[Federal Register Volume 83, Number 2 (Wednesday, January 3, 2018)]
[Rules and Regulations]
[Pages 239-252]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-28400]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

42 CFR Part 2

[SAMHSA-4162-20]
RIN 0930-ZA07


Confidentiality of Substance Use Disorder Patient Records

AGENCY: Substance Abuse and Mental Health Services Administration 
(SAMHSA), U.S. Department of Health and Human Services.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule makes changes to the Substance Abuse and 
Mental Health Services Administration's (SAMHSA) regulations governing 
the Confidentiality of Substance Use Disorder Patient Records. These 
changes are intended to better align the regulations with advances in 
the U.S. health care delivery system while retaining important privacy 
protections for individuals seeking treatment for substance use 
disorders. This final rule addresses the prohibition on re-disclosure 
notice by including an option for an abbreviated notice. This final 
rule also addresses the circumstances under which lawful holders and 
their legal representatives, contractors, and subcontractors may use 
and disclose patient identifying information for purposes of payment, 
health care operations, and audits and evaluations. Finally, this final 
rule is making minor technical corrections to ensure accuracy and 
clarity in SAMHSA's regulations.

DATES: Effective date: This final rule is effective February 2, 2018.
    Compliance dates: The compliance date for all provisions of this 
final rule, except for Sec.  2.33(c), is February 2, 2018. As discussed 
in the preamble, contracts between lawful holders and contractors, 
subcontractors, and legal representatives must comply with Sec.  
2.33(c) within two years of the effective date of the final rule.

FOR FURTHER INFORMATION CONTACT: Mitchell Berger, Telephone number: 
(240) 276-1757, Email address: [email protected].

SUPPLEMENTARY INFORMATION: 

I. Background

    On February 9, 2016, SAMHSA published a Notice of Proposed 
Rulemaking (NPRM) in the Federal Register (81 FR 6988), proposing 
updates to the Confidentiality of Alcohol and Drug Abuse Patient 
Records (42 CFR part 2) regulations. These regulations implement title 
42, section 290dd-2 of the United States Code pertaining to the 
Confidentiality of Substance Use Disorder Patient Records held by 
certain substance use disorder treatment programs that receive federal 
financial assistance. As SAMHSA explained in that NPRM, it proposed to 
update these regulations, last substantively amended in 1987, to 
reflect development of integrated health care models and the use of 
electronic exchange of patient information. SAMHSA also wished to 
maintain confidentiality protections for patient identifying 
information, as persons with substance use disorders still may 
encounter significant discrimination if their information is improperly 
disclosed.
    On January 18, 2017, SAMHSA published a final rule (82 FR 6052). In 
response to public comments, the final rule provided for greater 
flexibility in disclosing patient identifying information within the 
health care system while continuing to address the need to protect the 
confidentiality of substance use disorder patient records. SAMHSA 
concurrently issued a supplemental notice of proposed rulemaking 
(SNPRM) (82 FR 5485) to solicit public comment on additional proposals 
including: The payment and health care operations-related disclosures 
that can be made to contractors, subcontractors, and legal 
representatives by lawful holders under the part 2 rule consent 
provisions; and the provisions governing disclosures for purposes of 
carrying out a Medicaid, Medicare or Children's Health Insurance 
Program (CHIP) audit or evaluation. SAMHSA also solicited comments on 
whether an abbreviated notice of the prohibition on re-disclosure 
should be used and, if so, under what circumstances.
    SAMHSA received 55 comments on the SNPRM, and after considering 
those comments, is finalizing the proposed revisions, with some changes 
made in response to the public comments that were received. Some 
comments were outside the scope of the specific provisions SAMHSA 
proposed in the SNPRM or were inconsistent with SAMHSA's legal 
authority regarding the confidentiality of substance use disorder 
patient records. This final rule does not address these comments.

II. Discussion of Public Comments and Final Modifications to 42 CFR 
Part 2

A. Align With HIPAA

Public Comments
    SAMHSA received a number of comments regarding alignment of 42 CFR 
part 2 with the Health Insurance Portability and Accountability Act 
(HIPAA) or the Health Information Technology for Economic and Clinical 
Health (HITECH) Act. Reasons cited by these commenters in support of 
aligning the regulations with HIPAA or HIPAA/HITECH Act were to: (1) 
Promote information flow between providers, including a clinically 
complete patient record; (2) allow providers and administrators of 
services greater discretion; (3) facilitate interoperability; (4) 
improve compliance; (5) enhance privacy protections by making 
confidentiality restrictions more 
uniform across health care settings; (6) promote more innovative models 
of health care delivery, including integrated and coordinated care, and 
value-based and population-based models; (7) establish uniform, 
workable regulations with respect to treatment, payment and operations; 
and (8) improve patient care and reduce stigma and potential harm to 
patients.
SAMHSA Response
    SAMHSA has attempted to align this final rule with HIPAA, the 
HITECH Act, and their implementing regulations to the extent feasible, 
based on the proposed revisions in the SNPRM, the public comments 
received, and the limitations on SAMHSA's authority in the governing 
statute, 42 U.S.C. 290dd-2. At the same time, it is important to note 
that part 2 and its authorizing statute are separate and distinct from 
HIPAA, the HITECH Act, and their implementing regulations. Part 2 
provides more stringent federal protections than other health privacy 
laws such as HIPAA and seeks to protect individuals with substance use 
disorders who could be subject to discrimination and legal consequences 
in the event that their information is improperly used or disclosed. To 
the extent feasible given these restrictions, SAMHSA continues to 
review these issues, plans to explore additional alignment with HIPAA, 
and may consider additional rulemaking for 42 CFR part 2.

B. Prohibition on Re-Disclosure (Sec.  2.32)

    In the SNPRM, SAMHSA sought comment on whether an abbreviated 
notice of the prohibition on re-disclosure should be included in Sec.  
2.32 and on the circumstances under which such abbreviated notice 
should be used. The SNPRM provided an example of an abbreviated notice: 
``Data is subject to 42 CFR part 2. Use/disclose in conformance with 
part 2.'' SAMHSA has adopted an abbreviated notice that is 80 
characters long to fit in standard free-text space within health care 
electronic systems. The abbreviated notice in this final rule reads 
``Federal law/42 CFR part 2 prohibits unauthorized disclosure of these 
records.''
Public Comments
    Several commenters expressed support for the abbreviated notice of 
the prohibition on re-disclosure because it provides more flexibility 
and efficiency in meeting the notice requirement. Several supportive 
commenters suggested potential technical solutions for conveying the 
prohibition on re-disclosure, such as communicating part 2 restrictions 
through codes, flags, pop-ups, or other signifiers. However, some of 
these commenters and others also explained that most of the suggestions 
are not technically feasible at this time, due to the lack of 
standardized electronic formats and transmission standards. One 
supportive commenter suggested SAMHSA work with the Department of 
Health and Human Services (HHS) and its agencies, including the Centers 
for Medicare & Medicaid Services (CMS), and the Office of Civil Rights 
(OCR), to explore whether HIPAA electronic transactions and code sets 
can be leveraged or modified to ``flag'' part 2 information and, once 
the recommendation becomes actionable, involve standard-setting bodies 
and the public. Several supportive commenters provided circumstances 
they thought were appropriate for an abbreviated notice of the 
prohibition on re-disclosure, including: (1) All electronic disclosures 
(because there may not currently be a standard mechanism to ``flag'' 
electronic information disclosures that are covered by part 2); (2) 
only paper disclosures; (3) limiting the use of the abbreviated notice 
to the exchange of records between part 2 programs (that would have 
familiarity with the concept of prohibition on re-disclosure); (4) 
exchange of records among part 2 programs and other entities (including 
third-party payers, and other lawful holders); and (5) using a single 
abbreviated notice for all circumstances. A couple of commenters 
indicated that having the notice of prohibition on re-disclosure 
accompany disclosures, as required by Sec.  2.32, is important for 
ensuring compliance with part 2.
    Commenters who opposed the abbreviated notice of the prohibition on 
re-disclosure expressed concerns that a shortened notice: (1) May be 
confusing or unclear to patients and professionals; (2) would fail to 
safeguard against unauthorized disclosures; and (3) would be 
insufficient to solve logistical concerns because, regardless of the 
length of the notice, systems will need to be put in place to tag 
substance use disorder information and send the notice with the 
information being disclosed. In addition, some commenters found the 
current notice to be sufficient.
    SAMHSA also received comments stating that the SNPRM provided 
insufficient information to either support or oppose the abbreviated 
notice of the prohibition on re-disclosure because: (1) The purpose of 
the abbreviated notice was not made clear; and (2) it was unclear 
whether SAMHSA considered the impact the proposed abbreviated notice 
would have on electronic health records formats, system design and 
software development for clinical medical records format, or the impact 
on required HIPAA Administrative transactions. One commenter stated 
that an abbreviated notice of the prohibition on re-disclosure must 
contain, at a minimum, a clear warning label to prevent misuse and 
should state that any misuse is illegal under 42 CFR part 2.
SAMHSA Response
    The 42 CFR part 2 regulations in effect since 1983 have required 
that a notice of the prohibition on re-disclosure accompany each 
disclosure made with the patient's written consent. In the SNPRM, 
SAMHSA proposed the option of an abbreviated notice to satisfy the 
requirements of Sec.  2.32 due to concerns about character limits in 
free-text fields within electronic health record systems. Specifically, 
many of the health care electronic systems have a standard maximum 
character limit of 80 characters in the free text space that may be 
used to transmit this notice.
    While SAMHSA recognizes there may be technical issues to be 
resolved, after considering the totality of the comments, SAMHSA 
believes including an abbreviated notice of the prohibition on re-
disclosure as an option will be beneficial to stakeholders, 
particularly those who use electronic health record systems to exchange 
data. However, because even commenters supporting inclusion of an 
abbreviated notice had differing views about the circumstances under 
which an abbreviated notice should be used, SAMHSA decided, consistent 
with its proposal, to allow use of an abbreviated notice in any 
instance in which a notice is required under the regulations. 
Recognizing concerns expressed by commenters that an abbreviated notice 
could be insufficient to convey understanding of part 2 requirements, 
SAMHSA encourages part 2 programs and other lawful holders using the 
abbreviated notice to discuss the requirements with those to whom they 
disclose patient identifying information. In response to comments 
received that the abbreviated notice did not provide an adequate 
warning against potential misuse of patient identifying information, 
SAMHSA, in this final rule, has modified the language in the 
abbreviated notice to more explicitly notify recipients that improper 
use or disclosure is prohibited under 42 CFR part 2.

C. Disclosures Permitted With Written Consent (Sec.  2.33)

    In the SNPRM, SAMHSA proposed to explicitly list under Sec.  
2.33(b), specific types of activities for which any lawful 
holder of patient identifying information would be allowed to further 
disclose the minimal information necessary for specific payment and 
health care operations activities. SAMHSA proposed new regulatory text 
under Sec.  2.33(c) that would require lawful holders that 
engage contractors and subcontractors to carry out payment and health 
care operations activities that entail the use or disclosure of patient 
identifying information to include specific contract provisions 
addressing compliance with part 2. In this final rule, SAMHSA finalizes 
the scope and requirements for permitted disclosures to contractors, 
subcontractors, and legal representatives for the purpose of payment 
and health care operations. SAMHSA does not retain the proposed list of 
payment and health care operations in the regulatory text and instead, 
moves this list to the preamble section of the final rule to serve as 
illustrative examples of permissible payment and health care operations 
activities. In addition, consistent with SAMHSA's prior statement in 
the SNPRM preamble, SAMHSA adds language to the regulatory text in 
Sec.  2.33(b) to clarify that disclosures to contractors, 
subcontractors, and legal representatives are not permitted for 
substance use disorder patient diagnosis, treatment, or referral for 
treatment. SAMHSA finalizes Sec.  2.33(c) in relation to 
contract language referencing compliance with 42 CFR part 2 and the 
protections of part 2 patient identifying information, but does not 
retain the proposed reference to permitted uses of patient identifying 
information consistent with the written consent.
1. Disclosures by Lawful Holders
Public Comments
    In response to SAMHSA's request for comments on proposed revisions 
to Sec.  2.33, SAMHSA received a number of comments supporting its 
proposal in Sec.  2.33 to clarify that lawful holders of patient 
identifying information may disclose the minimum amount of information 
necessary to contractors, subcontractors, and legal representatives for 
payment and health care operations purposes. Several commenters cited 
practical concerns with the policy as stated in the January 18, 2017, 
final rule, including: (1) It is unrealistic to assume that lawful 
holders of patient identifying information such as third-party payers 
have the expertise and resources to carry out certain payment and 
health care operations without the assistance of contractors; (2) it is 
often not feasible to specify each contractor on a part 2 consent form; 
and (3) specifying contractors on a part 2 consent form unreasonably 
restricts a lawful holder from changing contractors. One commenter 
observed that essential payment and operations activities directly or 
indirectly benefit patients (e.g., by ensuring access to and coverage 
of treatment). One commenter supported the proposal because it further 
aligns part 2 with HIPAA, while another commenter expressed support for 
this or any proposal that would reduce the time and expense incurred by 
part 2 programs when seeking and obtaining patient consent where not 
necessary.
SAMHSA Response
    In the SNPRM, SAMHSA proposed clarifications to the final 
regulations issued on January 18, 2017, where they appeared to be 
needed, based on public comment. SAMHSA appreciates the support it 
received for clarifying the part 2 regulations. SAMHSA is finalizing 
those clarifications as proposed in Sec.  2.33(b) except for the list 
of 17 specific types of payment and health care operations activities 
for which any lawful holder of patient identifying information would be 
allowed to further disclose to contractors, subcontractors, and legal 
representatives. As discussed below, this list of activities is being 
included in the preamble, rather than in regulatory text, in order to 
make clear that it is an illustrative rather than exhaustive list of 
the types of payment and health care operations activities that would 
be acceptable to SAMHSA. By removing the list from the regulatory text, 
SAMHSA intends for other appropriate payment and health care operations 
activities to be permitted under Sec.  2.33 as the health care system 
continues to evolve. In addition, consistent with SAMHSA's prior 
statement in the SNPRM preamble, SAMHSA has added language to the 
regulatory text in Sec.  2.33(b) to clarify that disclosures to 
contractors, subcontractors, and legal representatives are not 
permitted for activities related to a patient's diagnosis, treatment, 
or referral for treatment.
Public Comments
    SAMHSA also received numerous comments opposing its proposal in 
Sec.  2.33. The majority of these commenters were opposed to the 
changes because SAMHSA had not specified additional safeguards that 
would apply in connection with the disclosures. Some commenters 
expressed concern that the changes were too broad or would undermine 
overall part 2 protections. One commenter expressed concern that the 
risk of breaches might increase by permitting additional disclosures to 
facilitate health care operations. Several commenters noted that the 
revisions in Sec.  2.33(b) would permit lawful holders greater latitude 
in sharing information with entities than would be afforded to 
patients. These commenters found that the revisions would permit 
patients to consent to sharing patient identifying information with 
lawful holders, who then are permitted to re-disclose that information 
to contractors, subcontractors, or legal representatives without 
notifying the patient. Conversely, patients would be prohibited from 
consenting to disclose patient identifying information to entities with 
whom they do not have a treating provider relationship without further 
designating an individual participant in that entity. As a result, 
these commenters questioned SAMHSA's intent for this proposal.
    One commenter thought the SNPRM did not provide sufficient 
information to respond to the proposed Sec.  2.33 because of the 
similarity of contractors and subcontractors with qualified service 
organizations (QSOs) under Sec. Sec.  2.11 and 2.12, and the similarity 
to Business Associates under HIPAA. The commenter requested 
clarification on whether it is SAMHSA's intent to directly apply part 2 
to these contractors and subcontractors in a manner similar to what was 
accomplished under the HIPAA Privacy and Security Rules for Business 
Associates of covered entities.
SAMHSA Response
    SAMHSA is seeking a balance between protecting the confidentiality 
of substance use disorder patient records and ensuring that the 
regulations do not pose a barrier to patients with substance use 
disorders who wish to participate in, and could benefit from, emerging 
health care models that promote integrated care and patient safety. 
Unauthorized disclosure of substance use disorder patient records can 
lead to a host of negative consequences, including loss of employment, 
loss of housing, loss of child custody, discrimination by medical 
professionals and insurers, arrest, prosecution, and incarceration. The 
purpose of the part 2 regulations is to ensure that a patient is not 
made more vulnerable by reason of the availability of their patient 
record than an individual with a substance use 
disorder who does not seek treatment. SAMHSA recognizes the legitimate 
needs of lawful holders of patient identifying information to disclose 
that information to their contractors, subcontractors, and legal 
representatives for purposes of payment and health care operations as 
long as the core protections of 42 CFR part 2 are maintained. SAMHSA 
notes that the part 2 regulations already state at Sec.  2.13(a): ``. . 
. Any disclosure made under the regulations in this section must be 
limited to that information which is necessary to carry out the purpose 
of the disclosure.'' This provision helps to ensure that information is 
not shared more broadly than the purpose(s) for which the patient 
consents. With respect to the comment that proposed revisions in Sec.  
2.33(b) would provide lawful holders greater latitude in sharing 
information with entities for payment and health care operations 
purposes than would be afforded to patients, SAMHSA acknowledges this 
concern and will be convening a stakeholder meeting relative to part 2 
as required by the 21st Century Cures Act (Pub. L. No: 114-255).
    Finally, it is not SAMHSA's intent to apply part 2 to contractors 
and subcontractors in a manner similar to what was accomplished under 
the HIPAA Privacy and Security Rules for Business Associates in 
accordance with, respectively, sections 13404(a) and 13401(a) of the 
HITECH Act, 42 U.S.C. 17934(a), 17931(a). SAMHSA has attempted to align 
part 2 with HIPAA in this final rule to the extent such changes are 
permissible under 42 U.S.C. 290dd-2. Moreover, as discussed previously, 
SAMHSA plans to explore additional alignment with HIPAA and is 
considering additional rulemaking for 42 CFR part 2.
    At the same time, part 2 and its authorizing statute are separate 
and distinct from HIPAA, the HITECH Act, and their implementing 
regulations. Because of its targeted population, part 2 and its 
authorizing statute provide more stringent federal protections than 
other health privacy laws, including the HIPAA Rules, in order to 
encourage individuals with substance use disorders to seek treatment.
Public Comments
    Several commenters proposed an alternative approach to the proposed 
changes in Sec.  2.33, which would instead allow lawful holders to 
contract with QSOs, just as part 2 programs currently do. One such 
commenter proposed that, instead of an explicit list of activities, 
Sec.  2.33(b) should include a general statement that an entity that 
lawfully receives patient identifying information under a valid part 2 
consent may disclose the information to its contractor under a QSO 
agreement (QSOA) if such disclosure is reasonably consistent with the 
terms of the consent. This commenter also proposed to revise the QSO 
definition to align it more closely with the HIPAA ``business 
associate'' concept. Two commenters questioned the distinction between 
the needs of part 2 programs and other lawful holders to engage third 
parties for operational assistance and requested that the QSO 
definition simply include lawful holders in the list of entities for 
which a QSO may provide services. One of these commenters stated that 
this alternative approach would give patients a choice and align better 
with patients' expectations without adding another layer of complexity.
SAMHSA Response
    SAMHSA declines to implement the suggested alternative approaches. 
SAMHSA agrees there are similarities between contractors under Sec.  
2.33(b) and QSOs. However, SAMHSA did not propose in the SNPRM to 
revise the provision on QSOs.
2. List of Payment and Health Care Operations Activities
    In the SNPRM, SAMHSA sought public comment on whether the proposed 
listing of permitted activities is adequate and appropriate to ensure 
the health care industry's ability to conduct necessary payment and 
health care operations, while still maintaining adequate 
confidentiality of substance use disorder patient records. SAMHSA also 
sought comment on the specific types of activities for which a lawful 
holder of patient identifying information would be allowed to further 
disclose the minimal information necessary for specific payment and 
health care operations activities described in the SNPRM. Further, 
SAMHSA requested public comment on additional purposes for which lawful 
holders should be able to disclose patient identifying information. 
SAMHSA is finalizing the clarifications, as proposed in Sec.  2.33, but 
now includes the list of 17 specific types of payment and health care 
operations as illustrative examples in the preamble rather than the 
regulatory text.
Public Comments
    Many commenters responded to SAMHSA's requests for comments on 
whether the proposed list of explicitly permitted payment and health 
care operations activities is adequate and appropriate. Several 
commenters expressly supported the list of payment and operations 
activities included in the SNPRM. One commenter stated that the 
proposed 17 categories of payment and operations activities are 
essential to allowing third-party payers and other lawful holders to 
reasonably operate. Another commenter observed that the proposed 
payment and health care operations activities represent significant 
progress toward SAMHSA's stated goal of modernizing 42 CFR part 2 to 
increase opportunities for individuals with substance use disorders to 
participate in new and emerging health care models and health 
information technology.
    Numerous commenters recommended that care coordination and case 
management be added to the list, noting the importance of these 
services in the operational and treatment responsibilities in serving 
patients, including those with a dual diagnosis of mental health and 
substance use disorder. Conversely, several commenters recommended that 
SAMHSA include a statement in the regulatory text explicitly excluding 
care coordination and case management from Sec.  2.33(b). Another 
commenter also stated that disclosures to contractors, subcontractors, 
and legal representatives should not include information concerning 
diagnosis, treatment and/or referral to treatment without a patient's 
express consent.
    Several commenters were confused by, or disagreed with, SAMHSA's 
omission of treatment-related activities such as care coordination and 
case management from the list of payment and health care operations 
activities for which additional disclosures were proposed in the SNPRM. 
One such commenter stated that it was unclear why a contractor 
performing a treatment-related activity should be subject to greater 
confidentiality safeguards (e.g., specific consent) than an entity 
performing a payment or business-related activity. Others thought the 
benefits of care coordination outweighed any risk of including it on 
the list of permitted activities because SAMHSA also included on the 
list patient safety activities, which are inextricably linked to care 
coordination and case management. Another commenter, stating that 
health information technology and health information exchange are 
essential building blocks of integrated care, argued that the exclusion 
of care coordination and case management from permitted health care 
operations would make it extremely difficult for state Medicaid 
agencies, managed care 
organizations (MCOs), and providers to use this technology to provide 
high quality, integrated care. One commenter pointed out that third-
party payers, to which disclosure would be permitted under the SNPRM, 
may perform care coordination and case management activities as well as 
payment and health care operations activities.
    SAMHSA also received comments requesting a variety of additions to 
the list of permitted activities. In addition, SAMHSA received comments 
requesting clarification of some of the activities included on the 
list. Finally, two commenters observed that the rapid changes occurring 
in the health care payment and delivery system may make any list of 
permitted activities included in the final rule outdated very quickly.
    A few commenters disagreed with including in the regulatory text a 
list of permitted payment and health care operations activities. One 
commenter thought SAMHSA should be more protective of vulnerable 
patients because the list was seen as a loophole that would result in 
patient identifying information being spread beyond the immediate point 
of care and being used in unforeseen ways. For consistency, one 
commenter requested that SAMHSA replicate HIPAA's definition of payment 
at 45 CFR 164.501 for the purpose of collection activities under 
proposed Sec.  2.33(b)(1).
    SAMHSA also received a number of comments requesting that certain 
activities on the list of payment and health care operations activities 
be restricted or narrowed. A number of commenters requested that SAMHSA 
remove or narrow proposed Sec.  2.33(b)(15) & (16) to ensure patients' 
protected substance use disorder information will not be used to limit 
or deny insurance coverage or access to health care. Some commenters 
expressed concern that the proposed Sec.  2.33(b)(2) could be 
interpreted as allowing protected information to be disclosed to 
employers. Many of these commenters stated they did not support the 
SNPRM's proposed changes in general, or SAMHSA's proposal to permit 
lawful holders to disclose patient identifying information obtained 
pursuant to patient consent to contractors, subcontractors, and legal 
representatives for payment and health care operations purposes, in 
particular, without further protections and safeguards. Two commenters 
disagreed with the inclusion of five of the proposed activities 
(Sec. Sec.  2.33(b)(6), 2.33(b)(10), 2.33(b)(12), 2.33(b)(15), and 
2.33(b)(16)) because they could adversely affect patient enrollment in 
health plans and determinations regarding insurability, treatment, and 
eligibility.
    Several commenters also requested additional protections to ensure 
lawful holders and their contractors, subcontractors, and legal 
representatives only use information protected under part 2 for the 
purposes listed in the patient's written consent.
SAMHSA Response
    While SAMHSA is finalizing the clarifications as proposed in Sec.  
2.33, SAMHSA is not including the list of 17 specific types of payment 
and health care operations in the regulatory text that would be the 
basis for further disclosures by a lawful holder of patient identifying 
information. Based on the numerous comments received requesting 
additions or clarifications to the list, as well as concerns that the 
rapid changes occurring in the health care payment and delivery system 
could render any list of activities included in the regulatory text 
outdated, SAMHSA has decided to include the list in the preamble of 
this final rule to illustrate the types of permissible payment and 
health care operations activities.
    Examples of permissible activities under Sec.  2.33(b) that SAMHSA 
considers to be payment and health care operations activities include:
     Billing, claims management, collections activities, 
obtaining payment under a contract for reinsurance, claims filing and 
related health care data processing;
     Clinical professional support services (e.g., quality 
assessment and improvement initiatives; utilization review and 
management services);
     Patient safety activities;
     Activities pertaining to:
     The training of student trainees and health care 
professionals;
     The assessment of practitioner competencies;
     The assessment of provider and/or health plan performance; 
and
     Training of non-health care professionals;
     Accreditation, certification, licensing, or credentialing 
activities;
     Underwriting, enrollment, premium rating, and other 
activities related to the creation, renewal, or replacement of a 
contract of health insurance or health benefits, and ceding, securing, 
or placing a contract for reinsurance of risk relating to claims for 
health care;
     Third-party liability coverage;
     Activities related to addressing fraud, waste and abuse;
     Conducting or arranging for medical review, legal 
services, and auditing functions;
     Business planning and development, such as conducting 
cost-management and planning-related analyses related to managing and 
operating, including formulary development and administration, 
development or improvement of methods of payment or coverage policies;
     Business management and general administrative activities, 
including management activities relating to implementation of and 
compliance with the requirements of this or other statutes or 
regulations;
     Customer services, including the provision of data 
analyses for policy holders, plan sponsors, or other customers;
     Resolution of internal grievances;
     The sale, transfer, merger, consolidation, or dissolution 
of an organization;
     Determinations of eligibility or coverage (e.g., 
coordination of benefit services or the determination of cost sharing 
amounts), and adjudication or subrogation of health benefit claims;
     Risk adjusting amounts due based on enrollee health status 
and demographic characteristics;
     Review of health care services with respect to medical 
necessity, coverage under a health plan, appropriateness of care, or 
justification of charges.
    This list of payment and health care operations is substantively 
unchanged from that which was proposed as regulatory text in the SNPRM 
published on January 18, 2017. In this final rule, SAMHSA maintains its 
position that the payment and health care operations activities 
referenced in Sec.  2.33 and listed in the preamble are not intended to 
encompass substance use disorder patient diagnosis, treatment, or 
referral for treatment. SAMHSA believes it is important to maintain 
patient choice in disclosing information to health care providers with 
whom patients have direct contact. For this reason, the final provision 
in Sec.  2.33(b) is not intended to cover care coordination or case 
management and disclosures to contractors, subcontractors, and legal 
representatives to carry out such purposes are not permitted under this 
section. In addition, SAMHSA added language to the regulatory text in 
Sec.  2.33(b) to clarify that disclosures to contractors, 
subcontractors and legal representatives are not permitted for 
activities related to a patient's diagnosis, treatment, or referral for 
treatment. SAMHSA notes that the position articulated in this final 
rule differs from the HIPAA Privacy Rule, under which `health care 
operations' encompasses such activities as case management and care 
coordination. However, SAMHSA appreciates the concerns expressed by 
some commenters about such issues as the exclusion of care coordination 
and case management from Sec.  2.33(b). SAMHSA also appreciates 
comments received concerning potential risks of including care 
coordination, case management and other activities in Sec.  2.33(b). 
Consistent with the 21st Century Cures Act, prior to March 21, 2018, 
the Secretary of HHS will convene relevant stakeholders to determine 
the effects of 42 CFR part 2 on patient care, health outcomes, and 
patient privacy. This meeting will provide stakeholders with an 
additional opportunity to provide further input to SAMHSA regarding 
implementation of part 2, including changes adopted in this final rule.
3. Contract Provisions for Disclosures Under Proposed Sec.  2.33(c)
    SAMHSA proposed new regulatory text requiring that lawful holders 
that engage contractors and subcontractors to carry out payment and 
health care operations that require using or disclosing patient 
identifying information include specific contract provisions requiring 
contractors and subcontractors to comply with the provisions of part 2. 
SAMHSA is finalizing this proposal except that it is not requiring that 
the contract specify the permitted uses of patient identifying 
information by the contractor, subcontractor, or legal representative. 
An appropriate comparable legal instrument will suffice in cases where 
there is otherwise no contract between the lawful holder and a legal 
representative who is retained voluntarily; when a legal representative 
is required to represent the lawful holder by law, the requirement for 
a contract or comparable legal instrument in Sec.  2.33(c) shall not 
apply.
Public Comments
    SAMHSA received several comments expressing general support for the 
proposed provisions in Sec.  2.33(c) relating to contracts or legal 
agreements between lawful holders and their contractors, 
subcontractors, and legal representatives. One of these commenters 
agreed that limits should be placed on disclosures to contractors, such 
as allowing disclosure of only the minimum patient identifying 
information necessary for specific payment or health care operations.
    A number of commenters, however, opposed including specific 
contract requirements in Sec.  2.33(c) between lawful holders and their 
contractors requiring compliance with part 2. Many of these commenters 
stated that this provision would impose significant contract amendment 
burdens industry-wide and would be disruptive to business 
relationships. Commenters noted that business associate agreements 
under HIPAA as well as many contracts already require compliance with 
all applicable federal and state laws, which would include part 2. Some 
commenters requested that contract provisions requiring compliance with 
applicable federal laws and regulations be deemed as satisfying the 
requirement of proposed Sec.  2.33(c) even if part 2 is not 
specifically mentioned. One commenter stated that contracts typically 
specify the purposes for which the contractor may use any confidential 
information and so it is not necessary to require language on specific 
permitted uses and disclosure of patient identifying information.
    Some commenters stated that Sec.  2.33(c) should not be included in 
future rulemaking. One such commenter requested that SAMHSA provide 
evidence that current contract language is not adequately addressing 
part 2 uses and disclosures by those entities specified in Sec.  
2.33(c). Another commenter requested that SAMHSA explore leveraging 
information technology to identify more efficient ways for patients to 
consent to disclosure. This commenter also recommended that SAMHSA 
conduct an assessment or promulgate an Advanced Notice of Proposed 
Rulemaking to solicit information to determine the adequacy of existing 
contracts or business processes to address information disclosures with 
contracted entities. Several commenters stated that SAMHSA could 
address concerns with an extension, by regulation, of the part 2 
protections to any entity handling the information disclosed via 
consent.
    SAMHSA received comments that asked that the language in 
proposed Sec.  2.33(c) be modified to allow the patient identifying 
information safeguards to be spelled out in the contract and/or 
business associates agreement.
SAMHSA Response
    SAMHSA is finalizing Sec.  2.33(c) as proposed, but has revised the 
regulatory text to remove the reference to patient consent as it 
relates to the requirement to specify permitted uses of patient 
identifying information by the contractor, subcontractor, or legal 
representative. However, SAMHSA notes that Sec.  2.13 requires that any 
disclosure made under the regulations must be limited to that 
information which is necessary to carry out the purpose of the 
disclosure. Therefore, to comply with Sec.  2.13, lawful holders should 
ensure that the purpose section of the consent form is consistent with 
the role of or services provided by the contractor or subcontractor 
(e.g., ``payment and health care operations'').
    SAMHSA understands the concerns expressed by commenters regarding 
bringing contracts into compliance with Sec.  2.33(c). To address these 
concerns, the final rule allows lawful holders two years from the 
effective date of the final rule to bring their contracts and legal 
agreements with contractors, subcontractors, and voluntary legal 
representatives into compliance. If lawful holders choose not to 
re-disclose patient identifying information to contractors, 
subcontractors, or legal representatives as specified under Sec.  
2.33(b), they do not have to comply with Sec.  2.33(c).
    SAMHSA disagrees with comments that propose allowing existing 
contractual language regarding general compliance with applicable 
federal laws to satisfy requirements under Sec.  2.33(c). SAMHSA 
believes that it is important for part 2 to be specifically mentioned 
in contracts and legal agreements when lawful holders are disclosing 
part 2 patient identifying information to contractors, subcontractors 
and voluntary legal representatives under Sec.  2.33(b). A fundamental 
principle of 42 CFR part 2 is that patients should have as much control 
as possible over their patient identifying information. Referencing 
part 2 in contracts will help to underscore the importance of 
compliance with part 2 provisions.
    However, SAMHSA also recognizes that entities may have different 
approaches to ensuring compliance with part 2 and other laws. While 
SAMHSA requires compliance with Sec.  2.33(c) for lawful holders who 
wish to disclose patient identifying information pursuant to Sec.  
2.33(b), SAMHSA is not specifying the exact contract language to be 
used.
    With respect to the comment regarding limiting disclosures to the 
minimum information necessary, Sec.  2.13 requires that any disclosure 
made must be limited to that information which is necessary to carry 
out the purpose of the disclosure. Contractors, subcontractors, and 
legal representatives will be required to comply with this and all 
applicable provisions under part 2. (Section 2.33(c) states that 
contractors and any subcontractors or legal representatives are fully 
bound by the provisions of part 2 upon receipt of patient identifying 
information).
Public Comments
    One commenter requested that SAMHSA remove the following 
sentence from Sec.  2.33(c): ``In making such disclosure, the lawful 
holder should specify permitted uses of patient identifying information 
consistent with the written consent, by the contractor and any 
subcontractors or legal representatives to carry out the payment and 
health care operations activities listed in the preceding subparagraph, 
require such recipients to implement appropriate safeguards to prevent 
unauthorized uses and disclosures and require such recipients to report 
any unauthorized uses, disclosures, or breaches of patient identifying 
information to the lawful holder.'' Commenters stated that lawful 
holders will not possess the written consent because it is typically 
held by the part 2 program and it would be impractical, if not 
impossible, for the written consent form to be passed on to other 
entities. Another commenter stated that mechanisms for transmitting 
written consent forms had yet to evolve.
    A commenter stated that a prohibition on re-disclosure notice under 
Sec.  2.32 should not be required when a disclosure from a contractor 
that is a cloud services provider is back to the lawful holder or is 
disclosed under the direction or control of the lawful holder because 
the cloud service provider would not have control over the disclosure 
and therefore could not accompany the disclosure with a notice related 
to Sec.  2.32 and suggested alternative language.
    Other commenters supported the provisions in proposed Sec.  2.33(c) 
but specified additional safeguards that should be added or referenced. 
Several commenters requested that SAMHSA include another requirement in 
proposed Sec.  2.33(c) that contractors, subcontractors, and legal 
representatives be bound by all of the requirements that apply to QSOs, 
as QSOs and contractors serve similar functions. These commenters 
stated that written contracts under proposed Sec.  2.33(c), therefore, 
would require contractors, subcontractors, and legal representatives to 
agree to resist in judicial proceedings any efforts to obtain access to 
patient records identifying information related to substance use 
disorder diagnosis, treatment, or referral for treatment except as 
permitted by part 2. These commenters also expressed opposition to the 
SNPRM's proposed changes in general or SAMHSA's proposal to permit 
lawful holders to disclose patient identifying information obtained 
pursuant to patient consent to contractors, subcontractors and legal 
representatives, including for payment and health care operations 
purposes, without these and other protections. One commenter stated 
that a List of Disclosures requirement for lawful holders who wish to 
re-disclose patient identifying information to contractors, 
subcontractors, and legal representatives should be included in 
contractual language.
    One commenter requested that SAMHSA require in the contractual text 
that contractors, subcontractors, and legal representatives use 
protected substance use disorder information only for the purpose(s) 
listed in the patient's written consent and that re-disclosure by 
contractors, subcontractors, and legal representatives to third parties 
be allowed only as long as the third party discloses the patient 
identifying information back to the contractors or lawful holders from 
which the information originated.
SAMHSA Response
    SAMHSA declines to provide specific and detailed contract language 
because SAMHSA believes lawful holders need the flexibility to include 
language that fits within their contract structures. However, 
regardless of the specific contractual language used, all lawful 
holders, contractors, subcontractors, and legal representatives must 
comply with applicable requirements specified in Sec.  2.33(c) as well 
as the other applicable provisions in part 2.
    SAMHSA does not require that part 2 consent forms be passed along 
to the contractor or subcontractor. SAMHSA has revised the regulatory 
text in Sec.  2.33(c) to remove the reference to patient consent as it 
relates to the requirement to specify permitted uses of patient 
identifying information by the contractor, subcontractor, or legal 
representative. However, Sec.  2.13 requires that any disclosure made 
under the regulations must be limited to that information which is 
necessary to carry out the purpose of the disclosure. Therefore, to 
comply with Sec.  2.13, part 2 programs and other lawful holders should 
ensure that the purpose section of the consent form is consistent with 
the role of or services provided by the contractor or subcontractor 
(e.g., ``payment and health care operations''). Those utilizing 
contractors or subcontractors should then inform those parties in their 
contracts that information governed by part 2 requires the contractor 
or subcontractor to take reasonable steps to prevent unauthorized uses 
and disclosures and to inform the lawful holder of any breaches and/or 
unauthorized uses. If a contractor receives information for quality 
assurance purposes, for instance, they should not be sharing it for 
other purposes, much less for activities not related to payment and 
health care operations. Section 2.33(c) specifies the 
requirements of a written contract; it is up to the lawful holder and 
contractor to determine how their contracts should address these 
requirements.
    With regard to cloud service providers storing patient identifying 
information for a lawful holder, SAMHSA declines to make the suggested 
changes to the language in Sec.  2.33(c). Under Sec.  2.33, lawful 
holders, contractors and their subcontractors are responsible for 
providing a prohibition on re-disclosure notice (Sec.  2.32) if they 
re-disclose patient identifying information to their contractors in 
order to meet the requirements of Sec.  2.33. If other entities access 
the information as permitted by the lawful holder (because the other 
entities that gain access to the information via the cloud are 
contractors with the lawful holder (Sec.  2.33) and not the cloud 
services provider, or to fulfill the requirements on the written 
consent (Sec.  2.31)), then the lawful holder (not the cloud service 
provider) is responsible for ensuring that a notice of the prohibition 
on re-disclosure is conveyed to those entities, along with the 
information.
    Regardless of the specific contractual language used, all lawful 
holders, contractors, subcontractors, and legal representatives must 
comply with requirements specified in Sec.  2.33(c) as well as the 
other applicable provisions in part 2. Therefore, with respect to the 
comments on contractors, subcontractors, and legal representatives 
resisting disclosure of patient records in judicial proceedings, SAMHSA 
notes that Sec.  2.13(a) already states: ``The patient records subject 
to the regulations in this part may be disclosed or used only as 
permitted by the regulations in this part and may not otherwise be 
disclosed or used in any civil, criminal, administrative, or 
legislative proceedings conducted by a federal, state or local 
authority.'' In addition, Sec.  2.13(a) already requires that any 
disclosures must be limited to the information which is necessary to 
carry out the purpose of the consent. In response to the request that 
the contract require compliance with the security requirements, Sec.  
2.16, Security for Records, already applies to part 2 programs and 
other lawful holders of patient identifying information, and, 
therefore, would apply to contractors, subcontractors, and legal 
representatives.

4. Other Comments Concerning Disclosures by Lawful Holders
Public Comments
    SAMHSA received a number of comments relative to Medicaid agencies 
and MCOs with which they contract; the commenters stated that MCOs are 
considered to be an extension of the Medicaid agency. Several of these 
commenters requested clarification that, under Sec.  2.33(b), MCOs (one 
commenter noted that such organizations are called coordinated care 
organizations in that state) may disclose patient identifying 
information for health care operations and payment purposes to the 
state agency with which the organization is under contract. One 
commenter requested clarification that under Sec.  2.33(b) lawful 
holders may disclose patient identifying information to the state 
Medicaid agency with which they are contracted. Another commenter 
requested that this provision explicitly permit disclosures 
between managed care organizations, their contractors and a Medicaid 
program. Similarly, a commenter also pointed out that proposed Sec.  
2.33(b) would only allow a lawful holder to disclose to its own 
contractors and subcontractors, which would not relieve the 
administrative obstacles part 2 providers experience when trying to 
obtain insurance coverage for their patients because the part 2 
programs would have to deal directly with a peer reviewer or 
utilization review company that is a subcontractor to the insurance 
company named on the consent form.
SAMHSA Response
    With regard to the comments on Medicaid agencies and the managed 
care organizations with which they contract, as well as those 
addressing administrative obstacles contractors may face in obtaining 
patient identifying information, the information can be disclosed 
directly to the contractor or subcontractor and does not need to first 
be disclosed to the lawful holder (i.e., recipient named on the consent 
form) and then subsequently re-disclosed, as long as the information is 
being used for the purposes of payment and health care operations. This 
is because contractors, legal representatives, and subcontractors are 
acting on behalf of the lawful holders based on contracts, legal 
agreements or mandates in law.
Public Comments
    Two commenters, pointing to the varying definitions for 
``contractors'' and ``subcontractors'' under different laws and 
regulations, requested that SAMHSA consider defining these terms.
SAMHSA Response
    SAMHSA did not propose to define ``contractors'' and 
``subcontractors'' in its proposed rule and declines to do so now in 
the final rule. As stated in Sec.  2.33(c), lawful holders who wish to 
disclose patient identifying information pursuant to subsection (b) of 
this section must enter into a written contract with the contractor (or 
appropriate comparable legal instrument in the case of a legal 
representative retained voluntarily by the lawful holder). In the case 
where there is a legal representative who is required to represent the 
lawful holder by law, the requirement for a contract or comparable 
legal instrument in Sec.  2.33(c) shall not apply. SAMHSA believes this 
general understanding of a contractor or subcontractor provides the 
necessary flexibility for these types of arrangements while still 
ensuring that all parties must adhere to requirements and protections 
specified in Sec.  2.33(c).
Public Comments
    One commenter requested that SAMHSA add a new Sec.  2.33(d) to 
state that ``if the contractor, subcontractor, or legal representative 
needs patient identifying information directly from the part 2 program, 
the contractor, subcontractor, or legal representative must produce a 
copy of the agreement mandated by Sec.  2.33(c) prior to the part 2 
program releasing any information.''
SAMHSA Response
    SAMHSA declines to require contractors, subcontractors, and legal 
representatives to produce a copy of the agreement mandated by Sec.  
2.33(c) prior to the part 2 program releasing any information because 
SAMHSA did not propose to do so in the SNPRM. The decision as to 
whether to share this information would be at the discretion of the 
contracting parties.
Public Comments
    One commenter stated that proposed Sec.  2.33(b) should apply to 
all lawful holders (and not just those who received patient identifying 
information pursuant to a written consent), which would enable QSOs to 
disclose without consent to contractors and subcontractors.
SAMHSA Response
    SAMHSA declines to eliminate the requirement that Sec.  2.33(b) 
only applies to lawful holders that receive patient identifying 
information pursuant to a written consent. SAMHSA believes that the 
consent requirement for lawful holders that fall under Sec.  2.33(b) 
must be maintained and that Sec.  2.33(b) should not apply to QSOs. 
Further, SAMHSA guidance indicates that a QSOA does not permit a QSO to 
re-disclose information to a third party unless that third party is a 
contract agent of the QSO, helping them provide services described in 
the QSOA, and only as long as the agent only further discloses the 
information back to the QSO or to the part 2 program from which it 
came.
C. Audit and Evaluation (Sec.  2.53)
    SAMHSA recognizes that federal, state, and local governments often 
need to access all of the records, including part 2 program records, 
held by entities they regulate in order to appropriately evaluate 
compliance with applicable laws, rules, and policies. As a result, in 
the SNPRM, SAMHSA proposed regulatory changes to clarify that audits 
and evaluations may be performed on behalf of federal, state, and local 
governments providing financial assistance to, or regulating the 
activities of, lawful holders as well as part 2 programs. For example, 
an Accountable 
Care Organization (ACO) or similar CMS-regulated health care model may 
wish to evaluate the impact of integrated care on several participating 
behavioral health care programs' quality of care, or a state may wish 
to do an audit to see how many individuals who leave state-supported 
correctional facilities subsequently receive substance use disorder 
treatment. In addition, SAMHSA proposed regulatory revisions to: 
Specify that audits and evaluations may be performed by contractors, 
subcontractors, or legal representatives on behalf of a third-party 
payer or a quality improvement organization; and state that if 
disclosures are made under this section for a Medicare, Medicaid, or 
CHIP audit or evaluation, including a civil investigation or 
administrative remedy, further disclosures may be made to contractors, 
subcontractors, or legal representatives to carry out the audit or 
evaluation. SAMHSA is now finalizing these requirements. It has also 
made certain technical amendments to correct inadvertent omissions in 
the rule's text to effectuate SAMHSA's intent to permit disclosure and 
use of patient identifying information held by other lawful holders for 
audit and evaluation purposes, as well as to clarify 
and operationalize the requirements of this section.
Public Comments
    SAMHSA received a range of comments concerning the proposed 
amendments with regard to permitted disclosures of patient identifying 
information to contractors, subcontractors, and legal representatives 
for purposes of carrying out an audit or evaluation under part 2. 
SAMHSA received a number of comments supporting these revisions. 
Several of the commenters also expressed support specifically for the 
provision allowing patient identifying information to be disclosed for 
purposes of carrying out an audit or evaluation, with some citing 
proposed Sec.  2.53(a)(1)(i) in particular. Some commenters stated this 
particular revision would allow lawful holders of patient identifying 
information to disclose that information to audit and oversight 
entities in order to respond to an audit or evaluation request, and 
that clear authority to disclose patient identifying information for 
audits (which may include quality improvement and program integrity) is 
critical to Medicaid program operations. Another commenter supported 
the proposed changes because they would appear to allow disclosure of 
patient identifying information to a government agency authorized to 
regulate the activities of any lawful holder, not just a part 2 program 
or private payer, and because this change would at least partially 
conform to HIPAA's permissible disclosures to health system oversight 
agencies. The commenter, however, expressed concern that the proposed 
language did not make clear whether the government agency must obtain 
access to the records directly from the part 2 program rather than from 
the other lawful holder that the agency regulates, as obtaining records 
from the part 2 program posed communications challenges.
SAMHSA Response
    SAMHSA appreciates the support for the further amendments as set 
out in the regulatory text of Sec.  2.53. Inclusion of these additional 
provisions reflects that contractors, subcontractors and legal 
representatives are increasingly involved in audit and evaluation 
activities. SAMHSA recognizes that federal, state, and local 
governments often need to access all of the records, including part 2 
program records, held by entities they regulate in order to 
appropriately evaluate compliance with applicable laws, rules, and 
policies. We believe including these changes will assist in compliance 
with part 2 and other federal, state, and local rules and regulations 
and improve part 2 program quality.
    With respect to the commenter's concern, if a government agency is 
auditing or evaluating a lawful holder, which it regulates, the agency 
may receive the patient identifying information necessary for that 
audit or evaluation directly from the lawful holder.
Public Comments
    SAMHSA also received a number of comments opposing the proposal to 
permit re-disclosure of patient identifying information without patient 
consent to contractors and subcontractors for audit and evaluation 
purposes unless SAMHSA provides additional safeguards. Several of these 
commenters noted that the proposed changes to Sec.  2.53 have the 
potential to greatly expand the universe of individuals and entities 
who may receive protected substance use disorder information without 
patient consent for audit and evaluation purposes.
    A couple of commenters expressed concern that detailed patient 
records would be used for purposes of risk adjustment and reporting of 
the patient's severity of illness to predict health care cost 
expenditures and adjust payer payments. One commenter stated that, if 
data are being used to impact a patient's score or health coverage, 
patient consent should be required.
SAMHSA Response
    SAMHSA appreciates the array of recommendations commenters provided 
for possible restrictions and safeguards. SAMHSA is contemplating 
future rulemaking for 42 CFR part 2, and will take these 
recommendations under advisement at that time.
    With regard to the suggestion that SAMHSA require patient consent 
if data could be used to affect a patient's health coverage or health 
score, SAMHSA reiterates that under the terms of Sec.  2.53, patient 
identifying information may only be used for audit and evaluation 
purposes.

D. Other Public Comments on the SNPRM

1. Extension of Part 2 Restrictions to Third Parties
Public Comments
    Two commenters stated that changes made to the SNPRM were 
predicated on the concept that part 2 confidentiality restrictions 
extend beyond part 2 programs to third parties, including lawful 
holders, contractors, subcontractors and legal representatives. These 
commenters, noting that no definitions exist in the regulatory text for 
``lawful holders,'' ``contractors,'' or ``subcontractors,'' or ``legal 
representatives,'' requested that SAMHSA address whether the part 2 
statute permits the extension of these restrictions beyond part 2 
programs.
SAMHSA Response
    The statute (42 U.S.C. 290dd-2) authorizes SAMHSA to promulgate 
regulations to effectuate the confidentiality provisions governing 
substance use disorder patient records. The part 2 rule's applicability 
to third parties is a reasonable exercise of SAMHSA's statutory 
authority to ensure protection of part 2 information in the possession 
of lawful holders other than part 2 programs.
2. Greater Weight to Comments From Patient and Part 2 Program
Public Comments
    SAMHSA received several comments requesting that greatest weight be 
given to comments from patients and consumers who will be directly 
affected by any changes to part 2; one of these commenters made this 
request because patients entering treatment will likely be unable to 
anticipate complex re-disclosure risks for activities proposed by the 
SNPRM. In addition, a commenter requested that special consideration be 
given to comments from substance use disorder treatment providers.
SAMHSA Response
    Every comment received on the SNPRM was given careful 
consideration, and SAMHSA has endeavored in this final rule to take 
into account the varying perspectives of public commenters. SAMHSA is 
seeking a balance between ensuring that patients with substance use 
disorders have the ability to participate in, and benefit from, new and 
emerging health care models that promote integrated care and patient 
safety and ensuring the confidentiality of substance use disorder 
patient records, given the potential for discrimination, harm to 
reputations and relationships, and serious civil and criminal 
consequences that could result from impermissible disclosures.

E. Regulatory Impact Analysis (RIA)

    In the SNPRM, SAMHSA stated that, if adopted, the proposed 
revisions should not result in any additional costs to part 2 programs. 
However, SAMHSA specifically sought comment on the implications of the 
proposed changes on the regulatory and financial impact, if any, of 
these proposed rules.

Public Comments
    SAMHSA did not receive any comments on costs related to specific 
proposals made in the SNPRM or the RIA.

F. Requests for Public Comment

    In the January 18, 2017, SNPRM, SAMHSA made several requests for 
public comments based on its expectation that there may be future 42 
CFR part 2-related rulemaking. Those comments are summarized below.
1. Conveying the Scope of the Written Consent
    In the SNPRM, SAMHSA sought comment on the proper mechanisms to 
convey the scope of the consent to lawful holders, contractors, 
subcontractors, and legal representatives, including those who are 
downstream recipients of patient identifying information given current 
electronic data exchange technical designs.
Public Comments
    Commenters suggested that SAMHSA provide more clarity on these 
mechanisms, particularly given the current electronic exchange 
environment and recommended more specific ways to ensure patients 
retain control over how their information is disclosed. Another 
commenter asserted proposed consent requirements could be burdensome, 
and a third-party payer may be unable to assess part 2 program 
compliance with consent requirements.
SAMHSA Response
    SAMHSA has modified language in Sec.  2.33(c) so as not to imply 
that the consent form must be provided to the recipient of part 2 
records. Sections 2.13, 2.31, and other sections of part 2 require 
recipients of patient identifying information to have knowledge of 42 
CFR part 2 as it relates to the purpose for which information is being 
disclosed and can be re-disclosed lawfully. Individuals and entities 
that disclose or receive patient identifying information via patient 
consent must be able to comply with these requirements.
2. Other Restrictions and Safeguards
    In the SNPRM, SAMHSA specifically sought comments regarding the 
establishment of appropriate restrictions and safeguards on lawful 
holders and their contractors, subcontractors, and legal 
representatives' use and disclosure of patient identifying information 
for the purposes discussed in the SNPRM.
a. General
Public Comments
    SAMHSA received a number of responses to this request for comments 
regarding the establishment of appropriate restrictions and safeguards. 
These comments recommended a wide array of patient protections and 
safeguards. While some commenters noted there is a legitimate need for 
lawful holders to disclose protected information to their contractors, 
subcontractors, and legal representatives for payment and health care 
operations purposes, many commenters expressed concern that the breadth 
of the proposed changes may undermine core protections under part 2, 
which give substance use disorder patients control over how their 
information is disclosed so as not to make them more vulnerable to 
potential negative consequences of such disclosures. Loss of 
employment, loss of housing, loss of child custody, discrimination by 
medical professionals and insurers, and arrest, prosecution, and 
incarceration were cited as potential negative consequences. Most 
commenters stated concern over, or even their opposition to, SAMHSA 
finalizing proposed changes in the SNPRM without including certain 
additional protections.
SAMHSA Response
    SAMHSA appreciates the array of recommendations commenters provided 
for possible restrictions and safeguards. SAMHSA believes that the 
existing restrictions and safeguards--including provisions limiting use 
of patient identifying information in criminal and civil procedures and 
requiring that any disclosure made under these regulations must be 
limited to that information which is necessary to carry out the purpose 
of the disclosure--are adequate.
b. Commenter Recommendations for Anti-Discrimination Protections
    Many commenters recommended the addition of specific anti-
discrimination protections that would apply to disclosures pursuant to 
the proposed Sec. Sec.  2.33(b) and 2.53. Commenters expressed concern 
over the potential for misuse of information and a desire to balance 
the increased flexibility of proposed Sec. Sec.  2.33 and 2.53 with 
increased protections.
SAMHSA Response
    Promulgating rules that address discriminatory action is outside 
the scope of SAMHSA's legal authority.
c. Commenter Recommendations for Patient Notification on the Consent 
Form
Public Comments
    Several commenters expressed concern that the proposed changes to 
Sec.  2.33 would greatly expand access to patient identifying 
information by individuals and entities to whom the patient did not 
specifically consent and for purposes not always evident to the 
patient. These commenters, and a number of others, requested that 
SAMHSA require, at a minimum, a notification to patients on the consent 
form that they are consenting to the disclosure of their patient 
identifying information to both the recipient and the recipient's 
contractors, subcontractors, and legal representatives to the extent 
those contractors, subcontractors, and legal representatives need the 
information to carry out payment or health care operations purposes.
SAMHSA's Response
    SAMHSA is contemplating future rulemaking for 42 CFR part 2 and 
will take these recommendations under consideration at that time. In 
addition, consistent with the 21st Century Cures Act, prior to March 
21, 2018, the Secretary of HHS will convene relevant stakeholders to 
determine the effects of 42 CFR part 2 on patient care, health 
outcomes, and patient privacy. The information obtained at the meeting 
will help to inform the course of any further part 2 rule-making. 
SAMHSA will consider these comments on privacy and confidentiality in 
conjunction with those made during the stakeholder meeting.
d. Commenter Recommendations for Mechanisms for Identifying and 
Sanctioning Unauthorized Disclosures
Public Comments
    Several commenters recommended adding a requirement that lawful 
holders who wish to re-disclose patient identifying information to 
contractors, subcontractors, and legal representatives be subject to 
the same List of Disclosures requirements that apply to intermediaries 
who disclose patient identifying information pursuant to a general 
designation under the consent requirements at Sec.  2.31. In addition, 
a couple of commenters requested that SAMHSA impose a List of 
Disclosures requirement on audit and evaluation agencies. One commenter 
requested that SAMHSA not finalize the proposed changes in the SNPRM 
without mechanisms in place to enable individuals who have been 
adversely
impacted to identify the source of a disclosure and initiate sanctions.
SAMHSA Response
    SAMHSA appreciates the recommendations to add mechanisms to enable 
individuals who have been adversely impacted to identify the source of 
a disclosure, including adding a List of Disclosures requirement. 
SAMHSA is contemplating future rulemaking for 42 CFR part 2, and will 
take these recommendations under consideration.
e. Other Commenter Recommendations for Additional Restrictions and 
Safeguards
Public Comments
    SAMHSA also received comments recommending other types of 
protections and safeguards. One commenter recommended SAMHSA reinforce 
patients' rights to file grievances and complaints and suggested that 
SAMHSA explore the ability to impose a confidentiality certificate on 
information disclosed to third parties similar to 42 U.S.C. 241(d), 
which protects the privacy of research subjects. A couple of commenters 
suggested strengthening patient protections by adding re-disclosure 
prohibitions in the statute similar to the confidentiality protections 
extended to certain veterans' medical records, including substance use 
disorder patient records in Title 38.
    Another commenter stated that given stigma and risk of adverse 
impact, it was critical to have additional protections in place such as 
substantial penalties for disclosure violations and failure to maintain 
tracking of disclosures and mechanisms for an individual to identify 
and correct errors in an electronic health record and for identifying 
the source of the disclosed errors. This commenter stated that, because 
there is no clear mechanism to correct errors in records, it is 
critical that initial sharing of information be restricted until such 
mechanisms are developed.
    In addition, two commenters stated that the proposed audit and 
evaluation revisions could conflict with intended court order 
protections at Sec. Sec.  2.64 through 2.67 and requested SAMHSA 
clarify the necessity to obtain court orders in such investigations and 
prosecutions as a result of a Medicare, Medicaid, or CHIP audit or 
evaluation.
SAMHSA Response
    SAMHSA appreciates the recommendations for identifying the source 
of a disclosure under Sec.  2.33, and strengthening language regarding 
a patient's right to file a grievance. SAMHSA is contemplating future 
rulemaking for 42 CFR part 2, and will take these recommendations under 
advisement at that time.
    In addition, SAMHSA does not have the authority to make statutory 
revisions, so SAMHSA cannot add re-disclosure prohibitions to the 
authorizing statute. With regard to the comment regarding the 
imposition of substantial penalties, the part 2 regulations already 
include provisions to implement the statutory criminal penalties for 
violations. Further, SAMHSA does not have the authority to require a 
mechanism for making corrections in an electronic health record.
    SAMHSA believes that permitting contractors, subcontractors, and 
legal representatives to obtain information for audit and evaluation 
purposes does not contradict or undermine protections currently within 
Sec. Sec.  2.64 through 2.67. For instance, Sec.  2.53 provides that 
the audit and evaluation provisions ``do not authorize the part 2 
program, the federal, state, or local government agency, or any other 
individual or entity to disclose or use patient identifying information 
obtained during the audit or evaluation for any purposes other than 
those necessary to complete the audit or evaluation.'' Similarly, Sec.  
2.53(d) explicitly states that, except as provided, ``patient 
identifying information disclosed under this section may be disclosed 
only back to the part 2 program or other lawful holder from which it 
was obtained and may be used only to carry out an audit or evaluation 
purpose or to investigate or prosecute criminal or other activities, as 
authorized by a court order entered under Sec.  2.66.''
3. Impact on Privacy and Confidentiality and Part 2 Goals
    SAMHSA specifically sought comment on the implications of the 
proposed revisions on the privacy and confidentiality of substance use 
disorder patient records and the overall goals of 42 CFR part 2.
Public Comment
    SAMHSA received several comments that addressed this request, some 
of which were general in nature, while others were specific to proposed 
revisions in either Sec.  2.32 or in Sec.  2.33. All commenters 
expressed support for preserving patients' confidentiality. One 
commenter expressed general concerns about parties trying to alter 
federal confidentiality protections in a manner that will not benefit 
patients. These concerns included prospective patients avoiding seeking 
treatment over fears that the proposed broader dissemination of their 
treatment information may lead to that information becoming known by 
friends, family, employers, insurers, and other providers of medical 
services. Commenters expressed concern regarding the privacy and 
confidentiality impact of the SNPRM changes to Sec. Sec.  2.32 and 
2.33. These commenters asserted that: (1) The changes would, over time, 
result in gradual disclosure of part 2 data as a result of failing to 
communicate through the notice the importance of avoiding improper re-
disclosures; (2) substance use disorder patients would not likely agree 
to the broad use of their personal information for activities that they 
do not understand or are perhaps incapable of refusing (e.g., 
incompetent); and (3) terms such as ``health care operations'' and 
``quality improvement'' are too general, allowing activities that have 
few limits or boundaries. A couple of commenters stated that the 
proposed changes would result in patients attempting to exclude their 
records from research and quality improvement systems or avoiding 
lifesaving treatment services. In addition, one commenter expressed 
concern that SAMHSA may have unintentionally abrogated its 
responsibility to protect vulnerable patients.
SAMHSA Response
    As stated previously, this final rule builds on efforts in the 
January 18, 2017, 42 CFR part 2 final rule (82 FR 6052) to better 
reflect changes in the health care system, such as the increasing use 
of electronic health records, and drive toward greater integration of 
physical and behavioral health care. Despite efforts to enhance 
integration, SAMHSA remains committed to protecting the confidentiality 
of patient records. This rule updates 42 CFR part 2 to balance these 
important needs. However, as an added protection and consistent with 
the 21st Century Cures Act, prior to March 21, 2018, the Secretary of 
HHS will convene relevant stakeholders to determine the effects of 42 
CFR part 2 on patient care, health outcomes, and patient privacy. The 
information obtained at the meeting will help to inform the course of 
any further part 2 rule-making, and SAMHSA will consider these comments 
on privacy and confidentiality in conjunction with those made during 
the stakeholder meeting.

III. Rulemaking Analysis

Regulatory Impact Analysis (RIA)

    In this final rule, SAMHSA finalizes certain revisions to 42 CFR 
part 2 as follows: Prohibition on re-disclosure (Sec.  2.32); the 
disclosures permitted with written consent (Sec.  2.33), 
including the payment and health care operations activities for which 
lawful holders may disclose patient identifying information to their 
contractors, subcontractors, and legal representatives. In addition, 
SAMHSA clarifies that the audit and evaluation provision (Sec.  
2.53) permits certain disclosures to contractors, 
subcontractors, and legal representatives for purposes of carrying out 
an audit or evaluation, and that audits and evaluations may be 
performed on behalf of federal, state, and local governments providing 
financial assistance to or regulating the activities of lawful holders 
of patient identifying information as well as part 2 programs.
    Notably, SAMHSA explicitly sought comment on costs and benefits of 
its proposed changes. Of the 55 public comments received on the 
proposed rule, none substantively focused on cost or burden issues. 
Public comments support SAMHSA's view in this final rule that these 
modifications will enhance information-sharing and efficiency of such 
payment and health care operations as claims processing, business 
management, training, and customer service and facilitate audit and 
evaluation activities. Further, SAMHSA believes that the re-disclosure 
provisions will make it easier for some part 2 programs and other 
lawful holders to use electronic health systems.
    The January 18, 2017, final rule noted that in ``the absence of 
data and studies specifically focused on compliance with 42 CFR part 2, 
SAMHSA has estimated these costs based on a range of published costs 
associated with HIPAA implementation and compliance.'' SAMHSA notes 
that the HIPAA Omnibus Final Rule (78 FR 5566, Jan. 25, 2013) similarly 
provided a transition period for covered entities to incorporate new 
provisions into agreements between business associates and covered 
entities (up to 20 months after publication of the final rule for some 
agreements, provided certain conditions were met) and anticipated that 
there would be little added cost as these contracts would already be 
required. SAMHSA believes that the cost of updating agreements among 
part 2 programs and other lawful holders to reflect the provisions 
adopted in this final rule would be negligible. In order to provide 
entities with maximum flexibility reflecting their unique contractual 
arrangements, contracts may include statements about required 
compliance with 42 CFR part 2; however, no specific language beyond 
this concept is required by the rule. This rule provides up to two 
years from the effective date to comply with this section. Because part 
2 programs and other lawful holders can modify their contracts during 
the normal renegotiation of contracts as existing contracts expire or, 
if such contracts are not regularly updated, can make such changes up 
to two years from this final rule's effective date, new regulatory 
language required by Sec.  2.33(c), as revised, should impose a minimal 
burden.
    SAMHSA similarly believes that the abbreviated notice of the 
prohibition on re-disclosure adopted in this final rule provides 
additional options to part 2 entities that will facilitate adoption of 
electronic health records and reduce regulatory burdens. Entities not 
wishing to use the abbreviated notice may use the standard prohibition 
on re-disclosure notice. As the revised notice has limited characters, 
SAMHSA believes that it can be more readily used with existing 
electronic health record systems.
    Under the Paperwork Reduction Act of 1995 (PRA), agencies are 
required to provide a 60-day notice in the Federal Register and solicit 
public comment before a collection of information requirement is 
submitted to the Office of Management and Budget (OMB) for review and 
approval. PRA issues were discussed in the SNPRM. SAMHSA stated that it 
anticipated no substantive changes in PRA requirements should changes 
proposed in the SNPRM be adopted. SAMHSA received no public comment on 
our assumptions as they relate to the PRA requirements. SAMHSA 
continues to believe that the final rule imposes no new PRA burdens.
    SAMHSA has examined the impact of this final rule under Executive 
Order 12866 on Regulatory Planning and Review (September 30, 1993), 
Executive Order 13771 on Reducing Regulation and Controlling Regulatory 
Costs (January 30, 2017), Executive Order 13563 on Improving Regulation 
and Regulatory Review (January 18, 2011), the Regulatory Flexibility 
Act of 1980 (Pub. L. 96-354, September 19, 1980), the Unfunded Mandates 
Reform Act of 1995 (Pub. L. 104-4, March 22, 1995), and Executive Order 
13132 on Federalism (August 4, 1999).
    Executive Order 12866 directs agencies to assess all costs and 
benefits of available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health, and safety 
effects; distributive impacts; and equity). Executive Order 13563 is 
supplemental to, and reaffirms the principles, structures, and 
definitions governing regulatory review, as established in Executive 
Order 12866. Executive Order 13771 requires that the costs associated 
with significant new regulations ``shall, to the extent permitted by 
law, be offset by the elimination of existing costs associated with at 
least two prior regulations.'' The changes finalized in this rule will 
not have an annual effect on the economy of $100 million or more in at 
least one year. Therefore, this final rule is not an economically 
significant regulatory action as defined by Executive Order 12866, or a 
significant regulation under Executive Order 13771. The Regulatory 
Flexibility Act (RFA) requires agencies that issue a regulation to 
analyze options for regulatory relief of small businesses if a rule has 
a significant impact on a substantial number of small entities. The RFA 
generally defines a ``small entity'' as (1) a proprietary firm meeting 
the size standards of the Small Business Administration; (2) a 
nonprofit organization that is not dominant in its field; or (3) a 
small government jurisdiction with a population of less than 50,000. 
(States and individuals are not included in the definition of ``small 
entity''). For similar rules, HHS considers a rule to have a 
significant economic impact on a substantial number of small entities 
if at least five percent of small entities experience an impact of more 
than three percent of revenue. This final rule will not have a 
significant economic impact on a substantial number of small entities.
    Section 202(a) of the Unfunded Mandates Reform Act of 1995 requires 
that agencies prepare a written statement, which includes an assessment 
of anticipated costs and benefits, before proposing ``any rule that 
includes any Federal mandate that may result in the expenditure by 
State, local, and tribal governments, in the aggregate, or by the 
private sector, of $100,000,000 or more (adjusted annually for 
inflation) in any one year.'' This final rule does not trigger the 
Unfunded Mandates Reform Act, because it will not result in 
expenditures of this magnitude by states or other government entities.

IV. Provisions of Technical Amendments

    This section contains corrections to the final regulations 
published in the Federal Register on January 18, 2017 (82 FR 6988). The 
word ``manage'' was inadvertently omitted from the
regulation text at Sec.  2.15 concerning incompetent and deceased 
patients. It should read ``to manage their own affairs'' rather than 
``to their own affairs.'' A typographical error and reference in the 
regulation to ``paragraph (a)(8)'' should have instead read ``paragraph 
(a)(6)'' in the text of the regulations at Sec.  2.35 concerning 
disclosures to elements of the criminal justice system which have 
referred patients. As a result, we are making technical corrections in 
42 CFR part 2 at Sec. Sec.  2.15 and 2.35.
    Section 553 of the Administrative Procedure Act, 5 U.S.C. 
553(b)(3)(B), provides that, when an agency for good cause finds that 
notice and public procedure are impracticable, unnecessary, or contrary 
to the public interest, the agency may issue a rule without providing 
notice and an opportunity for public comment. We have determined that 
there is good cause for making these technical corrections final 
without prior notice and opportunity for comment because the changes 
address minor typographical errors, misprints, or omissions, which are 
noncontroversial and do not substantively change the requirements of 
the rule. Furthermore, the minor corrections do not impose any 
additional obligations on any party. Thus, notice and public comment is 
impracticable, unnecessary, or contrary to the public interest.
Conclusion
    SAMHSA is finalizing changes to clarify the payment and health care 
operations activities for which lawful holders may disclose patient 
identifying information to their contractors, subcontractors, and legal 
representatives. In addition, SAMHSA clarifies that the audit and 
evaluation provision permits certain disclosures to contractors, 
subcontractors, and legal representatives for purposes of carrying out 
an audit or evaluation under Sec.  2.53. SAMHSA is finalizing 
changes to clarify that audits and evaluations may be performed on 
behalf of federal, state and local governments providing financial 
assistance to, or regulating the activities of lawful holders, as well 
as part 2 programs. The final rule also includes an abbreviated notice 
of the prohibition on re-disclosure. Finally, SAMHSA is making minor 
technical corrections to select provisions of the 42 CFR part 2 final 
rule published in the Federal Register on January 18, 2017.

List of Subjects in 42 CFR Part 2

    Alcohol abuse, Alcoholism, Drug abuse, Grant programs--health, 
Health records, Privacy, Reporting, and Recordkeeping requirements.

    For the reasons stated in the preamble of this final rule, 42 CFR 
part 2 is amended as follows:

PART 2--CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS

1. The authority citation for part 2 continues to read as follows:

    Authority:  42 U.S.C. 290dd-2.


Sec.  2.15   [Amended]

2. Amend Sec.  2.15(a)(1) by removing the phrase ``to their own 
affairs'' and adding in its place the phrase ``to manage their own 
affairs''.

3. Revise Sec.  2.32 to read as follows:


Sec.  2.32  Prohibition on re-disclosure.

    (a) Notice to accompany disclosure. Each disclosure made with the 
patient's written consent must be accompanied by one of the following 
written statements:
    (1) This information has been disclosed to you from records 
protected by federal confidentiality rules (42 CFR part 2). The federal 
rules prohibit you from making any further disclosure of information in 
this record that identifies a patient as having or having had a 
substance use disorder either directly, by reference to publicly 
available information, or through verification of such identification 
by another person unless further disclosure is expressly permitted by 
the written consent of the individual whose information is being 
disclosed or as otherwise permitted by 42 CFR part 2. A general 
authorization for the release of medical or other information is NOT 
sufficient for this purpose (see Sec.  2.31). The federal rules 
restrict any use of the information to investigate or prosecute with 
regard to a crime any patient with a substance use disorder, except as 
provided at Sec. Sec.  2.12(c)(5) and 2.65; or
    (2) 42 CFR part 2 prohibits unauthorized disclosure of these 
records.
    (b) [Reserved]

4. Revise Sec.  2.33 to read as follows:


Sec.  2.33  Disclosures permitted with written consent.

    (a) If a patient consents to a disclosure of their records under 
Sec.  2.31, a part 2 program may disclose those records in 
accordance with that consent to any person or category of persons 
identified or generally designated in the consent, except that 
disclosures to central registries and in connection with criminal 
justice referrals must meet the requirements of Sec. Sec.  2.34 
and 2.35, respectively.
    (b) If a patient consents to a disclosure of their records under 
Sec.  2.31 for payment and/or health care operations 
activities, a lawful holder who receives such records under the terms 
of the written consent may further disclose those records as may be 
necessary for its contractors, subcontractors, or legal representatives 
to carry out payment and/or health care operations on behalf of such 
lawful holder. Disclosures to contractors, subcontractors, and legal 
representatives to carry out other purposes such as substance use 
disorder patient diagnosis, treatment, or referral for treatment are 
not permitted under this section. In accordance with Sec.  
2.13(a), disclosures under this section must be limited to that 
information which is necessary to carry out the stated purpose of the 
disclosure.
    (c) Lawful holders who wish to disclose patient identifying 
information pursuant to paragraph (b) of this section must have in 
place a written contract or comparable legal instrument with the 
contractor or voluntary legal representative, which provides that the 
contractor, subcontractor, or voluntary legal representative is fully 
bound by the provisions of part 2 upon receipt of the patient 
identifying information. In making any such disclosures, the lawful 
holder must furnish such recipients with the notice required under 
Sec.  2.32; require such recipients to implement appropriate 
safeguards to prevent unauthorized uses and disclosures; and require 
such recipients to report any unauthorized uses, disclosures, or 
breaches of patient identifying information to the lawful holder. The 
lawful holder may only disclose information to the contractor or 
subcontractor or voluntary legal representative that is necessary for 
the contractor or subcontractor or voluntary legal representative to 
perform its duties under the contract or comparable legal instrument. 
Contracts may not permit a contractor or subcontractor or voluntary 
legal representative to re-disclose information to a third party unless 
that third party is a contract agent of the contractor or 
subcontractor, helping them provide services described in the contract, 
and only as long as the agent only further discloses the information 
back to the contractor or lawful holder from which the information 
originated.

5. Amend Sec.  2.35 by revising paragraph (a)(2) as follows:


Sec.  2.35  Disclosure to elements of the criminal justice system which 
have referred patients.

    (a) * * *
    (2) The patient has signed a written consent meeting the 
requirements of
Sec.  2.31 (except paragraph (a)(6) of this section which is 
inconsistent with the revocation provisions of paragraph (c) of this 
section) and the requirements of paragraphs (b) and (c) of this 
section.

6. Amend Sec.  2.53 by:
a. Revising paragraphs (a) introductory text, (a)(1)(i) and (ii), 
(a)(2).
b. Revising paragraphs (b) introductory text, (b)(2)(i) and (ii).
c. Revising paragraph (c)(5).
d. Revising paragraph (d).
    The revisions and addition read as follows:


Sec.  2.53  Audit and evaluation.

    (a) Records not copied or removed. If patient records are not 
downloaded, copied or removed from the premises of a part 2 program or 
other lawful holder, or forwarded electronically to another electronic 
system or device, patient identifying information, as defined in Sec.  
2.11, may be disclosed in the course of a review of records on the 
premises of a part 2 program or other lawful holder to any individual 
or entity who agrees in writing to comply with the limitations on re-
disclosure and use in paragraph (d) of this section and who:
    (1) * * *
    (i) Any federal, state, or local governmental agency that provides 
financial assistance to a part 2 program or other lawful holder, or is 
authorized by law to regulate the activities of the part 2 program or 
other lawful holder;
    (ii) Any individual or entity which provides financial assistance 
to the part 2 program or other lawful holder, which is a third-party 
payer covering patients in the part 2 program, or which is a quality 
improvement organization performing a utilization or quality control 
review, or such individual's or entity's or quality improvement 
organization's contractors, subcontractors, or legal representatives.
    (2) Is determined by the part 2 program or other lawful holder to 
be qualified to conduct an audit or evaluation of the part 2 program or 
other lawful holder.
    (b) Copying, removing, downloading, or forwarding patient records. 
Records containing patient identifying information, as defined in Sec.  
2.11, may be copied or removed from the premises of a part 2 program or 
other lawful holder or downloaded or forwarded to another electronic 
system or device from the part 2 program's or other lawful holder's 
electronic records by any individual or entity who:
    (2) * * *
    (i) Any federal, state, or local governmental agency that provides 
financial assistance to the part 2 program or other lawful holder, or 
is authorized by law to regulate the activities of the part 2 program 
or other lawful holder; or
    (ii) Any individual or entity which provides financial assistance 
to the part 2 program or other lawful holder, which is a third-party 
payer covering patients in the part 2 program, or which is a quality 
improvement organization performing a utilization or quality control 
review, or such individual's or entity's or quality improvement 
organization's contractors, subcontractors, or legal representatives.
* * * * *
    (c) * * *
    (5) If a disclosure to an individual or entity is authorized under 
this section for a Medicare, Medicaid, or CHIP audit or evaluation, 
including a civil investigation or administrative remedy, as those 
terms are used in paragraph (c)(2) of this section, the individual or 
entity may further disclose the patient identifying information that is 
received for such purposes to its contractor(s), subcontractor(s), or 
legal representative(s), to carry out the audit or evaluation, and a 
quality improvement organization which obtains such information under 
paragraph (a) or (b) of this section may disclose the information to 
that individual or entity (or, to such individual's or entity's 
contractors, subcontractors, or legal representatives, but only for the 
purposes of this section).
* * * * *
    (d) Limitations on disclosure and use. Except as provided in 
paragraph (c) of this section, patient identifying information 
disclosed under this section may be disclosed only back to the part 2 
program or other lawful holder from which it was obtained and may be 
used only to carry out an audit or evaluation purpose or to investigate 
or prosecute criminal or other activities, as authorized by a court 
order entered under Sec.  2.66.
* * * * *

    Dated: December 19, 2017.
Elinore F. McCance-Katz
Assistant Secretary for Mental Health and Substance Use.
    Approved: December 20, 2017.
Eric D. Hargan,
Acting Secretary, Department of Health and Human Services.
[FR Doc. 2017-28400 Filed 1-2-18; 8:45 am]