[Federal Register Volume 84, Number 165 (Monday, August 26, 2019)]
[Proposed Rules]
[Pages 44568-44589]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-17817]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
42 CFR Part 2
[SAMHSA-4162-20]
RIN 0930-AA32
Confidentiality of Substance Use Disorder Patient Records
AGENCY: Substance Abuse and Mental Health Services Administration
(SAMHSA), U.S. Department of Health and Human Services (HHS).
ACTION: Notice of proposed rulemaking (NPRM).
-----------------------------------------------------------------------
SUMMARY: This notice of proposed rulemaking proposes changes to the
Confidentiality of Substance Use Disorder Patient Records regulations.
These proposals were prompted by the need to continue aligning the
regulations with advances in the U.S. health care delivery system,
while retaining important privacy protections for individuals seeking
treatment for substance use disorders (SUDs). SAMHSA strives to
facilitate information exchange for safe and effective substance use
disorder care, while addressing the legitimate privacy concerns of
patients seeking treatment for a substance use disorder. Within the
constraints of the statute, these proposals are also an effort to make
the regulations more understandable and less burdensome.
DATES: To be assured consideration, comments must be received at one of
the addresses provided below, no later than 5 p.m. on October 25, 2019.
ADDRESSES: In commenting, please refer to file code SAMHSA 4162-20.
Because of staff and resource limitations, we cannot accept comments by
facsimile (FAX) transmission.
You may submit comments in one of four ways (to avoid duplication,
please submit your comments in only one of the ways listed):
1. Electronically. Federal eRulemaking Portal. You may submit
comments electronically to http://www.regulations.gov. Follow the
``Submit a comment'' instructions.
2. By regular mail. Written comments mailed by regular mail must be
sent to the following address ONLY: The Substance Abuse and Mental
Health Services Administration, Department of Health and Human
Services, Attention: SAMHSA--Deepa Avula, 5600 Fishers Lane, Room
17E41, Rockville, MD 20857.
Please allow sufficient time for mailed comments to be received
before the close of the comment period.
3. By express or overnight mail. Written comments sent by express
or overnight mail must be sent to the following address ONLY:
The Substance Abuse and Mental Health Services Administration,
Department of Health and Human Services, Attention: SAMHSA--Deepa
Avula, 5600 Fishers Lane, Room 17E41, Rockville, MD 20857.
4. By hand or courier. Written comments delivered by hand or
courier must be delivered to the following address ONLY: The Substance
Abuse and Mental Health Services Administration, Department of Health
and Human Services, Attention: SAMHSA--Deepa Avula, 5600 Fishers Lane,
Room 17E41, Rockville, MD 20857.
For information on viewing public comments, see the beginning of
the SUPPLEMENTARY INFORMATION section.
FOR FURTHER INFORMATION CONTACT: Ms. Deepa Avula, (240) 276-2542.
SUPPLEMENTARY INFORMATION:
Inspection of Public Comments: All comments received before the
close of the comment period are available for viewing by the public,
including any personally identifiable or confidential business
information that is included in a comment. We post all comments
received before the close of the comment period on the following
website as soon as possible after they have been received: http://www.regulations.gov. Follow the search instructions on that website to
view public comments.
Table of Contents
I. Background
II. Overview of the Proposed Regulations
III. Provisions of the Proposed Rule
A. Definitions (Sec. 2.11)
B. Applicability (Sec. 2.12)
C. Consent Requirements (Sec. 2.31)
D. Prohibition on Re-disclosure (Sec. 2.32)
E. Disclosures Permitted with Written Consent (Sec. 2.33)
F. Disclosures to Prevent Multiple Enrollments (Sec. 2.34)
G. Disclosures to Prescription Drug Monitoring Programs (Sec.
2.36)
H. Medical Emergencies (Sec. 2.51)
I. Research (Sec. 2.52)
J. Audit and Evaluation (Sec. 2.53)
K. Orders Authorizing the Use of Undercover Agents and
Informants (Sec. 2.67)
IV. Collection of Information Requirements
V. Response to Comments
VI. Regulatory Impact Analysis
A. Statement of Need
B. Overall Impact
C. Alternatives Considered
D. Conclusion
Acronyms
ADAMHA Alcohol, Drug Abuse, and Mental Health Administration
[[Page 44569]]
CFR Code of Federal Regulations
DEA Drug Enforcement Agency
DOJ Department of Justice
DS4P Data Segmentation for Privacy
EHR Electronic Health Record
FAX Facsimile
FDA Food and Drug Administration
FEMA Federal Emergency Management Agency
FR Federal Register
HHS Department of Health and Human Services
HIPAA Health Insurance Portability and Accountability Act of 1996
HIE Health Information Exchange
NPRM Notice of Proposed Rulemaking
ONC Office of the National Coordinator for Health Information
Technology
OTP Opioid Treatment Program
OUD Opioid Use Disorder
PDMP Prescription Drug Monitoring Program
SAMHSA Substance Abuse and Mental Health Services Administration
SNPRM Supplemental Notice of Proposed Rulemaking
SUD Substance Use Disorder
U.S.C. United States Code
I. Background
The Confidentiality of Substance Use Disorder Patient Records
regulations (42 CFR part 2) implement section 543 of the Public Health
Service Act, 42 United States Code (U.S.C.) 290dd-2, as amended by
section 131 of the Alcohol, Drug Abuse and Mental Health Administration
Reorganization Act (ADAMHA Reorganization Act), Public Law, 102-321
(July 10, 1992). The regulations were originally issued to prevent
access to patient records for the treatment of substance use disorder,
in a time when there was not broader privacy and data security standard
for health data Under the regulations, a ``substance use disorder'' is
a defined term, which refers to a cluster of cognitive, behavioral, and
physiological symptoms indicating that an individual continues using a
substance despite significant substance-related problems such as
impaired control, social impairment, risky use, and pharmacological
tolerance and withdrawal. For the purposes of part 2, this definition
does not include tobacco or caffeine use.
The regulations were first promulgated as a final rule in 1975 (40
FR 27802) and amended thereafter in 1987 (52 FR 21796) and 1995 (60 FR
22296). On February 9, 2016, SAMHSA published a notice of proposed
rulemaking (NPRM) (81 FR 6988) (the ``2016 proposed rule''), inviting
comment on proposals to update the regulations, to reflect the
development of integrated health care models and the growing use of
electronic platforms to exchange patient information, as well as the
breadth of laws and regulatory actions implemented since 1975, that
more broadly protect patient data, as patients and as consumers. At the
same time, consistent with the statute, we (note that throughout this
proposed rule, ``we'' refers to SAMHSA) wished to preserve
confidentiality protections it establishes for patient identifying
information from covered programs because persons with substance use
disorders may encounter significant discrimination or experience other
negative consequences if their information is improperly disclosed.
In response to public comments, on January 18, 2017, SAMHSA
published a final rule (82 FR 6052) (the ``2017 final rule''),
providing for greater flexibility in disclosing patient identifying
information within the health care system, while continuing to protect
the confidentiality of substance use disorder patient records. SAMHSA
concurrently issued a supplemental notice of proposed rulemaking
(SNPRM) (82 FR 5485) (the ``2017 proposed rule'') to solicit public
comment on additional proposals. In response to public comments, SAMHSA
subsequently published a final rule on January 3, 2018 (83 FR 239) (the
``2018 final rule'') that provided greater clarity regarding payment,
health care operations, and audit or evaluation-related disclosures,
and provided language for an abbreviated prohibition on re-disclosure
notice.
In both the 2017 and 2018 final rules, SAMHSA signaled its intent
to continue to monitor implementation of 42 CFR part 2, and to explore
potential future rulemaking to better address the complexities of
health information technology, patient privacy, and interoperability,
within the constraints of the statute. The emergence of the opioid
crisis, with its catastrophic impact on individuals, families, and
caregivers, and corresponding clinical and safety challenges for
providers, has highlighted the need for thoughtful updates to 42 CFR
part 2. The laws and regulations governing the confidentiality of
substance abuse records were originally written out of concern for the
potential for misuse of those records against patients in treatment for
a SUD, thereby undermining trust and leading individuals with substance
use disorders not to seek treatment. As observed in the 1983 proposed
rule, the purpose of 42 CFR part 2 is to ensure that patients receiving
treatment for a substance use disorder in a part 2 program ``are not
made more vulnerable to investigation or prosecution because of their
association with a treatment program than they would be if they had not
sought treatment'' (48 FR 38763).
In recent years, the devastating consequences of the opioid crisis
have resulted in an unprecedented spike in overdose deaths related to
both prescription and illegal opioids including heroin and fentanyl,\1\
as well as correspondingly greater pressures on the SUD treatment
system, and heightened demand for SUD treatment services. This proposed
rule proposes changes to the regulation that SAMHSA believes would
better align with the needs of individuals with SUD and of those who
treat these patients in need, and help facilitate the provision of
well-coordinated care, as while ensuring appropriate confidentiality
protection for persons in treatment through part 2 programs.
---------------------------------------------------------------------------
\1\ Recent statistics published by the Centers for Disease
Control and Prevention reflect a spike in the rate of opioid-related
overdose deaths in recent years. See https://www.cdc.gov/mmwr/volumes/67/wr/mm675152e1.htm?s_cid=mm675152e1_w.
---------------------------------------------------------------------------
II. Overview of the Proposed Regulations
Balancing the concerns noted above, SAMHSA proposes several changes
to the regulations at 42 CFR part 2 (part 2). First, we propose to
amend language throughout the regulation to clarify several aspects of
the applicability and disclosure requirements. Specifically, in Section
III.B., Applicability, SAMHSA proposes to amend Sec. 2.12 to clearly
state in the regulatory text that the recording of information about a
SUD and its treatment by a non-part 2 entity does not, by itself,
render a medical record subject to the restrictions of 42 CFR part 2,
provided that the non-part 2 entity segregates any specific SUD records
received from a part 2 program (either directly, or through another
lawful holder). SAMHSA believes this proposed language would encourage
part 2 programs and non-part 2 providers to deliver better and safer
coordinated care, while also protecting the confidentiality of
individuals seeking such care. SAMHSA explains this proposal more fully
in Section III.B.
In addition, SAMHSA proposes several changes to 42 CFR part 2,
consistent with the proposed policy described above. Specifically, in
Section III.A., Definitions, we propose to amend and clarify the
definition of ``Records'' in Sec. 2.11, in a manner that aligns with
the proposed revision to Sec. 2.12 described above. And in Section
III.D., Prohibition on Re-disclosure, SAMHSA proposes to amend the
standard written notice in Sec. 2.32, to clarify the disclosure and
re-disclosure limits under 42 CFR part 2.
[[Page 44570]]
Additionally, SAMHSA seeks to reduce barriers to care coordination
for patients with SUD, in Section III.F., Disclosure to Prevent
Multiple Enrollments, by proposing to amend Sec. 2.34 to allow non-
opioid treatment providers (e.g., non-part 2 providers who nevertheless
manage care for patients with SUD from time to time) to access central
registries. In Section III.G., Disclosure to Prescription Drug
Monitoring Programs, SAMHSA proposes to add new Sec. 2.36 to permit
opioid treatment programs (OTPs) to disclose dispensing and prescribing
data, as required by applicable state law, to prescription drug
monitoring programs (PDMPs), subject to patient consent. As noted
above, patient safety is of paramount importance, and many drugs
prescribed and dispensed by non-OTPs could have life-threatening and
even deadly consequences if not properly coordinated with those
prescribed and dispensed by OTPs. Therefore, SAMHSA believes it
necessary for both OTPs and non-OTPs to report, and to access,
prescription drug records in central registries and PDMPs, and to
monitor dosing accordingly.
SAMHSA also makes several proposals that specifically decrease
burden for patients accessing care, without compromising patient
confidentiality. First, in Section III.C., Consent Requirements, SAMHSA
proposes to amend Sec. 2.31, to allow patients to consent to the
disclosure of their information to a wide range of entities, without
naming the specific individual receiving this information on behalf of
a given entity; special instructions would apply with respect to
consents for disclosure of information to information exchanges and
research institutions. We believe this proposal would give patients the
ability to apply for and access federal, state, and local resources and
benefits more easily, (e.g., social security benefits; local sober
living or halfway house programs). Second, in Section III.H., Medical
Emergencies, SAMHSA proposes to amend to Sec. 2.51 to allow disclosure
of patient information to another part 2 program or other SUD treatment
provider during State or Federally declared natural and major
disasters. SAMHSA believes this proposal would reduce the burden of
disclosure requirements both for patients to receive, and for
clinicians to provide, care that may not be otherwise feasible during
natural and major disasters, ensuring that patients can continue to
receive on-going and appropriate care.
In Section III.E., Disclosures Permitted with Written Consent,
SAMHSA proposes amendments to Sec. 2.33 to expressly allow disclosure
to specified entities and individuals for 17 types of payment and
health care operational activities. Although SAMHSA believes these
activities were already permitted by the regulation, we have received
feedback from stakeholders that there remains some confusion on these
points. Therefore, we believe it necessary to more clearly state this
regulatory permission in the regulatory text, to avoid any further
confusion. SAMHSA also proposes amendments to Sec. 2.53 (Audit and
Evaluation) together with clarifying guidance, under Section III.J. The
amendments to Sec. 2.53 would help to resolve confusion about
permitted types of disclosures to and from federal, state and local
governmental agencies and to and from third-party payers, for the
purpose of audit and evaluation, among other changes. They would also
allow patient identifying information to be disclosed to federal,
state, and local agencies, and the contractors, subcontractors, and
legal representatives of such agencies in the course of conducting
audits or evaluations mandated by statute or regulation, if those
audits or evaluations cannot be carried out using de-identified
information. Likewise, in section III.I., Research, SAMHSA proposes to
allow research disclosures of part 2 patient data by a HIPAA covered
entity to individuals and organizations who are neither HIPAA covered
entities, nor subject to the Common Rule, for the purpose of conducting
scientific research. SAMHSA believes this change will better align the
requirements of part 2, the Common Rule, and the Privacy Rule around
the conduct of research on human subjects, and will help to streamline
duplicative requirements for research disclosures under part 2 and the
Privacy Rule in some instances. SAMHSA is also proposing to amend
section Sec. 2.52 (Research) to clarify that research disclosures may
be made to members of the workforce of a HIPAA covered entity for
purposes of employer-sponsored research, as well as to permit research
disclosures to recipients who are covered by FDA regulations for the
protection of human subjects in clinical investigations (at 21 CFR part
50).
In Section III.K., Orders Authorizing Use of Undercover Agents and
Informants, SAMHSA proposes to revise our policies in Sec. 2.67 for
the placement of undercover agents and informants within a part 2
program, to provide more clarity regarding the permitted time period
for placement pursuant to court order.
Finally, SAMHSA provides the following guidance on how employees,
volunteers and trainees of part 2 facilities should handle
communications using personal devices and accounts, especially in
relation to Sec. 2.19 concerning disposition of records by
discontinued programs. In Sec. 2.11, the current regulation defines
``Records'' to include information relating to a patient that could
include email and texts. In Sec. 2.19, the regulation codifies the
requirements for disposition of records from a discontinued part 2
program. These requirements state that records which are electronic
must be ``sanitized'' within one year of the discontinuation of the
part 2 program. This sanitization must render the patient identifying
information non-retrievable in accordance with Sec. 2.16 (security for
records). Read together, current Sec. Sec. 2.11, 2.16, and 2.19 could
be interpreted to mean that, if an individual working in a part 2
program receives a text or email from a patient on his or her personal
phone which he or she does not use in the regular course of their
employment in the part 2 program, and this part 2 program is
discontinued, the personal device may need to be sanitized. Depending
on the policies and procedures of the part 2 program, this sanitization
may render the device no longer useable to that individual. SAMHSA
clarifies that this interpretation is not the intent of the
regulations.
Although SAMHSA does not encourage patient communication through
personal email and cell phones, it recognizes that patients may make
contact through the personal devices or accounts of an employee (or
volunteer or trainee) of a part 2 program, even if the employee (or
volunteer or trainee) does not use such device or account in the
regular course of their employment in the part 2 program. In such
instances, SAMHSA wishes neither to convey that these devices become
part of the part 2 record, nor that, if the part 2 program is
discontinued, these devices must be sanitized. Instead, SAMHSA
clarifies that, in the case that patient contact is made through an
employee's (or volunteer's or trainee's) personal email or cell phone
account which he or she does not use in the regular course of business
for that part 2 program, the employee should immediately delete this
information from his or her personal account and only respond via an
authorized channel provided by the part 2 program, unless responding
directly from the employee's account is required in order to protect
the best interest of the patient. If the email or
[[Page 44571]]
text contains patient identifying information, the employee should
forward this information to such authorized channel and then delete the
email or text from any personal account. These authorized channels are
then subject to the normal standards of sanitization under Sec. Sec.
2.16 and 2.19 and any other applicable federal and state laws. SAMHSA
believes that this process will both protect the employee's personal
property and the confidentiality of the patient's records if the
patient makes such unauthorized contact.
III. Provisions of the Proposed Rule
A. Definitions (Sec. 2.11)
In the current regulation, ``Records'' is defined to mean ``any
information, whether recorded or not, created by, received, or acquired
by a part 2 program relating to a patient.'' In the 2017 final rule,
SAMHSA noted that some commenters expressed confusion regarding what is
considered unrecorded information (82 FR 6068); it, therefore, added
parenthetical examples in an effort to clarify. But with the exception
of these parenthetical examples, the basic definition for ``records''
under part 2 has remained the same since the 1987 final rule.
In a subsequent section of this proposed rule (III.B.) on
``Applicability'' (at Sec. 2.12), SAMHSA discusses a proposed change
to the restriction on disclosures under part 2, which would serve to
clarify some record-keeping activities of non-part 2 providers that
fall outside the scope of 42 CFR part 2. As explained in section
III.B., the proposed change is needed to facilitate communication and
coordination between part 2 programs and non-part 2 providers, and to
ensure that appropriate communications are not hampered by fear among
non-part 2 providers of inadvertently violating part 2, as a result of
receiving and reading a protected SUD patient record and then providing
care to the patient.
SAMHSA proposes here to make a conforming amendment to the Sec.
2.11 definition of ``records,'' by adding, at the end of the first
sentence of the definition, the phrase, ``provided, however, that
information conveyed orally by a part 2 program to a non-part 2
provider for treatment purposes with the consent of the patient does
not become a record subject to this part in the possession of the non-
part 2 provider merely because that information is reduced to writing
by that non-part 2 provider. Records otherwise transmitted by a part 2
program to a non-part 2 provider retain their characteristic as a
``record'' subject to this part in the possession of the non-part 2
provider, but may be segregated by that provider.''
The effect of this proposed amendment would be to incorporate a
very limited exception to the definition of ``records,'' such that a
non-part 2 provider who orally receives a protected SUD record from a
part 2 program may subsequently engage in an independent conversation
with her patient, informed by her discussion with the part 2 provider,
and record SUD information received from the part 2 program or the
patient, without fear that her own records thereafter would become
covered by part 2. As discussed below in the proposed revisions to the
``Applicability'' section of part 2 (at Sec. 2.12), the intent of
these proposed clarifications is to better facilitate coordination of
care between non-part 2 providers and part 2 programs, and to resolve
lingering confusion among non-part 2 providers about when and how they
can capture SUD patient care information in their own records, without
fear of those records being subject to the confidentiality requirements
of part 2.
B. Applicability (Sec. 2.12)
In the 1987 final rule, SAMHSA broadly established that the
restrictions on disclosure under 42 CFR part 2 would apply to any
alcohol and drug abuse information obtained by a federally assisted
alcohol or drug abuse program. As explained in 1987, by limiting the
applicability of 42 CFR part 2 to specialized programs--that is, to
those programs that hold themselves out as providing and which actually
provide alcohol or drug abuse diagnosis, treatment, and referral for
treatment--the aim was to simplify the administration of the
regulations, but without significantly affecting the incentive to seek
treatment provided by the confidentiality protections. Limiting the
applicability of 42 CFR part 2 to specialized programs was intended to
lessen the adverse economic impact of the regulations on a substantial
number of facilities which provide SUD care only as incident to the
provision of general medical care. The exclusion of hospital emergency
departments and general medical or surgical wards from coverage was not
seen as a significant deterrent to patients seeking assistance for
alcohol and drug abuse. SAMHSA's experience in the more than 30 years
since 1987 has been consistent with this expectation.
The 2017 final rule elaborated on this policy, by establishing that
the disclosure restrictions on SUD patient records would extend to
individuals or entities who receive such records either from a part 2
program or from another lawful holder. See 42 CFR 2.12(d)(2)(i)(C). As
explained in the 2017 final rule, a ``lawful holder'' of patient
identifying information is an individual or entity who has received
such information as the result of a part 2-compliant patient consent,
or as a result of one of the exceptions to the consent requirements in
the statute or implementing regulations (82 FR 6068). Thus, the effect
of the 2017 rule was to expand the scope of application for part 2
confidentiality, by ensuring that records initially created by a part 2
program would remain protected under 42 CFR part 2 throughout a chain
of subsequent re-disclosures, even into the hands of a downstream
recipient not itself a part 2 program. The reason for the 2017 change
was, once again, to avoid any deterrent effect on patients seeking
specialized SUD care through part 2 treatment programs, by virtue of
the patient records from those programs losing their part 2
confidentiality protection following a disclosure downstream to other
``lawful holder'' recipients of those records (81 FR 6997).
Although that policy was established in the 2017 final rule,
specifically in Sec. 2.12(d)(2)(i)(C), there remains some confusion
within the provider community about what information collected by non-
part 2 entities is (or is not) covered by the part 2 restrictions on
re-disclosure. When SAMHSA expanded the reach of the Applicability
provision in 2017, the intent was not to change the policy established
in the 1987 rulemaking, nor to make the records of non-part 2 entities
(such as some primary care providers) directly subject to 42 CFR part
2, simply because information about SUD status and treatment might be
included in those records. Rather, the intent underlying the 2017
provision was to clarify the applicability of 42 CFR part 2 in a
targeted manner, so that records initially created under the protection
of part 2 would continue to be protected following disclosure to
downstream recipients. In doing so, SAMHSA sought to encourage
individuals to enter into SUD treatment through part 2 programs, by
strengthening the confidentiality protection for records that originate
from those programs. Implicit in SAMHSA rulemaking since 1987 has been
the pursuit of a balance of policy interests: On the one hand,
consistent with the Congressionally stated purpose of the drug abuse
confidentiality statute, to encourage entry into SUD treatment by
ensuring that the records of treatment
[[Page 44572]]
through a part 2 program would not be publicly disclosed, and on the
other hand, to reduce the adverse impact of part 2 burdens on general
medical care providers and facilities and on patient care.
In the wake of the nation's opioid epidemic and continuing trends
related to alcohol use disorder and cannabis use disorder, it has
become increasingly important for primary care providers and general
medical facilities not covered by 42 CFR part 2 to be able to carry out
treatment and health care operations that sometimes involve creating
new records that mention SUD status and care. Such records and
activities are not covered by 42 CFR part 2. However, coordination of
care between part 2 programs and non-part 2 providers would involve the
disclosure of SUD records and information by the former to the latter.
Under the current 42 CFR part 2 regulation, such disclosures of records
by a part 2 program to a non-part 2 provider do not render all
subsequent records on SUD caretaking activity undertaken by the non-
part 2 provider subject to the part 2 regulation. For example, when a
non-part 2 provider is directly treating her own patient, and creates a
record based on her own patient contact that includes SUD information,
then that record is not covered by part 2.
Nevertheless, SAMHSA recognizes that there may be significant
confusion or misunderstanding as to the applicability of part 2 rules
to non-part 2 providers. This results in increased burden on non-part 2
providers, and the potential for impaired coordination of care for
patients, which could be life threatening, for example, if an affected
patient has an opioid use disorder. Although the existing text of 42
CFR 2.12 (d)(2)(i)(C) on Applicability does not compel these results,
SAMHSA's experience in recent years has demonstrated the need for
clearer regulatory language, to better delineate the records of non-
part 2 entities which are not covered by the 42 CFR part 2 rules.
Based on the above considerations, SAMHSA proposes to add a new
subsection (d)(2)(ii) to Sec. 2.12, to better clarify that a non-part
2 treating provider's act of recording information about a SUD and its
treatment would not make that record subject to 42 CFR part 2. SUD
records received by that non-part 2 entity from a part 2 program are
subject to part 2 restrictions on redisclosure of part 2 information by
lawful holders, including redisclosures by non-part 2 providers.
However, the records created by the non-part 2 provider in its direct
patient encounter(s) would not be subject to part 2, unless the records
received from the part 2 program are incorporated into such records.
Segregation of any part 2 records previously received from a part 2
program can be used to ensure that new records (e.g., a treatment note
based on a direct clinical encounter with the patient) created by non-
part 2 providers during their own patient encounters would not become
subject to the part 2 rules.
SAMHSA believes that this addition would further clarify the 2017
revisions, by affirming that the independent record-keeping activities
of non-part 2-covered entities remain outside the coverage of 42 CFR
part 2, despite such providers' (segregated) possession, as lawful
holders, of part 2-covered records. The part 2 disclosure restrictions
only apply to SUD patient records originating with part 2 providers.
Such part 2 originating records are subject to the part 2 limitations
on use and disclosure as they move through the hands of other ``lawful
holders'' and part 2 programs. Even where part 2 does not apply to a
patient record created by a non-part 2 provider following a direct
patient encounter, that record will nevertheless be subject to the
HIPAA Privacy Rule.
One means by which non-part 2 treating providers could benefit from
the above proposal would be through the segregated storage of part 2-
covered SUD records received from a part 2 program or other lawful
holder. In the context of a paper record received from a part 2
program, the proposed requirement could be met by the ``segregation''
or ``holding apart'' of these records; in the context of electronic
records from a part 2 program, the proposed requirement could be met by
logical ``segmentation'' of the record in the electronic health record
(EHR) system in which it is held. As under the current rule, when a
non-part 2 entity receives a protected SUD record from a part 2 program
or other lawful holder, the received record is subject to the
heightened confidentiality requirements under part 2. ``Segregating''
the received record, whether by segmenting it or otherwise labeling or
holding it apart, would allow the recipient entity to identify and keep
track of a record that requires heightened protection.
Under both the proposal and the current text of part 2, the lawful
holder recipient entity remains subject to part 2 re-disclosure
restrictions with regard to the part 2 record, whether or not the
recipient entity is able to segregate it. But ``segregating'' allows
the recipient entity both to keep track of the part 2 records, and
readily distinguish them from all the other patient records that the
entity holds which are not subject to part 2 protection. As mentioned
above, ``segregating'' the part 2 record may involve physically holding
apart any part 2-covered records from the recipient's other records,
which would be quite feasible in the case of a received paper record or
an email attachment containing such data. Alternately, ``segregating''
can involve electronic solutions, such as segmenting an electronic SUD
patient record received from a part 2 program by use of a Data
Segmentation for Privacy (DS4P) compliant EHR platform, in which
segmentation is carried out electronically based on the standards of
DS4P architecture (discussed further below). Either of these methods
for ``segregating'' part 2 covered records is a satisfactory way for
the recipient entity to keep track of them, and to distinguish them
from all the other patient records that the entity holds which are not
subject to part 2 protection. We note that ``segregating'' a received
part 2 record does not require the use of a separate server for holding
the received part 2 records. We do not intend this rule to result in
the creation of separate servers or health IT systems for part 2
documents. Our policy is intended to be consistent with existing
technical workflows for data aggregation, storage, and exchange.
One concern that this proposal raises is the possibility that a
non-part 2 provider might transcribe extensively from a part 2 record
without having a clinical purpose for doing so. This, however, is not
the intent of the proposal. Briefly, the intent is to allow a non-part
2 provider to receive SUD information about a patient from a part 2
program, and then to engage in a treatment discussion with that
patient, informed by that information, and then be able to create her
own treatment records including SUD content, without the latter
becoming covered by part 2. This level of flexibility is needed in
order to improve coordination of care efforts, and to save lives. It is
not SAMHSA's intent to encourage a non-part 2 provider to abuse the
rules, by transcribing extensively from a conversation with a part 2
program or from a received part 2 record when creating her own records,
without having a clinical purpose for doing so.
In the 2017 final rule, SAMHSA responded to several public comments
about data segmentation issues connected to 42 CFR part 2. We
acknowledged then that although significant challenges exist for data
segmentation of SUD records within
[[Page 44573]]
some current EHR systems, SAMHSA has led the development of use- case
discussions related to the technical implementation of the Data
Segmentation for Privacy (DS4P) standard and recently contributed to
the development of the FHIR implementation guide for Consent2Share.\2\
We believe that DS4P and Consent2Share are important tools to advance
the needs of part 2 providers and providers across the care continuum.
SAMHSA recognizes and encourages the further development of DS4P
standards, and the adoption by providers of EHR systems that meet those
standards. The current proposal for revising Sec. 2.12 does not,
however, impose on non-part 2 entities any new requirement for data
segmentation as a practice, nor does it establish any new standards or
requirements for EHR technology. SAMHSA considered including, in this
proposed rule, the policy option of defining ``segmented'' and
``segmentation'' under 42 CFR part 2, in order to offer greater clarity
about what these terms mean under the rule. We decided not to do so,
however, since a formal definition of segmentation might have
unforeseen technical ramifications for EHR and HIE systems
implementation in the future. In addition, SAMHSA believes this policy
should be flexible, to allow providers with different operational
standards and capabilities to implement the policy with regard to
segregation or segmentation in the least burdensome way to their
practices, while still maintaining confidentiality of patient records
subject to part 2. Nevertheless, using health IT to support data
segmentation for privacy and consent management is one path that a
provider could use to support their effort to meet part 2 requirements
including those described in this proposed rule.
---------------------------------------------------------------------------
\2\ ``Consent2Share FHIR Profile Design.docx'' can be accessed
at https://gforge.hl7.org/gf/project/cbcc/frs/.
---------------------------------------------------------------------------
In addition to the proposed revision to 42 CFR 2.12(d) above,
SAMHSA proposes conforming changes to the regulatory text of several
other sections of 42 CFR 2.12, to provide further clarification of the
applicability of part 2 restrictions on patient records.
In Sec. 2.12(a), SAMHSA proposes to change the text to reflect
that the restrictions on disclosure apply to ``any records,'' rather
than to ``any information, whether recorded or not.'' We also propose a
conforming change to Sec. 2.12(a)(ii), to indicate that the
restrictions of this part apply to any records which ``contain drug
abuse information obtained . . .'' or ``contain alcohol abuse
information obtained . . .'' Taken together, these changes are
congruent with the amendment to Sec. 2.12(d) and help to make it clear
that part 2 applies to ``records'' (as defined under Sec. 2.11).
In Sec. 2.12(e)(3), SAMHSA proposes to change the text to reflect
that the restrictions on disclosure apply to the recipients ``of part
2-covered records,'' rather than to the recipients ``of information.''
This proposed change is congruent with the proposed amendment to Sec.
2.12(d) and would help to make explicit that downstream restrictions on
re-disclosure by non-Part 2 entities are tied to protected records
which originate from a part 2 program in the first instance. SAMHSA
believes that this proposed conforming change is important, because it
would further establish that the re-disclosure burden for non-part 2
entities ties specifically to the protected records that they receive
from a part 2 program, and not to any other records that the non-part 2
entity creates by itself, regardless of whether the latter might
include some SUD-related content.
In Sec. 2.12(e)(4), SAMHSA likewise proposes a conforming change
to the text, by adding language to reflect that a diagnosis prepared by
a part 2 program for a patient who is neither treated by nor admitted
to that program, nor referred for care elsewhere, is nevertheless
covered by the regulations in this part. The proposed change to the
regulatory text is for clarity, to ensure that this section could not
be misread as applying directly to the activities of a non-part 2
entity or provider.
Similarly, and congruent with the above conforming changes, SAMHSA
is also proposing to modify the definition of ``Records'' in Sec. 2.11
as discussed in Section III.A. above and to modify and streamline the
language in Sec. 2.32 as discussed in Section III.D. below. Readers
are referred to those sections of the proposed rule for specifics on
those proposals and the rationales for such proposed policies.
C. Consent Requirements (Sec. 2.31)
In the 2017 final rule, SAMHSA made several changes to the consent
requirements at Sec. 2.31, to facilitate the sharing of information
within the health care context, while ensuring the patient is fully
informed and the necessary confidentiality protections are in place.
Among those changes, SAMHSA amended the written consent requirements
regarding identification of the individuals and entities to whom
disclosures of protected information may be made (82 FR 6077).
Specifically, SAMHSA adopted a framework for disclosures to entities
that made several distinctions between recipients that have a treating
provider relationship with the patient, and recipients that do not.
Under the current rules at Sec. 2.31(a)(4), if the recipient entity
does not have a treating provider relationship with the patient whose
information is being disclosed and is not a third-party payer, such as
an entity that facilitates the exchange of health care information or
research institutions, the written consent must include the name of the
entity and one of the following: ``the name(s) of an individual
participant(s); the name(s) of an entity participant(s) that has a
treating provider relationship with the patient whose information is
being disclosed; or a general designation of an individual or entity
participant(s) or class of participants that must be limited to a
participant(s) who has a treating provider relationship with the
patient whose information is being disclosed.'' As stated in the 2017
final rule, SAMHSA wants to ensure that patient identifying information
is only disclosed to those individuals and entities on the health care
team with a need to know this sensitive information (82 FR 6084).
SAMHSA, accordingly, limited the ability to use a general designation
in the `to whom' section of the consent requirements to those
individuals or entities with a treating provider relationship to the
patient at issue.
Since the 2017 final rule was published, SAMHSA has learned that
some patients with substance use disorders may want part 2 programs to
disclose protected information to entities for reasons including
eligibility determinations and seeking non-medical services or benefits
from governmental and non-governmental entities (e.g., social security
benefits, local sober living or halfway house programs). Because these
entities lack a treating provider relationship with the patient, the
current rules preclude them from being designated by name to receive
the information, unless they are third-party payers, or the patient
knows the identity of the specific individual who would receive the
information on behalf of the benefit program or service provider. In
addition, many of these entities may not be able to identify a specific
employee to receive application information, and instead are likely to
encourage patients to contact them or apply online, such that
information is submitted to the organization rather than to a specific
person. SAMHSA has heard that many patients have encountered
frustration and delays in applying for and receiving services and
[[Page 44574]]
benefits from, and in authorizing part 2 providers to release their
information to, entities providing such services and benefits, by
virtue of the inability to designate these entities by organization
name only on the written consent for disclosure of part 2 information.
It is not SAMHSA's intent to limit patients' ability to consent to the
disclosure of their own information. We wish, rather, to empower
patients to consent to the release and use their health information in
whatever way they choose, consistent with statutory and regulatory
protections designed to ensure the integrity of the consent process.
Therefore, SAMHSA proposes to amend the current regulations to
clarify that patients may consent to disclosures of part 2 information
to organizations without a treating provider relationship. We propose
to amend Sec. 42 CFR 2.31(a)(4)(i), which currently requires a written
consent to include the names of individual(s) to whom a disclosure is
to be made. The amendment would insert the words ``or the name(s) of
the entity(-ies)'' to that section, so that a written consent must
include the name(s) of the individual(s) or entity(-ies) to whom or to
which a disclosure is to be made. SAMHSA believes that this language
aligns more closely with the wording of the regulation before the
January 2017 final rule changes and would alleviate problems caused by
the inability to designate by name an individual recipient at an
entity. For example, if a patient wants a part 2 program to disclose
impairment information to the Social Security Administration for a
determination of benefits, such patient would only need to authorize
this agency on the ``to whom'' section of the consent form, rather than
identify a specific individual at the agency to receive such
information.
SAMHSA proposes to remove Sec. 2.31(a)(4)(ii) and (iii)(A), and
redesignate current Sec. 2.31(a)(4)(iii)(B) as Sec. 2.31(a)(4)(ii).
SAMHSA also proposes to amend the newly redesignated Sec.
2.31(a)(4)(ii), so that it applies only to entities that facilitate the
exchange of health information (e.g., health information exchanges
(HIEs)) or research institutions. The proposed amendment would provide
that, if the recipient entity is an entity that facilitates the
exchange of health information or is a research institution, the
consent must include the name of the entity and one of the following:
(1) The name(s) of an individual or entity participant(s); or (2) a
general designation of an individual or entity participant(s) or class
of participants, limited to a participant(s) who has a treating
provider relationship with the patient whose information is being
disclosed. As stated in the January 2017 final rule (82 FR 6084), for
entities that facilitate the exchange of health information or are
research institutions, SAMHSA wants to ensure that patient identifying
information is only disclosed to those individuals and entities on the
health care team with a need to know this sensitive information.
Therefore, in instances where information is disclosed to entities that
facilitate the exchange of health information or research institutions,
SAMHSA will continue to limit the ability to use a general designation
(e.g., ``all my treating providers'') in the ``to whom'' section of the
consent requirements to those individuals or entities with a treating
provider relationship.
D. Prohibition on Re-Disclosure (Sec. 2.32)
As discussed in Section III.B. above, in the 2017 final rule,
SAMHSA clarified that the disclosure restrictions on SUD patient
records would extend to individuals or entities who receive such
records either from a part 2 program or from another lawful holder. We
further emphasized this clarification in the notice requirements in
Sec. 2.32. Under Sec. 2.32, each disclosure made with a patient's
consent must contain a written statement notifying the recipient of the
applicability of 42 CFR part 2 to any re-disclosure of the protected
record. In the 2017 final rule, SAMHSA noted that the prohibition on
re-disclosure provision only applies to information from the record
that would identify, directly or indirectly, an individual as having
been diagnosed, treated, or referred for treatment for a substance use
disorder by a part 2-covered provider. The prohibition still allows
other health-related information shared by the part 2 program to be re-
disclosed, if permissible under the applicable law (82 FR 6089).
SAMHSA has heard from the provider community that this section of
the regulation has prompted downstream, non-part 2 providers to
manually redact portions of their disclosure data files that identify a
patient as having or having had a substance use disorder. This activity
is operationally burdensome and not the intent of the 2017 final rule.
As noted in Section III.B. above, SAMHSA proposes to modify the
regulations such that the recording of information about a SUD and its
treatment by a non-part 2 entity is permitted and does not constitute
records that have been redisclosed under part 2 (and, thus, subjected
to part 2 protections), provided that any specific SUD records received
from a part 2 program or other lawful holder are segregated or
segmented. Therefore, a downstream entity would not need to redact SUD
information in its records, provided that the original record received
from the part 2 program or other lawful holder is segregated or
segmented.
To ensure that downstream entities are aware that they do not need
to redact information in their files if they have means of identifying
the part 2-covered data (e.g., by segregating or segmenting the files
received from the part 2 program), as proposed above, SAMHSA proposes
to modify and streamline the notice language in Sec. 2.32(a)(1), to
remove the superfluous language that has contributed to confusion
regarding the restrictions on re-disclosures. Specifically, we propose
to remove ``information in'' and ``that identifies a patient as having
or having had a substance use disorder either directly, by reference to
publicly available information, or through verification of such
identification by another person,'' from the current notice language
established in the regulation. Additionally, SAMHSA has added language
to specifically state that only the record is subject to the
prohibition on re-disclosure in Sec. 2.32, unless further disclosure
either is expressly permitted by written consent of the individual
whose information is being disclosed in the record or is otherwise
permitted by 42 CFR part 2.
E. Disclosures Permitted With Written Consent (Sec. 2.33)
In the 2018 final rule (83 FR 241), SAMHSA clarified at Sec.
2.33(b), the scope and requirements for permitted disclosures by a
lawful holder to contractors, subcontractors, and legal
representatives, for the purpose of payment and certain health care
operations. In the 2017 proposed rule, SAMHSA proposed to include a
list of 17 specific types of permitted payment and health care
operations (82 FR 5487).
Based on the numerous comments received requesting additions or
clarifications to the list, as well as concerns that the changes
occurring in the health care payment and delivery system could rapidly
render any list of activities included in the regulatory text outdated,
SAMHSA decided not to include the list of 17 activities in the
regulation text in the 2018 final rule, and, instead, decided to
include a list of the types of permitted activities in the preamble of
the 2018 final rule. SAMHSA stated in the 2018 final rule that we
included this list of activities in the preamble in order to make clear
that it is an illustrative rather than
[[Page 44575]]
exhaustive list of the types of payment and health care operations
activities that would be acceptable to SAMHSA (83 FR 241). By removing
the list from the regulatory text, SAMHSA intended for other
appropriate payment and health care operations activities to be
permitted under Sec. 2.33 as the health care system continues to
evolve.
Since the 2018 final rule was published, SAMHSA has learned that
including an illustrative list of permissible activities in the
preamble rather than in the text of the regulation did not fully
clarify the circumstances under which part 2 information could be
further disclosed under Sec. 2.33. Specifically, stakeholders may
believe that a particular activity is not permissible unless it is
explicitly identified within the regulatory text. Therefore, to clear
up any remaining confusion, SAMHSA proposes to amend Sec. 2.33(b) to
expressly include the illustrative list of permissible activities that
was contained in the preamble of the 2018 final rule (83 FR 243). It is
important to note, as was noted in the preamble to the 2018 final rule,
that this list is illustrative rather than exhaustive.
Specifically, examples of permissible activities that SAMHSA
considers to be payment and health care operations activities to be
added under Sec. 2.33(b) include:
Billing, claims management, collections activities,
obtaining payment under a contract for reinsurance, claims filing and
related health care data processing;
Clinical professional support services (e.g., quality
assessment and improvement initiatives; utilization review and
management services);
Patient safety activities;
Activities pertaining to:
[cir] The training of student trainees and health care
professionals;
[cir] The assessment of practitioner competencies;
[cir] The assessment of provider and/or health plan performance;
and/or
[cir] Training of non-health care professionals;
Accreditation, certification, licensing, or credentialing
activities;
Underwriting, enrollment, premium rating, and other
activities related to the creation, renewal, or replacement of a
contract of health insurance or health benefits, and/or ceding,
securing, or placing a contract for reinsurance of risk relating to
claims for health care;
Third-party liability coverage;
Activities related to addressing fraud, waste and/or
abuse;
Conducting or arranging for medical review, legal
services, and/or auditing functions;
Business planning and development, such as conducting cost
management and planning-related analyses related to managing and
operating, including formulary development and administration,
development or improvement of methods of payment or coverage policies;
Business management and/or general administrative
activities, including management activities relating to implementation
of and compliance with the requirements of this or other statutes or
regulations;
Customer services, including the provision of data
analyses for policy holders, plan sponsors, or other customers;
Resolution of internal grievances;
The sale, transfer, merger, consolidation, or dissolution
of an organization;
Determinations of eligibility or coverage (e.g.,
coordination of benefit services or the determination of cost sharing
amounts), and adjudication or subrogation of health benefit claims;
Risk adjusting amounts due based on enrollee health status
and demographic characteristics; and
Review of health care services with respect to medical
necessity, coverage under a health plan, appropriateness of care, or
justification of charges.
To further clarify that the list is not exhaustive, SAMHSA also
proposes to add ``other payment/health care operations activities not
expressly prohibited'' in this provision to the end of the list. For
example, SAMHSA previously added language to the regulatory text in
Sec. 2.33(b) to clarify that disclosures to contractors,
subcontractors and legal representatives are not permitted for
activities related to a patient's diagnosis, treatment, or referral for
treatment. SAMHSA again clarifies that Sec. 2.33(b) is not intended to
cover care coordination or case management, and disclosures to
contractors, subcontractors, and legal representatives to carry out
such purposes are not permitted under this section. We note that this
policy differs from the Health Insurance Portability and Accountability
Act Privacy Rule, under which `health care operations' encompasses such
activities as case management and care coordination. SAMHSA has
previously emphasized the importance of maintaining patient choice in
disclosing information to health care providers with whom they will
have direct contact (83 FR 243). Although Sec. 2.33(b) does not cover
disclosures for the purpose of care coordination or case management,
such disclosures may nevertheless be made under other provisions of
Sec. Sec. 2.31 and 2.33. Additionally, several of the proposals to
revise other sections of part 2 in this rule-making will help to
facilitate coordination of care, as under Sec. 2.12 (Applicability).
F. Disclosures To Prevent Multiple Enrollments (Sec. 2.34)
In the 2017 final rule, SAMHSA modernized Sec. 2.34 by updating
terminology and revising corresponding definitions. Section 2.34
permits consensual disclosure of patient records to a withdrawal
management or maintenance treatment program within 200 miles of a part
2 program. After receiving comments, we retained the specificity of
``200 miles'' to prevent multiple enrollments that could result in
patients receiving multiple streams of SUD treatment medications, which
in turn may increase the likelihood of an adverse event or of diversion
(82 FR 6094).
Central registries, defined in Sec. 2.11, do not exist in all
states, and the defining parameters for the operation of the registries
vary somewhat across states and across part 2 programs. However, in the
context of the opioid epidemic, recent experience has demonstrated that
it is important for all providers who work with SUD patients, including
non-opioid treatment program (non-OTP) providers, to have access to the
information in the central registries, for the purpose of helping
prevent duplicative patient enrollment for opioid use disorder
treatment. Access to central registry information is also needed by
non-OTP providers to fully inform their decisions when considering
appropriate prescription drugs, including opioids, for their patients.
Methadone is a long-acting opioid used to treat opioid use
disorders and for pain that, when used at levels higher than
recommended for an individual patient, can lead to low blood pressure,
decreased pulse, decreased respiration, seizures, coma, or even death.
When used as a part of a supervised medication assisted treatment (MAT)
program, methadone is a safe and effective treatment for SUD, including
OUD. Methadone is a long acting opioid, subject to accumulation when
its metabolism is inhibited. Its effects may be potentiated by certain
other drugs with which it may have pharmacodynamic interactions, so the
medication is specifically tailored to each individual patient and must
be used exactly as prescribed. Exceeding the specific dosing can lead
to dangerous side effects and potential overdose. Other medications,
including
[[Page 44576]]
other SUD treatments, such as buprenorphine, as well as other
medication including other opioids, benzodiazepines, HIV medications,
certain antipsychotics and anti-depressants, also have the potential to
interact dangerously with methadone.
Buprenorphine products are also long-acting opioid formulations
approved by the Food and Drug Administration (FDA) for treatment of
opioid use disorder, subject to limitations, which can be dispensed at
OTPs, and in outpatient settings. While buprenorphine is demonstrated
to exhibit a ceiling effect on respiratory depression in persons with
opioid tolerance, it has significant opioid effects in those without
tolerance which can contribute to adverse events including opioid
overdose. Both of these long acting opioids (methadone and
buprenorphine) have potential drug interactions with other medications
that could lead to adverse events, including drug toxicity and opioid
overdose.
These realities underscore the reason it is important for a
prescriber to check central registries, when possible, to assure that
it is appropriate to prescribe the contemplated opioid therapies for a
particular individual. The ability to query a central registry
regarding any duplicative enrollment in similar treatment can also be
crucial to effective care, and to ensuring patient safety. Similarly,
to avoid opioid-related adverse events, it is imperative that
prescribing clinicians be aware of any opioid therapy that may be in
current use by a patient prior to making further medication prescribing
decisions.
Under the current language of Sec. 2.34(a), a part 2 program may
seek a written patient consent in order to disclose treatment records
to a central registry. In turn, the recipient central registry may only
disclose-patient contact information for the purpose of preventing
multiple enrollments under Sec. 2.34(b). Currently, under Sec.
2.34(c), the central registry may only disclose when asked by a
``member program'' whether an identified patient is enrolled in another
member program.
SAMHSA proposes to expand the scope of Sec. 2.34 to make non-OTP
providers with a treating provider relationship with the patient
eligible to query a central registry to determine whether the specific
patient is already receiving opioid treatment through a member program
to prevent duplicative enrollments and prescriptions for excessive
opioids, as well as to prevent any adverse effects that may occur as a
result of drug interactions with other needed medications.
Specifically, SAMHSA proposes to amend Sec. 2.34(b) to include the use
of central registry information to coordinate care with a non-part 2
program. In addition, we propose to add a new subsection (d) to
specifically permit non-member treating providers to access the central
registries. Previous subsection (d) will be re-designated as subsection
(e).
SAMHSA believes that disclosures by central registries to non-OTP
treating providers will help to ensure patient safety, and to prevent
duplicative treatment plans and medications or medication doses that
could place a patient receiving SUD treatment at risk.
For the reasons above, SAMHSA proposes to amend Sec. 2.34(b) and
(d) to allow non-OTP providers that have a treating relationship to the
patient to access the central registries to inquire about that patient.
G. Disclosure to Prescription Drug Monitoring Programs (Sec. 2.36)
A prescription drug monitoring program (PDMP) is a statewide
electronic database that collects, analyzes, and makes available
prescription data on controlled substances prescribed by practitioners
and non-hospital pharmacies.\3\ Forty-nine states, St. Louis County,
Missouri \4\ and the District of Columbia have legislatively mandated
the creation of PDMPs. Most states had developed their own PDMP prior
to the current opioid crisis; however, few prescribers accessed
them.\5\ As opioid use disorder rates, overdoses and deaths increased
significantly since 1999, the majority of states began requiring health
professionals to check the state's PDMP \6\ before prescribing
controlled substances to patients. Currently, 41 states require
physicians to use their state's PDMP to analyze prescription history
prior to writing a prescription for opioids or other controlled
substances.\7\ Studies have shown that states that have implemented
such a requirement have seen declines in overall opioid prescribing,
drug-related hospitalizations, and overdose deaths.\8\
---------------------------------------------------------------------------
\3\ SAMHSA's Center for the Application of Prevention
Technologies; Using Prescription Drug Monitoring Program Data to
Support Prevention Planning. Available at: https://www.samhsa.gov/capt/sites/default/files/resources/pdmp-overview.pdf.
\4\ Former Missouri Gov. Greitens ordered the creation of a
statewide PDMP in July 2017, but state lawmakers have not yet
authorized funding for the program. St. Louis County started its own
PDMP in April 2017, which covers nearly 80 percent (28 counties and
6 cities) of Missouri physicians and pharmacists.
\5\ Brandeis University Prescription Drug Monitoring Program
Training and Technical Assistance Center. Available at: http://www.pdmpassist.org/pdf/Resources/Briefing_on_mandates_3rd_revision_A.pdf.
\6\ Pew Charitable Trusts and National Alliance for State Model
Drug Laws. Available at: https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2017/12/29/in-opioid-epidemic-states-intensify-prescription-drug-monitoring.
\7\ Pew Charitable Trusts. When are Prescribers Required to Use
Prescription Drug Monitoring Programs? January 24, 2018. Available
at: https://www.pewtrusts.org/en/research-and-analysis/data-visualizations/2018/when-are-prescribers-required-to-use-prescription-drug-monitoring-programs.
\8\ Brandeis University Prescription Drug Monitoring Program
Training and Technical Assistance Center. Available at: http://www.pdmpassist.org/pdf/Resources/Briefing_on_mandates_3rd_revision_A.pdf.
---------------------------------------------------------------------------
Most PDMPs track prescription drug information on Schedule II-V
controlled medications. Pharmacies must submit the prescription data
required by their state's PDMP, depending on the state's statutory
requirements. More robust PDMP programs have been associated with
greater reductions in prescription opioid overdoses.\9\ As noted above,
this data allows providers to ensure that a patient is not receiving
multiple prescriptions and to enhance patient care and patient safety.
---------------------------------------------------------------------------
\9\ Pew Charitable Trusts. When are Prescribers Required to Use
Prescription Drug Monitoring Programs? January 24, 2018. Available
at: Available at: https://www.pewtrusts.org/en/research-and-analysis/data-visualizations/2018/when-are-prescribers-requiredd-to-use-prescription-drug-monitoring-programs.
---------------------------------------------------------------------------
Presently, OTPs are not required to report methadone or
buprenorphine dispensing to their states' PDMP. In our 2011 guidance
letter, SAMHSA encouraged OTP staff to access PDMPs, but stated that
OTPs could not disclose patient identifying information to a PDMP
unless an exception applies, consistent with the federal
confidentiality requirements.\10\ SAMHSA no longer believes this policy
is advisable in light of the current public health crisis arising from
opioid use, misuse, and abuse. In the past 10 years, there has been a
substantial increase in prescription drug misuse, admissions to
substance use facilities, emergency department visits and opioid-
related deaths.\11\ The omission of OTP data from a PDMP can lead to
potentially dangerous adverse events for patients who may receive
duplicate or potentially contraindicated prescriptions as part of
medical care outside of an OTP, thereby placing them at risk for
adverse events, including
[[Page 44577]]
possible overdose or even fatal drug interactions.
---------------------------------------------------------------------------
\10\ Clark HW. Dear Colleague letter. September 27, 2011.
Available at: https://www.samhsa.gov/sites/default/files/programs_campaigns/medication_assisted/dear_colleague_letters/2011-colleague-letter-state-prescription-drug-monitoring-programs.pdf.
\11\ SAMHSA. In Brief: Prescription Drug Monitoring Programs: A
Guide For Healthcare Providers. Volume 10, Issue 1 (Winter 2017).
Available at: https://store.samhsa.gov/system/files/sma16-4997.pdf.
---------------------------------------------------------------------------
SAMHSA believes that permitting part 2 programs, including OTPs,
and lawful holders to enroll in PDMPs and submit the dispensing data
for controlled substances required by states currently for other
prescribed, controlled substances would allow for greater patient
safety, better patient treatment, and better care coordination among
the patient's providers. Therefore, SAMHSA proposes to add a new
section Sec. 2.36, permitting OTPs and other lawful holders to report
the required data to their respective state PDMPs when dispensing
medications. The proposed rule would require part 2 providers to obtain
written consent from the patient whose identifying information will be
disclosed prior to making such reports. This update is consistent with
the proposal under Sec. 2.34(c) to allow non-OTPs to query central
registries to prevent duplicate enrollment.
SAMHSA acknowledges that this proposal may raise concerns about law
enforcement access to PDMPs, particularly in those states in which
PDMPs are operated by a law enforcement agency. However, individuals
are not limited to OTPs when seeking OUD treatment. Prescriptions
written for OUD opioid pharmacotherapy by non-OTP providers are already
recorded in the state PDMP. By implication, PDMPs operated by law
enforcement agencies are already receiving some patient data related to
SUD treatment. Although the current proposal might expand that
practice, it would not create it. And because the disclosure of SUD
patient records by OTPs would be made contingent on written patient
consent, any negative impact on patient confidentiality seems likely to
be small. By contrast, the omission from PDMPs of dispensing and
prescribing data from OTPs presents serious safety risks for SUD
patients. While the reporting of patient data to a PDMP by an OTP would
make it possible for law enforcement, prescribers, and pharmacies with
access to a PDMP to determine that a specific patient had received
services at a specific OTP, law enforcement would still require a court
order meeting the requirements of 42 U.S.C. 290dd-2(c) to access the
covered records of that patient or any other patient served at the OTP.
SAMHSA believes that allowing for OTP reporting to PDMPs further
enhances PDMPs as a tool to help prevent prescription drug misuse and
opioid overdose, while providing more complete and accurate data. In
turn, more robust PDMP data is imperative for prescribers and providers
to make better and more accurate patient care decisions while
increasing patient safety and assuring appropriate care.
H. Medical Emergencies (Sec. 2.51)
Under Sec. 2.51, disclosures of substance use disorder treatment
records without patient consent are permitted in a bona fide medical
emergency. Although not a defined term under part 2, a ``bona fide
medical emergency'' most often refers to the situation in which an
individual requires urgent clinical care to treat an immediately life-
threatening condition (e.g., heart attack, stroke, overdose, etc.), and
in which it is infeasible to seek the individual's consent to release
of relevant, sensitive SUD records prior to administering potentially
life-saving care. SAMHSA proposes to amend this section to address the
impact of major \12\ and natural disasters, declared by state or
federal authorities, on access to substance use treatment and services,
in addition to the more common situation of an individual experiencing
a ``bona fide medical emergency.''
---------------------------------------------------------------------------
\12\ The Federal Emergency Management Agency (FEMA) notes that
the President can declare a major disaster for any natural event,
regardless of cause, that is determined to have caused damage of
such severity that it is beyond the combined capabilities of state
and local governments to respond. https://www.fema.gov/disaster-declaration-process.
---------------------------------------------------------------------------
Disasters (e.g., hurricanes, wildfires) can present unique
challenges for patients with substance use disorders, and for their
treating providers. These events may disrupt the usual access to
services and medications across a geographic region. As a result,
patients may be required to seek treatment at facilities or with
providers who do not have full access to their records.
When access to, or operation of, substance use disorder treatment
facilities and services are disrupted on a regional basis in the wake
of a disaster like a hurricane or wildfire, many patients become unable
to access care through their usual providers, while many providers may
be unable to follow usual consent-based procedures in order to obtain
and/or release records for large numbers of patients. Thus, the
disclosure requirements of 42 CFR part 2 may be too burdensome in these
instances. For example, in the case of a hurricane, normal policies and
procedures for obtaining consent according to Sec. Sec. 2.31 and 2.32
may not be operational. At the same time, the inability of SUD patients
to access needed care through their usual providers (or other
providers) that have access to part 2-protected records concerning
their condition, may constitute or lead to medical emergencies. As a
result of these factors, SAMHSA believes that it is necessary--and
consistent with its statutory authority--to include natural and major
disasters within the meaning of medical emergency for which there would
be an exception to the requirement of consent for disclosure of part 2
records. In this NPRM, such an exception is proposed.
SAMHSA underscores that consent should still be obtained if at all
feasible, but appropriate care should be the priority in these often-
devastating scenarios and an exception should be allowed. Thus, SAMHSA
proposes to revise Sec. 2.51(a) to facilitate expedient access to care
for patients with SUDs during natural and major disasters.
Specifically, SAMHSA proposes to authorize, under Sec. 2.51(a), a part
2 program to disclose patient identifying information to medical
personnel, without patient consent, as needed in the event of a natural
or major disaster to deliver effective ongoing substance use disorder
services to patients in such disasters. Specifically, SAMHSA proposes
that this medical emergency exception would apply only when a state or
federal authority declares a state of emergency as a result of a
disaster and the part 2 program is closed and unable to provide
services or obtain the informed consent of the patient as a result of
the disaster, and would immediately be rescinded once the part 2
program resumes operations.
I. Research (Sec. 2.52)
SAMHSA recognizes the need for researchers to use SUD-related data
to advance scientific research, particularly in light of the national
opioid epidemic. SAMHSA supports the conduct of scientific research on
SUD care, and has worked to allow researchers appropriate access to
healthcare data relating to SUD, while maintaining appropriate
confidentiality protections for patients.
Under 42 CFR 2.52, part 2 programs are permitted to disclose
patient identifying information for research, without patient consent,
under limited circumstances. In the 2017 Final Rule, SAMHSA made
several changes to the research exception at Sec. 2.52, including
permitting the disclosure of data by lawful holders (as well as by part
2 programs) to qualified personnel for the purpose of conducting
scientific research.
Currently Sec. 2.52 allows the disclosure of patient identifying
information for research purposes without patient consent, if the
recipient of the patient identifying information is a HIPAA-covered
entity or business associate, and has obtained and documented
authorization from the patient, or a
[[Page 44578]]
waiver or alteration of authorization, consistent with the HIPAA
Privacy Rule at 45 CFR 164.508 or 164.512(i) or the recipient is
subject to the HHS regulations regarding the protection of human
subjects under the Common Rule. (45 CFR part 46).
Since the 2017 Final Rule, SAMHSA has become aware that limiting
research disclosures under Sec. 2.52, to only HIPAA-covered entities
or institutions subject to the Common Rule,\13\ may make it more
difficult for some legitimate stakeholders to obtain data from SUD
treatment records, for the purpose of conducting scientific research.
For example, under the current provisions of Sec. 2.52, the disclosure
by a lawful holder of SUD records for the purpose of research to a
State agency without a part 2 patient consent may be barred, given that
most State agencies are neither HIPAA-covered entities nor directly
subject to the Common Rule. It is not SAMHSA's intention or policy to
make it more burdensome for these sorts of stakeholders to carry out
scientific research. SAMHSA would like to more closely align the
requirements of 42 CFR 2.52 (disclosures for the purpose of research),
with the currently analogous provisions on research under the HIPAA
Privacy Rule (45 CFR 164.512(i)) and the Common Rule, in order to
minimize any conflict or duplication in the requirements for consent to
disclosure of records for the purpose of research. Therefore, SAMHSA is
proposing to modify the text of Sec. 2.52(a), in order to allow
research disclosures of part 2 data from a HIPAA covered entity or
business associate to individuals and organizations who are neither
HIPAA covered entities, nor subject to the Common Rule, provided that
any such data will be disclosed in accordance with the HIPAA Privacy
Rule at 45 CFR 164.512(i). This change will align the requirements of
part 2 with the Privacy Rule around the conduct of research on human
subjects. SAMHSA believes this change to Sec. 2.52(a) is needed, in
order to allow an appropriate range of stakeholders to conduct
scientific and public health research on SUD care and SUD populations.
---------------------------------------------------------------------------
\13\ The Common Rule governs research conducted or supported
(i.e., funded) by the 16 departments and agencies that issued the
Common Rule.
---------------------------------------------------------------------------
In addition, SAMHSA is proposing two additional changes to the text
of Sec. 2.52(a). First, SAMHSA is proposing to add new Sec.
2.52(a)(1)(iii), in order to clarify that research disclosures may be
made to members of the workforce of a HIPAA covered entity for purposes
of employer-sponsored research, where that covered entity requires all
research activities carried out by its workforce to meet the
requirements of either the Privacy Rule and/or Common Rule, as
applicable. Second, SAMHSA is also proposing to add new Sec.
2.52(a)(1)(iv), to permit research disclosures to recipients who are
covered by FDA regulations for the protection of human subjects in
clinical investigations (at 21 CFR part 50), subject to appropriate
documentation of compliance with FDA regulatory requirements, and
pursuant to authority under the Food, Drugs and Cosmetics Act. In both
instances, these proposals would help to align the part 2 requirements
for research disclosures of SUD data, with analogous requirements for
the conduct of research on human subjects that may apply under other
federal regulations in specific circumstances.
J. Audit and Evaluation (Sec. 2.53)
Current regulations at Sec. Sec. 2.53(a), (b), and (c) describe
the circumstances under which specified individuals and entities may
access patient identifying information in the course of an audit or
evaluation. Section 2.53(a) governs the disclosure of patient
identifying information for audits and evaluations that do not involve
the downloading, forwarding, copying, or removing of records from the
premises of a part 2 program or other lawful holder. In these
instances, information may be disclosed to individuals and entities who
agree in writing to comply with the limitations on disclosure and use
in Sec. 2.53(d) and who perform the audit or evaluation on behalf of
one of the following: A federal, state, or local governmental agency
that provides financial assistance to or is authorized to regulate a
part 2 program or other lawful holder; an individual or entity which
provides financial assistance to a part 2 program or other lawful
holder; a third-party payer covering patients in a part 2 program; or a
quality improvement organization (QIO) performing a utilization or
quality control review. The regulations permit disclosure to
contractors, subcontractors, or legal representatives performing audits
and evaluations on behalf of certain individuals, entities, third-party
payers, and QIOs described directly above. At Sec. 2.53(a)(2), the
regulations also allow part 2 programs or other lawful holders to
determine that other individuals and entities are qualified to conduct
an audit or evaluation of the part 2 program or other lawful holder. In
these instances, patient information may be disclosed during an on-
premises review of records, as long as the individuals and entities
agree in writing to comply with the limitations on disclosure and use
in Sec. 2.53(d).
Section 2.53(b) of the regulation governs the copying, removing,
downloading, or forwarding of patient records in connection with an
audit or evaluation performed on behalf of government agencies,
individuals, and entities described in 42 CFR 2.53(b)(2), which are
identical to the agencies, individuals, and entities described in Sec.
2.53(a)(1) above. In these audits, records containing patient
identifying information may be copied or removed from the premises of a
part 2 program or other lawful holder, or downloaded or forwarded to
another electronic system or device from the part 2 program's or other
lawful holder's electronic records, by an individual or entity who
agrees to the records maintenance standards and disclosure limitations
outlined in Sec. 2.53(b)(1)(i)-(iii).
Additionally, patient identifying information may be disclosed to
individuals and entities who conduct Medicare, Medicaid, or CHIP audits
or evaluations as set forth in Sec. 2.53(c).
SAMHSA understands there is confusion about Sec. 2.53 as it
applies to several specific situations, and therefore proposes to make
the following changes to the regulations to improve clarity about what
is permissible under these sections. SAMHSA also proposes to update
part 2 regulatory language related to quality improvement organizations
(QIO) to align with current QIO regulations.
First, some stakeholders have voiced frustration that part 2
programs have been unwilling or unable to disclose patient records that
may be needed by federal, state, and local agencies, to better serve
and protect patients with SUD. For example, a state Medicaid Agency or
state or local health department may need to know about specific types
of challenges faced by patients receiving opioid therapy treatment,
such as co-occurring medical or psychiatric conditions, or social and
economic factors that impede treatment or recovery. An agency may need
this kind of information to recommend or mandate improved medical care
approaches; to target limited resources more effectively to care for
patients; or to adjust specific Medicaid or other program policies or
processes related to payment or coverage to facilitate adequate
coverage and payment. Government agencies may also wish to know how
many patients test positive for a new and harmful illicit drug, and how
part 2 programs are actually treating those patients, as an input to
agency decisions aimed at improving
[[Page 44579]]
quality of care. For example, agencies may wish to modify requirements
for part 2 programs, educate or provide additional oversight of part 2
providers, and/or update corresponding payment or coverage policies.
Third-party payers covering patients in a part 2 program may have
similar objectives for obtaining part 2 information.
Current regulations allow part 2 programs to share information for
the purposes described above in two ways, using either de-identified or
identifiable information. Only SUD records containing patient
identifying information are subject to part 2 protections, and
therefore a part 2 program or other lawful holder may share non-
identifiable information with government agencies (federal, state and
local) for many types of activities.
SAMHSA encourages the use of de-identified or non-identifiable
information whenever possible. However, it may be time consuming, labor
intensive, or technologically difficult for part 2 programs to create,
and for government agencies to obtain quickly, data that does not
contain part 2 identifying information. It may be too cumbersome or
cost prohibitive for part 2 programs to provide the kind of data
necessary in a de-identified format. It also may be challenging for
part 2 programs to provide information quickly in more urgent
situations, without potentially diverting resources away from patient
care.
Patient identifying may also be used to help agencies and third-
party payers improve care in certain circumstances. Under current
regulations at Sec. 2.53(a) and (b), federal, state, and local
government agencies that have the authority to regulate or that provide
financial assistance to part 2 programs, and third-party payers with
covered patients in part 2 programs, may receive patient identifying
information in the course of conducting audits or evaluations.
Additionally, patient identifying information may be disclosed to
individuals and entities to conduct Medicare, Medicaid, or CHIP audits
or evaluations under Sec. 2.53(c). Thus, a Medicaid agency may
evaluate the part 2 providers that participate in its Medicaid program;
a state health department may audit the facilities it licenses pursuant
to its regulatory authority; and a health plan may review part 2
programs that serve its enrollees.
The current regulations do not define audit and evaluation, nor do
they direct the manner in which evaluations are carried out, as noted
by Sec. 2.2(b)(2). Nevertheless, SAMHSA believes that the concept of
audit or evaluation is not restricted to reviews that examine
individual part 2 program performance. They may also include periodic
reviews of part 2 programs to determine if there are any needed actions
at an agency level to improve care and outcomes across the individual
part 2 programs the agency regulates or supports financially. Likewise,
audits or evaluations may include reviews to determine if there are
needed actions at a health plan level to improve care and outcomes for
covered patients in part 2 program. In other words, audits or
evaluations may be conducted with a goal to identify additional steps
agencies or third-party payers should be taking to support the part 2
programs and their patients. This includes reviews that allow agencies
or third-party payer entities to identify larger trends across part 2
programs, in order to respond to emerging areas of need in ways that
improve part 2 program performance and patient outcomes.
SAMHSA proposes to clarify that under Sec. 2.53, government
agencies and third-party payer entities would be permitted to obtain
part 2 records without written patient consent to periodically conduct
audits or evaluations for purposes such as identifying agency or health
plan actions or policy changes aimed at improving care and outcomes for
part 2 patients (e.g., provider education, recommending or requiring
improved health care approaches); targeting limited resources more
effectively to better care for patients; or adjusting specific Medicaid
or other insurance components to facilitate adequate coverage and
payment. These agencies and third-party payers are required to abide by
the restrictions on disclosure and other relevant confidentiality
requirements outlined in Sec. 2.53. Additionally, SAMHSA does not
believe it is generally necessary to conduct these types of audits or
evaluations on a routine or ongoing basis. Rather, we would generally
expect that they would be performed periodically, unless they are
required by applicable law or other compelling circumstances exist,
such as unique cases in which an oversight agency determines there is a
need for ongoing review. Information disclosed for the purpose of a
program audit or evaluation may not be used to directly provide or
support care coordination. As stated previously (83 FR 243), SAMHSA
believes it is important to maintain patient choice in disclosing
information to health care providers with whom patients have direct
contact. Agencies or health plans could, for example, use information
from the aggregated results of part 2 program evaluations to determine
that a new benefit or payment category is needed in order to facilitate
better care coordination.
The preamble to the 2017 final rule noted that the authorizing
statute for part 2 does not provide a general exception to the consent
requirement for disclosure of SUD records, for the purpose of sharing
records with public health officials (82 FR 6079). Furthermore, the
preamble also noted that SAMHSA does not have the statutory authority
to authorize routine disclosure of part 2 information for public health
purposes (82 FR 6079). SAMHSA emphasizes that audits or evaluations
using aggregated data for such purposes described above are distinct
from a broader public health exception. Specifically, under current
regulations, part 2 programs may share information with the agencies
that have the authority to regulate or provide financial support to the
part 2 program, in order to safeguard or improve the care and outcomes
for current and future patients in those programs, or to ensure the
integrity of the funding program and the appropriate use of financial
support by the part 2 program. A broader public health exception would
conceivably enable part 2 programs to share identifiable information
with any public health agency, regardless of its relationship with the
part 2 program, for many types of purposes (e.g., preventative efforts
aimed at a wider population).
To clarify allowable program evaluation activities using patient
identifying information, SAMHSA proposes to redesignate current
Sec. Sec. 2.53(c) and (d) as Sec. Sec. 2.53(e) and (f), respectively,
and insert a new Sec. 2.53(c) titled: ``Activities Included.''
Proposed new paragraph Sec. 2.53(c)(1) would specify that audits or
evaluations may include periodic activities to identify actions that an
agency or third-party payer entity can make, such as changing its
policies or procedures to improve patient care and outcomes across part
2 programs; targeting limited resources more effectively; or
determining the need for adjustments to payment policies for the care
of patients with SUD. This change would clarify that disclosures of
patient records by a part 2 program to an agency or third-party payer
entity are permitted for these purposes without patient consent,
pursuant to this section.
Second, SAMHSA has received feedback that stakeholders are unclear
about whether Sec. 2.53 allows federal, state, and local government
agencies and third-party payers to have access to patient information
for activities related
[[Page 44580]]
to reviews of appropriateness of medical care, medical necessity, and
utilization of services. As described above, the current regulations
allow information to be disclosed to certain federal, state, and local
governmental agencies and third-party payers for audit or evaluation
purposes, as long as they agree to specific restrictions outlined in
the regulations to limit disclosure or use of the records and preserve
patient confidentiality. While neither the statute nor the regulations
define audit or evaluation, these terms should and do include audits or
evaluations to review whether patients are receiving appropriate
services in the appropriate setting. Assessing whether a part 2 program
provides appropriate care is a necessary part of any comprehensive part
2 program audit or evaluation. Government agencies may be charged with
conducting such reviews for licensing or certification purposes or to
ensure compliance with federal or state laws, as may private not-for-
profit entities granted authority under the applicable statutes or
regulations to carry out such work in lieu of the agencies. Third-party
payers also have a stake in the programmatic integrity, as well as the
clinical quality, of the part 2 programs that serve the patients they
cover. Therefore, SAMHSA proposes to insert a new Sec. 2.53 (c)(2)
that clarifies audit and evaluations under this section may include,
but are not limited to, reviews of appropriateness of medical care,
medical necessity, and utilization of services. Stakeholders are also
referred to Sec. 2.33, which allows disclosure of information for
payment and/or health care operations activities with a patient's
consent.
Third, stakeholders have expressed confusion about whether part 2
programs may disclose information for audit or evaluation purposes to
the larger health care organizations in which they operate. For
example, Medicare Condition of Participation regulations at 42 CFR
482.21 require individual hospitals to conduct quality assessment and
performance improvement (QAPI) programs that reflect the complexity of
each hospital's organization and services, and which involve all
hospital departments and services. QAPI programs are ongoing, hospital-
wide, data-driven efforts that focus on addressing high-risk, high-
volume or problem prone areas that affect health outcomes, patient
safety, or quality of care.
The part 2 regulations provide ample leeway for part 2 programs to
share information within their larger health care organizations for
these and other types of evaluations. Under Sec. 2.53(a)(2), part 2
programs may determine that individuals or entities within their health
care organizations are qualified to conduct audits and evaluations and
may share information pursuant to such reviews. Additionally, Sec.
2.12(c)(3) states that, ``The restrictions on disclosure in the
regulations in this part do not apply to communications of information
between or among personnel having a need for the information in
connection with their duties that arise out of the provision of
diagnosis, treatment, or referral for treatment of patients with
substance use disorders if the communications are:
(i) Within a part 2 program; or
(ii) Between a part 2 program and an entity that has direct
administrative control over the program.'' The phrase ``direct
administrative control'' refers to the situation in which a substance
use disorder unit is a component of a larger behavioral health program
or of a general health program.''
In order to eliminate any remaining misunderstanding, however,
SAMHSA proposes to expand the regulatory language to explicitly clarify
that this type of information sharing is permitted under the
regulations. Specifically, we propose to add language to Sec.
2.53(a)(2) to state that, ``Auditors may include any non-part 2 entity
that has direct administrative control over the part 2 program or
lawful holder.'' Additionally, SAMHSA proposes to include similar
language in new subsection (b)(2)(iii). We believe that the proposed
changes will help to clarify that in these situations, identifiable
patient diagnosis or treatment information can be shared with personnel
from an entity with direct administrative control over the part 2
program, where those persons, in connection with their audit or
evaluation duties, need to know the information.
Fourth, while the regulations at Sec. Sec. 2.53(a)(1)(ii) and
(b)(2)(ii) specifically delineate that information may be disclosed to
quality improvement organizations performing utilization or quality
control reviews, these provisions do not explicitly include other types
of entities that are responsible for quality assurance. For example,
the regulations for audit and evaluation do not describe entities, such
as health care organization accrediting or certification bodies, that
may need to review patient records to evaluate whether a part 2 program
meets quality and safety standards. To ensure that stakeholders
understand that disclosure to these types of organizations is
permitted, SAMHSA proposes to insert a new Sec. 2.53(d) stating,
``Quality Assurance Entities Included. Entities conducting audits or
evaluations in accordance with Sec. Sec. 2.53(a) and (b) may include
accreditation or similar types of organizations focused on quality
assurance.''
Additionally, SAMHSA understands that some federal, state, and
local government agencies face challenges in meeting statutory or
regulatory mandates that require them to conduct audits or evaluations
involving part 2 information. For example, the Centers for Medicare &
Medicaid Services conducts risk adjustment data validation in
connection with the risk adjustment program it is required to operate
in accordance with section 1343 of the Patient Protection and
Affordable Care Act, 42 U.S.C. 18063 and implementing regulations.
Under risk adjustment data validation, health insurance issuers are
lawful holders of part 2 identifying information and may be required to
provide it to CMS or its contractors. Therefore, SAMHSA is proposing to
insert a new Sec. 2.53(g) to permit patient identifying information to
be disclosed to federal, state, and local government agencies, as well
as their contractors, subcontractors, and legal representatives of such
agencies, in the course of conducting audits or evaluations mandated by
statute or regulation, if those audits or evaluations cannot be carried
out using de-identified information.
In addition to these changes, SAMHSA proposes to update language
related to quality improvement organizations. Specifically, at
Sec. Sec. 2.53(a)(1)(ii) and (b)(2)(ii), it proposes to amend the
language to align it with the current QIO regulations.
K. Orders Authorizing the Use of Undercover Agents and Informants
(Sec. 2.67)
Under the 1975 final rule, the placement of undercover agents or
informants in a part 2 program was largely prohibited, other than as
specifically authorized by a court order for the purpose of
investigating a part 2 program, or its agents or employees, for
allegations of serious criminal misconduct. At the time the 1975 final
rule was promulgated, it was noted that, although the use of undercover
agents and informants in treatment programs was ordinarily to be
avoided, there occasionally arise circumstances where their use may be
justified (42 FR 27809). More narrowly, it was noted that the
authorizing statute, by itself, did not forbid the use of undercover
agents or informants, and that the express statutory prohibition
against direct disclosure of patient records is
[[Page 44581]]
nevertheless subject to the power of the courts to authorize such
disclosures under 42 U.S.C. 290dd-2(b)(2)(C). Building on these
statutory considerations, it was concluded that the power to regulate
the placement of undercover agents and informants is limited, and that
the importance of criminal investigation of part 2 programs offers a
legitimate policy basis for allowing the placement of undercover agents
or informants in such programs, given a showing of good cause in
specific instances. As explained in the preamble to the 1975 final
rule, experience has demonstrated that medical personnel, no matter how
credentialed, can engage in the illicit sale of drugs on a large scale,
and that the use of undercover agents and informants is normally the
only effective means of securing evidence sufficient to support a
successful prosecution in such instances. Based on over 40 years of
experience since then, SAMHSA believes it is still the case that
medical personnel sometimes engage in the illicit sale or transfer of
drugs, and that a process for authorizing undercover agents is
important to ensure the safety of patients in these part 2 programs.
Under the 1975 final rule, a 60-day time limitation with regard to
the placement of undercover agents and informants in a part 2 program
was imposed, with the opportunity for an applicant to seek an extension
of the court order, for a total of up to 180 days (42 FR 27821). In the
1987 final rule, that period of placement for undercover agents and
informants pursuant to a court order was extended to 6 months. This
policy limitation was codified at Sec. 2.67(d)(2).
Based on consultation with DOJ, the current policy is burdensome
on, and overly restrictive of, some ongoing investigations of part 2
programs. Specifically, DOJ has stated that a typical undercover
operation can often last longer than 6 months, and that 12 months is a
more realistic timeframe for such operations. Therefore, SAMHSA
proposes to amend Sec. 2.67(d)(2), to extend the period for court-
ordered placement of an undercover agent or informant to 12 months,
while authorizing courts to further extend a period of placement
through a new court order.
In addition, DOJ has stated that the current regulation text is
ambiguous regarding when the 6-month, or, as proposed, 12-month period,
should start and stop, in determining whether a court-order period of
placement has elapsed. SAMHSA considered multiple policy options
regarding the tolling of the time period for an undercover placement.
We considered having the time period begin on the date of the issuance
of the court order. Alternatively, SAMHSA also considered having the
time period begin on the date of placement of the undercover agent. In
consultations with DOJ, SAMHSA has found that there is often a lag of
time between the court order and the placement of the agent, for many
reasons. Therefore, starting the time period when the court order is
issued could significantly curtail the length of time an agent can be
undercover at a part 2 program. Furthermore, starting the time period
based on date of placement of the agent would provide greater clarity
and predictability to law enforcement about exactly how long an agent
or informant is allowed to be in the field, since the agent is aware of
the date his or her placement began, but may not be aware of the date
of the court order. Thus, SAMHSA proposes to amend Sec. 2.67(d)(2), to
clarify that the proposed 12-month time period starts when an
undercover agent is placed, or an informant is identified, in the part
2 program.
IV. Collection of Information Requirements
Under the Paperwork Reduction Act of 1995 (PRA), agencies are
required to provide a 60-day notice in the Federal Register and solicit
public comment before a collection of information requirement can be
approved by the Office of Management and Budget (OMB) for review and
approval. Currently, the information collection is approved under OMB
Control No. 0930-0092. The collection of information in this proposed
rule has been submitted to OMB for review under section 3507(d) of the
PRA, and any public comments on this collection of information should
be directed to the Office of Information and Regulatory Affairs of OMB,
Attention: Desk Officer for SAMHSA.
In order to fairly evaluate whether changes to an information
collection should be approved by OMB, section 3506(c)(2)(A) of the PRA
requires that SAMHSA solicit comment on the following issues: (a)
Whether the information collection is necessary and useful to carry out
the proper functions of the agency; (b) The accuracy of the agency's
estimate of the information collection burden; (c) The quality,
utility, and clarity of the information to be collected; and (d)
Recommendations to minimize the information collection burden on the
affected public, including automated collection techniques.
Under the PRA, the time, effort, and financial resources necessary
to meet the information collection requirements referenced in this
section are to be considered in rule making. SAMHSA explicitly seeks,
and will consider, public comment on our assumptions as they relate to
the PRA requirements summarized in this section.
This proposed rule includes changes to information collection
requirements, that is, reporting, recordkeeping or third-party
disclosure requirements, as defined under the PRA (5 CFR part 1320).
Some of the provisions involve changes from the information collections
set out in the previous regulations. Below, SAMHSA briefly discusses
each proposal and whether such proposal includes changes to information
collection requirements.
In section III.A. of this proposed rule, SAMHSA proposes to modify
the existing definition of ``Records'' in Sec. 2.11 to conform with
other proposed revisions in this proposed rule. See section III.A. for
further information about this proposal. SAMHSA does not believe this
proposal will result in any change in collection of information
requirements since unrecorded information is, by its nature, not
collected.
In section III.B. of this proposed rule, SAMHSA proposes to amend
Sec. 2.12 to clarify in that section that non-part 2 entities may
record SUD treatment about a patient in its own records without
triggering part 2 provided that such providers are able to
differentiate their records from those received from a part 2 program
and part 2 records received from lawful holders. See section III.B. for
further information about this proposal. As stated in that section,
SAMHSA proposes new regulatory text to clarify existing policies; thus,
SAMHSA does not propose to change any collection of information
requirements. Furthermore, we believe that the clarification represents
standard practice in many, if not all, part 2 programs and among other
lawful holders. That is, non-part 2 entities are already either
segregating or segmenting any SUD records received from a part 2
program or deciding not to do so, based on their standard operations.
This proposal would merely clarify that if the non-part 2 entity does,
in fact, segregate or segment these records, the recording of
information about a SUD and its treatment by a non-part 2 entity does
not by itself render a medical record subject to the restrictions of 42
CFR part 2. Thus, SAMHSA does not believe this proposal would result in
any changes in collection of information requirements.
[[Page 44582]]
In section III.C. of this proposed rule, SAMHSA proposes to amend
Sec. 2.31, to allow patients to consent to disclosure of their
information to entities, without naming the specific individual
receiving this information on behalf of a given entity. See section
III.C. for further information about this proposal. This proposal may
result in providers needing to update their standard consent forms to
allow for certain disclosures to such entities; that additional burden
is discussed in the Regulatory Impact Analysis, below. SAMHSA believes
this proposal may result in part 2 program disclosing more information
to certain entities. We discuss this additional burden, in total, with
the additional collection of information requirements that may result
from the proposals in sections III.I., and III.J, below.
In section III.D. of this proposed rule, SAMHSA proposes to modify
and streamline the language in Sec. 2.32(a)(1), to remove the
superfluous language that has contributed to confusion regarding the
restrictions on re-disclosure. See section III.D. for further
information about this proposal. Since part 2 providers are already
required, upon disclosure, to provide a written statement notifying the
recipient of the applicability of 42 CFR part 2 to any re-disclosure of
the protected record, consistent with the prior revisions to part 2,
including the 2017 final rule (82 FR 6106), SAMHSA does not believe
this proposed modification of the language would result in any changes
in collection of information requirements.
In section III.E. of this proposed rule, SAMHSA proposes to specify
in regulatory text an illustrative list of 17 permitted activities
under Sec. 2.33. SAMHSA is also proposing to add to Sec. 2.33 that
other payment and/or health care operations activities not expressly
prohibited under this provision are also allowed. See section III.E.
for further information about this proposal. As noted in that section,
SAMHSA has previously stated that these activities are permitted (83 FR
241); this proposed language would only further clarify this previously
finalized policy. Therefore, SAMHSA does not believe this proposal
would result in any changes in collection of information requirements.
In section III.F. of this proposed rule, SAMHSA proposes to expand
the scope of Sec. 2.34(d) to make non-OTP providers with a treating
provider relationship eligible to query a central registry with their
patient's consent to determine whether a patient is already receiving
treatment through a member program to prevent duplicative enrollments
and prescriptions for methadone or buprenorphine, as well as to prevent
any adverse effects with other prescribed medications. See section
III.F. for further information about this proposal. Based on SAMHSA's
research, the policies and procedures governing central registries vary
widely by each state; in fact, many states do not have central
registries in place. Because of this lack of information, it is not
possible to estimate either the number of additional queries which
central registries may receive as a result of this proposal or the time
or effort required to answer these queries. Therefore, it is difficult
to estimate any additional collection of information requirements which
may result from this proposal. Instead, SAMHSA requests that central
registries and providers that would query central registries provide
comments on any additional information collection requirements this
proposal would cause and any resulting burden.
In section III.G. of this proposed rule, SAMHSA proposes to add a
new Sec. 2.36 permitting part 2 programs to report any data for
controlled substances dispensed or prescribed to patients to PDMPs, as
required by the applicable state law. See section III.G. for further
information about this proposal. SAMHSA anticipates that this proposal
may result in additional burden for part 2 programs choosing to report
to PDMPs in two ways. If a part 2 program chooses to report to a PDMP,
the program will need to update its consent forms to request consent
for disclosure to PDMPs. That burden is discussed in the Regulatory
Impact Analysis, below. The second part of the proposal permits part 2
programs to report any data for controlled substances dispensed to
patients to PDMPs, as required by the applicable state law. To estimate
the additional collection of information requirements associated with
this proposal, SAMHSA used the average number of opiate treatment
admissions from SAMHSA's 2014-2016 Treatment Episode Data Set (TEDS) as
the estimate of the number of clients treated on an annual basis by
part 2 programs (531,965). Although not all programs would need to
report this information under state law or may choose to do so, SAMHSA
has used this number to be conservative and comprehensive of any future
burden if states require reporting in the future. TEDS ``comprises data
that are routinely collected by States in monitoring their individual
substance abuse treatment systems. In general, facilities reporting
TEDS data are those that receive State alcohol and/or drug agency funds
(including Federal Block Grant funds) for the provision of substance
abuse treatment.'' \14\ Although TEDS does not represent all of the
admissions to part 2 programs, as reporting varies by state, SAMHSA
believes it represents the vast majority of admissions. Conservatively,
we assumed that each of these clients would consent to the re-
disclosure of their information to PDMPs and would be dispensed
medication required to be reported to a PDMP. SAMHSA assumes that part
2 programs, based on other state and federal requirements, already are
required to query PDMP databases; therefore, SAMHSA does not include
registration and infrastructure costs in this estimate. For example,
several states require medical directors of OTPs to query their
respective state PDMPs at minimum intervals, including IN, MN, MI, ND,
NC, RI, TN, VT, WA, and WV.\15\ Based on discussions with providers,
SAMHSA also estimates that, in addition to an initial update to the
PDMP database for existing patients, the PDMP database would typically
need to be accessed and updated quarterly for each patient, on average.
Likewise, based on discussion with providers, SAMHSA believes accessing
and reporting to the database would take approximately 2 minutes per
patient, resulting in a total annual burden of 8 minutes (4 database
accesses/updates x 2 minutes per access/update) or 0.133 hours annually
per patient. For the labor costs associated with this activity, SAMHSA
used the average wage rate of $23.04 \16\ per hour for substance abuse
and behavioral disorder counselors (multiplied by two to account for
benefits and overhead costs) to estimate a total burden in year 1 for
the initial update of the PDMP database of $817,098 (531,965 clients x
2 minutes (0.033 hrs) per access/update x $46.08/hr) and an annual
burden in each year of $3,268,391 (531,965 clients x 0.133 hours x
$46.08/hr). Therefore, we estimate that this proposal will result in an
additional cost of $4,085,489 ($817,098 + $3,268,391), as reflected in
Table 1, below.
---------------------------------------------------------------------------
\14\ https://wwwdasis.samhsa.gov/webt/information.htm.
\15\ https://www.pdmpassist.org/pdf/Resources/Use%20of%20PDMP%20data%20by%20opioid%20treatment%20programs.pdf.
\16\ Bureau of Labor Statistics, U.S. Department of Labor,
Occupational Employment Statistics, May 2018, Substance Abuse and
Behavioral Disorder Counselors, Standard Occupations Classification
code (21-1018) [www.bls.gov/oes/current/oes_nat.htm].
---------------------------------------------------------------------------
In section III.H. of this proposed rule, SAMHSA proposes an
addition to Sec. 2.51 to allow disclosure of patient information
during natural and major disasters. See section III.H. for further
[[Page 44583]]
information about this proposal. Because this proposal by its very
nature does not require additional consent requirements or other
paperwork, SAMHSA does not believe this proposal would result in any
changes in collection of information requirements. Providers, under
their own policies and procedures or other laws, may need to keep track
of the disclosures made, which, could require additional paperwork.
Such requirements, however, are not discussed in this rule, nor does
SAMHSA have any way of estimating them, as policies and procedures may
vary across providers.
In section III.I., and section III.J. of this proposed rule, SAMHSA
proposes to amend Sec. 2.52 and Sec. 2.53 to allow certain
disclosures without patient consent. First, in section III.I. of this
proposed rule, SAMHSA proposes to modify the text of Sec. 2.52(a) in
order to allow research disclosures of part 2 data from a HIPAA covered
entity or business associate to individuals and organizations who are
neither HIPAA covered entities, nor subject to the Common Rule,
provided that any such data will be disclosed in accordance with the
HIPAA Privacy Rule. See section III.I. for further information about
this proposal. Second, SAMHSA proposes to clarify allowed disclosures
for audit and evaluation purposes under Sec. 2.53 for activities
undertaken by a federal, state, or local governmental agency or third-
party payer to improve the delivery of care, to target limited
resources more effectively and/or to determine the need for adjustments
to payment policies for the care of patients with SUD. SAMHSA also
proposes language to clarify that (1) audits and evaluations may
include reviews of appropriateness of medical care, medical necessity,
and utilization of services; (2) part 2 programs may disclose
information, without consent, to non-part 2 entities that have direct
administrative control over such part 2 programs; and (3) entities
conducting audits or evaluations in accordance with Sec. Sec. 2.53(a)
and (b) may include accreditation or similar types of organizations
focused on quality assurance. Further, SAMHSA proposes to permit
patient identifying information to be disclosed to government agencies
in the course of conducting audits or evaluations mandated by statute
or regulation, if those audits or evaluations cannot be carried out
using de-identified information. Finally, SAMHSA is proposing to update
language related to QIOs. See section III.J. for further information
about these proposals. As stated in that section, SAMHSA believes that
the regulations already permit audits and evaluations for reviews of
appropriateness of medical care, medical necessity, and utilization of
services. Likewise, SAMHSA also believes that the current regulations
permit disclosure to a non-part 2 entity with direct administrative
control over a part 2 program and to accreditation and similar
organizations. Therefore, although SAMHSA proposes language to clarify
any confusion that may exist, it believes that these activities are
already permitted and that they would not, therefore, result in any new
collection of information requirements or any other burden. It also
believes updating the QIO language would not create new collection of
information requirements or increase burden. As noted above, SAMHSA
also proposes to allow patient identifying information to be disclosed
to government agencies and third-party payers periodically to identify
needed actions at the agency or payer level, and to contractors hired
by health insurance issuers and government agencies in the course of
conducting audits or evaluations mandated by statute or regulation, if
those audits and evaluations cannot be carried out using de-identified
information. In section III.C of this proposed rule, SAMHSA also
proposes to allow disclosure to entities with patient consent. SAMHSA
believes that the proposals in sections III.C., I, and J, may result in
additional collection of information requirements, as part 2 programs
may be asked to disclose information to agencies and entities as a
result of these proposals. Although SAMHSA is not able to anticipate
the increase in these disclosures, to estimate the potential cost, we
first estimated the number of potentially impacted part 2 programs
based on the anticipated number of requests for a disclosure in a
calendar year. SAMHSA used the average number of substance abuse
treatment admissions from SAMHSA's 2014-2016 TEDS (1,658,732) as the
number of patients treated annually by part 2 programs. SAMHSA then
estimated that part 2 programs would need to disclose average of 15
percent of these records (248,810) as a result of these proposals. We
then estimated that 10 percent or 24,881 (248,810 x 10%) of impacted
part 2 programs would use paper records to comply with these requests
for disclosure reports while the remaining 90% or 223,929 (248,810 x
90%) would use a health IT system. For part 2 programs using paper
records, SAMHSA expects that a staff member would need to gather and
aggregate the information from paper records, and manually track
disclosures; for those part 2 programs with a health IT system, we
expect records and tracking information would be available within the
system.
SAMHSA assumed medical record technicians would be the staff with
the primary responsibility for compiling the information for a list of
disclosures from both paper records and health IT systems. The average
hourly rate for medical record and health information technicians is
$21.16.\17\ In order to account for benefits and overhead costs
associated with staff time, we multiplied the hourly wage rate by two
for a total average hourly wage rate of $42.32. Absent any existing
information on the amount of time associated with producing a list of
disclosures, SAMHSA assumed it would take a medical record technician 4
hours, on average, to produce the information from paper records at a
cost of $169.28 (4 hours x $42.32/hr) and 0.25 hours, on average, to
produce information from a health IT system at a cost of $10.58 (0.25
hours x $42.32/hr). Finally, SAMHSA assumes that agencies will request
that these disclosures be made on secure, online databases, and would
not require notification via email or first class mail, thus resulting
in no additional cost to transmit this information. Based on these
assumptions, SAMHSA estimates that this proposal would result in an
additional cost of $6,581,025 {(24,881 requests x $169.28 per request)
+ (223,929 requests x $10.58 per request){time} , as reflected in Table
1, below.
---------------------------------------------------------------------------
\17\ Bureau of Labor Statistics, U.S. Department of Labor,
Occupational Employment Statistics, May 2018, Medical Records and
Health Information Technicians, Standard Occupations Classification
code (29-2071) [www.bls.gov/oes/current/oes_nat.htm].
---------------------------------------------------------------------------
In section III.K. of this proposed rule, SAMHSA proposes to amend
Sec. 2.67 to extend the period for court-ordered placement of an
undercover agent or informant to 12 months, while authorizing courts to
further extend a period of placement through a new court order. In that
section, SAMHSA also proposes to explicitly state when the 12-month
period begins to run. See section III.K. for further information about
this proposal. The requirements of the Paperwork Reduction Act do not
apply ``During the conduct of a Federal criminal investigation or
prosecution, or during the disposition of a particular criminal
matter'' (5 CFR 1320.4(a)(1)), or to information collections by the
federal judiciary or state courts (5 CFR 1320.3(a)), except in the rare
case that those information collections and
[[Page 44584]]
conducted or sponsored by an executive branch department (5 CFR
1320.3(a)).
Below, SAMHSA summarizes the estimated cost of the change in
collection of information requirements discussed above.
Table 1--Annualized Burden Estimates
--------------------------------------------------------------------------------------------------------------------------------------------------------
Annual number
of Responses per Total Hours per Total hourly Hourly wage Total hourly
respondents respondent responses response burden cost cost
--------------------------------------------------------------------------------------------------------------------------------------------------------
Sec. 2.36............................. 531,965 5 2,659,825 0.033 88,661 $46.08 $4,085,489
Sec. Sec. 2.31, 2.52, 2.53 (Paper 24,881 1 24,881 4 99,524 42.32 4,211,856
Records)...............................
Sec. Sec. 2.31, 2.52, 2.53 (Health IT 223,929 1 223,929 0.25 55,982 42.32 2,369,169
Systems)...............................
---------------------------------------------------------------------------------------------------------------
Total............................... 780,775 .............. 2,908,633 .............. 244,167 .............. 10,666,513
--------------------------------------------------------------------------------------------------------------------------------------------------------
V. Response to Comments
Because of the large number of public comments SAMHSA anticipates
receiving on this Federal Register document, it will not be able to
acknowledge or respond to them individually. SAMHSA will consider all
comments received by the date and time specified in the DATES section
of this proposed rule. When SAMHSA proceeds with a subsequent document,
it will respond to the comments in the preamble to that document.
VI. Regulatory Impact Analysis
A. Statement of Need
This proposed rule is necessary to update the Confidentiality of
Substance Use Disorder Patient Records regulations at 42 CFR part 2 to
respond to the emergence of the opioid crisis, with its catastrophic
impact on patients and corresponding clinical and safety challenges for
providers. The goal of this proposed rule is to clarify existing
requirements in 42 CFR part 2 and reduce barriers to information
sharing to ensure appropriate care and patient safety.
As noted in the tables below, SAMHSA believes that the proposed
policies in this proposed rule, if finalized, would result in some
near-term non-recurring and annual recurring financial burdens. We have
weighed these potential burdens against the potential benefits, and
believe, on balance, the potential benefits outweigh any potential
costs. Specifically, the proposals in this rule are meant to allow
providers to better understand the needs of their patients by
clarifying the requirements under part 2 and to break down barriers to
information sharing among part 2 programs and other providers. SAMHSA
believes this information sharing would benefit patients because both
part 2 programs and other providers would be able to more fully
understand the patient's health history and avoid dangerous and even
lethal adverse drug events. In addition, these proposals are also
intended to protect and empower patients by giving them more control
over their consent and control of their records, for example, by
allowing them to consent to disclosure to entities, should they so
choose. Furthermore, in drafting these proposals, SAMHSA was cognizant
of privacy concerns and specifically drafted these proposals to protect
the privacy of patients; for example, the proposal regarding OTP
provider disclosure to PDMPs requires the consent of the patient.
SAMHSA believes that increasing patient safety and the empowerment of
patients would lead to better health outcomes, therefore balancing any
burdens discussed below and any remaining privacy concerns. /
B. Overall Impact
SAMHSA has examined the impacts of this rule as required by
Executive Order 12866 on Regulatory Planning and Review (September 30,
1993), Executive Order 13563 on Improving Regulation and Regulatory
Review (January 18, 2011), the Regulatory Flexibility Act (RFA)
(September 19, 1980, Pub. L. 96-354), section 1102(b) of the Social
Security Act, section 202 of the Unfunded Mandates Reform Act of 1995
(March 22, 1995; Pub. L. 104-4), Executive Order 13132 on Federalism
(August 4, 1999) and the Congressional Review Act (5 U.S.C. 804(2)),
and Executive Order 13771 (Reducing and Controlling Regulatory Costs).
Executive Orders 12866 and 13563 direct agencies to assess all costs
and benefits of available regulatory alternatives and, if regulation is
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, public health and safety
effects, distributive impacts, and equity). Section 3(f) of Executive
Order 12866 defines a ``significant regulatory ``action'' as an action
that is likely to result in a rule: (1) Having an annual effect on the
economy of $100 million or more in any 1 year, or adversely and
materially affecting a sector of the economy, productivity,
competition, jobs, the environment, public health or safety, or state,
local or tribal governments or communities (also referred to as
``economically significant''); (2) creating a serious inconsistency or
otherwise interfering with an action taken or planned by another
agency; (3) materially altering the budgetary impacts of entitlement
grants, user fees, or loan programs or the rights and obligations of
recipients thereof; or (4) raising novel legal or policy issues arising
out of legal mandates, the President's priorities, or the principles
set forth in the Executive Order. A regulatory impact analysis must be
prepared for major rules with economically significant effects ($100
million or more in any 1 year). This rule does not reach the economic
threshold and thus, is not considered a major rule to which Executive
Orders 12866 or 13771 apply.
The RFA requires agencies to analyze options for regulatory relief
of small businesses. For purposes of the RFA, small entities include
small businesses (including independent contractors), nonprofit
organizations, and small governmental jurisdictions. Individuals and
states are not included in the definition of a small entity. The
proposed rule would allow patients to consent to disclosure of their
information to entities; permit part 2 programs to report data for
controlled substances dispensed to patients to PDMPs with patient
consent; and allow part 2 programs to comply with disclosure requests
from federal, state, or local governmental agencies, third-party payers
and researchers. These proposals will result in additional reporting
burden as well as near-term non-recurring and annual recurring
regulatory impacts to part 2 programs. As shown in Table 2 and as
discussed in the Collection of Information Requirements (Section IV),
we estimate
[[Page 44585]]
the average cost impact per substance abuse treatment admission for
staff training, updates to consent forms, and disclosures to agencies
will be $4.09 in year 1 ($6,782,493 / 1,658,732 patients) and $3.97 in
years 2 through 10 ($6,581,025 / 1,658,732 patients). For opiate
treatment patients, we also estimate the average cost impact for
disclosure to PDMPs to be $7.68 per patient in year 1 ($4,085,489 /
531,965 patients) and $6.14 in years 2 through 10 ($3,268,391 / 531,965
patients). When this is added to the costs for staff training, updates
to consent forms, and disclosures to agencies, the aggregate cost
impact per opiate treatment admission is $11.77 in year 1 and $10.11 in
years 2 through 10. While we are unable to determine how many part 2
programs qualify as small businesses based on the minimum threshold for
small business size of $38.5 million (https://www.sba.gov/federal-contracting/contracting-guide/size-standards), we believe that on a
per-patient basis, this proposed rule will not significantly affect
part 2 treatment programs of any size. SAMHSA has not prepared an
analysis for the RFA because it has determined, and the Secretary
certifies, that this rule, if finalized as proposed, would not have a
significant economic impact on a substantial number of small entities.
As further described in section IV., above, when estimating the
total costs associated with changes to the 42 CFR part 2 regulations,
SAMHSA estimated costs related to collection of information for the
proposed changes to Sec. Sec. 2.31, 2.52, 2.53, and (new) 2.36. In
addition, we estimate that there may be additional burden related to
updating consent forms as a result of the proposals in Sec. Sec. 2.31
and (new) 2.36. In section III.C. of this proposed rule, SAMHSA
proposes to amend Sec. 2.31, to allow patients to consent to
disclosure of their information to entities, without naming the
specific individual receiving this information on behalf of a given
entity. In section III.G. of this proposed rule, SAMHSA proposes to add
a new Sec. 2.36, permitting part 2 programs to report to PDMPs;
patients must consent to disclosure before this reporting can occur.
See sections III.C. and III.G. for further information about these
proposals. These proposals may result in providers needing to update
their standard consent forms to allow for certain disclosures. As
stated in the 2016 proposed rule (81 FR 7009 through 7010), based from
a 2008 study from the Mayo Clinic Health Care Systems,\18\ the reported
cost to update authorization forms was $0.10 per patient. Adjusted for
inflation,\19\ costs associated with updating the patient consent forms
in 2019 would be $0.12 per patient (2018 dollars). SAMHSA used the
average number of substance abuse treatment admissions from SAMHSA's
2014-2016 TEDS (1,658,732) as an estimate of the number of clients
treated on an annual basis by part 2 programs. Therefore, the total
cost burden associated with updating the consent forms to reflect the
updated 42 CFR part 2 regulations is estimated to be a one-time cost of
$199,048 (1,658,732 * $0.12), as reflected in Table 2, below. Further,
the proposal to amend Sec. 2.31 is likely to result in a decrease in
the number of consents to disclosures that patients must make, due to
the ability to consent to entities without naming a specific
individual. Because of a lack of data regarding the number of consents
patients have made to multiple individuals within the same entity which
would become duplicative as a result of the proposed amendment, we are
unable to quantify the reduction in burden related to the expected
reduction in the number of required consents.
---------------------------------------------------------------------------
\18\ Williams, A.R., Herman, D.C., Moriarty, J.P., Beebe, T.J.,
Bruggeman, S.K., Klavetter, E.W. & Bartz, J.K. (2008). HIPAA costs
and patient perceptions of privacy safeguards at Mayo Clinic. Joint
Commission Journal on Quality and Patient Safety, 34(1), 27-35.
\19\ https://www.bls.gov/cpi/tables/supplemental-files/historical-cpi-u-201905.pdf.
---------------------------------------------------------------------------
In prior proposed rules (e.g., 81 FR 7009), SAMHSA estimated one
hour of training per staff to achieve proficiency in the 42 CFR part 2
regulations. SAMHSA assumes that training associated with the new
requirements discussed in this proposed rule can be accomplished within
the existing one hour of training, therefore we are not proposing any
additional costs for training counseling staff.
With regard to training materials, SAMHSA will assume
responsibility for updating and distributing training materials in year
1 at no cost to part 2 programs. A 2017 study by the Association for
Talent Development determined the average time to develop training
materials for one hour of classroom instruction is 38 hours.\20\
Because we assume that SAMHSA will be updating rather than developing
training materials, we estimate the time for training development to be
one-half that of developing new materials, or 19 hours and would be
performed by an instructor with experience in healthcare at the average
wage rate of $63.71 per hour for a health specialty teacher \21\ and
multiplied the average wage rate by 2 in order to account for benefits
and overhead costs. Based on these assumptions, the updating of
training materials is estimated to cost $2,421 (19 hours x $127.42/
hour). SAMHSA estimates that the updates to consent forms (Sec. Sec.
2.31 and 2.36) would be one-time costs the first year the final rule
would be in effect and would not carry forward into future years. Staff
training costs other than those associated with updating training
materials are assumed to be ongoing annual costs to part 2 programs,
also beginning in the first year that the final rule is in effect.
Costs associated with disclosing information to PDMPs (Sec. 2.36) and
agencies (Sec. 2.53) are assumed to be ongoing annual costs to part 2
programs.
---------------------------------------------------------------------------
\20\ https://www.td.org/insights/how-long-does-it-take-to-develop-one-hour-of-training-updated-for-2017.
\21\ Bureau of Labor Statistics, U.S. Department of Labor,
Occupational Employment Statistics, May 2018, Health Specialty
Teachers, Postsecondary, Standard Occupations Classification code
(25-1071) [www.bls.gov/oes/current/oes_nat.htm].
---------------------------------------------------------------------------
In section III.K. of this proposed rule, SAMHSA proposes to amend
Sec. 2.67 to extend the period for court-ordered placement of an
undercover agent or informant to 12 months, while authorizing courts to
further extend a period of placement through a new court order. In that
section, SAMHSA also proposes to explicitly state when the 12-month
period begins to run. See section III.K. for further information about
this proposal. Since the requirements for seeking this court order
would be the same, and the proposal would merely be extending the time
of the court order, SAMHSA does not believe this proposal will result
in any additional regulatory burden.
Based on the above, SAMHSA estimates in the first year that the
final rule would be in effect, the costs associated with the proposed
updates to 42 CFR part 2 would be $10,867,982 as shown in Table 2. In
years 2 through 10, SAMHSA estimates that costs would be $9,849,415.
Over the 10-year period of 2019-2028, the total undiscounted cost of
the proposed changes would be $99,512,721 in 2018 dollars. As shown in
Table 3, when future costs are discounted at 3 percent or 7 percent per
year, the total costs become approximately $85.0 million or $70.1
million, respectively. These costs are presented in the tables below.
[[Page 44586]]
Table 2--Total Cost of 42 CFR Part 2 Revisions
----------------------------------------------------------------------------------------------------------------
Disclosure to Staff training Updates to Disclosures
Year PDMPs costs consent forms to agencies Total costs
----------------------------------------------------------------------------------------------------------------
2019............................ $4,085,489 $2,421 $199,048 $6,581,025 $10,867,982
2020............................ 3,268,391 0 0 6,581,025 9,849,415
2021............................ 3,268,391 0 0 6,581,025 9,849,415
2022............................ 3,268,391 0 0 6,581,025 9,849,415
2023............................ 3,268,391 0 0 6,581,025 9,849,415
2024............................ 3,268,391 0 0 6,581,025 9,849,415
2025............................ 3,268,391 0 0 6,581,025 9,849,415
2026............................ 3,268,391 0 0 6,581,025 9,849,415
2027............................ 3,268,391 0 0 6,581,025 9,849,415
2028............................ 3,268,391 0 0 6,581,025 9,849,415
-------------------------------------------------------------------------------
Total....................... 33,501,007 2,421 199,048 65,810,245 99,512,721
----------------------------------------------------------------------------------------------------------------
Table 3--Total Cost of 42 CFR Part 2 Revisions--Annual Discounting
----------------------------------------------------------------------------------------------------------------
Total cost Total cost
Year Total costs with 3% with 7%
discounting discounting
----------------------------------------------------------------------------------------------------------------
2019............................................................ $10,867,982 $10,551,439 $10,156,992
2020............................................................ 9,849,415 9,284,019 8,602,861
2021............................................................ 9,849,415 9,013,610 8,040,057
2022............................................................ 9,849,415 8,751,078 7,514,072
2023............................................................ 9,849,415 8,496,192 7,022,497
2024............................................................ 9,849,415 8,248,730 6,563,081
2025............................................................ 9,849,415 8,008,476 6,133,721
2026............................................................ 9,849,415 7,775,219 5,732,449
2027............................................................ 9,849,415 7,548,757 5,357,429
2028............................................................ 9,849,415 7,328,890 5,006,943
-----------------------------------------------
Total....................................................... 99,512,721 85,006,411 70,130,104
----------------------------------------------------------------------------------------------------------------
C. Alternatives Considered
In drafting this proposed rule, SAMHSA considered potential policy
alternatives and, when possible, proposed the least burdensome
alternatives. For example, in section III.B. of this proposed rule, we
considered specifically proposing the technological and operational
requirements required for segmenting records but decided to allow
providers more latitude to define their best practices, understanding
that specific requirements could pose more burden, specifically to
small and rural providers. In section III.C. of this proposed rule,
SAMHSA also considered only allowing patients to allow disclosure to
state, federal, and local government entities that provide benefits.
Instead, however, it decided to propose to allow patients to more
broadly specify disclosure to entities, so that patients can more
widely control their information. On balance, SAMHSA believes that the
proposals in this rule most appropriately balance the often-competing
interests of burden, privacy, and patient safety.
D. Conclusion
SAMHSA is proposing to amend 42 CFR part 2. With respect to our
proposal to revise the regulations, SAMHSA does not believe that the
proposal would have a significant impact. As discussed above, we are
not preparing an analysis for the RFA because SAMHSA has determined,
and the Secretary certifies, that this proposed rule would not have a
significant economic impact on a substantial number of small entities.
SAMHSA is not preparing an analysis for section 1102(b) of the RFA
because it has determined, and the Secretary certifies, that this
proposed rule would not have a significant impact on the operations of
a substantial number of small rural hospitals. In addition, SAMHSA does
not believe this rule imposes substantial direct effects on (1) states,
including subdivisions thereof, (2) the relationship between the
federal government and the states, or (3) the distribution of power and
responsibilities among the various levels of government. Therefore, the
requirements of Executive Order 13132 on federalism would not be
applicable.
SAMHSA invites public comments on this section and requests any
additional data that would help it to determine more accurately the
impact on individuals and entities of the proposed rule. In accordance
with the provisions of Executive Order 12866, this proposed rule has
been reviewed by the Office of Management and Budget.
List of Subjects in 42 CFR Part 2
Alcohol abuse, Alcoholism, Drug abuse, Grant programs--health,
Health records, Privacy, Reporting and recordkeeping requirements.
VII. Regulation Text
For the reasons set forth in the preamble, the Department of Health
and Human Services proposes to amend 42 CFR part 2 to read as follows:
PART 2--CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS
0
1. The authority citation for part 2 continues to read as follows:
Authority: Sec. 408 of Pub. L. 92-255, 86 Stat. 79, as amended
by sec. 303(a), (b) of Pub L. 93-282, 83 Stat. 137, 138; sec.
4(c)(5)(A) of Pub. L. 94-237, 90 Stat. 244; sec. 111(c)(3) of Pub.
L. 94-581, 90 Stat. 2852; sec. 509 of Pub. L. 96-88, 93 Stat. 695;
sec. 973(d) of Pub. L. 97-35, 95 Stat. 598; and transferred to sec.
527 of the Public Health Service Act
[[Page 44587]]
by sec. 2(b)(16)(B) of Pub. L. 98-24, 97 Stat. 182 and as amended by
sec. 106 of Pub. L. 99-401, 100 Stat. 907 (42 U.S.C. 290ee-3) and
sec. 333 of Pub. L. 91-616, 84 Stat. 1853, as amended by sec. 122(a)
of Pub. L. 93-282, 88 Stat. 131; and sec. 111(c)(4) of Pub. L. 94-
581, 90 Stat. 2852 and transferred to sec. 523 of the Public Health
Service Act by sec. 2(b)(13) of Pub. L. 98-24, 97 Stat. 181 and as
amended by sec. 106 of Pub. L. 99-401, 100 Stat. 907 (42 U.S.C.
290dd-3), as amended by sec. 131 of Pub. L. 102-321, 106 Stat. 368,
(42 U.S.C. 290dd-2).
0
2. Amend Sec. 2.11 by revising the definition of ``Records'' to read
as follows:
Sec. 2.11 Definitions.
* * * * *
Records means any information, whether recorded or not, created by,
received, or acquired by a part 2 program relating to a patient (e.g.,
diagnosis, treatment and referral for treatment information, billing
information, emails, voice mails, and texts), provided, however, that
information conveyed orally by a part 2 program to a non-part 2
provider for treatment purposes with the consent of the patient does
not become a record subject to this Part in the possession of the non-
part 2 provider merely because that information is reduced to writing
by that non-part 2 provider. Records otherwise transmitted by a part 2
program to a non-part 2 provider retain their characteristic as records
in the hands of the non-part 2 provider, but may be segregated by that
provider. For the purpose of the regulations in this part, records
include both paper and electronic records.
* * * * *
0
3. Amend Sec. 2.12 by:
0
a. Revising paragraphs (a)(1) introductory text and (a)(1)(ii);
0
b. Adding paragraph (d)(2)(ii); and
0
c. Revising paragraphs (e)(3) and (4) introductory text.
The revisions and additions read as follows:
Sec. 2.12 Applicability.
(a) * * *
(1) Restrictions on disclosure. The restrictions on disclosure in
the regulations in this part apply to any records which:
* * * * *
(ii) Contain drug abuse information obtained by a federally
assisted drug abuse program after March 20, 1972 (part 2 program), or
contain alcohol abuse information obtained by a federally assisted
alcohol abuse program after May 13, 1974 (part 2 program); or if
obtained before the pertinent date, is maintained by a part 2 program
after that date as part of an ongoing treatment episode which extends
past that date; for the purpose of treating a substance use disorder,
making a diagnosis for that treatment, or making a referral for that
treatment.
* * * * *
(d) * * *
(2) * * *
(ii) Notwithstanding paragraph (2)(i)(C) of this section, a non-
part 2 treating provider may record information about a substance use
disorder (SUD) and its treatment that identifies a patient. This is
permitted and does not constitute a record that has been re-disclosed
under part 2, provided that any SUD records received from a part 2
program or other lawful holder are segregated or segmented. The act of
recording information about a SUD and its treatment does not by itself
render a medical record which is created by a non-part 2 treating
provider subject to the restrictions of this part 2.
* * * * *
(e) * * *
(3) Information to which restrictions are applicable. Whether a
restriction applies to the use or disclosure of a record affects the
type of records which may be disclosed. The restrictions on disclosure
apply to any part 2-covered records which would identify a specified
patient as having or having had a substance use disorder. The
restriction on use of part 2 records to bring criminal charges against
a patient for a crime applies to any records obtained by the part 2
program for the purpose of diagnosis, treatment, or referral for
treatment of patients with substance use disorders. (Restrictions on
use and disclosure apply to recipients of part 2 records under
paragraph (d) of this section.)
(4) How type of diagnosis affects coverage. These regulations cover
any record reflecting a diagnosis identifying a patient as having or
having had a substance use disorder which is initially prepared by a
part 2 provider in connection with the treatment or referral for
treatment of a patient with a substance use disorder. A diagnosis
prepared by a part 2 provider for the purpose of treatment or referral
for treatment, but which is not so used, is covered by the regulations
in this part. The following are not covered by the regulations in this
part:
* * * * *
0
4. Amend Sec. 2.31 by revising paragraph (a)(4) to read as follows:
Sec. 2.31 Consent requirements.
(a) * * *
(4)(i) The name(s) of the individual(s) or the name(s) of the
entity(-ies) to which a disclosure is to be made.
(ii) Special instructions for entities that facilitate the exchange
of health information and research institutions. Notwithstanding
paragraph (a)(4)(i) of this section, if the recipient entity
facilitates the exchange of health information or is a research
institution, a written consent must include the name(s) of the entity(-
ies) and
(A) The name(s) of individual or entity participant(s); or
(B) A general designation of an individual or entity participant(s)
or class of participants that must be limited to a participant(s) who
has a treating provider relationship with the patient whose information
is being disclosed. When using a general designation, a statement must
be included on the consent form that the patient (or other individual
authorized to sign in lieu of the patient), confirms their
understanding that, upon their request and consistent with this part,
they must be provided a list of entities to which their information has
been disclosed pursuant to the general designation (see Sec. 2.13(d)).
* * * * *
0
5. Amend Sec. 2.32 by revising paragraph (a)(1) to read as follows:
Sec. 2.32 Prohibition on re-disclosure.
(a) * * *
(1) This information has been disclosed to you from records
protected by federal confidentiality rules (42 CFR part 2). The federal
rules prohibit you from making any further disclosure of this record
unless further disclosure is expressly permitted by the written consent
of the individual whose information is being disclosed in this record
or, is otherwise permitted by 42 CFR part 2. A general authorization
for the release of medical or other information is NOT sufficient for
this purpose (see Sec. 2.31). The federal rules restrict any use of
the information to investigate or prosecute with regard to a crime any
patient with a substance use disorder, except as provided at Sec. Sec.
2.12(c)(5) and 2.65; or
* * * * *
0
6. Amend Sec. 2.33 by revising paragraph (b) to read as follows:
Sec. 2.33 Disclosures permitted with written consent.
* * * * *
(b) If a patient consents to a disclosure of their records under
Sec. 2.31 for payment and/or health care operations activities, a
lawful holder who receives such records under the terms of the written
consent may further disclose those records as may be necessary for its
contractors, subcontractors, or legal representatives to carry out
payment
[[Page 44588]]
and/or health care operations on behalf of such lawful holder.
Disclosures to contractors, subcontractors, and legal representatives
to carry out other purposes such as substance use disorder patient
diagnosis, treatment, or referral for treatment are not permitted under
this section. In accordance with Sec. 2.13(a), disclosures under this
section must be limited to that information which is necessary to carry
out the stated purpose of the disclosure. Examples of permissible
payment and/or health care operations activities under this section
include:
(1) Billing, claims management, collections activities, obtaining
payment under a contract for reinsurance, claims filing, and/or related
health care data processing;
(2) Clinical professional support services (e.g., quality
assessment and improvement initiatives; utilization review and
management services);
(3) Patient safety activities;
(4) Activities pertaining to:
(i) The training of student trainees and health care professionals;
(ii) The assessment of practitioner competencies;
(iii) The assessment of provider and/or health plan performance;
and/or
(iv) Training of non-health care professionals;
(5) Accreditation, certification, licensing, or credentialing
activities;
(6) Underwriting, enrollment, premium rating, and other activities
related to the creation, renewal, or replacement of a contract of
health insurance or health benefits, and/or ceding, securing, or
placing a contract for reinsurance of risk relating to claims for
health care;
(7) Third-party liability coverage;
(8) Activities related to addressing fraud, waste and/or abuse;
(9) Conducting or arranging for medical review, legal services,
and/or auditing functions;
(10) Business planning and development, such as conducting cost
management and planning-related analyses related to managing and
operating, including formulary development and administration,
development or improvement of methods of payment or coverage policies;
(11) Business management and general administrative activities,
including management activities relating to implementation of and
compliance with the requirements of this or other statutes or
regulations;
(12) Customer services, including the provision of data analyses
for policy holders, plan sponsors, or other customers;
(13) Resolution of internal grievances;
(14) The sale, transfer, merger, consolidation, or dissolution of
an organization;
(15) Determinations of eligibility or coverage (e.g., coordination
of benefit services or the determination of cost sharing amounts), and
adjudication or subrogation of health benefit claims;
(16) Risk adjusting amounts due based on enrollee health status and
demographic characteristics;
(17) Review of health care services with respect to medical
necessity, coverage under a health plan, appropriateness of care, or
justification of charges; and/or
(18) Other payment/health care operations activities not expressly
prohibited in this provision.
* * * * *
0
7. Amend Sec. 2.34 by:
0
a. Revising paragraph (b);
0
b. Redesignating paragraph (d) as paragraph (e); and
0
c. Adding a new paragraph (d).
The revisions and addition read as follows:
Sec. 2.34 Disclosures to prevent multiple enrollments.
* * * * *
(b) Use of information limited to prevention of multiple
enrollments. A central registry and any withdrawal management or
maintenance treatment program to which information is disclosed to
prevent multiple enrollments may not re-disclose or use patient
identifying information for any purpose other than the prevention of
multiple enrollments or to ensure appropriate coordinated care with a
treating provider that is not a part 2 program unless authorized by a
court order under subpart E of this part.
* * * * *
(d) Permitted disclosure by a central registry to a non-member
treating provider, to prevent a multiple enrollment. When, for the
purpose of preventing multiple program enrollments or duplicative
prescriptions, or to inform prescriber decision making regarding
prescribing of opioid medication(s) or other prescribed substances, a
provider with a treating provider relationship that is not a member
program asks a central registry if an identified patient is enrolled in
a member program, the registry may disclose:
(1) The name, address, and telephone number of the member
program(s) in which the patient is enrolled;
(2) Type and dosage of any medication for substance use disorder
being administered or prescribed to the patient by the member
program(s); and
(3) Relevant dates of any such administration or prescription. The
central registry and non-member program treating prescriber may
communicate as necessary to verify that no error has been made and to
prevent or eliminate any multiple enrollments or improper prescribing.
* * * * *
0
8. Add Sec. 2.36 to Subpart C to read as follows:
Sec. 2.36 Disclosures to prescription drug monitoring programs.
Permitted disclosure by a part 2 program or other lawful holder to
a prescription drug monitoring program. A part 2 program or other
lawful holder is permitted to report any SUD medication prescribed or
dispensed by the part 2 program to the applicable state prescription
drug monitoring program if required by applicable state law. A part 2
program or other lawful holder must obtain patient consent to a
disclosure of records under Sec. 2.31 prior to reporting of such
information.
0
9. Amend Sec. 2.51 by revising paragraph (a) to read as follows:
Sec. 2.51 Medical emergencies.
(a) General rule. Under the procedures required by paragraph (c) of
this section, patient identifying information may be disclosed o
medical personnel to the extent necessary to:
(1) Meet a bona fide medical emergency in which the patient's prior
informed consent cannot be obtained; or
(2) Meet a bona fide medical emergency in which a part 2 program is
closed and unable to provide services or obtain the prior written
consent of the patient, during a temporary state of emergency declared
by a state and/or federal authority as the result of a natural or major
disaster, until such time that the part 2 program resumes operations.
* * * * *
0
10. Amend Sec. 2.52 by revising paragraph (a) to read as follows:
Sec. 2.52 Research.
(a) Notwithstanding other provisions of this part, including
paragraph (b)(2) of this section, patient identifying information may
be disclosed for the purposes of the recipient conducting scientific
research if:
(1) The individual designated as director or managing director, or
individual otherwise vested with authority to act as chief executive
officer or their designee, of a part 2 program or other lawful holder
of part 2 data, makes a determination that the recipient of the patient
identifying information is:
[[Page 44589]]
(i) A HIPAA-covered entity or business associate that has obtained
and documented authorization from the patient, or a waiver or
alteration of authorization, consistent with the HIPAA Privacy Rule at
45 CFR 164.508 or 164.512(i), as applicable;
(ii) Subject to the HHS regulations regarding the protection of
human subjects (45 CFR part 46), and provides documentation either that
the researcher is in compliance with the requirements of the HHS
regulations, including the requirements related to informed consent or
a waiver of consent (45 CFR 46.111 and 46.116) or that the research
qualifies for exemption under the HHS regulations (45 CFR 46.104) or
any successor regulations;
(iii) a member of the workforce of a HIPAA-covered entity that
requires that all employer-sponsored research carried out by members of
its workforce be conducted in accordance with the requirements of the
HIPAA Privacy Rule (45 CFR parts 160 an 164 Subpart E) and/or the HHS
regulations regarding the protection of human subjects, and has
obtained and maintained the documentation referenced in paragraph
(a)(1)(i) or (ii) of this section, respectively; or
(iv) subject to the FDA regulations regarding the protection of
human subjects (21 CFR parts 50 and 56) and provides documentation that
the research is in compliance with the requirements of the FDA
regulations, including the requirements related to informed consent or
an exception to, or waiver of, consent (21 CFR part 50) and any
successor regulations; or
(v) any combination of a HIPAA covered entity or business
associate, and/or subject to the HHS regulations regarding the
protection of human subjects, and/or subject to the FDA regulations
regarding the protection of human subjects, and has met the
requirements of paragraph (a)(1)(i), (ii) (iii), and/or (iv) of this
section, as applicable.
(2) The part 2 program or other lawful holder of part 2 data is a
HIPAA covered entity or business associate, and the disclosure is made
in accordance with the HIPAA Privacy Rule requirements at 45 CFR
164.512(i).
(3) If neither paragraph (a)(1) or (a)(2) of this section apply to
the receiving or disclosing party, this section does not apply.
* * * * *
0
11. Amend Sec. 2.53 by:
0
a. Revising paragraphs (a)(1)(ii), (a)(2), and (b)(2)(ii);;
0
b. Adding paragraph (b)(2)(iii);
0
c. Redesignating paragraphs (c) and (d) as paragraphs (e) and (f)
respectively;
0
d. In newly redesignated paragraph (e)(1) introductory text, removing
the reference ``paragraph (c)'' and adding in its place the reference
``paragraph (e)'';
0
e. In newly redesignated paragraph (e)(1)(iii), removing the reference
``paragraph (d)'' and adding in its place the reference ``paragraph
(f)'';
0
f. In newly redesignated paragraph (e)(3)(ii)(F), removing the
reference ``paragraph (c)(1)'' and adding in its place the reference
``paragraph (e)(1)'';
0
g. In newly redesignated paragraphs (e)(4) and (5), removing the
reference ``paragraph (c)(2)'' and adding in its place the reference
``paragraph (e)(2)'';
0
h. In newly redesignated paragraph (e)(6), removing the reference
``paragraph (c)'' and adding in its place the reference ``paragraph
(e)'';
0
i. Adding new paragraphs (c), (d), and (g).
The revisions and additions read as follows:
Sec. 2.53 Audit and evaluation.
(a) * * *
(1) * * *
(ii) Any individual or entity which provides financial assistance
to the part 2 program or other lawful holder, which is a third-party
payer covering patients in the part 2 program, or which is a quality
improvement organization performing a QIO review, or the contractors,
subcontractors, or legal representatives of such individual, entity, or
quality improvement organization.
(2) Is determined by the part 2 program or other lawful holder to
be qualified to conduct an audit or evaluation of the part 2 program or
other lawful holder. Auditors may include any non-part 2 entity that
has direct administrative control over the part 2 program or lawful
holder.
(b) * * *
(2) * * *
(ii) Any individual or entity which provides financial assistance
to the part 2 program or other lawful holder, which is a third-party
payer covering patients in the part 2 program, or which is a quality
improvement organization performing a QIO review, or the contractors,
subcontractors, or legal representatives of such individual, entity, or
quality improvement organization.
(iii) An entity with direct administrative control over the part 2
program or lawful holder.
(c) Activities Included. Audits and evaluations under this section
may include, but are not limited to:
(1) Activities periodically undertaken by a federal, state, or
local governmental agency, or a third-party payer entity, in order to:
(i) Identify actions the agency or third-party payer entity can
make, such as changes to its policies or procedures, to improve care
and outcomes across part 2 programs;
(ii) Target limited resources more effectively; or
(iii) Determine the need for adjustments to payment policies for
the care of patients with SUD; and
(2) Reviews of appropriateness of medical care, medical necessity,
and utilization of services.
(d) Quality Assurance Entities Included. Entities conducting audits
or evaluations in accordance with paragraphs (a) and (b) of this
section may include accreditation or similar types of organizations
focused on quality assurance.
* * * * *
(g) Audits and Evaluations Mandated by Statute or Regulation.
Patient identifying information may be disclosed to federal, state, or
local government agencies, and the contractors, subcontractors, and
legal representatives of such agencies, in the course of conducting
audits or evaluations mandated by statute or regulation, if those
audits or evaluations cannot be carried out using de-identified
information.
0
12. Amend Sec. 2.67 by revising paragraph (d)(2) to read as follows:
Sec. 2.67 Orders authorizing the use of undercover agents and
informants to investigate employees or agents of a part 2 program in
connection with a criminal matter.
* * * * *
(d) * * *
(2) Limit the total period of the placement to twelve months,
starting on the date that the undercover agent or informant is placed
on site within the program. The placement of an undercover agent or
informant must end after 12 months, unless a new court order is issued
to extend the period of placement;
* * * * *
Dated: August 1, 2019.
Elinore F. McCance-Katz,
Assistant Secretary for Mental Health and Substance Use, Substance
Abuse and Mental Health Services Administration.
Approved: August 7, 2019.
Alex M. Azar II,
Secretary, Department of Health and Human Services.
[FR Doc. 2019-17817 Filed 8-22-19; 4:15 pm]
BILLING CODE P