33.

Section 2.53 Audit and Evaluation

    SAMHSA recognized in the final rule the critical importance of 
audits and evaluations. Accordingly, SAMHSA made clear that disclosures 
of patient identifying information to ACO's and similar CMS-regulated 
entities to carry out Medicare, Medicaid and Children's Health 
Insurance Program (CHIP) audit and evaluation activities are permitted.
    However, public comments requested further specification regarding 
the permitted disclosures of (part 2) patient identifying information 
for audit and evaluation purposes. Public commenters noted that, as 
with other payment and health care operations, contractors, 
subcontractors, and legal representatives may be tasked with conducting 
audit and evaluation activities. Such entities may not be CMS-
regulated, and may be conducted for private payers as well as Medicare 
and Medicaid programs. In addition, commenters noted that audits and 
evaluations may include quality improvement activities, as well as 
efforts related to reimbursement and financing. As such, SAMHSA 
proposes further amendment as set out in the regulatory text of section 
2.53.

Request for Public Comments

    SAMHSA believes that the new proposals and clarifications discussed 
above will provide the desired solutions and understanding sought by 
commenters to the NPRM, while also offering patient protections 
appropriate to the current health care environment.
    In making these proposals, SAMHSA notes that such payment and the 
described health care operations and audit and evaluation functions 
will still be governed by other applicable laws and regulations, such 
as the HIPAA Privacy and Security Rules, in addition to 42 CFR part 2.
    SAMHSA notes that the fact that lawful holders and part 2 programs 
are permitted to disclose data in no way obviates the overarching 
purpose of part 2: to protect (part 2) patient identifying information 
for patients seeking diagnosis, treatment, or referral for treatment 
for substance use disorders. Lawful holders and part 2 programs have 
responsibility to exercise due diligence with respect to their 
contractors, subcontractors, or legal representatives to whom they 
disclose or with whom they exchange (part 2) patient identifying 
information. Should the changes in this SNPRM be adopted, SAMHSA 
anticipates issuing further guidance about these topics.
    SAMHSA seeks specific comment on the implications of these proposed 
changes on the privacy and confidentiality of records concerning 
substance use disorder diagnosis, prognosis and treatment, and referral 
for treatment and overall goals of the part 2 rules, and the regulatory 
and financial impact, if any, of these proposals.
    SAMHSA also seeks comments on the following for its consideration 
in future rulemaking and guidance:
    (1) Additional purposes for which lawful holders should be able to 
disclose (part 2) patient identifying information,
    (2) Further subregulatory guidance that SAMHSA and other agencies 
could provide to help facilitate implementation of 42 CFR part 2 in the 
current healthcare environment.

Regulatory Impact Analysis (RIA)

    In this SNPRM, SAMHSA proposes clarifications and revisions of the 
following: The disclosures permitted with written consent (Sec.  2.33), 
the payment and health care operations activities for which lawful 
holders may disclose (part 2) patient identifying information to their 
contractors, subcontractors, and legal representatives; and the audit 
and evaluation provision that permit certain disclosures for purposes 
of carrying out a Medicaid, Medicare or CHIP audit and evaluation 
(Sec.  2.53).
    SAMHSA has analyzed the costs of complying with the proposed 
regulations in this supplemental NPRM. SAMHSA does not believe these 
revisions, if ultimately adopted, will result in any additional costs 
to Part 2 programs. Based on public comments, SAMHSA anticipates that 
these modifications will enhance efficiency of such payment and health 
care operations as claims processing, business management, training and 
customer service. The proposal specifies that lawful holders who 
receive part 2 records under the terms of a patient's written consent 
are permitted to further disclose those records to their contractors, 
subcontractors, and legal representatives to carry out payment and 
certain health care operations described in the SNPRM. When information 
is shared with contractors, subcontractors, and legal representatives, 
contract and subcontract provisions (or provisions in an appropriate 
comparable instrument in the case of certain legal representatives) 
must be included requiring these entities to comply with the provisions 
of part 2. Changes proposed to the audit and evaluation provisions will 
make clear that the individual or entity receiving (part 2) patient 
identifying information for audit and evaluation or quality improvement 
purposes is permitted to further disclose this information to 
contractor(s) or subcontractor(s) to complete these activities. Should 
these proposals ultimately be adopted, SAMHSA does not anticipate 
entities will incur any additional costs beyond those analyzed in the 
Final Rule. Nonetheless, SAMHSA seeks comments on costs and benefits of 
this change for part 2 programs and any burdens these proposed changes 
may impose on regulated entities.
    Under the Paperwork Reduction Act of 1995 (PRA), agencies are 
required to provide a 60-day notice in the Federal Register and solicit 
public comment before a collection of information requirement is 
submitted to the Office of Management and Budget (OMB) for review and 
approval. PRA issues are discussed in the final rule. SAMHSA 
anticipates no substantive changes in PRA requirements should changes 
proposed in the SNPRM be adopted. SAMHSA seeks and will consider public 
comment on our assumptions as they relate to the PRA requirements.
    SAMHSA has examined the impact of this proposed rule under 
Executive Order 12866 on Regulatory Planning and Review (September 30, 
1993), Executive Order 13563 on Improving Regulation and Regulatory 
Review (January 18, 2011), the Regulatory Flexibility Act of 1980 (Pub. 
L. 96-354, September 19, 1980), the Unfunded Mandates Reform Act of 
1995 (Pub. L. 104-4, March 22, 1995), and Executive Order 13132 on 
Federalism (August 4, 1999).
    Executive Order 12866 directs agencies to assess all costs and 
benefits of available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health, and safety 
effects; distributive impacts; and equity). Executive Order 13563 is 
supplemental to and reaffirms the principles, structures, and 
definitions governing regulatory review as established in Executive 
Order 12866. SAMHSA expects that the changes proposed in this SNPRM, if 
adopted, will not have an annual effect on the economy of $100 million 
or more in at least 1 year. Therefore, this rule will not be an 
economically significant regulatory action as defined by Executive 
Order 12866.
    The Regulatory Flexibility Act (RFA) requires agencies that issue a 
regulation to analyze options for regulatory relief of small businesses 
if a rule has a

[[Page 5489]]

significant impact on a substantial number of small entities. The RFA 
generally defines a ``small entity'' as (1) a proprietary firm meeting 
the size standards of the Small Business Administration; (2) a 
nonprofit organization that is not dominant in its field; or (3) a 
small government jurisdiction with a population of less than 50,000 
(States and individuals are not included in the definition of ``small 
entity''). For similar rules, HHS considers a rule to have a 
significant economic impact on a substantial number of small entities 
if at least 5 percent of small entities experience an impact of more 
than 3 percent of revenue. SAMHSA anticipates that the proposals in 
this SNPRM, if adopted, will not have a significant economic impact on 
a substantial number of small entities.
    Section 202(a) of the Unfunded Mandates Reform Act of 1995 requires 
that agencies prepare a written statement, which includes an assessment 
of anticipated costs and benefits, before proposing ``any rule that 
includes any Federal mandate that may result in the expenditure by 
State, local, and tribal governments, in the aggregate, or by the 
private sector, of $100,000,000 or more (adjusted annually for 
inflation) in any one year.'' The current threshold after adjustment 
for inflation is $146 million, using the most current (2015) implicit 
price deflator for the gross domestic product. The proposals in this 
SNPRM, if adopted, would not trigger the Unfunded Mandate Reform Act 
because it will not result in expenditures of this magnitude by states 
or other government entities.

List of Subjects in 42 CFR Part 2

    Alcohol abuse, Alcoholism, Drug abuse, Grant programs--health, 
Health records, Privacy, Reporting, and Recordkeeping requirements.
    For the reasons stated in the preamble, SAMHSA proposes to amend 42 
CFR part 2 as follows:

PART 2--CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS

0
1. The authority citation for part 2 continues to read as follows:

    Authority: Sec. 408 of Pub. L. 92-255, 86 Stat. 79, as amended 
by sec. 303(a), (b) of Pub L. 93-282, 83 Stat. 137, 138; sec. 
4(c)(5)(A) of Pub. L. 94-237, 90 Stat. 244; sec. 111(c)(3) of Pub. 
L. 94-581, 90 Stat. 2852; sec. 509 of Pub. L. 96-88, 93 Stat. 695; 
sec. 973(d) of Pub. L. 97-35, 95 Stat. 598; and transferred to sec. 
527 of the Public Health Service Act by sec. 2(b)(16)(B) of Pub. L. 
98-24, 97 Stat. 182 and as amended by sec. 106 of Pub. L. 99-401, 
100 Stat. 907 (42 U.S.C. 290ee-3) and sec. 333 of Pub. L. 91-616, 84 
Stat. 1853, as amended by sec. 122(a) of Pub. L. 93-282, 88 Stat. 
131; and sec. 111(c)(4) of Pub. L. 94-581, 90 Stat. 2852 and 
transferred to sec. 523 of the Public Health Service Act by sec. 
2(b)(13) of Pub. L. 98-24, 97 Stat. 181 and as amended by sec. 106 
of Pub. L. 99-401, 100 Stat. 907 (42 U.S.C. 290dd-3), as amended by 
sec. 131 of Pub. L. 102-321, 106 Stat. 368, (42 U.S.C. 290dd-2).

Subpart B--General Provisions

0
2. Revise Sec.  2.33 to read as follows:


Sec.  2.33  Disclosures permitted with written consent.

    (a) If a patient consents to a disclosure of their records under 
Sec.  2.31, a program may disclose those records in accordance with 
that consent to any person or category of persons identified or general 
designated in the consent, except that disclosures to central 
registries and in connection with criminal justice referrals must meet 
the requirements of Sec. Sec.  2.34 and 2.35, respectively.
    (b) If a patient consents to a disclosure of their records under 
Sec.  2.31 for payment and/or health care operations activities, a 
lawful holder who receives such records under the terms of the written 
consent may further disclose those records as may be necessary for its 
contractors, subcontractors, or legal representatives to carry out 
payment and/or the following health care operations on behalf of such 
lawful holder. Disclosures to contractors, subcontractors, and legal 
representatives to carry out other purposes are not permitted under 
this section. In accordance with Sec.  2.13(a), disclosures under this 
section must be limited to that information which is necessary to carry 
out the stated purpose of the disclosure.
    (1) Billing, claims management, collections activities, obtaining 
payment under a contract for reinsurance, claims filing and related 
health care data processing;
    (2) Clinical professional support services (e.g., quality 
assessment and improvement; initiatives, utilization review and 
management services);
    (3) Patient safety activities;
    (4) Activities pertaining to:
    (i) The training of student trainees and health care professionals;
    (ii) The assessment of practitioner competencies; and
    (iii) The assessment of provider and/or health plan performance;
    (iv) Training of non-health care professionals;
    (5) Accreditation, certification, licensing, or credentialing 
activities;
    (6) Underwriting, enrollment, premium rating, and other activities 
related to the creation, renewal, or replacement of a contract of 
health insurance or health benefits, and ceding, securing, or placing a 
contract for reinsurance of risk relating to claims for health care;
    (7) Third-party liability coverage;
    (8) Activities related to addressing fraud, waste and abuse;
    (9) Conducting or arranging for medical review, legal services, and 
auditing functions;
    (10) Business planning and development, such as conducting cost-
management and planning-related analyses related to managing and 
operating, including formulary development and administration, 
development or improvement of methods of payment or coverage policies;
    (11) Business management and general administrative activities, 
including, but not limited to, management activities relating to 
implementation of and compliance with the requirements of this or other 
statutes or regulations;
    (12) Customer services, including the provision of data analyses 
for policy holders, plan sponsors, or other customers;
    (13) Resolution of internal grievances;
    (14) The sale, transfer, merger, consolidation, or dissolution of 
an organization;
    (15) Determinations of eligibility or coverage (e.g. coordination 
of benefit services or the determination of cost sharing amounts), and 
adjudication or subrogation of health benefit claims;
    (16) Risk adjusting amounts due based on enrollee health status and 
demographic characteristics;
    (17) Review of health care services with respect to medical 
necessity, coverage under a health plan, appropriateness of care, or 
justification of charges.
    (c) Lawful holders who wish to disclose patient identifying 
information pursuant to subsection (b) of this section must enter into 
a written contract with the contractor (or appropriate comparable 
instrument in the case of a legal representative retained voluntarily 
by the lawful holder), which provides that the contractor and any 
subcontractor or legal representative are or will be fully bound by the 
provisions of part 2 upon receipt of the patient identifying data, and, 
as such that each disclosure shall be accompanied by the notice 
required under Sec.  2.32. In making such disclosure, the lawful holder 
should specify permitted uses of patient identifying information 
consistent with the written consent, by the contractor and any 
subcontractors or legal

[[Page 5490]]

representatives to carry out the payment and health care operations 
activities listed in the preceding subparagraph, require such 
recipients to implement appropriate safeguards to prevent unauthorized 
uses and disclosures and require such recipients to report any 
unauthorized uses, disclosures, or breaches of patient identifying 
information to the lawful holder. The lawful holder should only 
disclose information to the contractor or subcontractor or legal 
representative that is necessary for the contractor or subcontractor to 
perform its duties under the contract. Also, the contract does not 
permit a contractor or subcontractor or legal representative to re-
disclose information to a third party unless that third party is a 
contract agent of the contractor or subcontractor, helping them provide 
services described in the contract, and only as long as the agent only 
further discloses the information back to the contractor or lawful 
holder from which the information originated.
0
3. Amend Sec.  2.53 by:
0
a. Revising paragraph (a)(1)(i).
0
b. Revising paragraphs (b)(2)(i) and (ii).
0
c. Revising paragraph (c)(5).
    The revisions and addition read as follows:


Sec.  2.53  Audit and evaluation.

    (a) * * *
    (1) * * *
    (i) Any Federal, State, or local governmental agency which provides 
financial assistance to the program or is authorized by law to regulate 
the activities of the part 2 program or those of the lawful holder;
* * * * *
    (b) * * *
    (2) * * *
    (i) Any federal, state, or local governmental agency which provides 
financial assistance to the program or is authorized by law to regulate 
the activities of the part 2 program or those of the lawful holder; or
    (ii) Any individual or entity which provides financial assistance 
to the part 2 program, which is a third-party payer covering patients 
in the part 2 program, or which is a quality improvement organization 
performing a utilization or quality control review, or such 
individual's or entity's or quality improvement organization's 
contractors, subcontractors, or legal representatives.
* * * * *
    (c) * * *
    (5) If a disclosure to an individual or entity is authorized under 
this section for a Medicare, Medicaid, or CHIP audit or evaluation, 
including a civil investigation or administrative remedy, as those 
terms are used in paragraph (c)(2) of this section, the individual or 
entity may further disclose the patient identifying information that is 
received for such purposes to its contractor(s) or subcontractor(s) to 
carry out the audit or evaluation, and a quality improvement 
organization which obtains such information under paragraph (a) or (b) 
of this section may disclose the information to that individual or 
entity (or, to such individual's or entity's contractors, 
subcontractors, or legal representatives, but only for the purposes of 
this section.
* * * * *

    Dated: January 5, 2017.
Kana Enomoto,
Acting Deputy Assistant Secretary for Mental Health and Substance Use.
    Approved:
Sylvia M. Burwell,
Secretary.
[FR Doc. 2017-00742 Filed 1-13-17; 11:15 am]
 BILLING CODE 4162-20-P