[Federal Register Volume 89, Number 33 (Friday, February 16, 2024)]
[Rules and Regulations]
[Pages 12472-12631]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-02544]



[[Page 12471]]

Vol. 89

Friday,

No. 33

February 16, 2024

Part III





 Department of Health and Human Services





-----------------------------------------------------------------------





42 CFR Part 2





Confidentiality of Substance Use Disorder (SUD) Patient Records; Final 
Rule

  Federal Register / Vol. 89 , No. 33 / Friday, February 16, 2024 / 
Rules and Regulations  

[[Page 12472]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

42 CFR Part 2

RIN 0945-AA16


Confidentiality of Substance Use Disorder (SUD) Patient Records

AGENCY: Office for Civil Rights, Office of the Secretary, Department of 
Health and Human Services; Substance Abuse and Mental Health Services 
Administration (SAMHSA), Department of Health and Human Services.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The United States Department of Health and Human Services (HHS 
or ``Department'') is issuing this final rule to modify its regulations 
to implement section 3221 of the Coronavirus Aid, Relief, and Economic 
Security (CARES) Act. The Department is issuing this final rule after 
careful consideration of all public comments received in response to 
the notice of proposed rulemaking (NPRM) for the Confidentiality of 
Substance Use Disorder (SUD) Patient Records. This final rule also 
makes certain other modifications to increase alignment with the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy 
Rule to improve workability and decrease burden on programs, covered 
entities, and business associates.

DATES: 
    Effective date: This final rule is effective on April 16, 2024.
    Compliance date: Persons subject to this regulation must comply 
with the applicable requirements of this final rule by February 16, 
2026.

FOR FURTHER INFORMATION CONTACT: Marissa Gordon-Nguyen at (202) 240-
3110 or (800) 537-7697 (TDD).

SUPPLEMENTARY INFORMATION: 

Table of Contents

I. Executive Summary
    A. Purpose of Rulemaking and Issuance of Proposed Rule
    B. Severability
    C. Summary of the Major Provisions
    D. Summary of the Costs and Benefits of the Major Provisions
II. Statutory and Regulatory Background
III. Overview of Public Comments
    A. General Discussion of Comments
    B. General Comments
    1. General Support for the Proposed Rule
    2. General Opposition to the Proposed Rule
IV. Analysis and Response to Public Comments and Final Modifications
    A. Effective and Compliance Dates
    B. Substantive Proposals and Responses to Comments
V. Regulatory Impact Analysis
    A. Executive Orders 12866 and 13563 and Related Executive Orders 
on Regulatory Review
    1. Summary of the Final Rule
    2. Need for the Final Rule
    3. Response to Public Comment
    4. Cost-Benefit Analysis
    5. Consideration of Regulatory Alternatives
    B. Regulatory Flexibility Act
    C. Unfunded Mandates Reform Act
    D. Executive Order 13132--Federalism
    E. Assessment of Federal Regulation and Policies on Families
    F. Paperwork Reduction Act of 1995
    1. Explanation of Estimated Annualized Burden Hours for 42 CFR 
Part 2
    2. Explanation of Estimated Capital Expenses for 42 CFR Part 2

                            Table of Acronyms
------------------------------------------------------------------------
              Acronym                              Meaning
------------------------------------------------------------------------
ACO...............................  Accountable Care Organization.
ADAMHA............................  Alcohol, Drug Abuse, and Mental
                                     Health Administration
                                     Reorganization Act.
ADT...............................  Admit, Discharge, Transfer.
APCD..............................  All-Payer Claims Database.
BLS...............................  Bureau of Labor Statistics.
CARES Act.........................  Coronavirus Aid, Relief, and
                                     Economic Security Act.
CBO...............................  Community-based Organizations.
CFR...............................  Code of Federal Regulations.
CHIP..............................  Children's Health Insurance Program.
CMP...............................  Civil Money Penalty.
CMS...............................  Centers for Medicare & Medicaid
                                     Services.
COVID-19..........................  Coronavirus Disease 2019.
CSP...............................  Cloud Service Provider.
DOJ...............................  U.S. Department of Justice.
E.O...............................  Executive Order.
EHR...............................  Electronic Health Record.
ePHI..............................  Electronic Protected Health
                                     Information.
FDA...............................  Food and Drug Administration.
FOIA..............................  Freedom of Information Act.
FR................................  Federal Register.
GS................................  General Schedule.
Health IT.........................  Health Information Technology.
HHS or Department.................  U.S. Department of Health and Human
                                     Services.
HIE...............................  Health Information Exchange.
HIN...............................  Health Information Network.
HIPAA.............................  Health Insurance Portability and
                                     Accountability Act of 1996.
HITECH Act........................  Health Information Technology for
                                     Economic and Clinical Health Act of
                                     2009.
HIV...............................  Human Immunodeficiency Virus.
ICR...............................  Information Collection Request.
IHS...............................  Indian Health Service.
ISDEAA............................  Indian Self-Determination and
                                     Education Assistance Act.
MAT...............................  Medication Assisted Treatment.
MHPAEA............................  Mental Health Parity and Addiction
                                     Equity Act.
MOUD..............................  Medications for Opioid Use Disorder.
MPCD..............................  Multi-Payer Claims Database.
NIST..............................  National Institute of Standards and
                                     Technology.
NOAA..............................  National Oceanic and Atmospheric
                                     Administration.
NPP...............................  Notice of Privacy Practices.
NPRM..............................  Notice of Proposed Rulemaking.

[[Page 12473]]

 
N-SSATS...........................  National Survey of Substance Abuse
                                     Treatment Services.
OCR...............................  Office for Civil Rights.
OIG...............................  Office of the Inspector General.
OIRA..............................  Office of Information and Regulatory
                                     Affairs.
OMB...............................  Office of Management and Budget.
ONC...............................  Office of the National Coordinator
                                     for Health Information Technology.
OTP...............................  Opioid Treatment Program.
PDMP..............................  Prescription Drug Monitoring
                                     Program.
PHI...............................  Protected Health Information.
PHSA..............................  Public Health Service Act.
PRA...............................  Paperwork Reduction Act of 1995.
Pub. L............................  Public Law.
QSO...............................  Qualified Service Organization.
QSOA..............................  Qualified Service Organization
                                     Agreement.
RFA...............................  Regulatory Flexibility Act.
RFI...............................  Request for Information.
RIA...............................  Regulatory Impact Analysis.
RPMS..............................  Resource and Patient Management
                                     System.
SAMHSA............................  Substance Abuse and Mental Health
                                     Services Administration.
SBA...............................  Small Business Administration.
SUD...............................  Substance Use Disorder.
TEDS..............................  Treatment Episode Data Set.
TEFCA.............................  Trusted Exchange Framework and
                                     Common Agreement.
TPO...............................  Treatment, Payment, and/or Health
                                     Care Operations.
U.S.C.............................  United States Code.
USPHS.............................  U.S. Public Health Service.
VA................................  U.S. Department of Veterans Affairs.
------------------------------------------------------------------------

I. Executive Summary

A. Purpose of Rulemaking and Issuance of Proposed Rule

    On March 27, 2020, Congress enacted the Coronavirus Aid, Relief, 
and Economic Security (CARES) Act, including section 3221 of the Act 
\1\ entitled ``Confidentiality and Disclosure of Records Relating to 
Substance Use Disorder.'' Section 3221 enacts statutory amendments to 
section 290dd-2 of title 42 United States Code (42 U.S.C. 290dd-2).\2\ 
These amendments require the U.S. Department of Health and Human 
Services (HHS or ``Department'') to increase the regulatory alignment 
between title 42 of the Code of Federal Regulations (CFR) (42 CFR part 
2 or ``part 2''),\3\ which includes privacy provisions that protect SUD 
patient records, and key aspects of the Health Insurance Portability 
and Accountability Act of 1996 (HIPAA) \4\ Privacy, Breach 
Notification, and Enforcement regulations (``HIPAA regulations''),\5\ 
which govern the use and disclosure of protected health information 
(PHI).\6\
---------------------------------------------------------------------------

    \1\ Public Law 116-136, 134 Stat. 281 (Mar. 27, 2020).
    \2\ 42 U.S.C. 290dd-2.
    \3\ For readability, the Department refers to specific sections 
of 42 CFR part 2 using a shortened citation with the ``Sec.  '' 
symbol except where necessary to distinguish title 42 citations from 
other CFR titles, such as title 45 CFR, and in footnotes where the 
full reference is used.
    \4\ Subtitle F of title II of HIPAA, Public Law 104-191, 110 
Stat. 1936 (Aug. 21, 1996) added a new part C to title XI of the 
Social Security Act (SSA), Public Law 74-271, 49 Stat. 620 (Aug. 14, 
1935), (see sections 1171-1179 of the SSA (codified at 42 U.S.C. 
1320d-1320d-8)), as amended by the Health Information Technology for 
Economic and Clinical Health (HITECH) Act of 2009, Public Law 111-5, 
123 Stat. 226 (Feb. 17, 2009) (codified at 42 U.S.C. 139w-4(0)(2)), 
enacted as title XIII of division A and title IV of division B of 
the American Recovery and Reinvestment Act of 2009 (ARRA), Public 
Law 111-5, 123 Stat. 226 (Feb. 17, 2009).
    \5\ See the HIPAA Privacy Rule, 45 CFR parts 160 and 164, 
subparts A and E; the HIPAA Security Rule, 45 CFR parts 160 and 164, 
subparts A and C; the HIPAA Breach Notification Rule, 45 CFR part 
164, subpart D; and the HIPAA Enforcement Rule, 45 CFR part 160, 
subparts C, D, and E. Breach notification requirements were added by 
the HITECH Act.
    \6\ PHI is individually identifiable health information 
maintained or transmitted by or on behalf of a HIPAA covered entity. 
See 45 CFR 160.103 (definitions of ``Individually identifiable 
health information'' and ``Protected health information'').
---------------------------------------------------------------------------

    On December 2, 2022, the Department published a notice of proposed 
rulemaking (NPRM) proposing to modify part 2 consistent with the 
requirements of section 3221.\7\ In the NPRM, the Department proposed 
to: (1) enhance restrictions against the use and disclosure of part 2 
records \8\ in civil, criminal, administrative, and legislative 
proceedings; (2) provide for civil enforcement authority, including the 
imposition of civil money penalties (CMPs); (3) modify consent for uses 
and disclosures of part 2 records for treatment, payment, and health 
care operations (TPO) purposes; (4) impose breach notification 
obligations; (5) incorporate some definitions from the HIPAA 
regulations into part 2; (6) provide new patient rights to request 
restrictions on uses and disclosures and obtain an accounting of 
disclosures made with consent; (7) add a permission to disclose de-
identified records to public health authorities; and (8) address 
concerns about potential unintended consequences for government 
agencies that investigate part 2 programs due to the change in 
enforcement authority and penalties for violations of part 2.
---------------------------------------------------------------------------

    \7\ 87 FR 74216 (Dec. 2, 2022). The Department also proposed 
modifications to the HIPAA Notice of Privacy Practices (NPP) in 
January 2021 and April 2023. See Proposed Modifications to the HIPAA 
Privacy Rule to Support, and Remove Barriers to, Coordinated Care 
and Individual Engagement, 86 FR 6446 (Jan. 21, 2021) and HIPAA 
Privacy Rule To Support Reproductive Health Care Privacy 88 FR 23506 
(Apr. 17, 2023).
    \8\ Within this rule the terms records and part 2 records are 
used interchangeably to refer to information subject to part 2.
---------------------------------------------------------------------------

    The 60-day public comment period for the proposed rule closed on 
January 31, 2023, and the Department received approximately 220 
comments in response to its proposal.\9\ After considering the public 
comments, the Department is issuing this final rule that adopts many of 
the proposals set forth

[[Page 12474]]

in the NPRM, with certain modifications based on the input received. 
This final rule aligns certain part 2 requirements more closely with 
requirements of the HIPAA regulations to improve the ability of 
entities that are subject to part 2 to use and disclose part 2 records 
and make other changes to part 2, as described in this preamble. We 
believe this final rule implements the modifications required by the 
CARES Act amendments to 42 U.S.C. 290dd-2 and will decrease burdens on 
patients and providers, improve coordination of care and access to care 
and treatment, and protect the confidentiality of treatment records.
---------------------------------------------------------------------------

    \9\ The public comments are available at https://www.regulations.gov/docket/HHS-OCR-2022-0018/comments.
---------------------------------------------------------------------------

    The provisions of the proposed rule and the public comments 
received that were within the scope of the proposed rule are described 
in more detail below in sections III and IV.

B. Severability

    In this final rule, we adopt modifications to 42 CFR part 2 that 
support a unified scheme of privacy protections for part 2 records. 
While the unity and comprehensiveness of this scheme maximizes its 
utility, we clarify that its constituent elements operate independently 
to protect patient privacy. Were a provision of this regulation stayed 
or invalidated by a reviewing court, the provisions that remain in 
effect would continue to provide vital patient privacy protections. For 
example, the essential part 2 provisions concerning such issues as 
restrictions on use of part 2 records in criminal, civil, and 
administrative proceedings and written consent requirements would 
remain in effect even if certain other provisions, such as the 
limitation on civil or criminal liability in Sec.  2.3(b), were no 
longer in effect. Similarly, the provisions regulating different forms 
of conduct under part 2 (e.g., use, disclosure, consent requirements) 
each provide distinct benefits for patient privacy. Thus, we consider 
the provisions adopted in this final rule to be severable, both 
internally within this final rule and from the other provisions in part 
2, and the Department's intent is to preserve the rule in its entirety, 
and each independent provision of the rule, to the fullest extent 
possible.
    Accordingly, any provision of 42 CFR part 2 that is held to be 
invalid or unenforceable by its terms, or as applied to any person or 
circumstance, should be construed so as to give maximum effect to the 
provision permitted by law, unless such holding is one of utter 
invalidity or unenforceability, in which event the provision is 
intended to be severable from this part and not affect the remainder 
thereof or the application of the provision to other persons not 
similarly situated or to other dissimilar circumstances.

C. Summary of the Major Provisions

    After consideration of the public comments received in response to 
the NPRM, the Department is issuing this final rule as follows: \10\
---------------------------------------------------------------------------

    \10\ Additional revisions are not listed here because they are 
not considered major. Generally, the proposals not listed make non-
substantive changes. These proposals are reviewable in section IV 
and the amendatory language in the last section of the final rule 
and include proposals to modify Sec.  2.17 (Undercover agents and 
informants); Sec.  2.20 (Relationship to state laws); Sec.  2.21 
(Relationship to Federal statutes protecting research subjects 
against compulsory disclosure of their identity); and Sec.  2.34 
(Uses and Disclosures to prevent multiple enrollments).
---------------------------------------------------------------------------

1. Section 2.1--Statutory Authority for Confidentiality of Substance 
Use Disorder Patient Records
    Finalizes Sec.  2.1 to more closely reflect the authority granted 
in 42 U.S.C. 290dd-2(g), including with respect to court orders 
authorizing the disclosure of records under 42 U.S.C. 290dd-2(b)(2)(C).
2. Section 2.2--Purpose and Effect
    Finalizes paragraph (b) of Sec.  2.2 to compel disclosures to the 
Secretary \11\ that are necessary for enforcement of this rule, using 
language adapted from the HIPAA Privacy Rule at 45 CFR 
164.502(a)(2)(ii). Finalizes a new paragraph (b)(3) that prohibits any 
limits on a patient's right to request restrictions on use of records 
for TPO or a covered entity's \12\ choice to obtain consent to use or 
disclose records for TPO purposes as provided in the HIPAA Privacy 
Rule. References ``use and disclosure'' in Sec.  2.2(a) and (b). 
Removes reference to criminal penalty and finalizes new paragraph 
(b)(3).
---------------------------------------------------------------------------

    \11\ Unless otherwise stated, ``Secretary'' as used in this rule 
refers to the Secretary of HHS.
    \12\ Covered entities are health care providers who transmit 
health information electronically in connection with any transaction 
for which the Department has adopted an electronic transaction 
standard, health plans, and health care clearinghouses. See 45 CFR 
160.103 (definition of ``Covered entity'').
---------------------------------------------------------------------------

3. Section 2.3--Civil and Criminal Penalties for Violations
    Finalizes the heading of this section as above. This section as 
finalized now references the HIPAA enforcement authorities in the 
Social Security Act at sections 1176 (civil enforcement, including the 
culpability tiers established by the Health Information Technology for 
Economic and Clinical Health (HITECH) Act of 2009) and 1177 (criminal 
penalties),\13\ as implemented in the HIPAA Enforcement Rule.\14\ 
Paragraph (b) includes a limitation on civil or criminal liability 
(``safe harbor'') under part 2 for investigative agencies that act with 
reasonable diligence before making a demand for records in the course 
of an investigation or prosecution of a part 2 program or person 
holding the record, provided that certain conditions are met.\15\ 
Further modifies the ``reasonable diligence'' steps to mean taking all 
of the following actions: searching for the practice or provider among 
the SUD treatment facilities in SAMHSA's online treatment locator; 
searching in a similar state database of treatment facilities where 
available; checking a practice or program's website, where available, 
or physical location; viewing the entity's Patient Notice or HIPAA NPP 
if it is available; and taking all these steps within no more than 60 
days before requesting records or placing an undercover agent or 
informant. Updates language referring to enforcement, now set forth in 
paragraph (c).
---------------------------------------------------------------------------

    \13\ See Public Law 111-5, 123 Stat. 226 (Feb. 17, 2009). 
Section 13410 of the HITECH Act (codified at 42 U.S.C. 17939) 
amended sections 1176 and 1177 of the Social Security Act (codified 
at 42 U.S.C. 1320d-5 and 1320d-6) to add civil and criminal penalty 
tiers for violations of the HIPAA Administrative Simplification 
provisions.
    \14\ See 45 CFR part 160 subparts C, D, and E.
    \15\ Although this provision is not expressly required by the 
CARES Act, it falls within the Department's general rulemaking 
authority in 42 U.S.C. 290dd-2(g), and is needed to address the 
logical consequences of the changes required by sec. 3221.
---------------------------------------------------------------------------

4. Section 2.4--Complaints of Noncompliance
    Modifies the heading to refer to ``Complaints of noncompliance.'' 
Finalizes inclusion of requirements consistent with those applicable to 
HIPAA complaints under 45 CFR 164.530(d), (g), and (h), including: a 
requirement for a part 2 program to establish a process to receive 
complaints. Adds a new provision permitting patients to file complaints 
with the Secretary in the same manner as under 45 CFR 160.306. 
Finalizes a prohibition against taking adverse action against patients 
who file complaints and a prohibition against requiring patients to 
waive the right to file a complaint as a condition of providing 
treatment, enrollment, payment, or eligibility for services.
5. Section 2.11--Definitions
    Finalizes definitions of the following terms within this part 
consistent with the NPRM: ``Breach,'' ``Business associate,'' ``Covered 
entity,'' ``Health

[[Page 12475]]

care operations,'' ``HIPAA,'' ``HIPAA regulations,'' ``Informant,'' 
``Part 2 program director,'' ``Program,'' ``Payment,'' ``Person,'' 
``Public health authority,'' ``Records,'' ``Substance use disorder 
(SUD),'' ``Third-party payer,'' ``Treating provider relationship,'' 
``Treatment,'' ``Unsecured protected health information,'' ``Unsecured 
record,'' and ``Use.'' Adds a definition of ``Substance Use Disorder 
(SUD) counseling notes'' on which input was requested in the NPRM. Adds 
new definitions of ``Lawful holder'' and ``Personal representative.'' 
Adopts a revised definition of ``Intermediary,'' but with an exclusion 
for part 2 programs, covered entities, and business associates. 
Modifies definition of ``Investigative agency'' to reference state, 
local, territorial, and Tribal investigative agencies. Modifies 
definition of ``Patient identifying information'' to ensure consistency 
with the de-identification standard incorporated into this final rule. 
Modifies the proposed definition of ``Qualified Service Organization'' 
(QSO) to expressly include business associates as QSOs where the QSO 
meets the definition of business associate for a covered entity that is 
also a part 2 program.
6. Section 2.12--Applicability
    Replaces ``Armed Forces'' with ``Uniformed Services'' in paragraphs 
(b)(1) and (c)(2) of Sec.  2.12. Incorporates four statutory examples 
of restrictions on the use or disclosure of part 2 records to initiate 
or substantiate any criminal charges against a patient or to conduct 
any criminal investigation of a patient. Adds language to qualify the 
term ``Third-party payer'' with the phrase ``as defined in this part.'' 
Specifies that a part 2 program, covered entity, or business associate 
\16\ that receives records based on a single consent for all future 
uses and disclosures for TPO is not required to segregate or segment 
such records. Revises paragraph (e)(4)(i) to clarify when a diagnosis 
is not covered by part 2.
---------------------------------------------------------------------------

    \16\ A business associate is a person, other than a workforce 
member, that performs certain functions or activities for or on 
behalf of a covered entity, or that provides certain services to a 
covered entity involving the disclosure of PHI to the person. See 45 
CFR 160.103 (definition of ``Business associate'').
---------------------------------------------------------------------------

7. Section 2.13--Confidentiality Restrictions and Safeguards
    Finalizes the redesignation of Sec.  2.13(d) requiring a list of 
disclosures as new Sec.  2.24 and modifies the text for clarity.
8. Section 2.14--Minor Patients
    Finalizes the change of the verb ``judges'' to ``determines'' to 
describe a part 2 program director's evaluation and decision that a 
minor lacks decision making capacity.
9. Section 2.15--Patients Who Lack Capacity and Deceased Patients
    Finalizes changes proposed in the NPRM. Changes the heading as 
above. Replaces outdated terminology and clarifies that paragraph (a) 
of this section refers to an adjudication by a court of a patient's 
lack of capacity to make health care decisions while paragraph (b) 
refers to a patient's lack of capacity to make health care decisions 
without court adjudication. Clarifies consent for uses and disclosures 
of records by personal representatives for patients who lack capacity 
to make health care decisions in paragraph (a) and deceased patients in 
paragraph (b)(2).
10. Section 2.16--Security for Records and Notification of Breaches
    Finalizes changes proposed in the NPRM. Changes the heading as 
above. Finalizes the de-identification provision to align with the 
HIPAA Privacy Rule standard at 45 CFR 164.514. Creates an exception to 
the requirement that part 2 programs and lawful holders create policies 
and procedures to secure records that applies to family, friends, and 
other informal caregivers who are lawful holders as defined in this 
regulation. Applies the HITECH Act breach notification provisions \17\ 
that are currently implemented in the HIPAA Breach Notification Rule to 
breaches of records by part 2 programs. Modifies the exemption for 
lawful holders by exempting them from Sec.  2.16(a) instead of only 
paragraph (a)(1).
---------------------------------------------------------------------------

    \17\ Section 13400 of the HITECH Act (codified at 42 U.S.C. 
17921) defined the term ``Breach''. Section 13402 of the HITECH Act 
(codified at 42 U.S.C. 17932) enacted breach notification 
provisions, discussed in detail below.
---------------------------------------------------------------------------

11. Section 2.19--Disposition of Records by Discontinued Programs
    Finalizes an exception to clarify that these provisions do not 
apply to transfers, retrocessions, and reassumptions of part 2 programs 
pursuant to the Indian Self-Determination and Education Assistance Act 
(ISDEAA), to facilitate the responsibilities set forth in 25 U.S.C. 
5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C. 5324(e), 25 U.S.C. 5330, 25 
U.S.C. 5386(f), 25 U.S.C. 5384(d), and the implementing ISDEAA 
regulations. Updates the language to refer to ``non-electronic'' 
records and include ``paper'' records as an example of non-electronic 
records.
12. Section 2.22--Notice to Patients of Federal Confidentiality 
Requirements
    Finalizes proposed changes to requirements for notice to patients 
of Federal confidentiality requirements (hereinafter, ``Patient 
Notice'') to address protections required by 42 U.S.C. 290dd-2, as 
amended by section 3221 of the CARES Act. Modifies the statement of a 
patient's right to discuss the notice with a designated contact person 
by permitting the part 2 program to list an office rather than naming a 
person. Further modifies the list of patient rights to include the 
following: (1) a right to a list of disclosures by an intermediary for 
the past 3 years as provided in Sec.  2.24 (moved from the consent 
requirements in Sec.  2.31); and (2) a right to elect not to receive 
any fundraising communications to fundraise for the benefit of the part 
2 program. Further modifies the fundraising provision by replacing the 
proposed requirement to obtain patient consent with a requirement to 
provide individuals with the opportunity to opt out of receiving 
fundraising communications, which more closely aligns with the HIPAA 
regulations. Clarifies that a court order authorizing use or disclosure 
must be accompanied by a subpoena or similar legal mandate compelling 
disclosure.
13. Section 2.23--Patient Access and Restrictions on Use and Disclosure
    Finalizes the heading as above. Adds the term ``disclosure'' to the 
heading and body of this section to clarify that information obtained 
by patient access to their record may not be used or disclosed for 
purposes of a criminal charge or criminal investigation.
14. Section 2.24--Requirements for Intermediaries
    Finalizes the retitling of the redesignated section that is moved 
from Sec.  2.13(d) as above to clarify the responsibilities of 
recipients of records received under a consent with a general 
designation (other than part 2 programs, covered entities, and business 
associates), such as research institutions, accountable care 
organizations (ACOs), and care management organizations.
15. Section 2.25--Accounting of Disclosures
    Finalizes this new section to implement 42 U.S.C. 290dd-2(b)(1)(B), 
as amended by the section 3221 of the CARES Act, to add a right to an

[[Page 12476]]

accounting of all disclosures made with consent for up to three years 
prior to the date the accounting is requested. A separate provision 
applies to disclosures for TPO purposes made through an EHR. The 
compliance date for Sec.  2.25 is tolled until the HIPAA Accounting of 
Disclosures provision at 45 CFR 164.528 is revised to address 
accounting for TPO disclosures made through an EHR.
16. Section 2.26--Right To Request Privacy Protection for Records
    Finalizes this new section to implement 42 U.S.C. 290dd-2(b)(1)(B), 
as amended by the section 3221 of the CARES Act, to incorporate into 
part 2 the rights set forth in the HIPAA Privacy Rule at 45 CFR 
164.522, including: (1) a patient right to request restrictions on 
disclosures of records otherwise permitted for TPO purposes, and (2) a 
patient right to obtain restrictions on disclosures to health plans for 
services paid in full by the patient.
17. Subpart C--Uses and Disclosures With Patient Consent
    Finalizes change to the heading of subpart C as above to reflect 
changes made to the provisions of this subpart related to the consent 
to use and disclose part 2 records, consistent with 42 U.S.C. 290dd-
2(b), as amended by the section 3221(b) of the CARES Act.
18. Section 2.31--Consent Requirements
    Finalizes the proposed alignment of the content requirements for 
part 2 written consent with the content requirements for a valid HIPAA 
authorization and clarifies how recipients may be designated in a 
consent to use and disclose part 2 records for TPO. Further modifies 
the rule by replacing the proposed requirement to obtain consent for 
fundraising with an opportunity for the patient to opt out. Adds 
consent provisions for uses and disclosures of SUD counseling notes, 
and adds an express requirement for separate consent for use and 
disclosure of records in civil, criminal, administrative, or 
legislative proceedings.
19. Section 2.32--Notice and Copy of Consent To Accompany Disclosure
    Further modifies the proposed heading to read as above by inserting 
``and copy of consent''. Finalizes the proposed alignment of the 
content requirements for the required notice that accompanies a 
disclosure of records (hereinafter ``Notice to Accompany Disclosure'') 
with the requirements of 42 U.S.C. 290dd-2(b), as amended by section 
3221(b) of the CARES Act. Further modifies this section by creating a 
new requirement that each disclosure made with the patient's written 
consent must be accompanied by a copy of the consent or a clear 
explanation of the scope of the consent provided.
20. Section 2.33--Uses and Disclosures Permitted With Written Consent
    Changes the heading as proposed, to read as above. Aligns this 
provision with the statutory authority in 42 U.S.C. 290dd-2(b)(1), as 
amended by section 3221(b) of the CARES Act. Replaces the provisions 
requiring consent for uses and disclosures for payment and certain 
health care operations with permission to use and disclose records for 
TPO with a single consent given once for all such future uses and 
disclosures (``TPO consent'') as permitted by the HIPAA regulations, 
until such time as the patient revokes the consent in writing. 
Finalizes proposed redisclosure permissions for three categories of 
recipients of part 2 records pursuant to a written consent with some 
additional modifications to limit the ability to redisclose part 2 
records in accordance with HIPAA to covered entities and business 
associates, as follows: (1) permits a covered entity or business 
associate that receives part 2 records pursuant to a TPO consent to 
redisclose the records in accordance with the HIPAA regulations, except 
for certain proceedings against the patient; \18\ (2) permits a part 2 
program that is not a covered entity to redisclose records received 
pursuant to a TPO consent according to the consent; and (3) permits a 
lawful holder that is not a covered entity or business associate to 
redisclose part 2 records for payment and health care operations to its 
contractors, subcontractors, or legal representatives as needed to 
carry out the activities specified in the consent. Finalizes the 
contracting requirements in paragraph (c) to exclude covered entities 
and business associates because they are subject to HIPAA business 
associate agreement requirements.
---------------------------------------------------------------------------

    \18\ See 42 U.S.C. 290dd-2(b)(1)(B) and (c).
---------------------------------------------------------------------------

21. Section 2.35--Disclosures to Elements of the Criminal Justice 
System Which Have Referred Patients
    Finalizes the proposals to replace ``individuals'' with ``persons'' 
and clarifies that permitted redisclosures of information are from part 
2 records.
22. Subpart D--Uses and Disclosures Without Patient Consent
    Finalizes the proposal to change the heading of subpart D to 
reflect changes made to the provisions of this subpart related to the 
consent to use and disclose part 2 records, consistent with 42 U.S.C. 
290dd-2 as amended by the CARES Act.
23. Section 2.51--Medical Emergencies
    Finalizes the proposal to replace the term ``individual'' with the 
term ``person'' in Sec.  2.51(c)(2).
24. Section 2.52--Scientific Research
    Finalizes the proposed modifications to the heading as above to 
reflect statutory language. The final rule further aligns with the 
HIPAA Privacy Rule by replacing the requirements to render part 2 data 
in research reports non-identifiable with the HIPAA Privacy Rule's de-
identification standard in 45 CFR 164.514.
25. Section 2.53--Management Audits, Financial Audits, and Program 
Evaluation
    Finalizes changes as proposed. Modifies the heading to reflect 
statutory language. To support implementation of 42 U.S.C. 290dd-
2(b)(1), as amended by section 3221(b) of the CARES Act, adds a 
provision to acknowledge the permission to use and disclose records for 
health care operations purposes based on written consent of the patient 
and the permission to redisclose such records as permitted by the HIPAA 
Privacy Rule if the recipient is a part 2 program, covered entity, or 
business associate.
26. Section 2.54--Disclosures for Public Health
    Finalizes the proposed addition of this section to implement 42 
U.S.C. 290dd-2(b)(2)(D), as amended by section 3221(c) of the CARES 
Act, to permit the disclosure of records without patient consent to 
public health authorities provided that the records disclosed are de-
identified according to the standards established in section 45 CFR 
164.514.
27. Subpart E--Court Orders Authorizing Use and Disclosure
    Finalizes proposed modifications to the heading of subpart E as 
above to reflect changes made to the provisions of this subpart related 
to the uses and disclosure of part 2 records in proceedings consistent 
with 42 U.S.C. 290dd-2(b) and (2)(c), as amended by sections 3221(b) 
and (e) of the CARES Act.
28. Section 2.62--Order Not Applicable to Records Disclosed Without 
Consent to Researchers, Auditors, and Evaluators
    Finalizes the proposed replacement of the term ``qualified 
personnel'' with a

[[Page 12477]]

reference to the criteria that define such persons and adds a reference 
to Sec.  2.53 as a technical edit.
29. Section 2.63--Confidential Communications
    Finalizes proposed changes to paragraph (a)(3) of Sec.  2.63 to 
expressly include civil, criminal, administrative, and legislative 
proceedings as forums where the requirements for a court order under 
this part would apply, to implement 42 U.S.C. 290dd-2(c), as amended by 
section 3221(c) of the CARES Act.
30. Section 2.64--Procedures and Criteria for Orders Authorizing Uses 
and Disclosures for Noncriminal Purposes
    Finalizes proposed changes that expand the types of forums where 
restrictions on use and disclosure of records in civil proceedings 
against patients apply \19\ to expressly include administrative and 
legislative proceedings and also restricts the use of testimony 
conveying information in a record in civil proceedings against 
patients, absent consent or a court order.
---------------------------------------------------------------------------

    \19\ See 42 CFR part 2, subpart E.
---------------------------------------------------------------------------

31. Section 2.65--Procedures and Criteria for Orders Authorizing Use 
and Disclosure of Records To Criminally Investigate or Prosecute 
Patients
    Finalizes changes as proposed. Modifies the heading as above. 
Expands the types of forums where restrictions on uses and disclosure 
of records in criminal proceedings against patients apply \20\ to 
expressly include administrative and legislative proceedings and also 
restricts the use of testimony conveying information in a part 2 record 
in criminal proceedings against patients, absent consent or a court 
order.
---------------------------------------------------------------------------

    \20\ Id.
---------------------------------------------------------------------------

32. Section 2.66--Procedures and Criteria for Orders Authorizing Use 
and Disclosure of Records To Investigate or Prosecute a Part 2 Program 
or the Person Holding the Records
    Finalizes changes as proposed and adds new changes. Modifies the 
heading as above. Finalizes requirements for investigative agencies to 
follow in the event that they discover in good faith that they received 
part 2 records during an investigation or prosecution of a part 2 
program or the person holding the records, in order to seek a court 
order as required under Sec.  2.66. Adds a further modification to 
provide that information from records obtained in violation of this 
part cannot be used in an application for a court order to obtain such 
records.
33. Section 2.67--Orders Authorizing the Use of Undercover Agents and 
Informants To Investigate Employees or Agents of a Part 2 Program in 
Connection With a Criminal Matter
    Finalizes proposed criteria for issuance of a court order in 
instances where an application is submitted after the placement of an 
undercover agent or informant has already occurred, requiring an 
investigative agency to satisfy the conditions at Sec.  2.3(b). Adds a 
further modification to provide that information from records obtained 
in violation of this part cannot be used in an application for a court 
order to obtain such records.
34. Section 2.68--Report to the Secretary
    Finalizes the proposed requirement for investigative agencies to 
file annual reports about the instances in which they applied for a 
court order after receipt of part 2 records or placement of an 
undercover agent or informant as provided in Sec. Sec.  2.66(a)(3) and 
2.67(c)(4).
35. General Changes To Use and Disclosure
    Finalizes proposed changes to re-order ``disclosure and use'' to 
``use and disclosure'' throughout the regulation consistent with their 
usage in the HIPAA Privacy Rule which generally regulates the ``use and 
disclosure'' of PHI and relies on the phrase as a term of art.\21\ 
Inserts ``use'' or ``disclose'' to reflect the scope of activity that 
is the subject of the regulatory provision.
---------------------------------------------------------------------------

    \21\ See, e.g., 45 CFR 164.502, Uses and disclosures of 
protected health information: General rules.
---------------------------------------------------------------------------

D. Summary of the Costs and Benefits of the Major Provisions

    This final rule is anticipated to have an annual effect on the 
economy of $12,720,000 in the first year of the rule, followed by net 
savings in years two through five, resulting in overall net cost 
savings of $8,445,706 over five years. The Office of Management and 
Budget (OMB) has determined that this proposed rule is a significant 
regulatory action under section 3(f) of E.O. 12866, but not under 
section 3(f)(1).
    Accordingly, the Department has prepared a Regulatory Impact 
Analysis (RIA) that presents the estimated costs and benefits of the 
rule.

II. Statutory and Regulatory Background

Confidentiality of SUD Records

    Congress enacted the first Federal confidentiality protections for 
SUD records in section 333 of the Comprehensive Alcohol Abuse and 
Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970.\22\ 
This statute authorized ``persons engaged in research on, or treatment 
with respect to, alcohol abuse and alcoholism to protect the privacy of 
individuals who [were] the subject of such research or treatment'' from 
persons not connected with the conduct of the research or treatment by 
withholding identifying information.
---------------------------------------------------------------------------

    \22\ See sec. 333, Public Law 91-616, 84 Stat. 1853 (Dec. 31, 
1970) (codified at 42 U.S.C. 2688h).
---------------------------------------------------------------------------

    Section 408 of the Drug Abuse Office and Treatment Act of 1972 \23\ 
applied confidentiality requirements to records relating to drug abuse 
prevention authorized or assisted under any provision of the Act. 
Section 408 permitted disclosure, with a patient's written consent, for 
diagnosis or treatment by medical personnel and to government personnel 
for obtaining patient benefits to which the patient is entitled. The 
1972 Act also established exceptions to the consent requirement to 
permit disclosures for bona fide medical emergencies; to qualified 
personnel for conducting certain activities, such as scientific 
research or financial audit or program evaluation, as long as the 
patient is not identified in any reports; and as authorized by court 
order granted after application showing good cause.\24\
---------------------------------------------------------------------------

    \23\ See sec. 408, Public Law 92-255, 86 Stat. 65 (Mar. 21, 
1972) (codified at 21 U.S.C. 1175). Section 408 also prohibited the 
use of a covered record for use or initiation or substantiation of 
criminal charges against a patient or investigation of a patient. 
Section 408 provided for a fine in the amount of $500 for a first 
offense violation, and not more than $5,000 for each subsequent 
offense.
    \24\ Id.
---------------------------------------------------------------------------

    The Comprehensive Alcohol Abuse and Alcoholism Prevention, 
Treatment, and Rehabilitation Act Amendments of 1974 \25\ expanded the 
types of records protected by confidentiality restrictions to include 
records relating to ``alcoholism,'' ``alcohol abuse'', and ``drug 
abuse'' maintained in connection with any program or activity 
conducted,

[[Page 12478]]

regulated, or directly or indirectly federally assisted by any United 
States agency. The 1974 Act also permitted the disclosure of records 
based on prior written patient consent only to the extent such 
disclosures were allowed under Federal regulations. Additionally, the 
1974 Act excluded the interchange of records within the Armed Forces or 
components of the U.S. Department of Veterans Affairs (VA), then known 
as the Veterans' Administration, from the confidentiality 
restrictions.\26\
---------------------------------------------------------------------------

    \25\ See sec. 101, title I, Public Law 93-282, 88 Stat. 126 (May 
14, 1974) (codified at 42 U.S.C. 4541 note), providing that: ``This 
title [enacting this section and sections 4542, 4553, 4576, and 4577 
of this title, amending sections 242a, 4571, 4572, 4573, 4581, and 
4582 of this title, and enacting provisions set out as notes under 
sections 4581 and 4582 of this title] may be cited as the 
`Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, 
and Rehabilitation Act Amendments of 1974'.''
    \26\ See sec. 408, title I, Public Law 92-255, 86 Stat. 79 (Mar. 
21, 1972) (originally codified at 21 U.S.C. 1175). See 21 U.S.C. 
1175 note for complete statutory history.
---------------------------------------------------------------------------

    In 1992, section 131 of the Alcohol, Drug Abuse, and Mental Health 
Administration Reorganization Act (ADAMHA Reorganization Act) \27\ 
added section 543, Confidentiality of Records, to the Public Health 
Service Act (PHSA) \28\ (``part 2 statute''), which narrowed the 
grounds upon which a court could grant an order permitting disclosure 
of such records from ``good cause'' (i.e., based on weighing the public 
interest in the need for disclosure against the injury to the patient, 
physician patient relationship, and treatment services) \29\ to ``the 
need to avert a substantial risk of death or serious bodily harm.'' 
\30\ Congress also established criminal penalties for part 2 violations 
under title 18 of the United States Code, Crimes and Criminal 
Procedure.\31\ Finally, section 543 granted broad authority to the 
Secretary of HHS to prescribe regulations to carry out the purposes of 
section 543 and provide for safeguards and procedures, including 
criteria for the issuance and scope of court orders to authorize 
disclosure of SUD records, ``as in the judgment of the Secretary are 
necessary or proper to effectuate the purposes of this section, to 
prevent circumvention or evasion thereof, or to facilitate compliance 
therewith.'' \32\
---------------------------------------------------------------------------

    \27\ See sec. 131, Public Law 102-321, 106 Stat. 323 (July 10, 
1992) (codified at 42 U.S.C. 201 note).
    \28\ Codified at 42 U.S.C. 290dd-2.
    \29\ See sec. 333, Public Law 91-616, 84 Stat. 1853 (Dec. 31, 
1970).
    \30\ See sec. 131, Public Law 102-321, 106 Stat. 323 (July 10, 
1992) (codified at 42 U.S.C. 201 note).
    \31\ Id., adding sec. 543(b)(2)(C) to the PHSA.
    \32\ Id., adding sec. 543(g) to the PHSA.
---------------------------------------------------------------------------

    In 1975, the Department promulgated the first Federal regulations 
implementing statutory SUD confidentiality provisions at 42 CFR part 
2.\33\ In 1987, the Department published a final rule making 
substantive changes to the scope of part 2 to clarify the regulations 
and ease the burden of compliance by part 2 programs within the 
parameters of the existing statutory restrictions.\34\ After the 1992 
enactment of the ADAMHA Reorganization Act, the Department later 
clarified the definition of ``program'' in a 1995 final rule to narrow 
the scope of part 2 regulations pertaining to medical facilities to 
cover identified units within general medical facilities which holds 
themselves out as providing, and provide SUD treatment and medical 
personnel or other staff in a general medical care facility whose 
primary function is the provision of SUD diagnosis, treatment or 
referral for treatment and who are identified as such providers.\35\
---------------------------------------------------------------------------

    \33\ See 40 FR 27802 (July 1, 1975).
    \34\ See 52 FR 21796 (June 9, 1987). See also Notice of Decision 
to Develop Regulations, 45 FR 53 (Jan. 2, 1980) and (Aug. 25, 1983).
    \35\ See 60 FR 22296 (May 5, 1995). See also 59 FR 42561 (Aug. 
18, 1994) and 59 FR 45063 (Aug. 31, 1994). The ambiguity of the 
definition of ``program'' was identified in United States v. Eide, 
875 F. 2d 1429 (9th Cir. 1989) where the court held that the general 
emergency room is a ``program'' as defined by the regulations.
---------------------------------------------------------------------------

HIPAA and the HITECH Act

    In 1996, Congress enacted HIPAA,\36\ which included Administrative 
Simplification provisions requiring the establishment of national 
standards \37\ to protect the privacy and security of individuals' PHI 
and establishing civil money and criminal penalties for violations of 
the requirements, among other provisions.\38\ The Administrative 
Simplification provisions and implementing regulations apply to covered 
entities, which are health care providers who conduct covered health 
care transactions electronically, health plans, and health care 
clearinghouses.\39\ Certain provisions of the HIPAA regulations also 
apply directly to ``business associates'' of covered entities.\40\
---------------------------------------------------------------------------

    \36\ See Public Law 104-191, 110 Stat. 1936 (Aug. 21, 1996).
    \37\ See the Administrative Simplification provisions of title 
II, subtitle F, of HIPAA, supra note 4. See also sec. 264 of HIPAA 
(codified at 42 U.S.C. 1320d-2 note). See also, Centers for Medicare 
& Medicaid Services, ``HIPAA and Administrative Simplification'' 
(Sept. 6, 2023), https://www.cms.gov/about-cms/what-we-do/administrative-simplification/hipaa/statutes-regulations.
    \38\ See 42 U.S.C. 1320d-1-1320d-9. With respect to privacy 
standards, Congress directed the Department to ``address at least 
the following: (1) The rights that an individual who is a subject of 
individually identifiable health information should have. (2) The 
procedures that should be established for the exercise of such 
rights. (3) The uses and disclosures of such information that should 
be authorized or required.'' 42 U.S.C. 1320d-2 note.
    \39\ See 42 U.S.C. 1320d-1 (applying Administrative 
Simplification provisions to covered entities).
    \40\ See ``Office for Civil Rights Fact Sheet on Direct 
Liability of Business Associates under HIPAA'' (May 2019) for a 
comprehensive list of requirements in the HIPAA regulations that 
apply directly to business associates, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html.
---------------------------------------------------------------------------

    The HIPAA Privacy Rule, including provisions implemented as a 
result of the HITECH Act,\41\ regulates the use and disclosure of PHI 
by covered entities and business associates, requires covered entities 
to have safeguards in place to protect the privacy of PHI, and requires 
covered entities to obtain the written authorization of an individual 
to use and disclose the individual's PHI unless the use or disclosure 
is otherwise required or permitted by the HIPAA Privacy Rule.\42\ The 
HIPAA Privacy Rule includes several use and disclosure permissions that 
are relevant to this NPRM, including the permissions for covered 
entities to use and disclose PHI without written authorization from an 
individual for TPO; \43\ to public health authorities for public health 
purposes; \44\ and for research in the form of a limited data set \45\ 
or pursuant to a waiver of authorization by a Privacy Board or 
Institutional Review Board.\46\ The HIPAA Privacy Rule also establishes 
the rights of individuals with respect to their PHI, including the 
rights to: receive adequate notice of a covered entity's privacy 
practices; request restrictions of certain uses and disclosures; access 
(i.e., to inspect and obtain a copy of) their PHI; request an amendment 
of their PHI; and receive an accounting of certain disclosures of their 
PHI.\47\ Finally, the HIPAA Privacy Rule specifies standards for de-
identification of PHI such that, when implemented, the information is 
no longer individually identifiable health

[[Page 12479]]

information subject to the HIPAA regulations.\48\
---------------------------------------------------------------------------

    \41\ The HITECH Act extended the applicability of certain HIPAA 
Privacy Rule requirements and all of the HIPAA Security Rule 
requirements to the business associates of covered entities; 
required HIPAA covered entities and business associates to provide 
for notification of breaches of unsecured PHI (implemented by the 
HIPAA Breach Notification Rule); established new limitations on the 
use and disclosure of PHI for marketing and fundraising purposes; 
prohibited the sale of PHI; required consideration of whether a 
limited data set can serve as the minimum necessary amount of 
information for uses and disclosures of PHI; and expanded 
individuals' rights to access electronic copies of their PHI in an 
electronic health record (EHR), to receive an accounting of 
disclosures of their PHI with respect to electronic PHI (ePHI), and 
to request restrictions on certain disclosures of PHI to health 
plans. In addition, subtitle D strengthened and expanded HIPAA's 
enforcement provisions. See subtitle D of title XIII of the HITECH 
Act, entitled ``Privacy'', for all provisions (codified in title 42 
of U.S.C.).
    \42\ See 45 CFR 164.502(a).
    \43\ See 45 CFR 164.506.
    \44\ See 45 CFR 164.512(b).
    \45\ See 45 CFR 164.514(e)(1) through (4).
    \46\ See 45 CFR 164.512(i).
    \47\ See 45 CFR 164.520, 164.522, 164.524, 164.526 and 164.528.
    \48\ See 45 CFR 164.514(a) through (c).
---------------------------------------------------------------------------

    The HIPAA Security Rule, codified at 45 CFR parts 160 and 164, 
subparts A and C, requires covered entities and their business 
associates to implement administrative, physical, and technical 
safeguards to protect electronic PHI (ePHI). Specifically, covered 
entities and business associates must ensure the confidentiality, 
integrity, and availability of all ePHI they create, receive, maintain, 
or transmit; \49\ protect against reasonably anticipated threats or 
hazards to the security or integrity of the information \50\ and 
reasonably anticipated impermissible uses or disclosures; \51\ and 
ensure compliance by their workforce.\52\
---------------------------------------------------------------------------

    \49\ See 45 CFR 164.306(a)(1).
    \50\ See 45 CFR 164.306(a)(2).
    \51\ See 45 CFR 164.306(a)(3).
    \52\ See 45 CFR 164.306(a)(4).
---------------------------------------------------------------------------

    The HIPAA Breach Notification Rule, codified at 45 CFR parts 160 
and 164, subparts A and D, implements HITECH Act requirements \53\ for 
covered entities to provide notification to affected individuals, the 
Secretary, and in some cases the media, following a ``breach'' of 
unsecured PHI. The HIPAA Breach Notification Rule also requires a 
covered entity's business associate that experiences a breach of 
unsecured PHI to notify the covered entity of the breach. A breach is 
the acquisition, access, use, or disclosure of PHI in a manner not 
permitted by the HIPAA Privacy Rule that compromises the security or 
privacy of ``unsecured'' PHI, subject to three exceptions: \54\ (1) the 
unintentional acquisition, access, or use of PHI by a workforce member 
or person acting under the authority of a covered entity or business 
associate, if such acquisition, access, or use was made in good faith 
and within the scope of authority; (2) the inadvertent disclosure of 
PHI by a person authorized to access PHI at a covered entity or 
business associate to another person authorized to access PHI at the 
covered entity or business associate, or organized health care 
arrangement in which the covered entity participates; and (3) the 
covered entity or business associate making the disclosure has a good 
faith belief that the unauthorized person to whom the impermissible 
disclosure was made, would not reasonably have been able to retain the 
information.
---------------------------------------------------------------------------

    \53\ See sec. 13402 of the HITECH Act (codified at 42 U.S.C. 
17932).
    \54\ See 45 CFR 164.402, ``breach'', paragraph (1).
---------------------------------------------------------------------------

    The HIPAA Breach Notification Rule provides that a covered entity 
may rebut the presumption that such impermissible use or disclosure 
constituted a breach by demonstrating that there is a low probability 
that PHI has been compromised based on a risk assessment of at least 
four required factors: (1) the nature and extent of the PHI involved, 
including the types of identifiers and the likelihood of re-
identification; (2) the unauthorized person who used the PHI or to whom 
the disclosure was made; (3) whether the PHI was actually acquired or 
viewed; and (4) the extent to which the risk to the PHI has been 
mitigated.\55\
---------------------------------------------------------------------------

    \55\ Id. paragraph (2).
---------------------------------------------------------------------------

    The HIPAA Enforcement Rule, codified at 45 CFR part 160 subparts C, 
D, and E, includes standards and procedures relating to investigations 
into complaints about noncompliance with the HIPAA regulation, 
compliance reviews, the imposition of CMPs, and procedures for 
hearings. The HIPAA Enforcement Rule states generally that the 
Secretary will impose a CMP upon a covered entity or business associate 
if the Secretary determines that the covered entity or business 
associate violated a HIPAA Administrative Simplification provision.\56\ 
However, the HIPAA Enforcement Rule also provides for informal 
resolution of potential noncompliance,\57\ which occurs through 
voluntary compliance by the regulated entity, corrective action, or a 
resolution agreement with the payment of a settlement amount to HHS 
Office for Civil Rights (OCR).
---------------------------------------------------------------------------

    \56\ Criminal penalties may be imposed by the Department of 
Justice for certain violations under 42 U.S.C. 1320d-6.
    \57\ See 45 CFR 160.304. See also 45 CFR 160.416 and 160.514.
---------------------------------------------------------------------------

    The Department promulgated or modified key provisions of the HIPAA 
regulations as part of the ``Modifications to the HIPAA Privacy, 
Security, Enforcement, and Breach Notification Rules Under the Health 
Information Technology for Economic and Clinical Health Act and the 
Genetic Information Nondiscrimination Act, and Other Modifications to 
the HIPAA Rules'' final rule (``2013 Omnibus Final Rule''),\58\ in 
which the Department implemented applicable provisions of the HITECH 
Act, among other modifications. For example, the Department 
strengthened privacy and security protections for PHI, finalized breach 
notification requirements, and enhanced enforcement by increasing 
potential CMPs for violations, including establishing tiers of 
penalties based on a covered entity's or business associate's level of 
culpability.\59\
---------------------------------------------------------------------------

    \58\ 78 FR 5566 (Jan. 25, 2013).
    \59\ Id.
---------------------------------------------------------------------------

    The Secretary of HHS delegated authority to OCR to make decisions 
regarding the implementation and interpretation of the HIPAA Privacy, 
Security, Breach Notification, and Enforcement regulations.\60\
---------------------------------------------------------------------------

    \60\ See U.S. Dep't of Health and Human Servs., Office of the 
Secretary, Office for Civil Rights; Statement of Delegation of 
Authority, 65 FR 82381 (Dec. 28, 2000); U.S. Dep't of Health and 
Human Servs., Office of the Secretary, Office for Civil Rights; 
Delegation of Authority, 74 FR 38630 (Aug. 4, 2009); U.S. Dep't of 
Health and Human Servs., Office of the Secretary, Statement of 
Organization, Functions and Delegations of Authority, 81 FR 95622 
(Dec. 28, 2016).
---------------------------------------------------------------------------

Earlier Efforts To Align Part 2 With the HIPAA Regulations

    Prior to amendment by the CARES Act, 42 U.S.C. 290dd-2 provided 
that records could be disclosed only with the patient's prior written 
consent, with limited exceptions.\61\ The exceptions related to records 
maintained by VA or the Armed Forces and, for example, disclosures for 
continuity of care in emergency situations or between personnel who 
have a need for the information in connection with their duties that 
arise out of the provision of the diagnosis, treatment, or referral for 
treatment of patients with SUD.\62\ The exceptions did not include, for 
example, a disclosure of part 2 records by a part 2 program to a third-
party medical provider to treat a condition other than SUD absent an 
emergency situation. Therefore, the current part 2 regulations require 
prior written consent of the patient for most uses and disclosures of 
part 2 records, including for non-emergency treatment purposes. In 
contrast, the HIPAA Privacy Rule permits covered entities to use and 
disclose an individual's PHI for TPO without the individual's HIPAA 
authorization.\63\
---------------------------------------------------------------------------

    \61\ The limited exceptions are codified in current regulation 
at 42 CFR 2.12(c) and 42 CFR part 2, subpart D.
    \62\ See 42 CFR 2.12(c)(3). These disclosures are limited to 
communications within a part 2 program or between a part 2 program 
and an entity having direct administrative control over the part 2 
program.
    \63\ See 45 CFR 164.501.
---------------------------------------------------------------------------

    The Department has modified and clarified part 2 several times to 
align certain provisions more closely with the HIPAA Privacy Rule,\64\ 
address changes in health information technology (health IT), and 
provide greater flexibility for disclosures of patient identifying 
information within the health care system, while continuing to protect 
the confidentiality of part 2 records.\65\ For example, the Department 
clarified in a 2017 final rule that the definition of ``patient 
identifying information'' in

[[Page 12480]]

part 2 includes the individual identifiers listed in the HIPAA Privacy 
Rule at 45 CFR 164.514(b)(2)(i) for those identifiers that are not 
already listed in the part 2 definition.\66\ The 2017 final rule also 
revised Sec.  2.16 (Security for Records) to more closely align with 
HIPAA and permitted the use of a consent that generally designates the 
recipient of records rather than naming a specific person.\67\
---------------------------------------------------------------------------

    \64\ See 85 FR 42986 (July 15, 2020) and 83 FR 239 (Jan. 3, 
2018).
    \65\ 82 FR 6052 (Jan. 18, 2017). See also 81 FR 6988 (Feb. 9, 
2016).
    \66\ See 82 FR 6052, 6064.
    \67\ 82 FR 6052, 6054.
---------------------------------------------------------------------------

    In 2018, the Department issued a final rule clarifying the 
circumstances under which lawful holders and their legal 
representatives, contractors, and subcontractors could use and disclose 
part 2 records related to payment and health care operations in Sec.  
2.33(b) and for audit or evaluation-related purposes. The Department 
clarified that previously listed types of payment and health care 
operations uses and disclosures under the lawful holder permission in 
Sec.  2.33(b) were illustrative, and not definitive so as to be 
included in regulatory text.\68\ The Department also acknowledged the 
similarity of the list of activities to those included in the HIPAA 
Privacy Rule definition of ``health care operations'' but declined to 
fully incorporate that definition into part 2.\69\ The Department 
specifically excluded care coordination and case management from the 
list of payment and health care operations activities permitted without 
prior written consent of the patient under part 2 based on a 
determination that these activities are akin to treatment.
---------------------------------------------------------------------------

    \68\ See 83 FR 239, 241-242.
    \69\ Id. at 242.
---------------------------------------------------------------------------

    In 2018 the Department also codified language for an abbreviated 
Notice to Accompany Disclosure of part 2 records.\70\ Although the rule 
retained the requirement that a patient must consent before a lawful 
holder may redisclose part 2 records for treatment,\71\ the Department 
explained that the purpose of the part 2 regulations is to ensure that 
a patient receiving treatment for an SUD is not made more vulnerable by 
reason of the availability of their patient records than an individual 
with a SUD who does not seek treatment.\72\ The Department 
simultaneously recognized the legitimate needs of lawful holders to 
obtain payment and conduct health care operations as long as the core 
protections of part 2 are maintained.\73\
---------------------------------------------------------------------------

    \70\ 83 FR 239, 240. See also 82 FR 5485, 5487 (Jan. 18, 2017).
    \71\ 83 FR 239, 242.
    \72\ 82 FR 6052, 6053.
    \73\ 83 FR 239, 242.
---------------------------------------------------------------------------

    In a final rule published July 15, 2020,\74\ the Department 
retained the requirement that programs obtain prior written consent 
before disclosing part 2 records in the first instance (outside of 
recognized exceptions). At the same time the Department reversed its 
previous exclusion of care coordination and case management from the 
list of payment and health care operations in Sec.  2.33(b) for which a 
lawful holder may make further disclosures to its contractors, 
subcontractors, and legal representatives.\75\ The Department based 
this change on comments received on the proposed rule in 2019 and on 
section 3221(d)(4) of the CARES Act, which incorporated the HIPAA 
Privacy Rule definition of ``health care operations,'' including care 
coordination and case management activities,\76\ into paragraph (k)(4) 
of 42 U.S.C. 290dd-2.\77\ The July 2020 final rule also modified the 
consent requirements in Sec.  2.31 by establishing special requirements 
for written consent \78\ when the recipient of part 2 records is a 
health information exchange (HIE) (as defined in 45 CFR 171.102 \79\). 
In this final rule, the Department now finalizes a definition of the 
term ``intermediary'' \80\ to further facilitate the exchange of part 2 
records in new models of care, including those involving a research 
institution providing treatment, an ACO, or a care coordination or care 
management organization.\81\
---------------------------------------------------------------------------

    \74\ 85 FR 42986. See also 84 FR 44568 (Aug. 26, 2019).
    \75\ See 42 CFR 2.33(b).
    \76\ See 45 CFR 164.501.
    \77\ See 85 FR 42986, 43008-009. Sec. 3221(k)(4) expressed the 
Sense of Congress that the Department should exclude paragraph 
(6)(v) of 45 CFR 164.501 (relating to creating de-identified health 
information or a limited data set, and fundraising for the benefit 
of the covered entity) from the definition of ``health care 
operations'' in applying the definition to these records.
    \78\ See 85 FR 42986, 43006.
    \79\ Id. See also 21st Century Cures Act: Interoperability, 
Information Blocking, and the ONC Health IT Certification Program, 
85 FR 25642 (May 1, 2020).
    \80\ See 42 CFR 2.11, defining ``Intermediary'' as a person, 
other than a program, covered entity, or business associate, who has 
received records under a general designation in a written patient 
consent to be disclosed to one or more of its member participants 
for the treatment of the patient(s)--e.g., a health information 
exchange, a research institution that is providing treatment, an 
accountable care organization, or a care management organization.
    \81\ U.S. Dep't of Health and Human Servs., ``Information 
Related to Mental and Behavioral Health, including Opioid Overdose'' 
(Dec. 23, 2022), https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html; U.S. Dep't of Health and 
Human Servs., ``Does HIPAA permit health care providers to share 
protected health information (PHI) about an individual with mental 
illness with a third party that is not a health care provider for 
continuity of care purposes? For example, can a health care provider 
refer a patient experiencing homelessness to a social services 
agency, such as a housing provider, when doing so may reveal that 
the basis for eligibility is related to mental health?'' (Jan. 9, 
2023), https://www.hhs.gov/hipaa/for-professionals/faq/3008/does-hipaa-permit-health-care-providers-share-phi-individual-mental-illness-third-party-not-health-care-provider-continuity-care-purposes/index.html.
---------------------------------------------------------------------------

    The Department again modified part 2 on December 14, 2020,\82\ by 
amending the confidential communications section of Sec.  2.63(a)(2), 
which enumerated a basis for a court order authorizing the use of a 
record when ``the disclosure is necessary in connection with 
investigation or prosecution of an extremely serious crime allegedly 
committed by the patient.'' The December 2020 final rule removed the 
phrase ``allegedly committed by the patient,'' explaining that the 
phrase was included in previous rulemaking by error, and clarifying 
that a court has the authority to permit disclosure of confidential 
communications when the disclosure is necessary in connection with 
investigation or prosecution of an extremely serious crime that was 
allegedly committed by either a patient or an individual other than the 
patient.
---------------------------------------------------------------------------

    \82\ 85 FR 80626 (Dec. 14, 2020).
---------------------------------------------------------------------------

Section 3221 of the Coronavirus Aid, Relief, and Economic Security 
(CARES) Act

    On March 27, 2020, Congress enacted the CARES Act \83\ to provide 
emergency assistance to individuals, families, and businesses affected 
by the COVID-19 pandemic. Section 3221 of the CARES Act, 
Confidentiality and Disclosure of Records Relating to Substance Use 
Disorder, substantially amended 42 U.S.C. 290dd-2 to more closely align 
Federal privacy standards applicable to part 2 records with the HIPAA 
and HITECH Act privacy standards, breach notification standards, and 
enforcement authorities that apply to PHI, among other modifications.
---------------------------------------------------------------------------

    \83\ Public Law 116-136, 134 Stat. 281 (Mar. 27, 2020). 
Significant components of section 3221 are codified at 42 U.S.C. 
290dd-2 as further detailed in this final rule.
---------------------------------------------------------------------------

    The requirements in 42 U.S.C. 290dd-2(b), (c), and (f), as amended 
by section 3221 of the CARES Act, with respect to patient consent and 
redisclosures of SUD records, now align more closely with HIPAA Privacy 
Rule provisions permitting uses and disclosures for TPO and establish 
certain patient rights with respect to their part 2 records consistent 
with provisions of the HITECH Act; restrict the use and disclosure of 
part 2 records in legal proceedings; and set civil and criminal 
penalties for

[[Page 12481]]

violations. Section 3221 also amended 42 U.S.C. 290dd-2(j) and (k) by 
adding HITECH Act breach notification requirements and new terms and 
definitions consistent with the HIPAA regulations and the HITECH Act, 
respectively. Finally, section 3221 requires the Department to modify 
the HIPAA NPP \84\ requirements at 45 CFR 164.520 so that covered 
entities and part 2 programs provide notice to individuals regarding 
privacy practices related to part 2 records, including individuals' 
rights and uses and disclosures that are permitted or required without 
authorization.
---------------------------------------------------------------------------

    \84\ Section 3221(i) requires the Secretary to update 45 CFR 
164.520, the HIPAA Privacy Rule requirements with respect to the 
HIPAA NPP.
---------------------------------------------------------------------------

    Paragraph (b) of section 3221 (Disclosures to Covered Entities 
Consistent with HIPAA), adds a new paragraph (1) (Consent), to section 
543 of the PHSA \85\ and expands the ability of covered entities, 
business associates, and part 2 programs to use and disclose part 2 
records for TPO. The text of section 3221(b) adding paragraph (1)(B) to 
42 U.S.C. 290dd-2 states that once prior written consent of the patient 
has been obtained, those contents may be used or disclosed by a covered 
entity, business associate, or a program subject to 290dd-2 for the 
purposes of TPO as permitted by the HIPAA regulations. Any disclosed 
information may then be redisclosed in accordance with the HIPAA 
regulations.
---------------------------------------------------------------------------

    \85\ Paragraph (1) is codified at 42 U.S.C. 290dd-2(b).
---------------------------------------------------------------------------

    To the extent that 42 U.S.C. 290dd-2(b)(1) now provides for a 
general written patient consent covering all future uses and 
disclosures for TPO ``as permitted by the HIPAA regulations,'' and 
expressly permits the redisclosure of part 2 records received for TPO 
``in accordance with the HIPAA regulations,'' the Department believes 
this means the recipient redisclosing the records must be a covered 
entity, business associate, or part 2 program that has received part 2 
records under a TPO consent. The Department's proposals throughout this 
final rule are premised on its reading of section 3221(b) as applying 
to redisclosures of part 2 records by covered entities, business 
associates, and part 2 programs, including those covered entities that 
are part 2 programs.
    In addition to the provisions of section 3221 described above, 
paragraph (g) of section 3221, Antidiscrimination, adds a new provision 
(i)(1) to 42 U.S.C. 290dd-2 to prohibit discrimination against an 
individual based on their part 2 records in: (A) admission, access to, 
or treatment for health care; (B) hiring, firing, or terms of 
employment, or receipt of worker's compensation; (C) the sale, rental, 
or continued rental of housing; (D) access to Federal, State, or local 
courts; or (E) access to, approval of, or maintenance of social 
services and benefits provided or funded by Federal, State, or local 
governments.\86\ Further, the new paragraph (i)(2) prohibits 
discrimination by any recipient of Federal funds against individuals 
based on their part 2 records.\87\ As stated in the NPRM, the 
Department intends to implement the CARES Act antidiscrimination 
provisions in a separate rulemaking. However, we discuss below and 
briefly respond to comments we received on the NPRM concerning 
antidiscrimination and stigma issues.
---------------------------------------------------------------------------

    \86\ See sec. 3221(g) of the CARES Act.
    \87\ Id.
---------------------------------------------------------------------------

III. Overview of Public Comments

A. General Discussion of Comments

    The Department received approximately 220 comments on the NPRM. By 
a wide margin, most of the commenters represented organizations rather 
than individuals (87 percent versus 13 percent). Professional and trade 
associations, including medical professional associations, and patient, 
provider, or other advocacy organizations were the most represented, 
followed by organizations that could fall within multiple categories. 
Other commenters included hospitals and health care systems, state and 
local government agencies, health plans and managed care organizations, 
health IT vendors, and unaffiliated individuals. Among the 27 
individual commenters, nearly a third stated that they had current or 
past experience as an SUD provider, health care administrator, or 
health IT or legal professional.
    The specific issue mentioned most frequently in comments was the 
proposal to allow patients to sign a single consent form for all future 
uses and disclosures of their SUD records for TPO purposes. This was 
followed by the proposed consent requirements, regulatory definitions, 
protections for patients in investigations and proceedings against 
them, and requirements for intermediaries, in that order.

B. General Comments

    Approximately 75 percent of commenters provided general views on 
the NPRM covering multiple issues, including the need for better or 
complete alignment with HIPAA, concerns about erosion of privacy and 
the need for informed consent for disclosures, requests for 
Departmental guidance, and requests to better fund SUD treatment 
services and health IT technology for part 2 providers.
General Support for the Proposed Rule
    Public comments showed strong general support for the NPRM, with 
nearly half voicing clear support and nearly one-third expressing 
support while offering suggestions for improvement. Comments in support 
of the proposed rule stated that the proposed changes would improve 
care coordination, support patient privacy, reduce data and information 
gaps between patients and providers, reduce the stigma around SUD 
treatment, and reduce costs.
    A group of commenters supported the proposed changes but did not 
view the proposals as sufficient--they sought more comprehensive 
change, to essentially recreate a set of HIPAA standards for part 2 
records.
General Opposition to the Proposed Rule
    Some commenters that expressed opposition to the NPRM stressed the 
importance of privacy and the need for informed consent regarding the 
use and disclosure of SUD treatment information, particularly for the 
use of records in investigations and proceedings against a patient. 
Some SUD providers, medical professionals, trade associations, advocacy 
organizations, a mental health provider, and nearly all individual 
commenters urged the Department not to make changes to part 2, largely 
to maintain the existing privacy protections. One advocacy organization 
urged the Department to weigh the risk to patients of their data being 
used without their permission and their potential loss of privacy 
surrounding seeking treatment for SUD, against any potential benefits 
provided for providers by the new rule.

IV. Analysis and Response to Public Comments and Final Modifications

    The discussion below provides a section-by-section description of 
the final rule and responds to comments received from the public in 
response to the 2022 NPRM. As the Department discussed in the NPRM, the 
CARES Act did not expressly require every proposal promulgated by the 
Department. Some of the Department's proposals were proposed to align 
the language of this regulation with that in the HIPAA Privacy Rule and 
to clarify already-existing part 2 permissions or restrictions.

[[Page 12482]]

A. Effective and Compliance Dates

Proposed Rule
    In the NPRM, the Department proposed to finalize an effective date 
for a final rule that would occur 60 days after publication, and a 
compliance date that would occur 22 months after the effective date. 
Taken together, the two dates would give entities two years after 
publication to finalize compliance measures. In the NPRM, we \88\ 
stated ``[e]ntities subject to a final rule would have until the 
compliance date to establish and implement policies and practices to 
achieve compliance.'' \89\ The Department proposed to provide the same 
compliance date for both the proposed modifications to 45 CFR 164.520, 
the HIPAA NPP provision, and the more extensive part 2 modifications.
---------------------------------------------------------------------------

    \88\ In this final rule, ``we'' and ``our'' denote the 
Department.
    \89\ 87 FR 74216, 74218.
---------------------------------------------------------------------------

    The HIPAA regulations generally require covered entities and 
business associates to comply with new or modified standards or 
implementation specifications no later than 180 days from the effective 
date of any such standards or implementation specifications,\90\ 
whereas the part 2 regulation does not contain a standard compliance 
period for regulatory changes.
---------------------------------------------------------------------------

    \90\ See 45 CFR 160.105.
---------------------------------------------------------------------------

    However, as we explained in the NPRM, the proposed compliance 
period would allow part 2 programs to revise existing policies and 
practices, complete other implementation requirements, and train their 
workforce members on the changes, as well as minimize administrative 
burdens on entities subject to the HIPAA Privacy Rule.
    We requested comment on the adequacy of the 22-month compliance 
period that follows the proposed effective date and any benefits or 
unintended adverse consequences for entities or individuals of a 
shorter or longer compliance period.
Comment
    More than half of the commenters who addressed the timeline for 
compliance, including several providers, health plans, professional 
medical and trade associations, and HIE networks, expressed support or 
opined that the proposed dates were feasible. Some of these commenters 
believed changes could be implemented sooner. Several of these 
supportive commenters offered the opinion that compliance deadlines 
facilitate care coordination and therefore should not be unnecessarily 
delayed, but that the Department should offer technical assistance 
leading up to the compliance deadline to assist entities in 
implementing these changes. Some commenters stated that the Department 
should make clear that covered entities and part 2 programs who wish to 
comply with new finalized provisions, such as permissively using and 
disclosing SUD records for TPO or using the new authorization form with 
a general designation, before the proposed timeline should be able to 
do so voluntarily.
    Several commenters opined that the compliance timeline should be 
shortened. In general, these commenters stated that a shorter 
compliance timeline would more quickly facilitate improved care 
coordination for SUD patients and avoid extending the opioid crisis. A 
few of these commenters suggested that the gap in time between the 
effective date and compliance date would allow entities to ``choose'' 
whether to follow existing or revised regulations for a period of time, 
and thus impede interoperability. Others in this group of commenters 
suggested that the proposed compliance date was excessively long, 
demonstrated a lack of urgency by the Department for improving SUD data 
exchange and care for SUD patients, and would prolong the 
``misalignment'' of privacy protections for different types of 
information. One of these commenters recommended an alternative 12-
month timeline that would include the effective date with only 10 
additional months for compliance. A few of these commenters further 
encouraged the Department to clarify that entities wishing to implement 
any regulatory changes before the proposed timelines could voluntarily 
do so.
Response
    We appreciate the comments and clarify here that persons who are 
subject to the regulation and are able to voluntarily comply with 
regulatory provisions finalized in this rulemaking may do so at any 
time after the effective date. We also agree with the commenters who 
emphasized the important role that this rule will play in improving 
care coordination for patients experiencing addiction or other forms of 
SUD, and we acknowledge their concerns about timely implementation. As 
finalized, we believe the effective and compliance dates strike the 
right balance between incentivizing entities to come into compliance in 
a timely fashion, and granting them sufficient time to adjust policies, 
procedures, and, in some cases, technology to support new or revised 
regulations.
Comment
    A few commenters expressed support for the proposed timelines but 
requested clarification about whether new finalized provisions would 
apply to records created prior to the compliance date of the final 
rule. These commenters urged the Department to apply modified 
requirements to part 2 records created prior to the compliance date of 
the final rule to avoid the burdensome task of separating records and 
applications for consent.
Response
    The changes finalized in this rule will apply to records created 
prior to the final rule. We agree with commenters who stated that 
separating records by date of creation for differential treatment would 
be unduly burdensome.
Comment
    Slightly less than half of the commenters about this topic, 
including medical associations, a technology vendor, HIE/HINs, state 
and local agencies, health plans, and professional provider 
organizations, suggested that the Department should either lengthen the 
compliance timeline or finalize the proposed compliance date but delay 
enforcement, or issue a compliance safe harbor beyond the compliance 
date. For example, one commenter suggested that the Department 
implement a two-year enforcement delay while a few other commenters 
suggested a three-year enforcement delay or two-year phased enforcement 
approach beyond the compliance date. Some commenters requested that the 
Department spend the time tolled by the enforcement delay to issue 
implementation guidance addressing the interaction of the Centers for 
Medicare & Medicaid Services (CMS) Interoperability Rule,\91\ HIPAA 
regulations, and 42 CFR part 2, or work with the IT vendor community to 
address data segmentation approaches.
---------------------------------------------------------------------------

    \91\ See 85 FR 25510 (May 1, 2020).
---------------------------------------------------------------------------

    A few state and local agencies opined that the 22-month compliance 
period following the effective date would not be adequate for 
communication, training, implementation, and monitoring of extensive 
SUD provider networks with varying delivery options. One of these 
agencies cited as an example the state of California where the Medicaid 
SUD service delivery system may include hundreds of county and 
contracted providers such that the burden of audits, deficiency 
findings, and corrective actions would be felt statewide. Another state 
agency commented that its state needed more

[[Page 12483]]

time to develop a means to track TPO disclosures and recommended a 60-
month timeline after publication of the rule. Other alternative 
timelines suggested by commenters included a recommendation by a dental 
professional association to establish an effective date of no less than 
one year after publication of the final rule, and a compliance date of 
no less than one year after the effective date; an additional 12 months 
beyond the proposed 22-month compliance timeline to better accommodate 
new interoperability rules and a corresponding need by part 2 programs 
to update technology; or a 34-month period following the 60-day 
effective date period to grant part 2 programs greater time to 
implement changes in practice related to the rule, as well as 
additional time for questions and clarifications from the Department. 
Commenters also suggested that an enforcement delay include a delay in 
imposing civil monetary penalties or ``safe harbor'' protection for 
part 2 programs, providers, business associates, and covered entities 
acting in good faith.
Response
    We disagree with commenters who suggested or recommended that the 
Department delay enforcement of a final part 2 rule beyond the proposed 
timeline. We also disagree that additional safe harbor protection for 
the entities that would be regulated under this rule is necessary or 
appropriate. Either an enforcement delay or an enforcement safe harbor 
(that would effectively extend the compliance timeline) would frustrate 
the timely implementation of the CARES Act amendments to meaningfully 
improve the ability of impacted entities to coordinate care for 
individuals experiencing SUD, as suggested by the many commenters who 
either agreed with the proposed effective and compliance dates or 
sought a shorter compliance timeline. The Department may provide 
further guidance on the CMS Interoperability Rule in relation to data 
segmentation issues, HIPAA, and part 2, but we do not believe that this 
should delay finalization of the modifications to the part 2 rule or 
compliance deadlines.
Comment
    One commenter, a Tribal health board, recommended that Indian 
Health Service (IHS) and Tribal facilities using the existing IHS 
medical record system be exempted from compliance with part 2 until 
such time as IHS modernizes its electronic health record (EHR) system, 
projected for 2025. It further requested that SAMHSA issue guidance for 
pharmacies utilizing and issuing electronic prescriptions through the 
Resource and Patient Management System (RPMS) EHR system, and 
associated redisclosures, in the context of an integrated pharmacy 
system with the full RPMS EHR.
Response
    The timeline finalized here is consistent with this request. As 
explained, the two-month delay between publication and an effective 
date combined with a 22-month compliance deadline beyond the effective 
date grants entities two years after publication to comply. Absent 
extenuating circumstances that cause the Department to require 
compliance sooner, this final rule will require compliance no earlier 
than third quarter of calendar year 2025.
Comment
    A few commenters representing HIE networks expressed support for 
the Department's proposal to toll the date by which part 2 programs 
must comply with the proposed accounting of disclosures requirements at 
Sec.  2.25 until the effective date of a final rule on a revised HIPAA 
accounting of disclosures standard at 45 CFR 164.528 to ensure the 
consistency with HIPAA.
Response
    We appreciate these comments.
Comment
    A few commenters recommended that the Department delay this rule in 
its entirety until other proposed HIPAA regulations are finalized to 
permit commenters to better assess interactions between the alignment 
and to reduce administrative burden, such as reviewing multiple 
proposed HIPAA NPP provisions.
Response
    The Department is not finalizing the proposed HIPAA NPP provisions 
in this final rule, but plans to do so in a future HIPAA final rule. We 
intend to align compliance dates for any required changes to the HIPAA 
NPP and part 2 Patient Notice to enable covered entities to make such 
changes at the same time. We believe the two-year compliance timeline 
following publication of this rule provides adequate time to assess 
alignment implications between HIPAA and part 2 and adjust accordingly.
Final Dates
    The final rule adopts the proposed effective date of 60 days after 
publication of this final rule, and the proposed compliance date of 24 
months after the publication of this final rule. We are also finalizing 
the proposed accounting of disclosure provision at Sec.  2.25, but 
tolling the effective and compliance dates for that provision until 
such time as the Department finalizes a revised provision in HIPAA at 
45 CFR 164.528.

B. Substantive Proposals and Responses to Comments

Section 2.1--Statutory Authority for Confidentiality of Substance Use 
Disorder Patient Records
Proposed Rule
    Section 2.1 describes the statutory authority vested in 42 U.S.C. 
290dd-2(g) to prescribe implementing regulations. The Department 
proposed to revise Sec.  2.1 to more closely align this section with 
the statutory text of 42 U.S.C. 290dd-2(g) and subsection 290dd-
2(b)(2)(C) related to the issuance of court orders authorizing 
disclosures of part 2 records.
Comment
    A health plan commenter expressed support for this language 
alignment and that the specific references to authorized disclosures 
pursuant to court order will assist part 2 programs in their compliance 
efforts. A state agency said that these changes to part 2 will affect 
its Medicaid system and Prepaid Inpatient Health Plans. Compliance is 
further required for State licensed narcotic treatment facilities and 
residential alcohol and drug treatment facilities.
Response
    We appreciate these comments.
Final Rule
    The final rule adopts the proposed changes to this section without 
further modification.
Section 2.2--Purpose and Effect
Proposed Rule
    Section 2.2 establishes the purpose and effect of regulations 
imposed in this part upon the use and disclosure of part 2 records. The 
Department proposed to amend paragraph (b) of this section to reflect 
that Sec.  2.2(b) compels disclosures to the Secretary that are 
necessary for enforcement of this rule, using language adapted from the 
HIPAA Privacy Rule at 45 CFR 164.502(a)(2)(ii). In the NPRM, the 
Department stated that the regulations do not require use or disclosure 
under any circumstance other than when disclosure is required by the 
Secretary to investigate or determine a person's compliance with

[[Page 12484]]

this part.\92\ The Department also proposed to add a new paragraph 
(b)(3) to this section to clarify that nothing in this rule should be 
construed to limit a patient's right to request restrictions on use of 
records for TPO or a covered entity's choice to obtain consent to use 
or disclose records for TPO purposes as provided in the HIPAA Privacy 
Rule. The Department specifically stated that the ``regulations in this 
part are not intended to direct the manner in which substantive 
functions such as research, treatment, and evaluation are carried 
out.'' \93\
---------------------------------------------------------------------------

    \92\ 87 FR 74216, 74226.
    \93\ 87 FR 74216, 74274.
---------------------------------------------------------------------------

Comment
    A commenter said that it is logical for disclosures to the 
Secretary under Sec.  2.2 to be consistent with analogous disclosures 
under HIPAA. Regarding the proposed modification to Sec.  2.2(b)(1) to 
provide that the regulations generally do not require the use and 
disclosure of part 2 records, except when disclosure is required by the 
Secretary, another commenter said that it would be more logical and 
appropriate to treat part 2 records as HIPAA-covered records. The 
commenter believed that continued stigmatization of the diagnoses 
treated by part 2 facilities is a barrier to treatment and creates a 
two-tiered approach to use and disclosure that provides no meaningful 
benefit to patients.
Response
    We appreciate these comments and have finalized this section as 
noted below. We believe our changes align part 2 more closely with 
HIPAA while also acknowledging changes to 42 U.S.C 290dd-2, as amended 
by section 3221 of the CARES Act, which continue to provide additional 
protection for part 2 records, especially in legal proceedings against 
a patient. This section is needed to prevent harm to patients from 
stigma and discrimination consistent with the intent of part 2 and the 
CARES Act, including newly added statutory antidiscrimination 
requirements (42 U.S.C. 290dd-2(i)).
Comment
    A SUD professional association discussed stigma and discrimination 
to which SUD patients are subject and asked that any discussion of 
proposed changes in the NPRM first begin with the context of why these 
protections exist. Citing to Sec.  2.2(b)(2), the association noted 
that there are a number of adverse impacts to which patients are 
vulnerable including those related to: criminal justice, health care, 
housing, life insurance coverage, loans, employment, licensure, and 
other intentional or passive discrimination against patients. A 
psychiatric hospital said that, under current Sec.  2.2(b)(2), the 
purpose of the substance use disorder confidentiality protections is to 
encourage care without fear of stigma-related adverse impacts, not to 
block access to it for patients.
Response
    We have long emphasized and agree with commenters that one primary 
purpose of the part 2 regulations is to, as the 1987 rule stated, 
ensure ``that an alcohol or drug abuse patient in a federally assisted 
alcohol or drug abuse program is not made more vulnerable by reason of 
the availability of his or her patient record than an individual who 
has an alcohol or drug problem and who does not seek treatment.'' \94\ 
The final rule continues to emphasize, including in this section, that 
most uses and disclosures allowed under part 2 are permissive and not 
mandatory. The final rule adds that disclosure may be required ``when 
disclosure is required by the Secretary to investigate or determine a 
person's compliance with this part pursuant to Sec.  2.3(c).'' 
Likewise, a court order with a subpoena or similar legal mandate may 
compel disclosure of part 2 records, as explained in Sec.  2.61, Legal 
effect of order.\95\
---------------------------------------------------------------------------

    \94\ 52 FR 21796, 21805.
    \95\ Section 2.61(a) provides that court orders entered under 
this subpart are ``unique'' and only issued to authorize a 
disclosure or use, and not ``compel'' disclosure. It further 
provides ``A subpoena or a similar legal mandate must be issued in 
order to compel disclosure. This mandate may be entered at the same 
time as and accompany an authorizing court order entered under the 
regulations in this part.'' Under the HIPAA Privacy Rule, a 
disclosure pursuant to such a court order, but without an 
accompanying subpoena, would not constitute a disclosure required by 
law as that term is defined at 45 CFR 164.103.
---------------------------------------------------------------------------

Comment
    A commenter believed the Department's proposal to add a new 
paragraph (b)(3) to Sec.  2.2 to provide that nothing in this part 
shall be construed to limit a patient's right to request restrictions 
on use of records for TPO or a covered entity's choice to obtain 
consent to use or disclose records for TPO purposes as provided in the 
HIPAA Privacy Rule appears consistent with patients' rights 
requirements under HIPAA and is a logical clarification.
Response
    We appreciate the comment on our proposed changes which are 
finalized here.
Final Rule
    The final rule adopts all changes to Sec.  2.2 as proposed, without 
further modification.
Section 2.3--Civil and Criminal Penalties for Violations
Proposed Rule
    Section 2.3 of 42 CFR part 2 currently requires that any person who 
violates any provision of the part 2 regulations be criminally fined in 
accordance with title 18 U.S.C. The Department proposed multiple 
changes to this section to implement the new authority granted in 
section 3221(f) of the CARES Act as applied in 42 U.S.C. 290dd-2(f) so 
that sections 1176 and 1177 of the Social Security Act apply to a part 
2 program for a violation of 42 CFR part 2 in the same manner as they 
apply to a covered entity for a violation of part C of title XI of the 
Social Security Act (HIPAA Administrative Simplification).
    The Department proposed to replace title 18 criminal enforcement 
with civil and criminal penalties under sections 1176 and 1177 of the 
Social Security Act (42 U.S.C. 1320d-5, 1320d-6), respectively, as 
implemented in the HIPAA Enforcement Rule.\96\ The Department also 
proposed to rename Sec.  2.3 as ``Civil and criminal penalties for 
violations'' and reorganize Sec.  2.3 into paragraphs (a), (b), and 
(c). Proposed Sec.  2.3(a) would incorporate the penalty provisions of 
42 U.S.C. 290dd-2(f), which apply the civil and criminal penalties of 
sections 1176 and 1177 of the Social Security Act, respectively, to 
violations of part 2. Proposed changes and comments regarding 
paragraphs (a), (b), and (c) are discussed below.
---------------------------------------------------------------------------

    \96\ See 45 CFR part 160, subpart D (Imposition of Civil Money 
Penalties).
---------------------------------------------------------------------------

Comment
    We received comments concerning proposed revisions to Sec.  2.3(a). 
A state agency requested clarification regarding the agencies 
authorized to enforce Sec.  2.3. Given statutory changes made by the 
CARES Act, the commenter asked that the Department clarify which 
agencies are authorized to enforce part 2 pursuant to the proposed 
provision. This commenter opined that section 1176 of the Social 
Security Act authorizes the Secretary to impose penalties, the attorney 
general of a state to bring a civil action for statutory damages in 
certain circumstances, and OCR to use corrective action in cases where 
the person did not know of the violation involved. The commenter asked 
for confirmation that the Department is the Federal agency that is

[[Page 12485]]

authorized to enforce part 2 through civil penalties and further seeks 
clarification regarding whether the Department will act through OCR, 
SAMHSA, or another entity. The commenter also seeks clarification that 
the authorized state enforcement agency is the office of the attorney 
general. Additionally, section 1177 of the Social Security Act pertains 
to criminal penalties for knowing violations, but does not identify the 
specific agency charged with enforcement. The commenter seeks 
confirmation that under the proposed rule, the Federal Department of 
Justice (DOJ) has jurisdiction over enforcement of part 2 through 
criminal penalties.
Response
    We appreciate requests for clarification on enforcement of part 2 
as proposed and now finalized in this rule. As we have noted in 
previous rulemakings such as the ``HIPAA Administrative Simplification: 
Enforcement'' final rule ``[u]nder sections 1176 and 1177 of the Act, 
42 U.S.C. 1320d-5 and 6, these persons or organizations, collectively 
referred to as `covered entities,' may be subject to CMPs and criminal 
penalties for violations of the HIPAA regulations. HHS enforces the 
CMPs under section 1176 of the Act, and [DOJ] enforces the criminal 
penalties under section 1177 of the Act.'' \97\ As part of the HITECH 
Act, state attorneys general may bring civil suits for violations of 
the HIPAA Privacy and Security Rules on behalf of state residents.\98\ 
Under this final rule, alleged violators of part 2 are subject to the 
same penalties as HIPAA covered entities through sections 1176 and 1177 
of the Social Security Act. The CARES Act granted enforcement authority 
to the Secretary for civil penalties and the Department will identify 
the enforcing agency before the compliance date of this final rule.
---------------------------------------------------------------------------

    \97\ 74 FR 56123, 56124 (Oct. 30, 2009). See also, U.S. Dep't of 
Health and Human Servs., ``How OCR Enforces the HIPAA Privacy & 
Security Rules'' (June 7, 2017), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-ocr-enforces-the-hipaa-privacy-and-security-rules/index.html.
    \98\ See U.S. Dep't of Health and Human Servs., ``State 
Attorneys General'' (Dec. 21, 2017), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/state-attorneys-general/index.html.
---------------------------------------------------------------------------

Comment
    A state agency said that its state strongly opposes what it 
perceives as increasing the civil and criminal penalties described in 
Sec.  2.3. Understanding the desire to ensure strong privacy 
protections are in place and that sanctions are necessary, the agency 
opined that the current enforcement framework is adequate and 
increasing sanctions would be punitive rather than promoting 
compliance. Punitive sanctions should be brought only against those 
entities or individuals that failed to use due diligence and/or make 
every reasonable attempt to protect against unauthorized disclosure. 
Unintended unauthorized disclosures that result in no material patient 
harm should be treated as that--unintended disclosures that cause de 
minimis or no harm to patients. Increasing sanctions may have the 
unintended consequence of part 2 programs not sharing patient records 
even if the patient in fact desires disclosure.
Response
    We appreciate this commenter's concerns about part 2 enforcement 
and disagree that the sanctions for violations will be harsher than for 
violations of the HIPAA regulations. We note that 42 U.S.C. 290dd-2(f), 
as amended by section 3221(f) of the CARES Act, applies the provisions 
of sections 1176 and 1177 of the Social Security Act to a violation of 
42 CFR part 2 in the same manner as they apply to a violation of part C 
of title XI of the Social Security Act. We are implementing these 
requirements in this final rule. As of the compliance date for this 
final rule, we anticipate taking a similar approach to addressing 
noncompliance under part 2 as for violations of HIPAA, ranging from 
voluntary compliance and corrective action to civil and criminal 
penalties.\99\ Indeed, we are finalizing below Sec.  2.3(c) which 
provides that the provisions of 45 CFR part 160, subparts C, D, and E, 
shall apply to noncompliance with this part with respect to records in 
the same manner as they apply to covered entities and business 
associates for violations of 45 CFR parts 160 and 164 with respect to 
PHI. As proposed, we are incorporating the entirety of 45 CFR part 160, 
subpart D, which includes the mitigating factors in 45 CFR 160.408 and 
the affirmative defenses in 45 CFR 160.410, to align part 2 enforcement 
with the HIPAA Enforcement Rule.
---------------------------------------------------------------------------

    \99\ See U.S. Dep't of Health and Human Servs., ``Enforcement 
Process'' (Sept. 17, 2021), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/index.html; 
HIPAA Enforcement Rule, 45 CFR part 160, subparts C, D, and E.
---------------------------------------------------------------------------

    In contrast, prior to this final rule, all alleged part 2 
violations were subject only to potential criminal penalties. Aligning 
part 2 and HIPAA enforcement approaches should make the enforcement 
process more straightforward for part 2 programs that are covered 
entities because it offers the same mitigating factors for 
consideration in enforcement, such as the number of individuals 
affected by the violation; whether the violation caused physical, 
financial, or reputational harm to the individual or jeopardized an 
individual's ability to obtain health care, the size of the covered 
entity or part 2 program; and whether the penalty would jeopardize the 
covered entity or part 2 program's ability to continue doing business. 
This alignment also affords part 2 programs, including those that are 
covered entities, the same affirmative defenses to alleged 
noncompliance and generally prohibits the imposition of a civil money 
penalty for a violation that is not due to willful neglect and is 
corrected within 30 days of discovery.
Final Rule
    We are finalizing Sec.  2.3(a) to specify that under 42 U.S.C. 
290dd-2(f), any person who violates any provision of this part shall be 
subject to the applicable penalties under sections 1176 and 1177 of the 
Social Security Act, 42 U.S.C. 1320d-5 and 1320d-6, as implemented in 
the HIPAA Enforcement Rule.
Section 2.3(b) Limitation on Criminal or Civil Liability
Proposed Rule
    As noted in the NPRM, after consultation with DOJ, the Department 
proposed in Sec.  2.3(b) to create a limitation on civil or criminal 
liability (``safe harbor'') for persons acting on behalf of 
investigative agencies when, in the course of investigating or 
prosecuting a part 2 program or other person holding part 2 records, 
such agencies or persons unknowingly receive part 2 records without 
first obtaining the requisite court order. The proposed safe harbor 
applies only in instances where records are obtained for the purposes 
of investigating a part 2 program or person holding the record, not a 
patient. Further, investigative agencies would be required to follow 
part 2 requirements for obtaining, using, and disclosing part 2 records 
as part of an investigation or prosecution, including requirements 
related to seeking a court order, filing protective orders, maintaining 
security for records, and ensuring that records obtained in program 
investigations are not used in legal actions against patients who are 
the subjects of the records.
    This safe harbor would be available for uses or disclosures 
inconsistent with part 2 only when the person acting on behalf of an 
investigative agency acted

[[Page 12486]]

with reasonable diligence to determine in advance whether part 2 
applied to the records or part 2 program. Paragraph (b)(1) proposed to 
clarify what constitutes reasonable diligence in determining whether 
part 2 applies to a record or part 2 program before an investigative 
agency makes an investigative demand or places an undercover agent with 
the part 2 program or person holding the records. The Department 
proposed specifically that reasonable diligence under this provision 
would require acting within a reasonable period of time, but no more 
than 60 days prior to, the request for records or placement of an 
undercover agent or informant. As proposed, reasonable diligence would 
include taking the following actions to determine whether a health care 
practice or provider (where it is reasonable to believe that the 
practice or provider provides SUD diagnostic, treatment, or referral 
for treatment services) provides such services: (1) checking a 
prescription drug monitoring program (PDMP) in the state where the 
provider is located, if available and accessible to the agency under 
state law; or (2) checking the website or physical location of the 
provider.
    In addition, Sec.  2.3(b) as proposed was intended to require an 
investigative agency to meet any other applicable requirements within 
part 2 for any use or disclosure of the records that occurred, or would 
occur, after the investigative agency knew, or by exercising reasonable 
diligence would have known, that it received part 2 records. The 
Department also proposed amending Sec. Sec.  2.66 and 2.67 to be 
consistent with and further implement these proposed changes in Sec.  
2.3.
Comment
    A state agency that regulates health facilities expressed concern 
that statements made by HHS in the NPRM when describing the need for 
the safe harbor provision for investigative agencies might bring its 
authority to obtain part 2 records from health care facilities into 
question. The commenter explains that the Department's justification 
and interpretation of the need for a safe harbor provision could result 
in licensed health care facilities refusing to provide it with access 
to part 2 records until the state agency obtains a court order under 
subpart E. While the commenter appreciated the clarification provided 
by the Department in the NPRM (``[HHS] does not intend to modify the 
applicability of Sec.  2.12 or Sec.  2.53 for investigative 
agencies''), the commenter asked that Sec.  2.3(b) affirm that 
investigative agencies will not be required to demonstrate due 
diligence or obtain a court order if their access, use, and disclosure 
of part 2 records is covered by another exception to part 2, such as 
the audit and evaluation exception in Sec.  2.53.
    An academic medical center advocated for a narrower definition of 
``investigative agency'' than proposed and expressed concern about 
applying the proposed limitation on liability to a broad category of 
agencies. Several other commenters also addressed in their comments the 
Department's proposed definition of ``investigative agency'' in Sec.  
2.11, suggesting inclusion of state, Tribal, or local agencies in this 
definition.
Response
    We address comments on definitions below in Sec.  2.11, including 
concerns about potential unintended adverse consequences of including 
``supervisory'' agencies in the definition of ``investigative agency''. 
We believe that the definition of ``investigative agency'', combined 
with the safe harbor (and its reasonable diligence prerequisite) and 
the annual reporting requirement, provides an appropriate check on 
government access to records in the course of investigating a part 2 
program or lawful holder in those situations where an agency discovers 
it has unknowingly obtained part 2 records. The safe harbor option to 
apply for a court order retroactively does not alter the criteria for a 
court to grant the order, which includes a finding that other means of 
obtaining the records were unavailable, would not be effective, or 
would yield incomplete information. Here, we also clarify that we do 
not intend, in Sec.  2.3(b), to override the existing authority of 
investigative or oversight agencies to access records, without court 
order, when permitted under another section of this regulation. Rather 
than narrowing the definition, we also include, as some commenters 
requested, local, territorial, and Tribal investigative agencies in the 
final ``investigative agency'' definition because they have a role in 
investigations of part 2 programs.
Comment
    Some SUD policy organizations and other commenters suggested that 
the Department should not include a safe harbor provision for 
investigative agencies, as this is not required by the CARES Act and is 
duplicative of existing protections such as qualified immunity. 
According to these commenters, the CARES Act does not require a 
limitation on civil or criminal liability for persons acting on behalf 
of investigative agencies if they unknowingly receive part 2 records. 
Additionally, this provision is deleterious to the confidentiality of 
patients relying on part 2 protections of their records in seeking or 
receiving SUD treatment, further eroding the trust necessary between 
provider and patient for successful SUD treatment.
    The commenters further addressed in their comments the reasonable 
diligence steps proposed to identify whether a provider is a covered 
part 2 program. Though the NPRM proposed that passing by a part 2 
program to observe its operations or checking a PDMP is sufficient to 
determine whether a provider offers SUD services, many SUD providers 
are not required to share information with PDMPs, the commenters 
assert. One commenter suggested that PDMPs do not contain any 
information from part 2 programs that do not prescribe controlled 
substances to patients. Under Sec.  2.36, opioid treatment programs 
(OTPs) may report methadone dispensing information to PDMPs, but only 
if the reporting is mandated by state law and authorized by a part 2-
compliant consent form. The commenters asserted that more accurate 
verification methods exist, such as SAMHSA's online treatment locator 
or state treatment databases. If such a safe harbor provision is 
included, the standard for diligence must be made more explicit and 
subject to more rigorous standards, according to these commenters.
    A legal advocacy organization commented that the safe harbor 
proposal fell outside the scope of the CARES Act and was an unnecessary 
change. It further commented that despite disclosing that it consulted 
with the DOJ, HHS failed to adequately explain why law enforcement 
merits special consideration for protection from liability or why HHS 
did not consult with civil rights organizations, legal and policy 
advocates, providers, or patients. In addition, this commenter opined 
that the proposed safe harbor provision had inadequate guardrails to 
protect privacy because the Department proposed a very low standard of 
reasonable diligence that the investigative agency would be required to 
show and insufficient examples of actions an investigative agency must 
take to identify whether a provider offered SUD treatment under part 2. 
The commenter also remarked that checking a state's PDMP website should 
not be sufficient to establish reasonable diligence since the majority 
of part 2 programs do not report information to PDMPs, and similarly, 
driving by a provider's physical location should not

[[Page 12487]]

be considered sufficient to establish reasonable diligence because many 
SUD providers preserve their patients' privacy by avoiding overt street 
signage or advertisements. This commenter suggested checking SAMHSA's 
online treatment locator or the state oversight agency's list of 
licensed and certified providers as better alternatives than those 
proposed in the NPRM.
    An HIE association expressed concern that if patients believe that 
their information related to seeking SUD treatment or admitting 
continued SUD while in treatment could be disclosed to an investigative 
Federal Government agency, then they may forgo or stop receiving that 
treatment. SUD treatment and the part 2 patient records are some of the 
most sensitive pieces of a person's health record. The commenter 
suggested that it is important for OCR and SAMHSA to engage with 
patient advocacy organizations to understand the needs of patients to 
protect that privacy and ensure treatment is not foregone due to a fear 
of exposure. An individual commenter also recommended consultation by 
the Department with SUD patients and former patients.
    Another group of commenters claimed that the proposed rule's new 
safe harbor provision in Sec.  2.3 was unnecessary, overly broad, and 
was not required by the CARES Act. HHS should withdraw this proposed 
change, these commenters stated, or at least should include more 
accurate methods of how investigative agencies can determine a provider 
offers SUD services (and thus may be subject to part 2) such as 
consulting the SAMHSA online treatment locator.
    An individual commenter viewed the proposed Sec.  2.3(b) changes as 
stigmatizing because it would promote access to patients' records 
against their interests by law enforcement. Another individual 
commenter suggested the proposed safe harbor may create a chilling 
effect, dissuading people from seeking the SUD care and other kinds of 
health care, including prenatal care, that they need. One person in 
recovery said that the proposal's language is vague and open-ended, 
leaving room for interpretation and loopholes for fishing expeditions 
by law enforcement through patient records. This commenter further 
stated that while it is important that bad actor treatment centers or 
providers are held accountable, the solution should not sacrifice 
fundamental privacy rights of patients.
    Another commenter recommended a bar against using the safe harbor 
provision without inquiring directly with the provider about whether 
part 2 applies. The organization has helped part 2 programs respond to 
hundreds of law enforcement requests for SUD treatment records. Based 
on its experience, many part 2 programs report that law enforcement 
officials are not familiar with part 2 and do not listen to program 
staff when they flag its requirements for law enforcement. The 
commenter stated that part 2 program staff have even been arrested and 
charged with obstruction for attempting to explain the Federal privacy 
law as a result of this lack of knowledge by law enforcement.
    A county government expressed opposition to the Department's 
proposals in Sec.  2.3, and relatedly in Sec. Sec.  2.66 and 2.67. 
According to this commenter, the Department should consider that once 
information is received by an investigator, there is no way to undo the 
knowledge learned even if records are destroyed as required in 
Sec. Sec.  2.66 and 2.67. Thus, the commenter concluded, the Department 
should not finalize the safe harbor.
    Another county government, also expressing opposition to proposed 
changes in Sec. Sec.  2.3 and 2.66, commented that it believes the 
creation of a safe harbor for improper use or disclosure of part 2 
records by investigative agencies is contrary to the ``fundamental 
policy goals'' that support more stringent privacy protections for 
substance use treatment records under 42 CFR part 2. This commenter 
explained its view that patients remain fearful of legal repercussions 
for engaging in substance use and will be discouraged from seeking 
treatment if guardrails that protect information are lowered. This 
commenter further opined that creating a safe harbor for investigative 
agencies could have the unintended consequence of creating an incentive 
for investigative agencies to design document requests to technically 
meet the requirements of the safe harbor, with the hopes of providers 
turning over part 2 records to which the investigative agency would not 
otherwise have access. Furthermore, according to the commenter, the 
contents of part 2 records could conceivably be used as a basis for 
meeting the criteria for a court order to use or disclose these, or 
other part 2 records, under Sec.  2.64. This commenter further 
recommended that investigators not be permitted to retroactively seek a 
court order to use or disclose part 2 record, and in no event should 
investigative agencies be able to use information from part 2 records 
that they did not have proper authority to receive as the basis for a 
retroactive court order for use of disclosure of part 2 records.
Response
    As noted above and in response to comments, this final rule no 
longer considers the reasonable diligence requirement specific to the 
safe harbor to be met by checking the applicable PDMP. Instead, this 
rule in the regulatory text of Sec.  2.3 provides that ``reasonable 
diligence'' means taking all of the following actions: searching for 
the practice or provider among the SUD treatment facilities in SAMHSA's 
online treatment locator; searching in a similar state database of 
treatment facilities where available; checking a practice or program's 
website, where available, or physical location; viewing the entity's 
Patient Notice or HIPAA NPP if it is available; and taking all these 
steps within no more than 60 days before requesting records or placing 
an undercover agent or informant.
    SAMHSA's online treatment locator,\100\ even if it does not include 
every SUD provider or may include outdated information for some 
providers, still is more inclusive than PDMPs. Generally, only SUD 
providers who prescribe controlled substances submit data to PDMPs 
while SAMHSA's online treatment locator also includes SUD providers who 
do not prescribe controlled substances. Further, we believe that 
requiring consultation of a PDMP by investigative agencies could 
unnecessarily increase exposure of patient records that are contained 
in a PDMP with the records of part 2 programs or lawful holders who are 
under investigation. The inherent risk of an unnecessary disclosure of 
patient records runs counter to the underlying intent to keep these 
records confidential. Finally, the SAMHSA online treatment locator uses 
existing Departmental resources and is readily available to the general 
public at no cost.\101\
---------------------------------------------------------------------------

    \100\ See Substance Abuse and Mental Health Servs. Admin., 
``FindTreatment.gov,'' https://findtreatment.gov/.
    \101\ See Ned J. Presnall, Giulia Croce Butler, and Richard A. 
Grucza, ``Consumer access to buprenorphine and methadone in 
certified community behavioral health centers: A secret shopper 
study,'' Journal of Substance Abuse Treatment (Apr. 29, 2022), 
https://www.jsatjournal.com/article/S0740-5472(22)00070-8/fulltext; 
Cho-Hee Shrader, Ashly Westrick, Saskia R. Vos, et al., 
``Sociodemographic Correlates of Affordable Community Behavioral 
Health Treatment Facility Availability in Florida: A Cross-Sectional 
Study,'' The Journal of Behavioral Health Services & Research (Jan. 
4, 2023), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9812544/.
---------------------------------------------------------------------------

    As to the suggestion that checking state licensing information 
would be a better indicator of a program's part 2 status, the 
Department disagrees. Licensing may occur at the facility level,

[[Page 12488]]

or separately by occupational specialty, which would require an 
investigative agency to scour several sources of information. Further, 
the definition of part 2 program is broader than that of licensed SUD 
treatment providers because it can include prevention programs, so the 
pool of licensed provider is overly narrow and does not address the 
requirements that a program ``hold itself out'' as providing SUD 
services or that it is in receipt of Federal assistance.
    Regarding comments that HHS did not consult with civil rights 
organizations, legal and policy advocates, providers, or patients, we 
note that we received and reviewed comments submitted by individuals 
and advocacy and civil rights organizations as we are required to do as 
part of the rulemaking process. We also consulted with DOJ and other 
Federal agencies.
    We also acknowledge and appreciate concerns among some individual 
commenters that this provision may further stigmatize people seeking 
SUD treatment. However, we believe the requirement to demonstrate 
reasonable diligence to determine part 2 status in the safe harbor 
along with the requirements in Sec. Sec.  2.66 and 2.67 that prohibit 
use or disclosure of records against a patient in a criminal 
investigation or prosecution or in an application for a court order to 
obtain records for such purposes will help ensure and enhance patient 
privacy consistent with the purpose and intent of part 2 and 42 U.S.C. 
290dd-2 as amended by the CARES Act. We will monitor implementation and 
take steps to address any unintended adverse consequences that may 
follow, particularly for patients because they are not the intended 
focus of these investigations.
    The safe harbor is not required by the CARES Act; it is grounded in 
the Secretary's general rulemaking authority for the confidentiality of 
SUD patient records under 42 U.S.C. 290dd-2(g) and is necessary to 
operationalize subpart E, particularly in the context of other health 
care investigations. For example, investigative agencies may 
inadvertently obtain records from part 2 programs in the course of 
their investigations under other laws such as Medicaid fraud 
regulations, Drug Enforcement Administration (DEA) regulations, and 
HIPAA, where the applicability of part 2 (and the court order 
requirement for program investigations) is not obvious. The safe harbor 
provision facilitates a pathway to conduct the investigation under the 
amended part 2 statute. Contrary to some views expressed by commenters, 
it may be inappropriate for an investigative agency to directly discuss 
with or contact the provider about whether part 2 applies because this 
could apprise them of an investigation or potential use of an informant 
under subpart E. In contrast, reliance on a publicly available 
directory, a HIPAA NPP, or Patient Notice offers neutral sources to 
alert agencies to the potential applicability of part 2.
Comment
    A health care system commented that an investigative agency should 
have ample and sufficient notice that it may receive or come into 
contact with SUD records in the course of investigating or prosecuting 
a part 2 program. However, depending on the requirements or standards 
to be met, the commenter stated that it may be more expedient for an 
investigating agency to rely on the safe harbor after it comes into 
contact with part 2 records. As a result, investigative agencies might 
intentionally bypass the requirement to obtain consent or a court order 
and decide instead to avail themselves of the safe harbor after 
disclosure. In addition, the commenter asserted that the good faith 
standard could easily become diluted and might permit an investigator 
to hide behind the safe harbor when their conduct is the result of 
ignorance or an error in judgment. The commenter also expressed concern 
that the good faith standard would allow for a spectrum of 
interpretations and different courts may apply the standard 
differently, leading to inconsistent results; as such, it would be 
important for the Department to audit and monitor the use of the safe 
harbor to ensure it is being used appropriately.
    An individual commenter asserted that expanding the reach of the 
CARES Act \102\ to create safe harbors for the criminal justice 
communities for violations of part 2 is beyond the intent of Congress, 
noting that the CARES Act does not require the creation of a limitation 
on civil or criminal liability for persons acting on behalf of 
investigative agencies if they unknowingly receive part 2 records. This 
commenter expressed concern that creating a limitation on civil or 
criminal liability under Sec.  2.3 of 42 CFR part 2 or a good faith 
exception under the proposed new paragraph under Sec.  2.66(a)(3) of 42 
CFR part 2 would ``encourage lax investigative actions on the part of 
an investigative agency.'' The commenter believed that investigative 
agencies should continue to be required to seek an authorization from a 
court to use or disclose any records implicated by part 2 protections 
because admonishing an investigative agency to cease using or 
disclosing part 2 records after the fact would in practice give the 
investigative agency license to screen and review part 2 records. This 
commenter also said that the good faith standard of Sec.  2.66(a)(3) 
would offer investigative agencies an ``excuse'' to receive and review 
part 2 records. This commenter also asserted that Sec. Sec.  2.3 and 
2.66(a)(3) and (b) should be eliminated from the final rule as not 
required by the CARES Act and inconsistent with the confidentiality of 
a patient relying on part 2 protections of their records in seeking or 
receiving SUD treatment.
---------------------------------------------------------------------------

    \102\ See sec. 3221(i)(1) of the CARES Act.
---------------------------------------------------------------------------

    Another commenter argued that the limitation of liability would not 
negatively affect a patient's access to SUD treatment but might 
``influence the investigative agency to be cavalier in obtaining the 
appropriate [consent or court order] if they are aware that its 
liability will be limited.'' This commenter further opined that the 
annual reporting to the Secretary could serve as an important way to 
audit the use of the safe harbor this protection, and the limitation of 
liability may support an investigative agency's ability to investigate 
a program, which could increase the quality of care.
Response
    We believe that some commenters misunderstand the process of 
investigating a health care provider and we disagree that an 
investigator would always know before seeking records that a provider 
is subject to part 2. In many instances, an investigation is focused on 
the use of public money such as Medicaid or Medicare claims and 
reimbursement, and the focus is not on whether a provider is treating 
SUDs. Regarding the good faith standard as we explain below, we believe 
the phrase is generally understood to means acting consistent with both 
the text and intent of the statute and part 2 regulations.
    We believe that the operation of this provision is clear in the 
event a finding of good faith is not met. First, a lack of good faith 
could result in the imposition of HIPAA/HITECH Act penalties under 42 
U.S.C. 290dd-2, as amended, if investigators are found to have acted in 
bad faith in obtaining the part 2 records. Second, in Sec. Sec.  2.66 
and 2.67, a finding of good faith is necessary to trigger the ability 
of the agency to apply for a court order to use records that were 
previously obtained.
    We also disagree that this provision will encourage lax 
investigative actions or prompt agencies to ``game'' the regulations to 
improperly obtain

[[Page 12489]]

records. First, the manner in which agencies obtain records will be 
considered by a court as part of the court order process. Second, while 
the safe harbor operates as a limitation on civil and criminal 
liability under 42 U.S.C. 290dd-2(f), it does not provide absolute 
immunity under Federal or state law should an agency or person 
knowingly obtain records improperly or under false pretenses. For 
example, it would be improper to knowingly obtain records without 
following the required procedures for the type of request, or under 
false pretenses.
    We agree with the sentiment that the reporting requirement in Sec.  
2.68 will serve as a useful tool to help monitor the appropriateness of 
investigative agencies' reliance on the regulatory safe harbor. We also 
appreciate the view that facilitating appropriate investigations will 
play an important role in ensuring the quality of care delivered by 
part 2 programs.
Comment
    An SUD provider said that this safe harbor essentially could 
establish a loophole for investigative agencies to obtain part 2 
records without following part 2 requirements, and thus adversely 
affect patient privacy. This commenter believed that the proposed rule 
attempted to justify the safe harbor by addressing the increased 
liability due to added penalties for violations of part 2, the need to 
prosecute bad actors, and public safety. However, this justification 
was misplaced, according to this commenter, and the safe harbor might 
only reduce important protections that limit investigative agencies' 
ability to obtain protected records. By replacing the required elements 
in place to protect the privacy of patients with a loosely defined 
reasonable diligence standard, the proposed rule would only increase 
the chances of investigative agencies unknowingly receiving part 2 
records, according to this commenter. The proposed reasonable diligence 
standard provides investigative agencies with two options to determine 
part 2 application on a provider both of which the commenter views as 
insufficient. Ultimately, these proposed reasonable diligence standards 
can be easily bypassed as a way to obtain records without the requisite 
requirements. The organization expressed the belief that if a 
reasonable diligence standard remains in place, the Department should 
impose more stringent requirements under this standard, such as 
obtaining a copy of a provider's HIPAA NPP to determine part 2 
applicability or comparable requirement.
Response
    We acknowledge this commenter's concerns. As noted in this final 
rule at Sec.  2.3, we are revising the proposed ``reasonable 
diligence'' standard to mean taking all of the following actions: 
searching for the practice or provider among the SUD treatment 
facilities in SAMHSA's online treatment locator; searching in a similar 
state database of treatment facilities where available; checking a 
practice or program's website, where available, or its physical 
location; viewing the entity's Patient Notice or HIPAA NPP if it is 
available; and taking all these steps within no more than 60 days 
before requesting records or placing an undercover agent or informant. 
We are requiring these reasonable diligence steps to be taken in 
response to commenters' concerns about the effects of the safe harbor 
on patient privacy and their specific recommendations for strengthening 
those steps. Importantly, an investigative agency could be subject to 
penalties under the CARES Act enforcement provisions if it does not 
take all of the steps in the required time frame as necessary to 
qualify for the protection afforded by the safe harbor. Finally, as 
discussed above, the reporting requirement to the Secretary will play 
an important role in ensuring transparency. After this rule is 
finalized, the Department intends to make use of such reports to 
monitor compliance with these requirements and work to educate 
patients, providers, investigative agencies and others about these 
provisions.
Comment
    An individual commenter expressed concern about what they 
characterized as a broad swath of potential agencies that conduct 
activities covered by the term ``investigation.'' The commenter opined 
that the types of agencies that conduct investigations are broad and 
many have repeatedly demonstrated their lack of prioritization of 
patient privacy and personal rights. The commenter believed that the 
Department outlines reasonable minimums including access controls, 
requesting and maintaining the minimum data required, and taking the 
most basic steps to determine if staff should or could access patient 
data before doing so, as well as obtaining the legally required 
permissions to lawfully receive such data. However, inability to follow 
these most basic guidelines does not support reducing liability, the 
commenter asserted, suggesting that the reasonable steps the Department 
describes in Sec.  2.3 should be required for investigatory agencies to 
receive any PHI or part 2 records or to deploy an informant.
    An anonymous commenter alleged that parole officers in their state 
frequently violate part 2 by making notes in an automated system 
redisclosing part 2 information from community providers. Until there 
is a regulatory and investigative agency invested in ensuring strict 
adherence to this regulation, the commenter said the Department should 
not ease up on the restrictions and access to SUD confidential 
information.
Response
    We acknowledge that a broad range of agencies is encompassed within 
the definition of ``investigative agency,'' and they have varying 
degrees of involvement with the provision of health care. The 
prerequisites for accessing part 2 records for audit and evaluation 
differ, intentionally, from the prerequisites for placing an informant 
within a program, although both may involve investigative agency review 
of part 2 records. The requirement to first obtain a court order before 
records are sought in a criminal investigation or prosecution is a much 
higher standard. While the safe harbor operates as a limitation on 
civil and criminal liability for agencies that have acted in good 
faith, it does not provide immunity under Federal or state law should 
an investigative agency knowingly obtain records improperly or under 
false pretenses. Further, this final rule establishes a right to file a 
complaint with the Secretary for violations of part 2 by, among others, 
lawful holders.
Comment
    A medical professional association encouraged extending safe harbor 
protections to part 2 programs, providers, business associates, and 
covered entities acting in good faith for at least 34 months following 
the 60-day effective date period (36 total months). According to the 
commenter, this protection is essential to encourage providers to hold 
themselves out as SUD providers and other entities to support part 2 
programs, which will be especially important as the health care system 
implements these new regulations. However, the commenter opposed the 
proposed the safe harbor for investigative agencies as written. 
According to this commenter, as written the proposed safe harbor could 
reduce access to care if part 2 programs or providers feel more at risk 
for acting in good faith than the investigative agencies that do not 
provide patient care.

[[Page 12490]]

Response
    As discussed in the proposed rule, the effective date of a final 
rule will be 60 days after publication and the compliance date will be 
24 months after the publication date. The Department acknowledges 
concerns about compliance and may provide additional guidance after the 
rule is finalized. We acknowledge requests by commenters to extend the 
safe harbor beyond investigative agencies to covered entities, health 
plans, HIEs/HINs, part 2 programs, APCDs, and others. However, we 
decline to make these requested changes because Sec.  2.3 is 
specifically intended to operate in tandem with Sec. Sec.  2.66 and 
2.67 when investigative agencies unknowingly obtain part 2 records in 
the course of investigating or prosecuting a part 2 program and, as a 
result, fail to obtain the required court order in advance. We also 
believe that covered entities and business associates that are likely 
to receive part 2 records are routinely engaged in health care 
activities and are more likely to be aware when they are receiving such 
records.
Comment
    A health IT vendor addressed our request for comment on whether to 
expand the limitation on civil or criminal liability for persons acting 
on behalf of investigative agencies to other entities. The commenter 
requested clarification on how the Department defines ``unknowingly'' 
when considering whether a safe harbor should be created for SUD 
providers that unknowingly hold part 2 records and unknowingly disclose 
them in violation of part 2.
Response
    We have not developed a formal definition of ``unknowingly;'' 
however, the safe harbor for investigative agencies addresses 
situations where the recipient is unaware that records they have 
obtained contain information subject to part 2 although the agency 
first exercised reasonable diligence to determine if the disclosing 
entity was a part 2 program. The reasonable diligence expected of an 
SUD provider would be different in nature because such a provider 
uniquely possesses the information necessary to evaluate whether it is 
subject to this part, and consequently whether any patient records it 
creates are also subject to this part. We think it is more likely that 
the ``unknowing'' situation could occur when an entity other than a 
part 2 program receives records without the Notice to Accompany 
Disclosure and rediscloses them in violation of this part because it is 
unaware that it possesses part 2 records. As we stated in the NPRM, we 
believe this scenario is addressed by the HITECH penalty tiers, so we 
are not expanding the safe harbor to other entities. Covered entities 
and business associates that are likely to receive part 2 records are 
routinely engaged in health care activities and are more likely to be 
aware that they are receiving such records. Further, the HITECH penalty 
tiers were designed to address privacy violations by covered entities 
and business associates.
Comment
    Many commenters argued that the proposed safe harbor provisions 
should apply to entities beyond investigative agencies. The commenters 
included a medical association, a state Medicaid agency, a managed care 
organization, health care providers, HIEs, a state HIE association, and 
other professional and trade associations. The range of entities for 
which a safe harbor was recommended include the following: non-
investigative agencies; covered entities; business associates; other 
SUD providers, facilities, and other providers generally who act in 
good faith and use reasonable diligence to determine whether records 
received/maintained are covered by part 2; health plans based on good 
faith redisclosures that comply with the HIPAA Privacy rule but not 
with the part 2 Rule; HIEs; SUD providers that are unaware of its 
practice designation as a part 2 provider; state Medicaid agency 
administering the Medicaid program; all payer claims databases (APCDs); 
part 2 programs; and lawful holders who, in good faith, unknowingly 
receive part 2 records and then unintentionally violate part 2 with 
respect to those records.
    A county government argued that amending Sec.  2.3 to contain a 
safe harbor provision for providers would better serve the policy goals 
of protecting patient privacy, while recognizing that health systems 
are moving toward integrating substance use treatment with other health 
conditions and behavioral health needs. Many part 2 programs provide 
integrated substance use and mental health treatment, and include 
providers who provide both mental health and substance use treatment or 
work in collaboration with mental health treatment providers. In these 
``dual diagnosis'' programs, mental health providers may over time 
unknowingly generate and/or receive and possess records subject to part 
2.
    Another commenter, a professional association, urged that such a 
safe harbor should remain in place until such time as there is an 
operationally viable means of providing the Notice to Accompany 
Disclosures of part 2 records in Sec.  2.32. It should apply to HIPAA 
entities only if and to the extent that HHS does not, in the final 
rule, permit these entities to integrate these records with their 
existing patient records and treat the data as PHI which, the 
association asserted is the best approach from both patient care and 
operational perspectives.
Response
    We acknowledge requests by commenters to extend the safe harbor 
beyond investigative agencies to covered entities, health plans, HIEs/
HINs, part 2 programs, APCDs, and others. However, we decline to make 
these requested changes because Sec.  2.3 is specifically intended to 
operate in tandem with Sec. Sec.  2.66 and 2.67 when investigative 
agencies unknowingly obtain part 2 records in the course of 
investigating or prosecuting a part 2 program and, as a result, fail to 
obtain the required court order in advance. By contrast, Sec. Sec.  
2.12, 2.31, and 2.32, including the requirement in this final rule that 
each disclosure made with the patient's written consent must be 
accompanied by a notice and a copy of the consent or a clear 
explanation of the scope of the consent, should be sufficient to inform 
recipients of part 2 records of the applicability of part 2 in 
circumstances that do not involve investigations or use of informants.
    SUD providers, in particular, are obligated to know whether they 
are subject to part 2. In the event of an enforcement action against a 
lawful holder that involves an unknowing receipt or disclosure of part 
2 records despite the lawful holder having exercised reasonable 
diligence, the Department will consider the facts and circumstances and 
make a determination as to whether the disclosure of part 2 records 
warrants an enforcement action against the lawful holder. This would 
include considering application of the ``did not know'' culpability 
tier for such violations.\103\
---------------------------------------------------------------------------

    \103\ See 45 CFR 160.404 (b)(2)(i) (the entity ``did not know 
and, by exercising reasonable diligence, would not have known that 
[they] violated such provision[.]''). See also Social Security Act, 
sections 1176 and 1177.
---------------------------------------------------------------------------

Comment
    A health information management association remarked that covered 
entities, lawful holders, and other recipients of SUD PHI are obligated 
to be aware of what information is being disclosed prior to disclosing 
it. Law enforcement requests for information

[[Page 12491]]

should be clear to prevent inadvertent disclosures. According to the 
commenter, a court order, subpoena, or patient ``authorization'' should 
be necessary before obtaining SUD information. Under 45 CFR 164.512(e) 
criteria required for a valid court order and/or subpoena protects the 
SUD PHI. Disclosing SUD information before the correct protections are 
in place could result in the SUD information becoming discoverable 
through the Freedom of Information Act (FOIA).\104\ In addition, once 
the information is disclosed the recipients cannot unsee or unknow the 
information, nor are mechanisms in place to properly return or destroy 
the information.
---------------------------------------------------------------------------

    \104\ Public Law 89-487, 80 Stat. 250 (July 4, 1966) (originally 
codified at 5 U.S.C. 1002; codified at 5 U.S.C. 552).
---------------------------------------------------------------------------

Response
    Part 2, subpart E, requirements are distinct from the HIPAA Privacy 
Rule requirements at 45 CFR 164.512(e). We agree that it is important 
to engage with patients and patient organizations to ensure part 2 
continues to bolster patient privacy and access to SUD treatment. 
SAMHSA provides funding to support the Center of Excellence for 
Protected Health Information Related to Behavioral Health \105\ which 
does not provide legal advice but can help answer questions from 
providers and family members about HIPAA, part 2, and other behavioral 
health privacy requirements. The required report to the Secretary in 
Sec.  2.68 will help the Department monitor investigations and 
prosecutions involving part 2 records. While in theory FOIA or similar 
state laws could apply to mistakenly released information, FOIA 
includes several exemptions and exclusions that could apply to withhold 
information from release in response to a request for such information, 
including FOIA Exemptions 3 (requires the withholding of information 
prohibited from disclosure by another Federal statute), 6 (protects 
certain information about an individual when disclosure would 
constitute a clearly unwarranted invasion of personal privacy), and 7 
(protects certain records or information compiled for law enforcement 
purposes).\106\ State health privacy laws or freedom of information 
laws may contain similar exemptions.\107\
---------------------------------------------------------------------------

    \105\ See The Ctr. of Excellence for Protected Health Info., 
``About COE PHI,'' https://coephi.org/about-coe-phi/.
    \106\ 5 U.S.C. 552(b)(3), (b)(6) & (b)(7).
    \107\ See, e.g., National Freedom of Info. Coal., ``State 
Freedom of Information Laws,'' https://www.nfoic.org/state-freedom-of-information-laws/ and Seyfarth Shaw LLP, ``50-State Survey of 
Health Care Information Privacy Laws'' (July 15, 2021), https://www.seyfarth.com/news-insights/50-state-survey-of-health-care-information-privacy-laws.html.
---------------------------------------------------------------------------

Final Rule
    We are finalizing Sec.  2.3(b) with the additional modifications 
discussed above in response to public comments and reorganizing for 
clarity. This final rule strengthens the safe harbor's proposed 
reasonable diligence requirements in response to public comments that 
the proposed steps would be insufficient and provides that all of the 
specified actions must be initiated for the limitation on liability to 
apply. We clarify here that if any of the actions taken results in 
knowledge that a program or person holding records is subject to part 
2, no further steps are required to further confirm that the program or 
person holding records is subject to part 2.
Section 2.3(c) Applying the HIPAA Enforcement Rule to Part 2 Violations
Proposed Rule
    Proposed Sec.  2.3(c) stated that the HIPAA Enforcement Rule shall 
apply to violations of part 2 in the same manner as they apply to 
covered entities and business associates for violations of part C of 
title XI of the Social Security Act and its implementing regulations 
with respect to PHI.108 109
---------------------------------------------------------------------------

    \108\ See 45 CFR part 160, subpart C (Compliance and 
Investigations), D (Imposition of Civil Money Penalties), and E 
(Procedures for Hearings). See also sec. 13410 of the HITECH Act 
(codified at 42 U.S.C. 17929).
    \109\ This proposal would implement the required statutory 
framework establishing that civil and criminal penalties apply to 
violations of this part, as the Secretary exercises only civil 
enforcement authority. The DOJ has authority to impose criminal 
penalties where applicable. See 68 FR 18895, 18896 (Apr. 17, 2003).
---------------------------------------------------------------------------

Comment
    A state agency stated its view that if Sec.  2.3(c) applies the 
various sanctions of HIPAA to part 2 programs regardless of whether the 
program is a HIPAA covered entity or business associate, the need to 
retain QSOs for part 2 programs that are not covered entities seems to 
be eliminated.
Response
    We disagree that including this section obviates the need for QSOs, 
which we discuss below in Sec.  2.11.
Final rule
    We are finalizing Sec.  2.3(c) with modifications changing 
references to ``violations'' to ``noncompliance.'' This minor change 
recognizes that the provisions of the HIPAA Enforcement Rule address 
not only penalties based on formal findings of violations but also many 
other aspects of the enforcement process, including procedures for 
receiving complaints and conducting investigations into alleged or 
potential noncompliance, which could result in informal resolution 
without a formal finding of a violation.
Section 2.4--Complaints of Noncompliance
Proposed Rule
    The Department proposed to change the existing language of 
paragraphs (a) and (b) of Sec.  2.4 which provide that reports of 
violations of the part 2 regulations may be directed to the U.S. 
Attorney for the judicial district in which the violation occurs and 
reports of any violation by an OTP may be directed to the U.S. Attorney 
and also to SAMHSA. Section 290dd-2(f) of 42 U.S.C., as amended by 
section 3221(f) of the CARES Act, grants civil enforcement authority to 
the Department, which currently exercises its HIPAA enforcement 
authority under section 1176 of the Social Security Act in accordance 
with the HIPAA Enforcement Rule. To implement these changes, the 
Department proposed to re-title the heading to this section by 
replacing ``Reports of violations'' with ``Complaints of 
noncompliance,'' and to replace the existing provisions about directing 
reports of part 2 violations to the U.S. Attorney's Office and to 
SAMHSA with provisions about directing complaints of potential 
violations to a part 2 program. The Department noted that SAMHSA 
continues to oversee OTP accreditation and certification and therefore 
may receive reports of alleged violations by OTPs of Federal opioid 
treatment standards, including privacy and confidentiality 
requirements.
    The Department proposed to add Sec.  2.4(a) to require a part 2 
program to have a process to receive complaints concerning a program's 
compliance with the part 2 regulations. Proposed Sec.  2.4(b) provided 
that a part 2 program may not intimidate, threaten, coerce, 
discriminate against, or take other retaliatory action against any 
patient for the exercise of any right established, or for participation 
in any process provided for in part 2, including the filing of a 
complaint. The Department also proposed to add Sec.  2.4(c) to prohibit 
a part 2 program from requiring patients to waive their right to file a 
complaint as a condition of the provision of treatment, payment, 
enrollment, or eligibility for any program subject to part 2.

[[Page 12492]]

Comment
    Commenters generally supported the Department's proposal to 
establish a complaint process under Sec.  2.4 that aligns with HIPAA 
and ensures part 2 programs would not retaliate against patients who 
filed a complaint or condition treatment or receipt of services on a 
patient's waiving any rights to file a complaint. Commenters advocated 
for part 2 patients being protected against potential discrimination, 
such as job loss, that may occur following improper disclosures of 
their treatment records. They further suggested that this provision 
aligns with the HIPAA Privacy Rule and thus will help to reduce 
administrative burdens. For example, covered entities can use their 
existing Privacy Offices and processes to oversee both part 2 and HIPAA 
compliance. Commenters also believed that application of the HIPAA 
Breach Notification Rule and the HIPAA Enforcement Rule will further 
help to protect part 2 patients. Additionally, commenters supported the 
inclusion of business associates and covered entities within the scope 
of this section.
Response
    We appreciate the comments for the proposed changes to align part 2 
with HIPAA Privacy Rule provisions concerning complaints. Patients with 
SUD continue to experience the effects of stigma and discrimination, 
one reason why privacy protections as established in this regulation 
remain important.\110\ We agree that aligning part 2 and HIPAA 
requirements may reduce administrative burdens.
---------------------------------------------------------------------------

    \110\ See, e.g., Lars Garpenhag, Disa Dahlman, ``Perceived 
healthcare stigma among patients in opioid substitution treatment: a 
qualitative study,'' Substance Abuse Treatment, Prevention, and 
Policy (Oct. 26, 2021), https://pubmed.ncbi.nlm.nih.gov/34702338/; 
Janet Zwick, Hannah Appleseth, Stephan Arndt, ``Stigma: how it 
affects the substance use disorder patient,'' Substance Abuse 
Treatment, Prevention, and Policy (July 27, 2020), https://pubmed.ncbi.nlm.nih.gov/32718328/; Richard Bottner, Christopher 
Moriates and Matthew Stefanko, ``Stigma is killing people with 
substance use disorders. Health care providers need to rid 
themselves of it,'' STAT News (Oct. 2, 2020), https://www.statnews.com/2020/10/02/stigma-is-killing-people-with-substance-use-disorders-health-care-providers-need-to-rid-themselves-of-it/.
---------------------------------------------------------------------------

Comment
    One commenter expressed concern about enhanced penalties, which it 
characterized as potentially punitive and best reserved for those who 
fail to exercise due diligence. Such penalties may deter part 2 
programs from sharing part 2 information, this commenter asserted. 
Other commenters similarly noted what they viewed as potential 
deterrent effects of penalties provided for in this regulation on 
information sharing. A commenter urged reduced penalties for 
unintentional disclosures by part 2 programs as they may require time 
and assistance to comply with these regulations. Another commenter 
urged that clinicians should not be held liable for unintentional 
disclosures of part 2 records by part 2 programs which may need 
additional time and technical assistance to comply with these updated 
regulations in accordance with this regulation.
    By contrast, another commenter urged strict enforcement of this 
provision including penalties for both negligent and intentional 
breaches. The commenter recommended enforcement by states' attorneys 
general and a private right of action for complainants under part 2 if 
states' attorneys general do not pursue enforcement.
Response
    Existing part 2 language imposes a criminal penalty for 
violations.\111\ Section 3221(f) of the CARES Act (codified at 42 
U.S.C. 290dd-2(f)) requires the Department to apply the provisions of 
sections 1176 and 1177 of the Social Security Act to a part 2 program 
for a violation of 42 CFR part 2 in the same manner as they apply to a 
covered entity for a violation of part C of title XI of the Social 
Security Act. Accordingly, the Department proposed to replace title 18 
U.S.C. criminal enforcement in the current regulation with civil and 
criminal penalties under sections 1176 and 1177 of the Social Security 
Act (42 U.S.C. 1320d-5, 1320d-6), respectively, as implemented in the 
HIPAA Enforcement Rule.\112\ Under the HIPAA Enforcement Rule, criminal 
violations fall within the purview of DOJ. Historically, commenters 
have noted that enforcement of penalties concerning alleged part 2 
violations has been limited.\113\ By aligning part 2 requirements in 
this final rule with current HIPAA provisions, part 2 programs now will 
be subject to an enforcement approach that is consistent with that for 
HIPAA-regulated health care providers, thereby reducing administrative 
burdens for part 2 programs that are also HIPAA-covered entities. As 
some commenters suggested, this will also enable staff within HIPAA and 
part 2-regulated entities to more effectively collaborate given 
additional alignment of part 2 and HIPAA regulatory provisions.
---------------------------------------------------------------------------

    \111\ 42 CFR 2.3 (Criminal penalty for violation).
    \112\ HIPAA Enforcement Rule, 45 CFR part 160, subparts C, D, 
and E.
    \113\ See Kimberly Johnson, ``COVID-19: Isolating the Problems 
in Privacy Protection for Individuals with Substance Use Disorder,'' 
University of Chicago Legal Forum (May 1, 2021), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3837955; Substance Abuse 
and Mental Health Servs. Admin., ``Substance Abuse Confidentiality 
Regulations; Frequently Asked Questions'' (July 24, 2023), https://www.samhsa.gov/about-us/who-we-are/laws-regulations/confidentiality-regulations-faqs.
---------------------------------------------------------------------------

    Therefore, it is unlikely that part 2 programs will experience an 
adverse impact beyond that which in general applies to covered entities 
under HIPAA. As the Department has explained elsewhere, alleged 
unintentional violations are often resolved with covered entities 
through voluntary compliance or corrective action.\114\
---------------------------------------------------------------------------

    \114\ See ``Enforcement Process,'' supra note 99; HIPAA 
Enforcement Rule, 45 CFR part 160, subparts C, D, and E.
---------------------------------------------------------------------------

    Knowing or intentional violations of HIPAA may be referred to DOJ 
for a criminal investigation. As noted in the NPRM, criminal penalties 
may be imposed by DOJ for certain violations under 42 U.S.C. 1320d-6. 
After publication of this final rule, the Department may provide 
additional guidance specific to part 2; however, we anticipate that 
many entities now will be more comfortable appropriately sharing 
information and developing plans to mitigate risks of part 2 and HIPAA 
violations because the HIPAA and part 2 complaint provisions are now 
better aligned.\115\
---------------------------------------------------------------------------

    \115\ See U.S. Dep't of Health and Human Servs., ``Guidance on 
Risk Analysis,'' (July 22, 2019), https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html.
---------------------------------------------------------------------------

    Section 1176 of the Social Security Act, (codified at 42 U.S.C. 
1320d-5), also provides for enforcement by states' attorneys general in 
the form of a civil action. The reference to this statutory provision 
in Sec.  2.3 encompasses this avenue of enforcement.
    Although the HIPAA and HITECH penalties do not provide a private 
right of action for privacy violations, as discussed elsewhere in this 
preamble, in this final rule we provide a right for a person to file a 
complaint to the Secretary for an alleged violation by a part 2 
program, covered entity, business associate, qualified service 
organization, or other lawful holder of part 2 records. While a person 
may file a complaint to the Secretary, part 2 programs also must 
establish a process for the program to directly receive complaints. The 
right to file a complaint directly with the Secretary for an alleged 
violation is analogous to a similar provision within the HIPAA Privacy 
Rule.\116\ Although

[[Page 12493]]

the right to file a complaint to the Secretary for an alleged violation 
of part 2 was not included in the proposed text of Sec.  2.4, it was 
included in the required statements for the Patient Notice. Adding the 
language to Sec.  2.4 is a logical outgrowth of the NPRM and a response 
to public comments received.
---------------------------------------------------------------------------

    \116\ 45 CFR 160.306.
---------------------------------------------------------------------------

Comment
    One commenter asked for a clarification of what is considered an 
``adverse action'' for the purposes of this section. Other commenters 
requested clarification from the Department that acting on a complaint 
that was held in abeyance after a patient exercises their right to 
withdraw consent would not be viewed as retaliation.
Response
    In the NPRM the Department referred to a prohibition on ``taking 
adverse action against patients who file complaints.'' This prohibition 
is broadly similar to that which exists within HIPAA in 45 CFR 160.316 
and 164.530. The Department has described ``adverse actions'' as those 
that may constitute intimidation or retaliation, such as suspending 
someone's participation in a program.\117\ We are not clear what the 
commenter means in referring to taking action on a complaint that was 
held in abeyance after a patient exercises their right to withdraw 
consent not being viewed as retaliation. However, a complaint can be 
withdrawn by the filer.\118\ Health care entities can likewise take 
steps to investigate complaints internally and OCR has developed tools 
and resources to support HIPAA compliance.\119\
---------------------------------------------------------------------------

    \117\ 70 FR 20224, 20230 (Apr. 18, 2005); 71 FR 8389, 8399 (Feb. 
16, 2006).
    \118\ See U.S. Dep't of Health and Human Servs., ``Enforcement 
Highlights'' (July 6, 2023), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html.
    \119\ See U.S. Dep't of Health and Human Servs., ``HIPAA 
Enforcement'' (July 25, 2017), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html.
---------------------------------------------------------------------------

Comment
    Several commenters, including legal and SUD recovery advocacy 
organizations, urged the Department to include in the final rule 
provisions permitting a patient to complain directly to OCR or the 
Secretary, paralleling provisions in HIPAA. Another commenter asked 
about obligations of entities, such as medical licensing boards and 
physician health programs, and how a patient would report alleged 
violations by those entities.
Response
    In response to public comments, we are adding a new provision to 
Sec.  2.4 in this final rule to permit a person to file a complaint to 
the Secretary for a violation of this part by, among others, a lawful 
holder of part 2 records in the same manner as a person may file a 
complaint under 45 CFR 160.203 for a HIPAA violation. Specifically, we 
provide in Sec.  2.4(b) that ``[a] person may file a complaint to the 
Secretary for a violation of this part by a part 2 program, covered 
entity, business associate, qualified service organization, or other 
lawful holder'' in the same manner as under HIPAA (45 CFR 160.306). By 
making this change, we are aligning part 2 with HIPAA and ensuring an 
adequate mechanism for review and disposition of complaints related to 
alleged part 2 violations. We are also adding a regulatory definition 
of lawful holder in this final rule at Sec.  2.11. The Department will 
provide information about how to file complaints of alleged part 2 
violations before the compliance date for the final rule.
Comment
    A commenter asked whether the state, agency, or disclosing person 
would be penalized for a violation that results in the impermissible 
disclosure of records subject to HIPAA or part 2.
Response
    Whether a party subject to part 2 is held accountable for a 
particular violation will depend on the facts and circumstances of the 
case. The Department has explained elsewhere that it will attempt to 
resolve enforcement actions through voluntary compliance, corrective 
action, and/or a resolution agreement, and we anticipate that applying 
the HIPAA Enforcement Rule framework to part 2 will have similar 
results.\120\ Further, lawful holders are prohibited from using and 
disclosing records in proceedings against a patient absent written 
consent or a court order. In the case of an improper disclosure by a 
part 2 program employee, the part 2 program would likely be provided 
with notice of an investigation and the investigator would review 
whether the program had policies and procedures in place and whether 
those were followed in its handling of the improper disclosure. An 
entity's compliance officer can help ensure breaches are properly 
investigated and reported to the Department,\121\ and has 
responsibilities to develop and implement a compliance plan.
---------------------------------------------------------------------------

    \120\ See ``How OCR Enforces the HIPAA Privacy & Security 
Rules,'' supra note 97.
    \121\ See ``What are the Duties of a HIPAA Compliance Officer?'' 
The HIPAA Journal, https://www.hipaajournal.com/duties-of-a-hipaa-compliance-officer/; U.S. Dep't of Health and Human Servs., ``The 
HIPAA Privacy Rule'', https://www.hhs.gov/hipaa/for-professionals/privacy/index.html; U.S. Dep't of Health and Human Servs., 
``Submitting Notice of a Breach to the Secretary'' (Feb. 27, 2023), 
https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html; U.S. Dep't of Health and Human Servs., 
``Training Materials'', https://www.hhs.gov/hipaa/for-professionals/training/index.html.
---------------------------------------------------------------------------

Comment
    A commenter asked for clarification that penalties would not be 
concurrently imposed under both HIPAA and part 2 for the same alleged 
violation(s).
Response
    HIPAA and part 2 regulations stem from different statutory 
authorities and are different compliance regulations. With the CARES 
Act, Congress replaced the previous criminal penalties established for 
part 2 violations with a civil and criminal penalty structure imported 
from HITECH. Nothing in the CARES Act states that an entity that is 
subject to both regulatory schemes shall be subject to only one 
regulation or one regulation's penalties. Therefore, an entity 
potentially remains subject to both regulations, including their 
provisions on penalties for violations.
    What penalties could or would be imposed by the Department in a 
particular case, and under which statutes or regulations (HIPAA, 
HITECH, part 2, other regulations), remains a fact-specific inquiry. 
State law provisions also may apply concurrently with some part 2 and 
HIPAA requirements.\122\ Additionally, some aspects of part 2 or HIPAA 
violations may fall within the jurisdiction of other agencies such as 
SAMHSA (which continues to oversee accreditation of OTPs).\123\
---------------------------------------------------------------------------

    \122\ See The Off. of the Nat'l Coordinator for Health Info. 
Techn. (ONC), ``HIPAA versus State Laws'' (Sept. 5, 2017), https://www.healthit.gov/topic/hipaa-versus-state-laws; Nat'l Ass'n of State 
Mental Health Program Dirs., ``TAC Assessment Working Paper: 2016 
Compilation of State Behavioral Health Patient Treatment Privacy and 
Disclosure Laws and Regulations,'' (2016) https://www.nasmhpd.org/content/tac-assessment-working-paper-2016-compilation-state-behavioral-health-patient-treatment.
    \123\ See Substance Abuse and Mental Health Servs. Admin., 
``Certification of Opioid Treatment Programs (OTPs)'' (July 24, 
2023), https://www.samhsa.gov/medications-substance-use-disorders/become-accredited-opioid-treatment-program.
---------------------------------------------------------------------------

Comment
    One commenter noted that some covered entities may not be part 2

[[Page 12494]]

providers and urged HHS to ease the burden on such programs. Another 
urged that business associates be included within the scope of this 
section.
Response
    We provide in Sec.  2.4(b) that ``[a] person may file a complaint 
to the Secretary for a violation of this part by a part 2 program, 
covered entity, business associate, qualified service organization, or 
other lawful holder in the same manner as a person may file a complaint 
under 45 CFR 160.306 for a violation of the administrative 
simplification provisions of the Health Insurance Portability and 
Accountability Act (HIPAA) of 1996.'' Thus, covered entities and 
business associates are included within the scope of this section. The 
compliance burdens for covered entities of receiving part 2 complaints 
can be minimized by using the same process they already have in place 
for receiving HIPAA complaints.
Comment
    Commenters provided their views as to which agency or agencies 
should receive part 2-related complaints. One commenter requested that 
the regulation expressly identify the agency(ies) authorized to receive 
part 2 complaints from patients. The commenter suggested that 
complaints made to part 2 programs by patients can raise conflict of 
interest issues because the program is investigating its own or its 
staff's alleged misconduct. The commenter further urged that the 
regulation identify specific agencies, such as OCR and SAMHSA, and 
state their obligation to investigate complaints received. Other 
commenters urged that OCR, rather than part 2 programs, receive 
complaints, that patients be permitted to complain directly of 
violations to OCR or that the Department clarify the various roles of 
OCR, SAMHSA, and other agencies. One commenter supported part 2 
programs having a process to receive complaints but said these programs 
are understaffed and underfunded so they would need additional 
resources. A health system that is a part 2 program and a covered 
entity also supported part 2 programs developing a process to receive 
complaints. A county health department asked that Sec.  2.4 be amended 
to include specific provisions about how and where patients can file 
their complaints with the HHS Secretary and the roles of HHS components 
in receiving and investigating complaints.
Response
    In response to public comments, and as provided in the HIPAA 
regulations, we are finalizing an additional modification to Sec.  2.4 
that was not included in this section but was proposed as a required 
statement of rights in the Patient Notice in Sec.  2.22(b)(1)(vi). The 
intent of the enforcement provisions in Sec.  2.4 was to create a 
process that mirrors that for HIPAA violations, but the Department 
inadvertently omitted from its proposed changes to this section an 
express right to complain to the Secretary. Analogous to 45 CFR 
160.306, which permits the submission of complaints to the Secretary 
alleging noncompliance by covered entities with the HIPAA Privacy 
Rule,\124\ we are providing in this final rule a right for a person to 
file a complaint to the Secretary for an alleged violation by a part 2 
program, covered entity, business associate, qualified service 
organization, and other lawful holder of part 2 records. Part 2 
programs also must establish a process for the program to receive 
complaints. A patient is not obliged to report an alleged violation 
either to the Secretary or part 2 program but may report to either or 
both. OCR has explained how HIPAA complaints are investigated, which 
may be instructive, but is not dispositive of how part 2 complaints 
will be handled.\125\ We believe our changes are a logical outgrowth of 
the NPRM which provided an opportunity for public input and we are 
making these changes in response to public comments received. We also 
anticipate releasing information about the specific complaint process 
after publication of this final rule.
---------------------------------------------------------------------------

    \124\ See U.S. Dep't of Health and Human Servs., ``Federal 
Register Notice of Addresses for Submission of HIPAA Health 
Information Privacy Complaints'' (June 8, 2020), https://www.hhs.gov/guidance/document/federal-register-notice-addresses-submission-hipaa-health-information-privacy-complaints; U.S. Dep't 
of Health and Human Servs., ``Filing a Complaint'' (Mar. 31, 2020), 
https://www.hhs.gov/hipaa/filing-a-complaint/index.html.
    \125\ See U.S. Dep't of Health and Human Servs., ``How to File a 
Health Information Privacy or Security Complaint'' (Dec. 23, 2022), 
https://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html.
---------------------------------------------------------------------------

Comment
    A commenter urged that the complaint process reflect the needs of 
those with limited English proficiency.
Response
    Part 2 programs should be mindful that Federal civil rights laws 
require certain entities, including recipients of Federal financial 
assistance and public entities, to take appropriate steps. For 
instance, such entities must take steps to ensure that communications 
with individuals with disabilities are as effective as communications 
with others, including by providing appropriate auxiliary aids and 
services where necessary.\126\ In addition, recipients of Federal 
financial assistance must take reasonable steps to ensure meaningful 
access to their programs and activities for individuals with limited 
English proficiency, including through language assistance services 
when necessary.\127\ The Department stated in the 2017 Part 2 Final 
Rule that materials such as consent forms ``should be written clearly 
so that the patient can easily understand the form.'' \128\ The 
Department further stated that it ``encourages part 2 programs to be 
sensitive to the cultural and linguistic composition of their patient 
population when considering whether the consent form should also be 
provided in a language(s) other than English (e.g., Spanish).'' \129\ 
Consistent with these legal requirements, the Department strongly 
encourages development of Sec.  2.4 materials that are clear and 
reflect the needs of a program's patient population.
---------------------------------------------------------------------------

    \126\ See e.g., U.S. Dep't of Health and Human Servs., 
``Effective Communication for Persons Who Are Deaf or Hard of 
Hearing'' (June 16, 2017), https://www.hhs.gov/civil-rights/for-individuals/disability/effective-communication/index.html; U.S. 
Dep't of Health and Human Servs., ``Section 1557: Ensuring Effective 
Communication with and Accessibility for Individuals with 
Disabilities'' (Aug. 25, 2016), https://www.hhs.gov/civil-rights/for-individuals/section-1557/fs-disability/index.html.
    \127\ See U.S. Dep't of Health and Human Servs., ``Guidance to 
Federal Financial Assistance Recipients Regarding Title VI 
Prohibition Against National Origin Discrimination Affecting Limited 
English Proficient Persons'' (July 26, 2013), https://www.hhs.gov/civil-rights/for-individuals/special-topics/limited-english-proficiency/guidance-federal-financial-assistance-recipients-title-vi/index.html; U.S. Dep't of Health and Human Servs., ``Section 
1557: Ensuring Meaningful Access for Individuals with Limited 
English Proficiency'' (Aug. 25, 2016), https://www.hhs.gov/civil-rights/for-individuals/section-1557/fs-limited-english-proficiency/index.html.
    \128\ 82 FR 6052, 6077.
    \129\ Id.
---------------------------------------------------------------------------

Comment
    Another commenter remarked that some covered entities may need 
technical assistance from the Department to establish complaint 
processes under this section.
Response
    The Department has existing materials to support compliance with 
HIPAA and part 2.\130\ SAMHSA supports a Center of Excellence for 
Protected Health Information Related to Behavioral Health that may 
provide educational

[[Page 12495]]

materials and technical assistance to providers, patients, family 
members, and others.\131\ The Department will consider what additional 
guidance, technical assistance, and engagement on these issues may be 
helpful for covered entities and the public after this regulation is 
finalized.
---------------------------------------------------------------------------

    \130\ See ``How OCR Enforces the HIPAA Privacy & Security 
Rules,'' supra note 97; ``Substance Abuse Confidentiality 
Regulations; Frequently Asked Questions,'' supra note 113.
    \131\ See ``About COE PHI,'' supra note 105.
---------------------------------------------------------------------------

Comment
    Other commenters emphasized that the Department may need additional 
funding and staff adequate to receive and investigate complaints and 
enforce these provisions. Another commenter similarly suggested that 
part 2 programs may need more resources to develop a complaint process, 
describing this as a ``substantial burden'' given part 2 program staff 
and funding challenges.
Response
    With respect to the burden on programs to develop a complaint 
process, we believe that the two-year compliance timeline will provide 
programs with sufficient time to plan for complaint management. We have 
accounted for the burden associated with complaints in the RIA. The 
Department has requested that Congress provide additional funding to 
support part 2 compliance, enforcement, and other activities.\132\ OCR, 
SAMHSA, CMS, and the Office of the National Coordinator for Health 
Information Technology (ONC) have and will continue to collaborate to 
support EHRs and health IT within the behavioral health space.\133\
---------------------------------------------------------------------------

    \132\ See U.S. Dep't of Health and Human Servs., ``Department of 
Health and Human Services, Fiscal Year 2024,'' FY 2024 Budget 
Justification, General Department Management, Office for Civil 
Rights, at 255, https://www.hhs.gov/sites/default/files/fy-2024-gdm-cj.pdf.
    \133\ Id. See also, The Off. of the Nat'l Coordinator for Health 
Info. Tech. (ONC), ``Behavioral Health,'' https://www.healthit.gov/topic/behavioral-health.
---------------------------------------------------------------------------

Comment
    Another commenter believed that programs may need time and support 
to adapt their information technology and EHRs, and urged SAMHSA to 
work with ONC to support such efforts.
Response
    The Department has estimated the cost to the Department to 
implement this final rule and enforce part 2 and has included that in 
the RIA. It has also requested additional funding to support 
compliance, enforcement, and other activities.\134\ The number of part 
2 programs in relation to HIPAA covered entities and business 
associates is very small, so the costs will not rise to the same level 
as for HIPAA implementation efforts. OCR, SAMHSA, CMS, and ONC have 
collaborated and will continue to collaborate to support EHRs and 
health IT within the behavioral health space.\135\
---------------------------------------------------------------------------

    \134\ See ``Department of Health and Human Services, Fiscal Year 
2024,'' supra note 132.
    \135\ See ``Behavioral Health,'' supra note 133.
---------------------------------------------------------------------------

Final Rule
    We are finalizing this section as proposed in the NPRM and further 
modifying it by adding a new paragraph that provides a patient right to 
file a complaint directly with the Secretary for violations of part 2 
by programs, covered entities, business associates, qualified service 
organizations, and other lawful holders.
    As noted in the NPRM, these changes to Sec.  2.4 will align part 2 
with HIPAA Privacy Rule provisions concerning complaints. Section 
2.4(a) is consistent with the administrative requirements in 45 CFR 
164.530(d) (Standard: Complaints to the covered entity). Proposed Sec.  
2.4(c) would align with the HIPAA Privacy Rule provision at 45 CFR 
164.530(g) (Standard: Refraining from intimidating or retaliatory 
acts). The proposed Sec.  2.4(d) would be consistent with the HIPAA 
Privacy Rule provision at 45 CFR 164.530(h) (Standard: Waiver of 
rights). Thus, part 2 programs that are also covered entities already 
have these administrative requirements in place, but programs that are 
not covered entities would need to adopt new policies and procedures.
Section 2.11--Definitions
Proposed Rule
    Section 2.11 includes definitions for key regulatory terms in 42 
CFR part 2. The Department proposed to add thirteen defined regulatory 
terms and modify the definitions of ten existing terms. Nine of the new 
regulatory definitions proposed for incorporation into part 2 were 
required by section 3221(d) of the CARES Act: ``Breach,'' ``Business 
associate,'' ``Covered entity,'' ``Health care operations,'' ``HIPAA 
regulations,'' ``Payment,'' ``Public health authority,'' ``Treatment,'' 
and ``Unsecured protected health information.'' In each case, 42 U.S.C. 
290dd-2(k), as amended by section 3221(d), requires that each term 
``has the same meaning given such term for purposes of the HIPAA 
regulations.'' \136\
---------------------------------------------------------------------------

    \136\ Section 3221(k) para. 5 incorporates the term HIPAA 
regulations and reads: ``The term `HIPAA regulations' has the same 
meaning given such term for purposes of parts 160 and 164 of title 
45, Code of Federal Regulations.''
---------------------------------------------------------------------------

    Other proposed new or modified definitions included: ``Informant,'' 
``Intermediary,'' ``Investigative agency,'' ``Part 2 program 
director,'' ``Patient,'' ``Person,'' ``Program,'' ``Qualified service 
organization,'' ``Records,'' ``Third-party payer,'' ``Treating provider 
relationship,'' ``Unsecured record,'' and ``Use.'' Some of these terms 
and definitions were proposed by either referencing existing HIPAA 
regulatory terms in 45 CFR parts 160 and 164 in part based on changes 
required by the CARES Act. We also proposed changes for clarity and 
consistency in usage between the HIPAA and part 2 regulations and to 
operationalize other changes proposed in the NPRM.
    In addition, the Department discussed three definitions--for 
``Lawful holder,'' ``Personal representative,'' and ``SUD counseling 
notes''--in requests for comments. The Department proposed each 
definition because it believed the definitions improve alignment of 
this regulation with HIPAA and support implementation efforts.
    Further, we are finalizing a modified definition of ``Patient 
identifying information'' as an outgrowth of changes to the standard 
for de-identification of records in Sec. Sec.  2.16, 2.52, and 2.54 
that are being finalized in response to comments in the NPRM.
General Comment
    Several commenters, including large provider organizations, health 
systems, and an employee benefits association, expressed general 
support for the Department's approach to aligning the definitions for 
terms that would appear in both HIPAA and part 2. One large provider 
organization specifically commented that alignment of definitions 
within HIPAA and part 2 would reduce administrative burden for covered 
entities and part 2 providers by eliminating inconsistent terminology, 
duplicative policies (including overlapping workforce training 
requirements), and regulatory risk due to misinterpretation. An 
academic medical center recommended that the Department compare and 
incorporate any HIPAA definition, in their entirety, as applicable to 
part 2 programs which are also HIPAA covered entities.
General Response
    We appreciate the comments. The Department undertook a careful 
analysis of definitions that, if incorporated, would result in the 
further alignment of this regulation with HIPAA, or that are required 
to operationalize required amendments to the regulations. Responses to 
specific comments about each proposed definition are discussed below.

[[Page 12496]]

Breach
    Section 290dd-2(k), as added by the CARES Act, required the 
Department to adopt the term ``breach'' in part 2 by reference to the 
definition in 45 CFR 164.402 of the HIPAA Breach Notification Rule. 
HIPAA defines ``breach'' as ``the acquisition, access, use, or 
disclosure of protected health information in a manner not permitted 
under subpart E which compromises the security or privacy of the 
protected health information.'' HIPAA also describes the circumstances 
that are considered a ``breach'' and explains that a breach is presumed 
to have occurred when an ``acquisition, access, use, or disclosure'' of 
PHI occurs in a manner not permitted under the HIPAA Privacy Rule 
unless a risk assessment shows a low probability that health 
information has been compromised.\137\ To implement section 290dd-2(j) 
added by section 3221(h) of the CARES Act, which requires notification 
in case of a breach of part 2 records, we reference and incorporate the 
HIPAA breach notification provisions.
---------------------------------------------------------------------------

    \137\ U.S. Dep't of Health and Human Servs., ``Breach 
Notification Rule'' (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.
---------------------------------------------------------------------------

Comment
    One legal services commenter requested clarification on the term 
``breach'' and suggested that the Department amend the definition to 
expressly refer to the misuse of records in a manner not permitted 
under 42 CFR part 2 and that compromises the security or privacy of the 
part 2 record, instead of referring to PHI. A medical professionals 
association questioned whether the term ``breach'' could properly be 
applied to lawful holders, but this comment and other comments related 
to the application of breach notification provisions to lawful holders 
are addressed in the description of comments for Sec.  2.16.
Response
    We understand the request to expressly refer to part 2 records 
instead of PHI, but as explained above, we are applying the statutory 
definition that adopts the definition of ``breach'' in this regulation 
by reference to the HIPAA provision. We believe the discussion above 
makes clear that the definition should be applied to records under part 
2 instead of PHI under HIPAA, and we further clarify that breach 
includes use and disclosure of part 2 records in a manner that is not 
permitted by part 2.
Final Rule
    The final rule adopts the proposed definition of ``breach'' without 
modification.
Business Associate
    Consistent with 42 U.S.C. 290dd-2(k), the Department proposed to 
adopt the same meaning of ``business associate'' as is used in the 
HIPAA regulations by incorporating the HIPAA definition codified at 45 
CFR 160.103. Within HIPAA, a ``business associate'' generally describes 
a person who, for or on behalf of a covered entity and other than a 
workforce member of the covered entity, creates, receives, maintains, 
or transmits PHI for a function or activity regulated by HIPAA, or who 
provides services to the covered entity involving the disclosure of PHI 
from the covered entity or from another business associate of the 
covered entity to the person.\138\
---------------------------------------------------------------------------

    \138\ U.S. Dep't of Health and Human Servs., ``Business 
Associates'' (May 24, 2019), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.
---------------------------------------------------------------------------

Comment
    The Department received only supportive comments for its proposed 
adoption of the term ``business associate'' into part 2 and the 
proposed definition, as described above. In contrast, many commenters 
expressed concern about the Department's proposal to incorporate 
business associates into the definition of ``Qualified service 
organization'' or how business associates relate to the proposed term 
``Intermediary,'' and those comments are discussed in applicable 
definitional sections below.
Response
    We appreciate the comments.
Final Rule
    The final rule adopts the proposed definition of ``business 
associate'' without modification.
Covered Entity
    Consistent with 42 U.S.C. 290dd-2(k), the Department proposed to 
adopt the same meaning of the term ``Covered entity'' as is used in the 
HIPAA regulations by incorporating the HIPAA definition codified at 45 
CFR 160.103. Within HIPAA a ``covered entity'' means: (1) a health 
plan; (2) a health care clearinghouse; or (3) a health care provider 
who transmits any health information in electronic form in connection 
with a transaction covered by subchapter C of HIPAA, Administrative 
Data Standards and Related Requirements.
Comment
    A large hospital system commented that it supported the inclusion 
of ``health plan'' as part of the definition of ``covered entity'' 
asserting that it would allow for more consistent sharing of 
information with its own health plan and for certain redisclosures of 
part 2 records in alignment with HIPAA.
Response
    The HIPAA definition of ``covered entity'' has long included health 
plans. However, to the extent that the commenter may be referring to 
the narrowed definition of ``third party payer,'' which excludes health 
plans because they are already incorporated within the HIPAA definition 
of covered entities, we agree that the change could have the effect 
described by the commenter.
Final Rule
    The final rule adopts the proposed definition of ``covered entity'' 
without modification.
Health Care Operations
    Consistent with 42 U.S.C. 290dd-2(k), the Department proposed to 
adopt the same meaning of this term as is used in the HIPAA regulations 
by incorporating the HIPAA definition codified at 45 CFR 164.501. 
Within HIPAA, ``health care operations'' refer to a set of specified 
activities, described in six paragraphs, that are conducted by covered 
entities related to covered functions. Paragraphs (1) through (6) 
generally refer to quality assessment and improvement; assessing 
professional competency or qualifications; insurance; detecting and 
addressing fraud and abuse and conducting medical reviews; business 
planning and development; and business management and general 
administrative activities.
Comment
    A provider group specifically supported adoption of the HIPAA 
definition of the term ``health care operations'' and its incorporation 
into this regulation. A large health plan recommended expanding the 
proposed definition to include care coordination and case management by 
health plans as proposed by the Department in the 2021 HIPAA Privacy 
Rule NPRM.\139\ One individual, commenting anonymously, asserted that 
``public health'' should be recognized as a health care operation to

[[Page 12497]]

counter what it termed ``legal activism'' to re-define the term 
``life.''
---------------------------------------------------------------------------

    \139\ See Proposed Modifications to the HIPAA Privacy Rule to 
Support, and Remove Barriers to, Coordinated Care and Individual 
Engagement, 86 FR 6446, 6472 (Jan. 21, 2021).
---------------------------------------------------------------------------

Response
    We appreciate the comments. The Department also notes that changing 
the HIPAA definition of ``health care operations'' is outside the scope 
of its authority for this rulemaking, and public comments submitted in 
response to the 2021 NPRM remain under consideration.
Final Rule
    The final rule adopts the proposed definition of ``health care 
operations'' without modification.
HIPAA
    Although not directed by statute, the Department proposed to add a 
definition of HIPAA that explicitly references the Health Insurance 
Portability and Accountability Act of 1996 as amended by the Privacy 
and Security provisions in subtitle D of title XIII of the 2009 HITECH 
Act. These provisions pertain specifically to the privacy, security, 
breach notification, and enforcement standards governing the use and 
disclosure of PHI, but exclude other components of the HIPAA statute, 
such as insurance portability, and other HIPAA regulatory standards, 
such as the standard electronic transactions regulation. The Department 
proposed this definition of ``HIPAA'' to make clear the specific 
components of the relevant statutes that would be incorporated into 
this part.
Comment
    The Department did not receive any comments specific to its 
adoption of this definition.
Final Rule
    The final rule adopts the proposed definition of ``HIPAA'' without 
modification.
HIPAA Regulations
    The current part 2 rule does not define ``HIPAA regulations.'' 
Consistent with 42 U.S.C. 290dd-2(k), the Department proposed to adopt 
the same meaning of this term as is purposed for parts 160 and 164 of 
title 45 CFR, the regulatory provisions that codify the HIPAA Privacy, 
Security, Breach Notification, and Enforcement regulations 
(collectively referred to as ``HIPAA regulations''). For purposes of 
this rulemaking, the term does not include Standard Unique Identifiers, 
Standard Electronic Transactions, and Code Sets, 42 CFR part 162.
Comment
    The Department did not receive any specific comments, other than 
those already discussed above, concerning its proposed definition of 
this term.
Final Rule
    The final rule adopts the proposed definition of ``HIPAA 
regulations'' without modification.
Informant
    Part 2 currently states that an ``informant'' means an individual: 
(1) who is a patient or employee of a part 2 program or who becomes a 
patient or employee of a part 2 program at the request of a law 
enforcement agency or official; and (2) who at the request of a law 
enforcement agency or official observes one or more patients or 
employees of the part 2 program for the purpose of reporting the 
information obtained to the law enforcement agency or official. Within 
the definition of ``informant,'' the Department proposed to replace the 
term ``individual'' with the term ``person'' as is used in the HIPAA 
regulations. The Department believes that this change will foster 
alignment with HIPAA, avoid confusion with the definition of individual 
in HIPAA, and improve the public's understanding of HIPAA and the part 
2 rules.
Comment
    As noted below, the Department received general support for its 
proposal to align the definition of ``person'' within part 2 with the 
HIPAA definition of ``person'' in 45 CFR 160.103. The Department did 
not receive other specific comments on ``informant''.
Final Rule
    The final rule adopts the proposed definition of ``informant'' 
without modification.
Intermediary
    The current rule imposes requirements on intermediaries in Sec.  
2.13(d)(2) and special consent provisions in Sec.  2.31(a)(4) without 
defining the term ``intermediary.'' Examples of an intermediary 
include, but are not limited to, a HIE, a research institution that is 
providing treatment, an ACO, or a care management organization. To 
improve understanding of the requirements for intermediaries, and to 
distinguish those requirements from the proposed accounting of 
disclosure requirements, the Department proposed to establish a 
definition of intermediary as ``a person who has received records, 
under a general designation in a written patient consent, for the 
purpose of disclosing the records to one or more of its member 
participants who has a treating provider relationship with the 
patient.'' Consistent with HIPAA's definition of ``person,'' and as 
defined in this regulation, an ``intermediary'' may include entities as 
well as natural persons. The requirements for intermediaries were 
proposed to remain unchanged but to be redesignated from Sec.  2.13(d) 
(Lists of disclosures) to new Sec.  2.24 (Requirements for 
intermediaries).
Comment
    Approximately half of the commenters on intermediaries opposed the 
Department's proposal to define intermediary and retain consent 
requirements for disclosures to intermediaries that differ from consent 
for disclosures to business associates generally. Three-fourths of the 
HIE/HIN and health IT vendors that commented on this set of proposals 
opposed them. Several commenters, including a national trade 
association and a leading authority on the use of health IT, stated 
that the proposed definition is too vague and confusing.
Response
    We appreciate these comments about the lack of clarity in the 
current understanding and proposed definition of ``intermediary.'' As 
we stated in the NPRM, the term ``intermediary'' is based on the 
function of the person--receiving records from a part 2 program and 
disclosing them to other providers as a key element of its role--rather 
than on a title or category of an organization or business. We agree 
that the interaction of this term with ``program,'' ``business 
associate,'' and ``covered entity'' is a source of confusion and 
believe a modified definition could address this confusion.
Comment
    Commenters suggested a range of changes to the proposed definition. 
These included revising the HIPAA definition of ``covered entity'' to 
include examples of the intermediaries and removing the part 2 
definition of ``intermediary;'' excluding the following from the 
definition of intermediary: business associates, health IT vendors, and 
health plans; and clarifying what types of HIEs or health IT vendors 
are included in the definition (because some HIE technology or EHR 
software does not maintain data or have access to it when exchanging 
data between systems).

[[Page 12498]]

Response
    We considered the possibility of removing the part 2 definition of 
``intermediary'' entirely; however, that would leave a gap in privacy 
protection for records that are disclosed to intermediaries that are 
not subject to HIPAA requirements. For example, intermediaries may 
include research institutions and care coordination organizations that 
are not always subject to HIPAA. We adopt the proposed language of the 
definition with modification: we exclude programs, covered entities, 
and business associates, in part because the primary requirement of 
intermediaries--to provide a list of disclosures upon patient request--
is similar to the new accounting of disclosures requirements that the 
CARES Act applied to part 2 programs and that already applies to 
covered entities and business associates.
    For clarification, we reiterate here that a research institution 
that is not providing treatment would not be considered an intermediary 
because it would not have member participants with a treating provider 
relationship to a patient. A health app that is providing individual 
patients with access to their records would not be considered an 
intermediary unless it is also facilitating the exchange of part 2 
records from a part 2 program to other treating providers using a 
general designation in a consent.
    We also clarify that member participants of an intermediary refers 
to health care provider practices or health-related organizations, such 
as health plans. The member participants of an intermediary may or may 
not be covered entities. Individual health plan subscribers (i.e., 
enrollees, members of a health plan) are not considered member 
participants of an intermediary, although they may access records 
through an EHR, because they are not providers or health-related 
organizations. Further, employees of providers or health-related 
organizations who share access to the same EHR system are not 
considered member participants of an intermediary because the employer 
as an entity is considered the participant. However, an HIE/HIN that is 
providing services to a part 2 program that is not a covered entity 
would be an intermediary (and the HIE/HIN would also be a QSO).
Comment
    An SUD provider recommended modifying the proposed definition of 
``intermediary'' to include ``a member of the intermediary named in the 
consent,'' rather than limiting it to members of the intermediary that 
have a treating provider relationship with the patient.
Response
    Expanding the definition of ``intermediary'' to include any member 
participant would open the door to accessing patients' SUD records 
without their specific knowledge in advance (because the recipient 
would be in a general designation within a consent). Although the CARES 
Act expanded health plans' and other providers' access to records for 
TPO, we do not believe the intention was to remove all restrictions on 
access by member participants of a research institution, for example. 
Removing programs, covered entities, and business associates from the 
definition carves out a significant portion of entities that would 
otherwise be subject to the intermediary requirements so that it is not 
necessary to change the definition as suggested by the commenter.
Final Rule
    We are adopting the proposed definition of ``intermediary,'' but 
with an exclusion for part 2 programs, covered entities, and business 
associates. We believe excluding business associates, in particular, 
will encourage HIEs to accept part 2 records and include part 2 
programs as participants and reduce burdens on business associates that 
serve as HIEs.
Investigative Agency
    The Department proposed to create a new definition of 
``investigative agency'' to describe those government agencies with 
responsibilities for investigating and prosecuting part 2 programs and 
persons holding part 2 records, such that they would be required to 
comply with subpart E when seeking to use or disclose records against a 
part 2 program or lawful holder. In conjunction with proposed changes 
to subpart E pertaining to use and disclosure of records for 
investigating and prosecuting part 2 programs, the Department proposed 
to define an ``investigative agency'' as ``[a] state or federal 
administrative, regulatory, supervisory, investigative, law 
enforcement, or prosecutorial agency having jurisdiction over the 
activities of a part 2 program or other person holding part 2 
records.'' Such agencies potentially will have available a new 
limitation on liability under Sec.  2.3 if they unknowingly obtain part 
2 records before obtaining a court order for such records, provided 
they meet certain prerequisites.
Comment
    Several commenters recommended that local, territorial, and Tribal 
investigative agencies be added to the definition of ``investigative 
agency'' because they have a role in investigations of part 2 program. 
These commenters asserted, for instance, that local agencies play a 
role in investigating or prosecuting part 2 programs or other holders 
of part 2 records and excluding them from the definition could create 
an uneven application of the law.
Response
    We appreciate the feedback in response to the request for comment 
on whether other types of agencies should be included in the definition 
of ``investigative agency'', and specifically whether adding agencies 
that may be smaller or less resourced would present any concerns or 
unintended consequences. We believe it is useful to include local, 
Tribal, and territorial agencies in the definition; however, such 
agencies should be aware that use of the safe harbor also requires 
reporting to the Secretary of instances when it is applied in an 
investigation or proceeding against a part 2 program or other holder of 
records.
Comment
    A few commenters recommended narrowing the definition of 
``investigative agency'' by excluding agencies that supervise part 2 
programs, to avoid creating uncertainty about whether, in performing 
their supervisory functions, they are expected to obtain a court order 
to use or disclose part 2 records of their subordinate programs. For 
example, a state agency believed that, as proposed, the safe harbor 
applies whenever an agency has obtained records without a court order--
thus the existence of the safe harbor implies that a court order may be 
required for all types of investigations, even when other part 2 
disclosure permissions apply, such as Sec.  2.53 (Management audits, 
financial audits, and program evaluation). They expressed concern that 
holders of records may resist legitimate agency requests for records 
and urge the agency to first seek a court order. One commenter 
recommended clarifying that existing permissions for agencies to obtain 
records without a court order still apply. Another commenter pointed 
out that Sec.  2.12(c)(3)(ii) already allows unlimited communication 
``[b]etween a part 2 program and an entity that has direct 
administrative control over the program,'' which includes government-

[[Page 12499]]

run SUD programs and administering agencies.
Response
    We appreciate these concerns and believe that the existing criteria 
for court orders are sufficient to prevent overuse of the court order 
process by government agencies. Specifically, Sec. Sec.  2.66 and 2.67 
require a finding by the court that ``other ways of obtaining the 
information are not available.'' These include, for example, Sec.  
2.12(c) for agencies with direct administrative control and Sec.  2.53 
for agencies with oversight roles or that act as third-party payers. We 
believe that the existing disclosure permissions for government 
agencies are sufficient to clarify the scope of access to records by 
supervisory agencies without obtaining a court order and that our 
explanation will reinforce agencies' abilities to continue to obtain 
part 2 records under permissions they have historically used and not 
burden courts with unnecessary and potentially ineffective applications 
for court orders. We reiterate here that the existence of the safe 
harbor provision and the opportunity to seek a court order 
retroactively do not affect the availability of other part 2 provisions 
that allow access to records without written consent or a court order.
    We believe this discussion will encourage investigative agencies to 
evaluate how other disclosure permissions may apply to their requests 
for records when they are in the role of a supervisory agency to a part 
2 program.
Comment
    One commenter, a state Medicaid fraud unit, recommended that their 
agency be excluded from the proposed definition of ``investigative 
agency'' and that they be able to access records without a court order. 
In the alternative, they support the proposed safe harbor and related 
procedures proposed in Sec. Sec.  2.66 and 2.67.
Response
    Agencies with oversight authority may continue to rely on Sec.  
2.53 to conduct program evaluations and financial audits without 
obtaining a court order. Comments regarding the ability of a fraud unit 
to rely on the proposed safe harbor are addressed below in the 
discussion of Sec.  2.66.
Final Rule
    In the final rule we are adopting the proposed definition of 
``investigative agency'' and further modifying it to add local, Tribal, 
and territorial agencies.
Lawful Holder
    Lawful holders are not formally defined within part 2. In the 
January 2017 final rule, the Department clarified its use of the term 
``lawful holder'', stating that a ``lawful holder'' of patient 
identifying information is an individual or entity who has received 
such information as the result of a part 2-compliant patient consent 
(with a prohibition on re-disclosure notice) or as a result of one of 
the exceptions to the consent requirements in the statute or 
implementing regulations and, therefore, is bound by 42 CFR part 
2.\140\
---------------------------------------------------------------------------

    \140\ See 82 FR 6052, 6068. See also 81 FR 6988, 6997.
---------------------------------------------------------------------------

    Lawful holders are subject to numerous obligations within the 
regulation, including the following:
     Prohibited from using records in investigations or 
proceedings against a patient without consent or a court order, Sec.  
2.12(d).
     Adopting policies and procedures to protect records 
received, Sec.  2.16.
     Providing notice upon redisclosure, Sec.  2.32.
     Having a contract in place to redisclose records for 
payment and health care operations that binds recipients to comply with 
part 2 and redisclose only back to the program, Sec.  2.33.
     Reporting to Prescription Drug Monitoring Programs only 
with patient consent, Sec.  2.36.
     Lawful holder that is a covered entity--may apply HIPAA 
standards for research disclosures, Sec.  2.52.
     Complying with audit and evaluation disclosure provisions, 
Sec.  2.53.
    In the NPRM the Department proposed three key changes that affect 
lawful holders:
     Section 2.4--to allow patients to file complaints of part 
2 violations against both programs and lawful holders.
     Section 2.12(d)--to expressly state that downstream 
recipients from a lawful holder continue to be bound by the prohibition 
on use of a patient's records in proceedings against the patient, 
absent written consent or a court order.
     Section 2.33(b)(3) and (c)--to exclude covered entities 
and business associates from certain requirements for lawful holders 
who have received records based on consent for payment and health care 
operations; the requirement is for lawful holders to have a written 
contract (with required provisions) before redisclosing records to 
contractors or subcontractors. This section also provides that when 
records are disclosed for payment or health care operations activities 
to a lawful holder that is not a covered entity, business associate, or 
part 2 program, the recipient may further use or disclose those records 
as may be necessary for its contractors, subcontractors, or legal 
representatives to carry out the payment or health care operations 
specified in the consent on behalf of such lawful holders.
Overview of Comments
    Some commenters provided views on whether to create a regulatory 
definition of ``lawful holder,'' and if so, what entities should fall 
within the definition. A significant majority of those commenters 
recommended creation of a regulatory definition to help provide clarity 
about responsibilities of respective types of recipients of part 2 
records and none opposed a new regulatory definition. A few 
organizations did not make a specific recommendation in their comments 
about a regulatory definition of lawful holder but requested that the 
Department provide clarification in the final rule. Several commenters 
offered other views on lawful holders. Additional comments about lawful 
holders are included in the comments on intermediaries.
Comment
    Commenters recommended various definitions of ``lawful holder'' 
that exclude covered entities, business associates, family members, or 
personal representatives.
Response
    We appreciate these recommendations. We are not excluding part 2 
programs, covered entities, and business associates from the finalized 
regulatory definition of lawful holder when they receive part 2 records 
from a part 2 program. However, covered entities and business 
associates that receive part 2 records based on a TPO consent may 
redisclose them as permitted by Sec.  2.33(b)(1) and part 2 programs 
that are not covered entities or business associates, and that receive 
part 2 records based on a TPO consent, may redisclose the records for 
TPO as permitted by Sec.  2.33(b)(2). These recipients of part 2 
records (part 2 programs, covered entities, and business associates) 
are not subject to the additional limitations in Sec.  2.33(b)(3) and 
(c) that apply to other lawful holders who have received records based 
on consent for payment and health care operations. Family members 
remain included as lawful holders; however, they are excluded from the 
requirements

[[Page 12500]]

in Sec.  2.16 to have formal policies and procedures to protect 
records.
Comment
    Commenters recommended that the lawful holder provision provide a 
safe harbor from the imposition of civil or criminal monetary penalties 
under the HIPAA Breach Notification Rule for the unintentional 
redisclosure of part 2 records by lawful holders that would have 
otherwise been a compliant disclosure of PHI under the HIPAA Privacy 
Rules TPO permission.
Response
    We appreciate the feedback but decline to create a new safe harbor 
for unintentional violations by lawful holders because we believe the 
existing penalty tier under the HITECH Act for ``did not know'' 
violations is appropriate to address these types of violations.
Comment
    An advocacy organization for behavioral health recommended that the 
Department define mobile health apps that are business associates as 
``lawful holders'' and consider whether other health care 
interoperability applications or mobile health apps would also fall 
within the new definition.
Response
    We appreciate this feedback on how technology may interact with the 
part 2 regulations. Because we are excluding business associates from 
certain requirements that apply to ``lawful holders'' a mobile health 
app that is a business associate would also be excluded. However, we do 
not believe a technology would qualify on its own as a business 
associate, but rather the owner or developer of the technology that 
qualifies as a person capable of executing a business associate 
agreement. To the extent that the owner or developer of a health app, 
through the use of its technology, becomes a recipient of records in 
the manner described in the definition of ``lawful holder,'' it would 
be a lawful holder subject to the requirements and prohibitions on 
lawful holders of part 2 records.
Comment
    A state agency urged that the rule add lawful holders and 
intermediaries to Sec.  2.12 to permit them to verbally receive part 2 
information and include it in a record without it being considered a 
part 2 record.
Response
    We appreciate this recommendation, but do not believe it is 
necessary for several reasons. First, we are finalizing the definition 
of ``lawful holder'' and the definition of ``intermediary'' (that 
excludes covered entities and business associates). Thus, covered 
entities and business associates will not be subject to requirements 
for lawful holders or intermediaries. Second, we are finalizing changes 
to Sec.  2.12(d) that: (a) expressly state that data segmentation and 
record segregation is not required by part 2 programs, covered 
entities, and business associates that have received records based on a 
single consent for all future TPO; and (b) remove language requiring 
segmentation of part 2 data or segregation of records. As a result of 
these changes, to the extent a lawful holder or intermediary is a part 
2 program, covered entity, or business associate, it is not required to 
segregate the information, but it is still considered a part 2 record 
subject to the prohibition against disclosure in proceedings against a 
patient. Third, the existing rule contains a provision for non-part 2 
providers who document verbally shared part 2 information, excluding 
that information from part 2 status. Thus, only a small set of 
recipients are still subject to the data segregation requirement, 
taking into account the combination of changes finalized within this 
rule.
Comment
    One commenter, a medical professionals association for SUD 
providers, recommended that the definition of ``lawful holders'' 
encompass entities with access to individual part 2 records outside the 
HIPAA/HITECH and part 2 rules, and that the Department should clarify 
that mobile health apps and ``interoperability applications'' that are 
business associates of covered entities would be considered lawful 
holders.
Response
    Rather than refer to specific types of entities, we believe a 
definition based on the status of the person with respect to how they 
received subject records is a more workable definition and likely to 
facilitate common understanding. In this regard, whether a person is a 
managed care organization or mobile app, if that person received 
records pursuant to a part 2-compliant consent with an accompanying 
notice of disclosure, or as a result of a consent exception, the person 
will be properly considered a lawful holder under this final rule.
Final Rule
    The final rule adds a new regulatory definition of ``lawful 
holder'' that is based on SAMHSA's previous explanations and guidance, 
to read as noted in Sec.  2.11.
Part 2 Program Director
    To foster alignment between the HIPAA regulations and the part 2 
Rules, the Department proposed to replace the first instance of the 
term ``individual'' with the term ``natural person'' and the other 
instances of the term ``individual'' with the term ``person'' within 
the definition of ``part 2 program director.''
Comment
    As noted below, the Department received general support for its 
proposal to align the definition of person within part 2 with the HIPAA 
definition of person in 45 CFR 160.103.
Response
    We appreciate the comments on the proposed changes.
Final Rule
    The final rule adopts the proposed definition of ``part 2 program 
director'' without further modification. The Department believes that 
this change will foster alignment with HIPAA and understanding of HIPAA 
and the part 2 rules.
Patient
    The Department proposed to add language to the existing definition 
to clarify that when the HIPAA regulations apply to part 2 records, a 
``patient'' is an individual as that term is defined in the HIPAA 
regulations.
Comment
    The Department received general support for further aligning the 
part 2 definition of patient with the definition of individual within 
the HIPAA regulations.
Final Rule
    The final rule adopts the proposed definition of ``patient'' 
without further modification.
Patient Identifying Information
Request for Comment
    The Department did not propose changes to the definition of 
``patient identifying information'' but requested comment on all 
proposed changes to part 2, including the modifications to the de-
identification standard in Sec. Sec.  2.16, 2.52, and 2.54.

[[Page 12501]]

Comment
    Comments on the proposed de-identification standard are discussed 
in the sections listed above where de-identification is applied.
Response
    In addressing the comments received on the proposed de-
identification standard and developing additional modification to 
better align part 2 with the HIPAA de-identification standard in 45 CFR 
164.514(b), we identified additional changes needed to clarify and 
align terms related to de-identification, including ``patient 
identifying information.'' These changes are described below.
Final Rule
    We are finalizing a modification to clarify the definition of 
``patient identifying information'' and ensure consistency with the de-
identification standard incorporated into this final rule. This change 
is in response to comments received on the NPRM and to align with the 
finalization of the de-identification standard in Sec. Sec.  2.16, 
2.52, and 2.54, and is consistent with the Department's existing 
interpretation of the term. The final rule retains the part 2 term, 
``patient identifying information,'' rather than replacing it with the 
HIPAA term, ``individually identifiable health information,'' because 
the two regulatory schemes apply to different sets of health 
information and the CARES Act mandate for alignment did not erase those 
distinctions.
    The first sentence of the definition of ``patient identifying 
information'' lists the following identifiers: name, address, social 
security number, fingerprints, photograph, or similar information by 
which the identity of a patient, as defined in Sec.  2.11, can be 
determined with reasonable accuracy either directly or by reference to 
other information. This identifying information is consistent with the 
identifiers listed in in 45 CFR 164.514(b)(2)(i) of the HIPAA Privacy 
Rule that must be removed from PHI for it to be considered de-
identified and no longer subject to HIPAA protections. As explained in 
the background section of this rule, the Department clarified in a 2017 
final rule that the definition of patient identifying information in 
part 2 includes the individual identifiers listed in the HIPAA Privacy 
Rule at 45 CFR 164.514(b)(2)(i) for those identifiers that are not 
already listed in the part 2 definition, and in preamble listed those 
identifiers.\141\
---------------------------------------------------------------------------

    \141\ See 82 FR 6052, 6064.
---------------------------------------------------------------------------

    However, the second sentence of the definition of ``patient 
identifying information'' in the part 2 rule currently in effect allows 
retention of ``a number assigned to a patient by a part 2 program, for 
internal use only by the part 2 program, if that number does not 
consist of or contain numbers (such as a social security, or driver's 
license number) that could be used to identify a patient with 
reasonable accuracy from sources external to the part 2 program.'' This 
exclusion from the definition for a number that could be a part 2 
program's equivalent of a medical record number conflicts with one of 
the identifiers that must be removed under the HIPAA de-identification 
standard (and that is listed in the 2017 Part 2 Final Rule), namely, 
``[a]ny other unique identifying number, characteristic, or code, 
except as permitted by paragraph (c) of this section[.]'' Paragraph (c) 
of Sec.  164.514 allows a covered entity to assign a code or other 
record identifier that can be used to re-identify the PHI, but it must 
be kept secure and not used for any other purpose. The allowable code 
referred to in paragraph (c) is different from the number assigned to a 
patient by a part 2 program, which is more likely to be a provider's 
internal record identifier that may be ubiquitous throughout a 
patient's medical record. Thus, we believe a clarification of the 
current rule is needed that removes the last sentence of the definition 
of patient identifying information.
    The final rule adopts a modified definition of ``patient 
identifying information'' to align more closely with the HIPAA standard 
in 45 CFR 164.514.
Payment
    The Department proposed to adopt the same definition of this term 
as in the HIPAA regulations. This proposal would implement 42 U.S.C. 
290dd-2(k), added by section 3221(d) of the CARES Act, requiring the 
term ``payment'' in this part be given the same meaning of the term for 
the purposes of the HIPAA regulations.
Comment
    The Department received general support for aligning the part 2 
definition of payment with the HIPAA definition.
Response
    We appreciate the comments on adopting the HIPAA definition of 
``payment'' and confirm that the intent is to uniformly apply the term 
``payment'' in both this regulation and the HIPAA context.
Final Rule
    The final rule adopts the proposed definition of ``payment'' 
without further modification.
Person
    The term ``person'' is defined within part 2 as ``an individual, 
partnership, corporation, federal, state or local government agency, or 
any other legal entity, (also referred to as `individual or entity').'' 
The part 2 regulation uses the term ``individual'' in reference to 
someone who is not the patient and therefore not the subject of a part 
2 record. In contrast, the HIPAA regulations at 45 CFR 160.103 define 
the term ``individual'' to refer to the subject of PHI, and ``person'' 
to refer to ``a natural person, trust or estate, partnership, 
corporation, professional association or corporation, or other entity, 
public or private.'' Thus, the HIPAA definition includes both natural 
persons and corporate entities.
    To further the alignment of part 2 and the HIPAA regulations and 
provide clarity for part 2 programs and entities that must comply with 
both sets of requirements, the Department proposed to replace the part 
2 definition of ``person'' with the HIPAA definition in 45 CFR 160.103. 
As an extension of this clarification, the Department further proposed 
to replace the term ``individual'' with ``patient'' when the regulation 
refers to someone who is the subject of part 2 records, to use the term 
``person'' when it refers to someone who is not the subject of the 
records at issue, and to modify the definition of ``patient'' in part 2 
to include an ``individual'' as that term is used in the HIPAA 
regulations. The Department stated that this combination of 
modifications would promote the understanding of both part 2 and the 
HIPAA regulations and requested comment on whether this or other 
approaches would provide more clarity.
Comment
    Commenters generally supported this proposed change as providing 
clarity and helping to align with HIPAA. One commenter, a county SUD 
provider, suggested that referring to ``person'' is helpful for clarity 
and also emphasizes patient autonomy and whole person care. Another 
commenter supported the efforts throughout the rulemaking to streamline 
language by replacing the phrase ``individual or entity'' with the word 
``person,'' but questioned use of this term in Sec.  2.51 (Medical 
emergencies).

[[Page 12502]]

Response
    We appreciate the comments. We confirm here that within this rule 
``person'' refers to both a natural person and an entity, which may 
include a government agency, a health care provider, or another type of 
organization. Thus, the term ``person'' in the new safe harbor at Sec.  
2.3 applies to an investigative agency as well as a natural person who 
is acting under a grant of authority from an investigative agency. The 
comment about disclosures for medical emergencies is discussed further 
in Sec.  2.51 (Medical emergencies).
Final Rule
    The final rule adopts the proposed definition of ``person'' without 
further modification.
Personal Representative
    The Department did not propose a regulatory definition of 
``personal representative'' for this rule but requested comment on 
whether to do so and apply it to Sec.  2.15 which addresses surrogate 
decision making for patients who are deceased or lack capacity to make 
decisions about their health care. Under the existing Sec.  2.15(a)(1) 
provision, consent for disclosures of records may be given by the 
guardian or other individual authorized under state law to act on 
behalf of a patient who has been adjudicated as lacking capacity, for 
any reason other than insufficient age, to manage their own affairs. In 
circumstances without adjudication, under Sec.  2.15(a)(2) the part 2 
program director may exercise the right of the patient to consent to 
disclosure for the sole purpose of obtaining payment for services from 
a third-party payer for an adult patient who for any period suffers 
from a medical condition that prevents knowing or effective action on 
their own behalf.
    The existing rule, at Sec.  2.15(b)(2), requires a written consent 
by an executor, administrator, or other personal representative 
appointed under applicable state law for disclosures for a deceased 
patient's record. If there is no legally appointed personal 
representative, the consent may be given by the patient's spouse or, if 
none, by any responsible member of the patient's family. However, part 
2 does not define any of the terms for the persons who can provide the 
consent, including ``personal representative.''
Comment
    Several commenters, including state agencies and health technology 
vendors, suggested that the Department provide that personal 
representatives can give consent to use and disclose part 2 records on 
behalf of an incapacitated patient. One of the state agencies commented 
that such a grant of authority to personal representatives would help 
ensure care coordination. All agreed that the Department should define 
``personal representative'' and a few of these commenters commented 
that the Department should define it consistent with HIPAA. 
Specifically, a few of these commenters described facilities being 
faced with requests for records by many individuals of varying 
relationships to patients. They asserted that the NPRM leaves room for 
interpretation about who has authority, making it difficult to ensure 
patient privacy consistent with HIPAA.
Response
    We acknowledge and agree with the commenters who provided views on 
this topic. HIPAA does not include ``personal representative'' in its 
definitions section but provides a clear standard in 45 CFR 
164.502(g)(2), where it describes the responsibilities of a personal 
representative as having ``authority to act on behalf of an individual 
who is an adult or an emancipated minor in making decisions related to 
health care.'' Section 164.502(g) provides when, and to what extent, a 
personal representative must be treated as the individual for purposes 
of the HIPAA Privacy Rule. Section 164.502(g)(2) requires a covered 
entity to treat a person with legal authority to act on behalf of an 
adult or emancipated minor in making decisions related to health care 
as the individual's personal representative with respect to PHI 
relevant to such personal representation. Adopting a definition in the 
final rule will clarify who qualifies as a personal representative for 
decisions about uses and disclosures for adults who lack the capacity 
to make decisions about consenting to uses or disclosures of their SUD 
records and provide needed consistency between part 2 and the HIPAA 
Privacy Rule. Defining the term ``personal representative'' consistent 
with the HIPAA standard furthers the alignment of part 2 and HIPAA in 
accordance with the CARES Act and will also assist with treatment and 
care coordination. We considered but decline to adopt 45 CFR 164.502(g) 
in its entirety because several paragraphs conflict with part 2, such 
as consent by minors, and we believe it is important to maintain those 
provisions of part 2 that are more protective of patient privacy.
Final Rule
    We are finalizing in Sec.  2.11 a new regulatory definition of 
``personal representative'' that mirrors language in the HIPAA Privacy 
Rule at 45 CFR 164.502(g).
Program
    Within the definition of ``program,'' the Department proposed to 
replace the term ``individual or entity'' with the term ``person'' as 
is used in the HIPAA regulations and make no other changes. Part 2 
defines program as: (1) An individual or entity (other than a general 
medical facility) who holds itself out as providing, and provides, 
substance use disorder diagnosis, treatment, or referral for treatment; 
or (2) An identified unit within a general medical facility that holds 
itself out as providing, and provides, substance use disorder 
diagnosis, treatment, or referral for treatment; or (3) Medical 
personnel or other staff in a general medical facility whose primary 
function is the provision of substance use disorder diagnosis, 
treatment, or referral for treatment and who are identified as such 
providers.
Comment
    The Department received several comments on the existing definition 
of ``program,'' including several elements for which no changes were 
proposed. Some providers commented that they continue to be confused as 
to the meaning of ``holds itself out.'' Commenters also requested 
clarity as to whether they or their facility's ``primary function'' was 
the provision of SUD treatment. Commenters requested more objective 
definitions of these terms or use of another approach to defining a 
program, such as HHS creating a central registry of part 2 programs 
similar to that developed by the Health Resources and Services 
Administration for health centers or the 340B Drug Pricing Program. 
Lacking such clarity, commenters asserted that it may be difficult for 
providers to distinguish between claims that are subject to part 2 
consent or other provisions from those that are not. Commenters also 
asked whether a program or provider holds themselves out based on their 
advertising SUD services or based on their being known to provide, 
refer, or bill for SUD treatment. One commenter believed that general 
medical facilities are exempt from the definition of part 2 programs 
yet in practice, such facilities may offer SUD treatment and this may 
be widely known in the community. The commenter urged the Department to 
provide additional clarity is needed on how part 2 applies to general 
medical facilities or practices given current emphasis on behavioral 
health integration and care coordination for

[[Page 12503]]

patients. Another commenter noted that facilities making it known that 
they offer SUD treatment can help to reduce stigma and discrimination 
and encourage patients to seek needed care.
    A medical professionals' association asserted that EHRs are not 
designed to treat some units or locations within a facility, such as 
emergency departments, differently than others. The commenter urged the 
Department to define part 2 ``program'' as being limited to licensed 
SUD providers to help provide needed clarity. Other commenters 
suggested that providers may offer medications for opioid use disorder 
(MOUD) (also known as medication assisted treatment (MAT)) \142\ but do 
not specifically hold themselves out as being part 2 programs. 
Commenters urged the Department to clarify that facilities or providers 
providing MOUD do not become part 2 programs unless doing so is their 
primary function.
---------------------------------------------------------------------------

    \142\ This rule follows the convention adopted by SAMHSA of 
referring to MOUD rather than MAT. See 87 FR 77330, 77338 (Dec. 16, 
2022).
---------------------------------------------------------------------------

Response
    We did not propose changes to the long-standing definition of a 
part 2 ``program'' in 42 CFR part 2, and thus the final rule is limited 
to interpreting the definition rather than revising it. Whether a 
provider holds itself out as providing SUD treatment or as a practice 
with the primary function of providing SUD treatment within a general 
medical facility setting is a fact-specific inquiry that may depend on 
how a particular program operates and describes or publicizes its 
services. That said, the Department acknowledges comments about 
providers' challenges in applying the definition of part 2 ``program'' 
in integrated care settings or using EHRs and other technologies to 
support coordinated, integrated care. The Department has provided 
guidance on this issue in the past.\143\ After this rule is final, the 
Department may update or provide additional guidance to help further 
clarify the definition of program. The Department has historically 
noted that most SUD treatment programs are federally assisted and 
therefore that prong of part 2 typically applies. In 2017, the 
Department largely reiterated its proposed interpretations of ``holds 
itself out'' and ``primary function,'' \144\ and more recently 
developed guidance on the applicability of part 2.\145\
---------------------------------------------------------------------------

    \143\ See Substance Abuse and Mental Health Servs. Admin., 
``Disclosure of Substance Use Disorder Patient Records: Does Part 2 
Apply to Me? '' (May 1, 2018), https://www.hhs.gov/guidance/document/does-part-2-apply-me.
    \144\ See discussion at 82 FR 6052, 6066.
    \145\ See ``Disclosure of Substance Use Disorder Patient 
Records: Does Part 2 Apply to Me?,'' supra note 143.
---------------------------------------------------------------------------

Comment
    Another commenter asked that the Department specifically carve out 
from part 2 IHS and Tribal facilities that provide MOUD incident to 
their provision of general medical care.
Response
    We appreciate the comment; however, this change is beyond the scope 
of this rulemaking. The Department conducted a Tribal consultation 
about the CARES Act changes to this rule in March 2022 \146\ and will 
continue to provide support to Tribal entities and collaborate with IHS 
in implementing the final rule. The Department also notes that some 
facilities and providers, even if they do not meet the definition of 
program, still may be required by state regulations to comply with part 
2 requirements.\147\
---------------------------------------------------------------------------

    \146\ See U.S. Dep't of Health and Human Servs., Off. for Civil 
Rights and the Substance Abuse and Mental Health Servs. Admin., 
``Follow up Report on the 42 CFR part 2 Tribal Consultation 
Recommendations'' (June 2023), https://www.samhsa.gov/sites/default/files/follow-up-report-42-cfr-part-2-tribal-consultation-recommendations-june-2023.pdf.
    \147\ See California Health & Human Servs. Agency, Ctr. for Data 
Insights and Innovation, ``State Health Information Guidance, 1.2, 
Sharing Behavioral Health Information in California'' (Apr. 2023), 
https://www.cdii.ca.gov/wp-content/uploads/2023/04/State-Health-Information-Guidance-1.2-2023.pdf; see also ``TAC Assessment Working 
Paper: 2016 Compilation of State Behavioral Health Patient Treatment 
Privacy and Disclosure Laws and Regulations,'' supra note 122.
---------------------------------------------------------------------------

Final Rule
    The final rule adopts the proposed definition of ``program'' 
without further modification.
Public Health Authority
    The Department proposed to adopt the same meaning for this term as 
in the HIPAA Privacy Rule at 45 CFR 164.501. This proposal would 
implement subsection (k) of 42 U.S.C. 290dd-2, added by section 3221(d) 
of the CARES Act, requiring the term in this part be given the same 
meaning of the term for the purposes of the HIPAA regulations.
Comment
    The Department received a few specific supportive comments, 
including from several state agencies, that the addition of the 
proposed definition would facilitate public health authorities' 
provision of comprehensive health and health care information to the 
public, and would help clarify the provision of comprehensive data and 
information to public health authorities for critical public health 
needs.
Response
    We appreciate the comments.
Final Rule
    The final rule adopts the proposed definition of ``public health 
authority'' without further modification.
Qualified Service Organization
    The Department proposed to modify the definition of ``qualified 
service organization'' by adding HIPAA business associates to the 
regulatory text to clarify that they are QSOs in circumstances when 
part 2 records also meet the definition of PHI (i.e., when a part 2 
program is also a covered entity). The Department stated that this 
proposal would facilitate the implementation of the CARES Act with 
respect to disclosures to QSOs. The HIPAA regulations generally permit 
disclosures from a covered entity to a person who meets the definition 
of a business associate (i.e., a person who works on behalf of or 
provides services to the covered entity) \148\ without an individual's 
authorization, when based on a business associate agreement that 
incorporates certain protections.\149\ Similarly, the use and 
disclosure restrictions of this part do not apply to the communications 
between a part 2 program and QSO when the information is needed by the 
QSO to provide services to the part 2 program. This definition is 
proposed in conjunction with a proposal to modify Sec.  2.12 
(Applicability), to clarify that QSOs also use part 2 records received 
from programs to work ``on behalf of'' the program.
---------------------------------------------------------------------------

    \148\ See 45 CFR 160.103 (definition of ``Business associate'').
    \149\ See, e.g., 45 CFR 164.504(e).
---------------------------------------------------------------------------

    The Department also proposed a wording change to replace the phrase 
``individual or entity'' with the term ``person'' as proposed to 
comport with the HIPAA meaning of the term.
Comment
    Several organizations commented on QSOs. A behavioral health 
advocacy organization supported the proposed change because consent 
requirements would not apply to information exchanges between part 2 
programs and business associates when they are providing ``service 
work'' on behalf of the part 2 program and this expansion would 
encourage data sharing for part 2 programs. A state health data agency 
recommended eliminating the QSO

[[Page 12504]]

definition in favor of business associate. The commenter believed that 
if Sec.  2.3(c) applies the various sanctions of HIPAA to part 2 
programs regardless of whether the program is a HIPAA covered entity or 
business associate, the need to retain QSOs for part 2 programs that 
are not covered entities seems to be eliminated. A health system 
commenter has found the existing definition of QSO to be broad, and 
said that it is difficult to know which recipients are receiving part 2 
records. This commenter would support the proposed definition if it 
meant that compliance with a business associate agreement would meet 
the part 2 requirements for a QSO agreement (QSOA).
Response
    The Department is maintaining a distinct definition in part 2 for 
QSOs. The revised definition clarifies the obligations of a business 
associate that has records created by a covered entity that is a part 2 
program (which is subject to all part 2 requirements) and a business 
associate that has records from a covered entity that is only a 
recipient of part 2 records (and subject to the new redisclosure 
permission as allowed under the HIPAA Privacy Rule). While QSOs 
supporting part 2 programs in such activities as data processing and 
other professional services are analogous to the activities of business 
associates supporting covered entities, QSOs have a distinct function 
within part 2. For these reasons, QSOA under part 2 should be 
understood as distinct from business associate agreements required by 
HIPAA.
Comment
    Another state commenter suggested that QSOs should be included in 
the breach notification requirements that are being newly applied to 
part 2 programs.
Response
    We considered finalizing a requirement for QSOs to comply with the 
new breach reporting requirements in Sec.  2.16 in the same manner as 
they apply to business associates under HIPAA. We believe subjecting 
QSOs to this requirement would have underscored the status of QSOs as 
similar to business associates; however, we are not making this change 
because the CARES Act provides that breach notification should apply to 
part 2 programs in the same manner as it does to covered entities and 
does not mention breach notification requirements with respect to QSOs 
or business associates. Regardless, part 2 programs are likely to 
address breach notifications in contractual provisions within a QSOA, 
so QSOs need to be aware of breach notification.
Comment
    A few HIN/HIEs requested that the definition of QSO be modified to 
expressly include subcontractors of QSOs. The commenters further 
requested that the Department withdraw prior regulatory guidance 
regarding ``contract agents,'' because it has been interpreted by some 
as requiring a Federal agency-level relationship between the QSO and 
the QSO's subcontractor to permit the QSO to engage with a 
subcontractor.
Response
    The Department declines to withdraw previous guidance concerning 
contract agents or subcontractors, which it still views as relevant. In 
its 2010 HIE guidance, the Department stated that ``[a]n HIO may 
disclose the Part 2 information to a contract agent of the HIO, if it 
needs to do so to provide the services described in the QSOA, and as 
long as the agent only discloses the information back to the HIO or the 
Part 2 program from which the information originated.'' \150\ In 2017 
the Department noted that ``[w]e have previously clarified in responses 
to particular questions that contracted agents of individuals and/or 
entities may be treated as the individual/entity.'' \151\ In the 2018 
final rule, the Department stated that ``SAMHSA guidance indicates that 
a QSOA does not permit a QSO to re-disclose information to a third 
party unless that third party is a contract agent of the QSO, helping 
them provide services described in the QSOA, and only as long as the 
agent only further discloses the information back to the QSO or to the 
part 2 program from which it came.'' \152\
---------------------------------------------------------------------------

    \150\ Substance Abuse and Mental Health Servs. Admin., 
``Frequently Asked Questions: Applying the Substance Abuse 
Confidentiality Regulations to Health Information Exchange (HIE),'' 
at 8, https://www.samhsa.gov/sites/default/files/faqs-applying-confidentiality-regulations-to-hie.pdf.
    \151\ 82 FR 6052, 6056.
    \152\ 83 FR 239, 246.
---------------------------------------------------------------------------

    The Department, in the 2020 Part 2 Final Rule, noted that 
activities of QSOs ``would overlap with those articulated in Sec.  
2.33(b) related to information disclosures to a lawful holder's 
contractors, subcontractors, and legal representatives for the purposes 
of payment and/or health care operations.'' \153\ This guidance 
continues to be relevant to the roles of QSOs and their subcontractors 
or agents.
---------------------------------------------------------------------------

    \153\ 85 FR 42986, 43009.
---------------------------------------------------------------------------

Comment
    According to one county government, the addition of business 
associates to the definition of a ``qualified service organization'' is 
helpful for the county health system's ability to serve patients in 
need of SUD treatment. As a large health system and provider of 
behavioral health services, this county relies on business associates 
to operate its programs. A clearer definition of QSOs will allow the 
county and its part 2 programs to expand services using business 
associates to provide much needed assistance with claims, data and 
analytics, and quality assurance, the commenter said.
Response
    The Department appreciates the comments on its proposed change.
Comment
    An advocacy organization urged HHS to clarify that a business 
associate must still meet all aspects of the QSO definition, including 
entering into a QSOA. It also suggested that HHS should consider 
creating and publishing an official version of a joint QSOA and 
business associate agreement and that HHS should also work to improve 
major technology vendors' understanding of part 2, so that part 2 
programs and their patients can benefit from services like email, 
cloud-based storage, and telehealth platforms, while maintaining 
confidentiality safeguards. Another commenter said the Department 
should provide guidance on how terms such as intermediaries, business 
associates, qualified service organizations, and lawful holders 
interact and differ.
Response
    The Department appreciates these comments and will consider what 
additional guidance may be helpful after this rule is finalized. The 
Department explains throughout this rule that the roles and functions 
of lawful holders, business associates, QSOs, and intermediaries but 
may provide additional, concise guidance in the future. As highlighted 
in its guidance entitled ``Disclosure of Substance Use Disorder Patient 
Records: Does Part 2 Apply to Me? '' such inquiries are fact-specific 
depending on an organization's or provider's role in SUD treatment and 
the records it shares or receives.\154\
---------------------------------------------------------------------------

    \154\ See ``Disclosure of Substance Use Disorder Patient 
Records: Does Part 2 Apply to Me? '' supra note 143.
---------------------------------------------------------------------------

Final Rule
    The final rule adopts the proposed definition of QSO to expressly 
include

[[Page 12505]]

business associates as QSOs where the PHI in question also constitutes 
a part 2 record and further modifies the new paragraph by adding a 
clarification that the definition of QSO includes business associates 
where the QSO meets the definition of business associate for a covered 
entity that is also a part 2 program. Finalizing the changes to 
expressly include business associates as QSOs responds to comments 
received on the NPRM and those from others on previous part 2 
rulemakings (such as during SAMHSA's 2014 Listening Session) \155\ 
noting that the role of QSOs is analogous to business associates such 
that aligning terminology makes sense given the purpose of section 3221 
of the CARES Act to enhance harmonization of HIPAA and part 2. As noted 
in the NPRM, the Department also believes finalizing this proposal 
facilitates the implementation of the CARES Act with respect to 
disclosures to QSOs.
---------------------------------------------------------------------------

    \155\ See ``Disclosure of Substance Use Disorder Patient 
Records: Does Part 2 Apply to Me? '' supra note 143; see also, 
Confidentiality of Alcohol and Drug Abuse Patient Records, Notice of 
Public Listening Session, 79 FR 26929 (May 12, 2014).
---------------------------------------------------------------------------

Records
    The definition of ``records'' specifies the scope of information 
that part 2 protects. The Department proposed to insert a clause to 
expressly include patient identifying information within the definition 
of records and to remove, as unnecessary, the last sentence that 
expressly included paper and electronic records.
Comment
    Several organizations commented on the definition of ``records.'' 
Several commenters on the definition of ``record'' requested that the 
final rule expressly state that records received from a part 2 program 
under a consent for TPO no longer retain their characteristic as part 2 
records. These commenters provided their views of the difficulties 
associated with tracking the provenance of a particular data element 
once it has been added to a record. One comment suggested that the 
recipient should be able to redisclose the data for TPO even if the 
provenance could not be tracked.
Response
    We appreciate the comments but decline to add a statement that 
records received under a consent for TPO are no longer part 2 records. 
Instead, in response to other comments we are finalizing an express 
statement in Sec.  2.12(d) that segregation of records received by a 
part 2 program, covered entity, or business associate under a consent 
for TPO is not required. We believe it is necessary for the records 
received to retain their characteristic as part 2 records to ensure 
that recipients comply with the continuing prohibition on use and 
disclosure of the records in investigations or proceedings against the 
patient, absent written consent or a court order. We agree with the 
comment that a recipient that is a part 2 program, covered entity, or 
business associate should be able to redisclose the data for TPO as 
permitted by HIPAA and believe that the suite of modifications in the 
final rule accomplishes that end.
Comment
    According to one commenter, the definitions of ``record,'' 
``program,'' and ``patient identifying information'' and how they are 
applied are inconsistent, cross-referential, and confusing. This 
commenter urged the Department to simplify and clarify these terms, 
perhaps by adopting a single term as used in HIPAA (e.g., ``protected 
health information'') to uniformly apply throughout the regulation.
Response
    We appreciate this comment and are finalizing a number of changes 
to improve consistency and clarity throughout the rule; however, we are 
also mindful that many definitions have a special meaning within this 
part and the primary aim of this rulemaking is to implement the CARES 
Act amendments to 42 U.S.C. 290dd-2. We are incorporating the term 
``patient identifying information'' into the definition of record, in 
part to align with the HIPAA definition of PHI which includes 
demographic information. Thus, with this modification the definition 
includes both information that could identify a patient as having or 
having had an SUD, but also information that identifies the patient.
Comment
    An individual commenter recommended that the Department retain the 
last sentence of the definition because it is helpful to indicate that 
part 2 may apply to paper and electronic records and removing it might 
suggest to programs that the regulation no longer applies to paper 
records.
Response
    In the five decades since the promulgation of the part 2 
regulation, health IT has become widely adopted and it is evident that 
records include both paper and electronic formats. The Department does 
not intend to change the meaning or understanding of records with this 
proposed modification, but only to streamline the description.
Final Rule
    We are adopting the proposed definition of ``records'' without 
further modification.
SUD Counseling Notes
    In the NPRM, we requested input about whether to create a new 
definition similar to psychotherapy notes within HIPAA that is specific 
to the notes of SUD counseling sessions by a part 2 program 
professional. Such notes would be part 2 records, but could not be 
disclosed based on a general consent for TPO. They could only be 
disclosed with a separate written consent that is not combined with a 
consent to disclose any other type of health information. We requested 
comments on the benefits and burdens of creating such additional 
privacy protection for SUD counseling notes that are maintained 
primarily for use by the originator of the notes, similar to 
psychotherapy notes as defined in the HIPAA Privacy Rule. We provided 
potential language for ``SUD counseling notes'', defining it as notes 
recorded (in any medium) by a part 2 program provider who is an SUD or 
mental health professional documenting or analyzing the contents of 
conversation during a private counseling session or a group, joint, or 
family counseling session and that are separated from the rest of the 
patient's record. ``SUD counseling notes'' excludes medication 
prescription and monitoring, counseling session start and stop times, 
the modalities and frequencies of treatment furnished, results of 
clinical tests, and any summary of the following items: diagnosis, 
functional status, the treatment plan, symptoms, prognosis, and 
progress to date.\156\
---------------------------------------------------------------------------

    \156\ 87 FR 74216, 74230.
---------------------------------------------------------------------------

Comment
    Many commenters somewhat or strongly supported the Department's 
proposal to include a definition of ``SUD counseling notes.'' We are 
finalizing the proposed definition and discuss comments specifically 
regarding the proposed definition below and other comments relating to 
consent and disclosure of SUD counseling notes within Sec.  2.31.
Comments Supporting a Proposed SUD Counseling Notes Definition
    An SUD recovery organization supported the potential definition. An 
association of medical professionals also supported establishing a 
definition of

[[Page 12506]]

``SUD counseling notes'' that effectively copies the definition of 
``psychotherapy notes'' under the HIPAA Privacy Rule. A state health 
department supported an ``SUD counseling notes'' definition in Sec.  
2.11 because this would permit disclosure without patient consent for 
the purpose of oversight of the originator of the SUD counseling notes 
to ensure patient safety. Another state agency urged that SUD 
counseling session notes be treated similarly to psychotherapy notes as 
now addressed in HIPAA (i.e., SUD counseling notes be given protections 
equal to psychotherapy notes). A provider supported the addition of a 
definition of ``SUD counseling notes'' as written to incorporate the 
same protections as described in the HIPAA regulations for 
psychotherapy notes. The provider believed that any perceived burdens 
to creating a separate definition of SUD counseling notes are 
outweighed by the benefits of the additional protections by requiring 
separate authorization for release of the SUD counseling notes. A 
county agency recommended that we add this protection in alignment with 
the psychotherapy notes restriction under HIPAA and further suggests 
that the protection extend to all clinical notes in addition to the 
notes of SUD counselors. The commenter further recommended that the 
definition of ``counseling notes'' include assessment forms. This added 
protection would safeguard against use of SUD counseling notes in 
pending legal cases and pending dependency court (child custody) cases.
    A hospital commenter supported providing a corresponding protection 
in part 2 for certain notes for SUD patients, like psychotherapy notes 
have under HIPAA, but did not support the use of a new term that would 
differentiate SUD counseling notes from psychotherapy notes. Instead, 
the hospital recommended using psychotherapy notes or SUD psychotherapy 
notes for consistency. The commenter also suggested further discussion 
of the use of the term ``psychotherapy notes'' in the regulations, 
since the term continues to generate confusion. The commenter stated 
that the terms ``counseling notes'' and ``psychotherapy notes'' have a 
different meaning in routine clinical practice and are used frequently, 
but do not seem to meet the definition in the NPRM.
Response
    We appreciate comments concerning our proposed definition of ``SUD 
counseling notes'' and respond as follows. As discussed in the NPRM, 
the intent of the potential definition we described was to align with 
HIPAA provisions regarding psychotherapy notes, and we discuss 
psychotherapy notes further in Sec.  2.31 below.\157\ We believe the 
final definition of ``SUD counseling notes'' will ease compliance 
burdens for part 2 programs because the definition almost exactly 
matches the definition of ``psychotherapy notes'' under the HIPAA 
Privacy Rule except for the references to SUD professionals and SUD 
notes.
---------------------------------------------------------------------------

    \157\ See, e.g., 45 CFR 164.501; 45 CFR 164.508; U.S. Dep't of 
Health and Human Servs., ``Does HIPAA provide extra protections for 
mental health information compared with other health information? '' 
(Sept. 12, 2017), https://www.hhs.gov/hipaa/for-professionals/faq/2088/does-hipaa-provide-extra-protections-mental-health-information-compared-other-health.html; 65 FR 82461, 82497, 82514 (Dec. 28, 
2000).
---------------------------------------------------------------------------

    As we explained in the 2000 final HIPAA Privacy Rule, psychotherapy 
notes ``are the personal notes of the therapist, intended to help him 
or her recall the therapy discussion and are of little or no use to 
others not involved in the therapy.'' \158\ While the commenter above 
did not define what it meant by assessment forms, consistent with HIPAA 
our final definition of ``SUD counseling notes'' expressly excludes 
``medication prescription and monitoring, counseling session start and 
stop times, modalities and frequencies of treatment furnished, results 
of clinical tests, and any summary of the following items: diagnosis, 
functional status, the treatment plan, symptoms, prognosis, and 
progress to date.''
---------------------------------------------------------------------------

    \158\ 65 FR 82461, 82623.
---------------------------------------------------------------------------

Comment
    Several SUD recovery organizations supported a ``SUD counseling 
notes'' definition because these notes often contain highly sensitive 
information that supports therapy. Limiting access to these notes is 
critical to protect the therapeutic alliance due to the unique risks 
that patients face due to the highly sensitive information in these 
notes. An SUD recovery association and SUD provider commented that the 
Department should protect counseling notes using a new definition 
similar to psychotherapy notes, require specific consent, and not allow 
such consent to be combined with consent to disclose any other type of 
health information. According to these two commenters the patient's 
prognosis should be considered a counseling note because it could bias 
staff toward the patient's situation; it is subjective and the large 
turnover of counseling staff results in greater reliance on existing 
reports. An individual commenter also said that they supported the 
Department's version of SUD counseling notes, but expressed concern 
about excluding prognosis from SUD counseling notes; they too believed 
that prognosis is too subjective and its exclusion from the definition 
could result in bias or prejudice. Given the large turnover of 
counseling staff and the use of fairly junior clinicians to provide 
service, prognosis should be considered a counseling note. A few SUD 
treatment professionals associations also said that counseling notes 
should be so protected using a new definition similar to psychotherapy 
notes.
Response
    We appreciate comments from SUD recovery organizations and others 
about our proposed changes. The final definition of ``SUD counseling 
notes'' expressly excludes ``medication prescription and monitoring, 
counseling session start and stop times, the modalities and frequencies 
of treatment furnished, results of clinical tests, and any summary of 
the following items: diagnosis, functional status, the treatment plan, 
symptoms, prognosis, and progress to date.'' Thus, prognosis 
information is excluded from ``SUD counseling notes'' under the 
definition adopted in this final rule. Information critical to the 
patients' diagnosis and treatment such as prognosis and test results, 
should be within the patient's part 2 record or medical record such 
that it may be available for such activities as treatment consultation, 
medication management, care coordination, and billing.\159\
---------------------------------------------------------------------------

    \159\ See U.S. Dep't of Health and Human Servs., ``Individuals' 
Right under HIPAA to Access their Health Information 45 CFR 
164.524'' (Oct. 20, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html; 45 CFR 164.501 
(definition of ``Designated record set'').
---------------------------------------------------------------------------

    Neither HIPAA nor part 2 provides a right of access to 
psychotherapy notes or SUD counseling notes, but for different reasons. 
Under HIPAA, although psychotherapy notes are part of the designated 
record set (because the clinician may use them to make decisions about 
the individual), they are specifically excluded from the right of 
access in 45 CFR 164.524. Under part 2, there is no general right of 
access for part 2 records, and thus there is no right of access for SUD 
counseling notes, which are a narrow subset of part 2 records. However, 
under both HIPAA and part 2, clinicians may exercise their discretion 
and voluntarily provide patients with access to psychotherapy notes 
and/or SUD counseling notes or a portion of such notes.

[[Page 12507]]

Comment
    A local government agency supported explicitly defining ``SUD 
counseling notes'' as discussed in the NPRM. The commenter said we 
should clearly define how and where SUD counseling notes must be 
treated differently from other part 2 records and the HIPAA designated 
record set. Such clarification will assist dually regulated entities' 
efforts to comply with the HIPAA Privacy Rule and Information Blocking 
requirements.\160\ The commenter proposed redefining ``HIPAA 
psychotherapy notes'' to include all part 2-defined SUD counseling 
notes by reference. Such a straightforward alignment would minimize 
burden and maximize ease of compliance.
---------------------------------------------------------------------------

    \160\ See The Off. of the Nat'l Coordinator for Health Info. 
Tech. (ONC), ``Information Blocking'', https://www.healthit.gov/topic/information-blocking.
---------------------------------------------------------------------------

Response
    We appreciate comments concerning the definition of ``SUD 
counseling notes'' including the suggestion to redefine HIPAA 
``psychotherapy notes'' at 45 CFR 164.501 to include SUD counseling 
notes. However, changes to the HIPAA definitions are outside the scope 
of this rulemaking.
Comment
    A health insurer supported a separate definition of ``SUD 
counseling notes'' that makes clear the distinction between these types 
of notes, other notes, and part 2 records. SUD counseling notes are 
distinct from other notes, such as psychotherapy and analysis notes, 
according to this commenter. Most treatment for SUDs is done through 
individual and group counseling to address specific goals of a 
treatment plan, the commenter said, so excluding all notes would in 
effect exclude the disclosure of SUD information, unless there is 
differentiation between these notes. Even though the commenter 
recognizes the definitions would overlap in several aspects--such as 
for consent requirements--it welcomed the overlap, as there would be an 
additional administrative burden around creating a separate consent for 
SUD counseling notes if requirements differed within the definition.
Response
    We appreciate this comment on our proposed changes. The commenter 
correctly apprehends that the provisions for SUD counseling notes 
require that they be separated from the rest of the part 2 and/or 
medical record to be recognized as ``SUD counseling notes'' and 
afforded additional privacy protection. We agree that the definition of 
``SUD counseling notes'' in this final rule will support patient 
participation in individual and group SUD counseling. SAMHSA has noted 
elsewhere the importance of privacy and confidentiality in both 
individual and group counseling settings.\161\
---------------------------------------------------------------------------

    \161\ See Substance Abuse and Mental Health Servs. Admin., ``TIP 
41: Substance Abuse Treatment: Group Therapy'' (2015), https://store.samhsa.gov/product/TIP-41-Substance-Abuse-Treatment-Group-Therapy/SMA15-3991; Substance Abuse and Mental Health Servs. Admin., 
``TIP 63: Medications for Opioid Use Disorder--Full Document'' 
(2021), https://store.samhsa.gov/product/TIP-63-Medications-for-Opioid-Use-Disorder-Full-Document/PEP21-02-01-002.
---------------------------------------------------------------------------

Comments Opposing a New SUD Counseling Notes Definition or Requesting 
Clarification
Comment
    A county government asked that HHS make SUD records a specific 
category of PHI under HIPAA in a way similar to psychotherapy notes. It 
is inequitable, said the commenter, that patients have more 
confidentiality of their records when receiving SUD services from a 
part 2 program versus a primary care provider that is not a part 2 
program. A state agency said that the proposed definition of ``SUD 
counseling notes'' and the existing definition of ``psychotherapy 
notes'' in 45 CFR 164.501 do not accurately capture the intent of the 
right of access exclusion. The agency suggested using headings of ``SUD 
process notes'' and ``psychotherapy process notes'' to clarify that 
these are non-clinical notes and avoid creating confusion for patients 
in understanding what they are in fact requesting to exclude.
Response
    We appreciate suggestions concerning changes or clarifications to 
provisions concerning the definition of HIPAA ``psychotherapy notes'' 
at 45 CFR 164.501. However, changes to the HIPAA definitions are 
outside the scope of our part 2 rulemaking. With respect to SUD 
counseling notes, we clarify that the exclusion of psychotherapy notes 
from the right of access in the HIPAA Privacy Rule does not have a 
parallel in part 2 because part 2 does not contain a right of access. 
We do not believe that renaming these notes as process notes would 
promote understanding of their essential nature--that they are 
separately maintained and intended primarily for use by the direct 
treating clinician with few exceptions. Further, we do not categorize 
SUD counseling notes or psychotherapy notes as either clinical or non-
clinical. We expect that they contain a mix of information useful to 
the clinician but not necessary for routine uses or disclosures for 
TPO.
Comment
    A few HIE associations questioned the definition discussed in the 
NPRM stating that psychotherapy notes rarely exist as they are not 
considered in the HIPAA designated record set; therefore, such 
psychotherapy notes are not accessible under the patient right of 
access or available in the patient portal. These commenters and others, 
as discussed below in Sec.  2.31, expressed concern about the need to 
keep such records compartmentalized or distinct from other part 2 
records and associated burdens for data sharing, health IT, and other 
activities.
Response
    As the Department explained in guidance, ``[d]esignated record sets 
include medical records, billing records, payment and claims records, 
health plan enrollment records, case management records, as well as 
other records used, in whole or in part, by or for a covered entity to 
make decisions about individuals.'' \162\ Psychotherapy notes are used 
by the treating clinician to make decisions about individuals, and thus 
are part of the designated record set, but, they are expressly excluded 
from the individual right of access to PHI.\163\ However, the HIPAA 
Privacy Rule permits a treating provider to voluntarily grant an 
individual access to such notes.\164\ Similarly, Sec.  2.23 permits, 
but does not require, part 2 programs to provide a patient with access 
to part 2 records (including SUD counseling notes as finalized here), 
based on the patient's consent. As explained above, changes to the 
HIPAA Privacy Rule definition of ``psychotherapy notes'' are beyond the 
scope of this rulemaking.
---------------------------------------------------------------------------

    \162\ U.S. Dep't of Health and Human Servs., ``What personal 
health information do individuals have a right under HIPAA to access 
from their health care providers and health plans? '' (June 24, 
2016), https://www.hhs.gov/hipaa/for-professionals/faq/2042/what-personal-health-information-do-individuals/index.html.
    \163\ See ``Individuals' Right under HIPAA to Access their 
Health Information 45 CFR 164.524,'' supra note 159.
    \164\ The HIPAA Privacy Rule expressly permits disclosures of 
PHI to the individual who is the subject of the PHI. See 45 CFR 
164.502(a)(1)(i).
---------------------------------------------------------------------------

Comment
    A health care provider asserted that it is not necessary to create 
a separate term and definition of SUD counseling notes because the 
HIPAA term ``psychotherapy notes'' meets these

[[Page 12508]]

needs. The commenter supported applying the HIPAA standard to 
psychotherapy notes created within a part 2 program.
Response
    We appreciate this comment. As noted in the NPRM, we believe that 
it is important to include within part 2 a definition of ``SUD 
counseling notes'' specific to the notes of SUD counseling sessions by 
a part 2 program professional. SUD counseling notes under this final 
rule are part 2 records but cannot be disclosed based on a general 
consent for TPO. If this rule failed to include a definition of SUD 
counseling notes HIPAA's psychotherapy notes provisions and definitions 
in 45 CFR 164.501 and 164.508 would not apply to part 2 programs that 
are not covered entities and SUD counseling notes could be disclosed 
under a general TPO consent, which would undermine the utility of these 
notes being maintained separately from the designated record set by 
some SUD providers.
Comment
    A county health department stated that SUD counseling notes are 
different from psychotherapy notes, which often focus on more intimate 
and deeper clinical considerations, while SUD counseling notes often 
include more straightforward clinical details that do not require 
additional privacy protections. This commenter stated that the 
differences in the nature of such notes is due to differences in the 
scope of practice of the different workforces of SUD programs and 
therapists. The commenter also stated that, because most of the 
services provided by part 2 programs are documented via SUD counseling 
notes, requiring separate consent for SUD counseling notes would 
counteract the aim of facilitating greater information exchange without 
providing a clear benefit. As such, the commenter urged the Department 
to reject the idea of applying additional privacy protections for SUD 
counseling notes.
    Another county department similarly stated that the nature of SUD 
counseling notes is fundamentally different from psychotherapy notes, 
and does not warrant enhanced confidentiality. As described by this 
commenter, while psychotherapy notes focus on intimate and nuanced 
clinical considerations, the typical SUD counseling note is far less 
detailed and more like a standard progress note in a medical record. In 
addition, SUD counseling notes are usually kept by providers with less 
education and training than psychiatrists, who do not have a 
professional practice of maintaining separate counseling notes 
primarily for use by the originator of the notes.
    A state agency expressed concern that adopting special protections 
for SUD counseling notes would create additional administrative 
complexity and compliance challenges for part 2 programs and may have 
unintended adverse consequences by restricting patient access to, or 
beneficial disclosures of, a significant segment of their SUD treatment 
records. The commenter asserted that such a change seemed unlikely to 
facilitate information exchange for care coordination purposes, and 
thus would seem to be inconsistent with many of the other proposed 
amendments.
Response
    We acknowledge comments that SUD counseling notes and psychotherapy 
notes are not precisely equivalent. However, SUD counseling notes, like 
psychotherapy notes, may also include particularly sensitive details 
about a patient's medical conditions and personal history. Such 
concerns may be especially acute, for instance, with pediatric patients 
\165\ or patients who have or are at risk of conditions such as human 
immunodeficiency virus (HIV).\166\ While these commenters' anecdotal 
accounts are helpful to our understanding of the issues, these 
experiences and comments, do not necessarily apply to the majority of 
SUD counseling situations in which the clinician's notes may play an 
important role in patient treatment and necessitate the additional 
protections made available in this final rule. More than two-thirds of 
commenters on this issue expressed support for moving forward with a 
new definition and heightened protections for SUD counseling notes.
---------------------------------------------------------------------------

    \165\ See Substance Abuse and Mental Health Servs. Admin., 
``Treatment Considerations for Youth and Young Adults with Serious 
Emotional Disturbances and Serious Mental Illnesses and Co-occurring 
Substance Use'' (2021), https://www.samhsa.gov/resource/ebp/treatment-considerations-youth-young-adults-serious-emotional-disturbances-serious.
    \166\ See Substance Abuse and Mental Health Servs. Admin., 
``Prevention and Treatment of HIV Among People Living with Substance 
Use and/or Mental Disorders'' (2020), https://store.samhsa.gov/product/Prevention-and-Treatment-of-HIV-Among-People-Living-with-Substance-Use-and-or-Mental-Disorders/PEP20-06-03-001.
---------------------------------------------------------------------------

Comment
    A health care provider expressed support for an approach that 
destigmatizes SUD treatment and promotes access to clinically relevant 
information that is valuable and informative for all TPO purposes. As 
such, the provider did not believe that creating additional protections 
for SUD counseling notes would promote access and exchange of valuable 
information. An SUD treatment provider association urged the Department 
to limit disclosures of patient information that are not necessary for 
the purpose of the disclosure, such as details of trauma history that 
are not needed for TPO, except by the treating clinician. An insurance 
association suggested that a new definition of ``SUD counseling notes'' 
could be beneficial in some circumstances when heightened privacy is 
warranted. But a new definition also could impede care coordination 
because SUD counseling notes may contain clinically relevant 
information and help inform coordinated treatment plans, according to 
this commenter, who also asserted that some programs may have 
difficulty implementing the requirement and be unable to share the 
remainder of the record for TPO. The commenter urged the Department not 
to create a separate category for SUD counseling notes but instead to 
allow SUD providers to determine how to best record these notes. 
Another insurance association requested that the Department use this 
rule as an opportunity to: (1) reinforce the existing HIPAA 
restrictions on sharing psychotherapy notes; and (2) clarify that SUD 
counseling notes are not psychotherapy notes and maybe used and 
disclosed for TPO.
Response
    We acknowledge these comments and discuss additional related 
provisions below in Sec.  2.31. We do not believe the final ``SUD 
counseling notes'' definition will contribute to stigma or 
discrimination for SUD patients because it strengthens confidentiality 
for the most sensitive information shared during treatment and does so 
in a manner similar to what already exists in the HIPAA regulations. We 
do not agree that the ``SUD counseling notes'' definition will impede 
care coordination because the nature of these notes is that they are 
intended primarily for use by the direct treating clinician. We agree 
that the final rule may be an opportunity to provide additional 
education on existing HIPAA psychotherapy note provisions and will 
consider what additional guidance may be helpful after this rule is 
finalized. In addition, we note that a part 2 program's use of separate 
SUD counseling notes is voluntary and optional--although a program may 
adopt a facility-wide policy that either supports or disallows the 
creation and maintenance of such notes. As noted above, through the

[[Page 12509]]

separate definition adopted in this final rule in Sec.  2.11, SUD 
counseling notes under this final rule are part 2 records but cannot be 
disclosed based on a TPO consent.
Comment
    A medical professionals association expressed concern about 
potential challenges associated with maintaining SUD counseling notes, 
noting that the creation of a distinct class of psychotherapy notes in 
HIPAA provides an illustrative example of the challenge of implementing 
specific data protections within a medical record: although the 
``psychotherapy notes'' option was added to HIPAA to protect 
psychotherapist-patient privilege, this option specifically excludes 
key elements of psychotherapy session notes that are required for 
routine clinical care as well as for billing purposes (e.g., medication 
prescription and monitoring, summary of diagnosis, treatment plan). As 
a result, according to this commenter, if a HIPAA-defined 
``psychotherapy note'' is used, it must always be accompanied by a 
clinical note that includes the essential elements for routine clinical 
care and billing.
Response
    We acknowledge this comment and appreciate the analogy to HIPAA 
psychotherapy notes in clinical practice; however, we believe the 
framework is a valuable option for some clinicians, with the 
understanding that the notes are intended to be used only by the 
clinician. Neither the HIPAA Privacy Rule nor this final rule mandate 
the use within a mental health practice or a part 2 program of 
``psychotherapy notes'' or ``SUD counseling notes'' as defined within 
the respective regulations. However, clinicians who choose to keep 
separate notes for their own use are afforded some additional privacy 
and the patient's confidentiality is also protected by additional 
consent requirements under Sec.  2.31(b) (Consent required: SUD 
counseling notes).
Comment
    A medical professionals association suggested that the Department 
create a regulatory definition of an ``SUD professional'' who is 
qualified to perform treatment and prepare SUD counseling notes.
Response
    The definition of ``SUD counseling notes'' matches the definition 
of ``psychotherapy notes'' under the HIPAA Privacy Rule except for the 
references to SUD professionals and SUD notes. Historically, the 
Department has considered licensed providers as ``professionals.'' We 
did not propose and therefore are not finalizing a definition of SUD 
professionals either separately or in relation to SUD counseling notes. 
The exception to the consent requirement for use in a part 2 program's 
training program indicates that an ``SUD professional'' may be someone 
who is completing their practical experience to receive a degree or 
professional certification or license, and, additionally, that such 
notes may be used in clinical supervision.
Final Rule
    The final rule adopts the definition of ``SUD counseling notes'' as 
proposed in the NPRM.
Third-Party Payer
    The term ``third-party payer'' refers to an entity with a 
contractual obligation to pay for a patient's part 2 services and 
includes some health plans, which by definition are covered entities 
under HIPAA. The current regulation, at Sec.  2.12(d)(2), limits 
disclosures by third-party payers to a shorter list of purposes than 
the HIPAA Privacy Rule allows for health plans. The Department proposed 
to exclude covered entities from the definition of ``third-party 
payer'' to facilitate implementation of 42 U.S.C. 290dd-2(b)(1)(B), as 
amended by section 3221(b) of the CARES Act, which enacted a permission 
for certain recipients of part 2 records to redisclose them according 
to the HIPAA standards. The result of this proposed change would be 
that the current part 2 disclosure restrictions continue to apply to a 
narrower set of entities. The Department believes that this approach 
would carry out the intent of the CARES Act, while preserving the 
privacy protections that apply to payers that are not covered entities. 
The Department also proposed a wording change to replace the phrase 
``individual or entity'' with the term ``person'' as now proposed to 
comport with the HIPAA meaning of the term.
Comment
    The Department received overwhelmingly supportive comments on the 
intent to distinguish health plans, which are covered entities, from 
other third-party payers who would be subject to part 2 (but not 
HIPAA). The rationales offered for supporting this proposal were that 
it furthers the implementation of the CARES Act requirement to align 
part 2 with HIPAA, reduces the need to segment part 2 records, reduces 
health plan burden, and allows health plans to engage in more 
activities that improve health care, such as care coordination and 
accountable care.
Response
    We appreciate the comments.
Comment
    Several commenters stated that the definition could be confusing to 
some readers and requested clarification in the final rule along with 
additional examples of entities that would remain subject to part 2 as 
third-party payers. Specifically, a trade association requested that 
the Department exclude business associates of health insurance 
providers (i.e., a health plan/payer) from this definition because they 
are not independent ``third-party payers'' but rather are acting on 
behalf of a health insurance provider. A health system requested that 
the Department ensure that ACOs and population health providers have 
access to full part 2 information without a beneficiary having to 
explicitly opt-in to data sharing.
Response
    We appreciate the comments and clarify that business associates 
acting on behalf of health plans are not independent ``third-party 
payers'' who would fall within this definition. However, business 
associates are listed along with covered entities in the new language 
of Sec.  2.12(d)(2)(i)(C), which expressly states that covered entities 
and business associates are not required to segregate records or 
segment part 2 data once received from a part 2 program based on a TPO 
consent.
Comment
    One commenter asserted that the proposed rule did not clearly 
address the role of third-party payers, including the more active role 
of these entities in coordinating patient care. This commenter cited, 
for example, that third-party payers could provide direct care 
coordination; services such as home health visits as a covered entity; 
or function solely as a third-party payer, making payment and 
overseeing quality claims reporting for providers. The commenter cited 
the Ohio Medicaid Comprehensive Privacy Care or ``CPC'' alternative 
payment program as an example where health plans act as managed care 
organizations that oversee various avenues of payment as well as core 
coordination in conjunction with providers. This commenter also 
believed that the definition is intended to ensure that third-party 
payers that are not HIPAA covered entities are also subject to the same 
rules as a covered entities with respect to part 2 records

[[Page 12510]]

and recommended that HHS clarify the definitions of ``covered entity'' 
and ``third-party payer'' to explain the relationship between these 
groups and the obligations of each with respect to part 2 information.
Response
    We appreciate the commenter's description of new models of payment 
and care coordination. However, we believe the commenter misapprehends 
the intent of the proposed definition, which is finalized in this rule. 
The intent is to distinguish third-party payers, which are not covered 
entities, from health plans (which, by definition, are covered 
entities). If a third-party payer is not a covered entity, then it is 
not subject to part 2 provisions that apply to covered entities except 
when (a) specifically identified as being subject to these provisions 
or (b) in those instances where third-party payers are lawful holders 
by virtue of having received part 2 records under a written consent or 
an exception to the consent requirements. For example, some non-profit 
organizations provide health care reimbursement for individuals and 
some entities provide payment as part of an insurance policy that does 
not meet the definition of health plan in HIPAA.
Final Rule
    The final rule adopts all proposed modifications to the definition 
of ``third-party payer'' in Sec.  2.11, without further modification.
Treating Provider Relationship
    The Department proposed to modify the part 2 definition of 
``treating provider relationship'' by replacing the phrase ``individual 
or entity'' with ``person,'' in accordance with the proposed changes to 
the definition of ``person'' described above. Additionally, several 
minor wording changes were proposed for clarity.
Comment
    We received no comments on the proposed changes to this definition.
Final Rule
    The final rule adopts the proposed changes to the definition of 
``treating provider relationship'' without further modification.
Treatment
    The Department proposed to modify the part 2 definition of 
``treatment'' by adopting the HIPAA Privacy Rule definition in 45 CFR 
164.501 by reference. This would implement subsection (k) of 42 U.S.C. 
290dd-2, added by section 3221(d) of the CARES Act, requiring that the 
term be given the same meaning of the term for the purposes of the 
HIPAA regulations. As discussed in the NPRM, by replacing the existing 
language, the Department does not intend to change the scope of 
activities that constitute treatment. In this context, treatment 
includes the care of a patient suffering from an SUD, a condition which 
is identified as having been caused by the SUD, or both, to reduce or 
eliminate the adverse effects upon the patient.
Comment
    In addition to the supportive comments discussed above, a state 
government expressed specific support for the adoption of the HIPAA 
definition of the term ``treatment.''
Response
    We appreciate the comments.
Final Rule
    The final rule adopts all proposed modifications to the definition 
of ``treatment'' in Sec.  2.11, without further modification.
Unsecured Protected Health Information
    The Department proposed to adopt the same meaning of this term as 
used in the HIPAA regulations at 45 CFR 164.402 to mean PHI that is not 
rendered unusable, unreadable, or indecipherable to unauthorized 
persons through the use of a technology or methodology specified by the 
Secretary in guidance. This proposal would implement subsection (k) of 
42 U.S.C. 290dd-2, added by section 3221(d) of the CARES Act, requiring 
that the term in this part be given the same meaning as the term for 
the purposes of the HIPAA regulations.
Comment
    Other than the supportive comments discussed above pertaining to 
the changes to definitions generally, the Department did not receive 
specific comments for its proposed definition of this term in the 
regulation.
Response
    We appreciate the comments.
Final Rule
    The final rule adopts all proposed modifications to the definition 
of ``unsecured protected health information'' in Sec.  2.11, without 
further modification.
Unsecured Record
    In the NPRM, the Department explained its view that the proposed 
addition was necessary to implement the newly required breach 
notification standards for part 2 records. To align with the definition 
of ``unsecured protected health information'' in the HIPAA regulations 
at 45 CFR 164.402, the Department proposed to apply a similar concept 
to records, as defined in this part. Thus, an ``unsecured record'' 
would be one that is not rendered unusable, unreadable, or 
indecipherable to unauthorized persons through the use of a technology 
or methodology specified by the Secretary in the guidance issued under 
Public Law 111-5, section 13402(h)(2).\167\
---------------------------------------------------------------------------

    \167\ See U.S. Dep't of Health and Human Servs., ``Guidance to 
Render Unsecured Protected Health Information Unusable, Unreadable, 
or Indecipherable to Unauthorized Individuals'' (July 26, 2013), 
https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html.
---------------------------------------------------------------------------

Comment
    The Department received one comment from a state government that 
suggested eliminating ``unsecured record,'' in favor of ``unsecured 
protected health information'' because two terms are unnecessary.
Response
    We appreciate the comment but believe both terms are needed to 
implement the newly required breach notification standards for part 2 
records, which are defined differently from PHI.
Final Rule
    The final rule adopts all proposed modifications to the definition 
of ``unsecured record'' in Sec.  2.11, without further modification.
Use
    The Department proposed to add a definition of this term that is 
consistent with the definition in the HIPAA regulations at 45 CFR 
160.103 and as the term is applied to the conduct of proceedings 
specified in 42 U.S.C. 290dd-2(c). As explained in the NPRM, the 
Department believes this addition is necessary to more fully align part 
2 with the HIPAA regulations' use of the phrase ``use and disclosure,'' 
as well as make clear, where applicable, that many of the activities 
regulated by this part involve not only disclosures but internal uses 
of part 2 records by programs or recipients of part 2 records. The 
Department also proposed this definition to clarify that in this part, 
the term ``use'' has a secondary meaning in accordance with the 
statutory requirements at 42 U.S.C. 290dd-2(c) for ``use'' of records 
in civil, criminal, administrative, and legislative investigations and 
proceedings. The

[[Page 12511]]

Department discusses in greater detail the addition of the term ``use'' 
to specific provisions throughout this rule.
Comment
    The Department received overwhelmingly supportive comments on the 
proposed changes throughout this rule to include ``use and'' preceding 
``disclosure.'' With respect to proposed definitions of ``use'' and 
``disclosure,'' one commenter stated that the term ``use'' was broad 
enough to incorporate both the current understanding (as applied to 
legal proceedings) and the HIPAA understanding (applied to use of 
records within a health care entity) without creating confusion and 
other commenters agreed the proposal would provide clarity. 
Additionally, several commenters recommended that the Department adopt 
the HIPAA definitions of ``use'' and ``disclosure'' to further align 
part 2 with the HIPAA regulations. Another commenter suggested further 
that the final rule eliminate the clause ``or in the course of civil, 
criminal, administrative, or legislative proceedings as described at 42 
U.S.C. 290dd-2(c)'' because the proposed language departs from the 
HIPAA definition and is unnecessary.
Response
    We appreciate the comments. Although we are declining to adopt the 
HIPAA definition of ``use,'' we believe that the definition finalized 
in this rule is consistent with HIPAA's definition and with the 
additional second meaning in this part in accordance with the statutory 
requirements at 42 U.S.C. 290dd-2(c) for ``use'' of records in civil, 
criminal, administrative, and legislative proceedings.
Comment
    One commenter, a health system, suggested that the Department 
revise the definition of ``use'' within the HIPAA regulations to match 
the understanding of its meaning as proposed here, to include the 
initiation of a legal proceeding.
Response
    We appreciate this comment, but it is not within the scope of this 
rulemaking to address the definition of ``use'' within the HIPAA 
regulations.
Final Rule
    The final rule adopts all proposed modifications to the definition 
of ``use'' in Sec.  2.11, without further modification.
Section 2.12--Applicability
Proposed Rule
    In addition to changes to the use and disclosure language in this 
section, discussed above, the Department proposed to modify paragraph 
(a) to update the terminology by replacing ``drug abuse'' with 
``substance use disorder.'' The Department also proposed to modify 
paragraph (c)(2) of this section, which excludes from part 2 
requirements certain interchanges of information within the Armed 
Forces and between the Armed Forces and the VA, by replacing ``Armed 
Forces'' with ``Uniformed Services.'' This proposed change would align 
the regulatory text with the statutory language at 42 U.S.C. 290dd-
2(e).
    As we noted in the 2021 HIPAA NPRM to modify the HIPAA Privacy 
Rule, the U.S. Public Health Service (USPHS) and the National Oceanic 
and Atmospheric Administration (NOAA) Commissioned Corps share 
responsibility with the Armed Services for certain critical missions, 
support military readiness and maintain medical fitness for deployment 
in response to urgent and emergency public health crises, and maintain 
fitness for deployment onto U.S. Coast Guard manned aircraft and 
shipboard missions. Because this part 2 proposal with respect to the 
Uniformed Services is consistent with the underlying statute, the 
Department does not believe the modification will change how SUD 
treatment records are treated for USPHS and NOAA Commissioned Corps 
personnel, but requested comment on this assumption.
    The Department proposed in paragraph (d)(1) of this section to 
expand the restrictions on the use of records as evidence in criminal 
proceedings against the patient by incorporating the four prohibited 
actions specified in 42 U.S.C. 290dd-2(c), as amended by the CARES Act, 
and expanding the regulatory prohibition on use and disclosure of 
records against patients to cover civil, administrative, or legislative 
proceedings in addition to criminal proceedings.\168\ Absent patient 
consent or a court order, the proposed prohibitions are: (1) the 
introduction into evidence of a record or testimony in any criminal 
prosecution or civil action before a Federal or State court; (2) 
reliance on the record or testimony to form part of the record for 
decision or otherwise be taken into account in any proceeding before a 
Federal, State, or local agency; (3) the use of such record or 
testimony by any Federal, State, or local agency for a law enforcement 
purpose or to conduct any law enforcement investigation; and (4) the 
use of such record or testimony in any application for a warrant.
---------------------------------------------------------------------------

    \168\ Administrative agencies may issue subpoenas pursuant to 
their authority to investigate matters and several statutes 
authorize the use of administrative subpoenas in criminal 
investigations. For example, these may be cases involving health 
care fraud, child abuse, Secret Service protection, controlled 
substance cases, inspector general investigations, and tracking 
unregistered sex offenders. See Charles Doyle, Administrative 
Subpoenas in Criminal Investigations: A Brief Legal Analysis, CRS 
Report RL33321 (Dec. 19, 2012), https://crsreports.congress.gov/product/pdf/RL/RL33321; Legislative investigations may also be 
conducted in furtherance of the functions of Congress or state 
legislative bodies. See U.S. Dept. of Justice, Off. of Legal Policy, 
Report to Congress on the Use of Administrative Subpoena Authorities 
by Executive Branch Agencies and Entities: Pursuant to Public Law 
106-544, https://www.justice.gov/archive/olp/rpt_to_congress.htm.
---------------------------------------------------------------------------

    The Department further proposed changes to paragraph (d)(2) 
(Restrictions on use and disclosures). In paragraph (d)(2)(i) (Third-
party payers, administrative entities, and others), the term ``third-
party payer'' as modified in Sec.  2.11 would have the effect of 
excluding covered entity health plans from the limits on redisclosure 
of part 2 records. To clarify the modified scope of this paragraph, the 
Department proposed to insert qualifying language in Sec.  
2.12(d)(2)(i)(A) to refer to ``third-party payers, as defined in this 
part.'' This approach implements the CARES Act changes in a manner that 
preserves the existing redisclosure limitations for any third-party 
payers that are not covered entities. The modified definition of 
``third-party payer'' in Sec.  2.11 excludes health plans by describing 
a ``third-party payer'' as ``a person, other than a health plan as 
defined at 45 CFR 160.103, who pays or agrees to pay for diagnosis or 
treatment furnished to a patient on the basis of a contractual 
relationship with the patient or a member of the patient's family or on 
the basis of the patient's eligibility for Federal, state, or local 
governmental benefits'' [emphasis added]. As a result of the proposal, 
health plans would be permitted to redisclose part 2 information as 
permitted by the HIPAA regulations and other ``third-party payers'' 
would remain subject to the existing part 2 prohibition on 
redisclosure.
    The Department also proposed to substitute the term ``person'' for 
the term ``entity'' and the phrase ``individuals and entities'' in 
Sec.  2.12(d)(2)(i)(B) and (C), respectively. As discussed above in 
relation to Sec.  2.11 (Definitions), the Department does not intend 
this to be a substantive change, but rather an alignment with the term 
as

[[Page 12512]]

it is defined in the HIPAA Privacy Rule at 45 CFR 160.103.
    In addition to these proposed changes to Sec.  2.12(d), the 
Department requested comment on how the proposed revisions to Sec.  
2.33 (Uses and disclosures with written consent), might affect the 
future data segregation practices of part 2 programs and recipients of 
part 2 records. We include comments on that topic in this section 
because it provides the only explicit reference to data segmentation 
and segregation of records within the regulation. Operationalizing 
consent for TPO, more narrow consent, revocation of consent, and 
requests for restrictions on disclosures for TPO may raise challenges 
concerning tagging, tracking, segregating and segmenting records and 
health data. These issues are addressed across multiple sections of the 
final rule, including Sec. Sec.  2.12, 2.22, 2.31, 2.32, and 2.33.
    The Department proposed to conform paragraph (e)(3) of Sec.  2.12 
to 42 U.S.C. 290dd-2(c), as amended by section 3221(e) of the CARES 
Act, by expanding the restrictions on the use of part 2 records in 
criminal proceedings against the patient to expressly include 
disclosures of part 2 records and to add civil and administrative 
proceedings as additional types of forums where use and disclosure of 
part 2 records is prohibited, absent written patient consent or a court 
order. Additionally, the Department proposed to clarify language in 
paragraph (e)(4)(i) of Sec.  2.12, which excludes from part 2 those 
diagnoses of SUD that are created solely to be used as evidence in a 
legal proceeding. The proposed change would narrow the exclusion to 
diagnoses of SUD made ``on behalf of and at the request of a law 
enforcement agency or official or a court of competent jurisdiction'' 
to be used as evidence ``in legal proceedings.'' The Department 
believed the proposed clarification would tighten the nexus between a 
law enforcement or judicial request for the diagnosis and the use or 
disclosure of the SUD diagnosis based on that request, and requested 
comment on this approach.
    We respond to comments on all aspects of Sec.  2.12 below.
Comment
    A few health system commenters supported the proposed change in 
paragraph (c)(2) to replace Armed Forces with Uniformed Services to be 
more inclusive.
Response
    We appreciate the comments.
Comment
    A few commenters expressed concerns about paragraph (c)(6) of this 
section, which excludes from part 2 applicability the use and 
disclosure of part 2 records in reports of child abuse and neglect 
mandated by state law and the fact that the exception does not allow 
for reporting of vulnerable adult and elder abuse or domestic violence.
Response
    Modifications to this provision are outside of the scope of this 
rulemaking. Moreover, the exception that allows part 2 programs to 
disclose otherwise confidential records for child abuse reporting is 
based in a statutory exclusion in 42 U.S.C. 290dd-2(e). Because 
Congress had the opportunity to address this statutory exclusion in the 
CARES Act amendments and did not do so we do not believe we can 
unilaterally expand the exclusion by adding a regulatory exception for 
elder or vulnerable adult abuse similar to that for child abuse 
reporting. Congress could in the future choose to add to the statute an 
exception that would allow part 2 programs to report vulnerable adult 
and elder abuse and neglect. We further address options for disclosures 
to prevent harm in the discussion of Sec.  2.20 (Relationship to state 
laws).
Comment
    Some commenters supported the proposed changes in paragraph (d)(2) 
to the prohibition on use and disclosure of part 2 records against a 
patient or a part 2 program in investigations and proceedings absent 
patient consent or a court order. These commenters appreciated the 
expanded protection from use and disclosure in legislative and 
administrative investigations and proceedings and the express 
protection of testimony that conveys information from part 2 records 
within the consent or court order requirements. Some commenters thought 
that these express and expanded protections would serve as a beneficial 
counterweight to easing the flow of part 2 records for health care-
related purposes.
Response
    We appreciate the comments and agree that the expanded scope of 
protection to include not only records but testimony and to include 
legislative and administrative proceedings provides greater protection 
to patients and part 2 programs that are the subject of investigations 
and proceedings.
Comment
    Many commenters expressed concern about the use of written consent 
as a way to overcome the prohibition against the use of records in 
proceedings against patients, expressing alarm that this could allow 
coerced consent by law enforcement.
Response
    We address the concerns about allowing patient consent for use and 
disclosure of records in legal proceedings in the discussion of Sec.  
2.31 (Consent requirements). Patient consent was not the intended focus 
of the modifications to Sec.  2.12(d), but was included to mirror the 
statutory language in 42 U.S.C. 290dd-2(c), as amended by section 
3221(e) of the CARES Act. The final rule provides guardrails for the 
consent process in a new paragraph to Sec.  2.31, discussed below.
Comment
    A county board of supervisors commented on changes to paragraph 
(d)(2), stating that the current regulations require a special court 
order to authorize the use or disclosure of patient records in a 
criminal investigation or prosecution. The county expressed concern 
that a lack of meaningful safeguards when allowing the disclosure of 
patients' SUD records by patient consent may result in patients being 
asked to consent to disclosures of their protected SUD treatment 
records as a condition of a plea deal, sentencing, or release from 
custody, and that without adequate protections individuals may fear 
this information being used against them and may not seek treatment. 
According to the commenter, expanding the ability to access and use 
patients' SUD treatment records in criminal cases may result in harm to 
patients such as exacerbation of disparities in access to SUD 
treatment, criminalization of SUD, and treatment outcomes. The 
commenter recommended that HHS include meaningful protections in the 
final rule against patients being coerced into signing consent forms 
that can be used against them in a criminal or civil case.
Response
    We have added at Sec.  2.31(d) an express requirement that consent 
for use and disclosure of records in civil, criminal, administrative, 
and legislative investigations and proceedings be separate from consent 
to use and disclose part 2 records for other purposes. The existing 
rule, at Sec.  2.33(a), permits patients to consent to use and 
disclosure of their records and that part 2 programs may disclose the 
records according to the consent. We interpret

[[Page 12513]]

this to include consent for use and disclosure of records in legal 
proceedings, including those that are brought against a patient. Thus, 
we do not view this final rule's language about consent in Sec.  
2.12(d) as creating a substantive change to patients' rights or the 
existing procedures for legal proceedings, but as clarifying how 
consent is one option for achieving the use and disclosure of records 
in proceedings against a patient.
    Nonetheless, because the role of patient consent is expanding, we 
created the new requirement for separate consent as Sec.  2.31(d) in 
response to many comments about the potential for coerced consent and 
specific suggestions about ways to reduce instances of potential 
coercion, including requiring it to be separate from TPO consent or 
consent to treatment. This paragraph provides that patient consent for 
use and disclosure of records (or testimony relaying information 
contained in a record) in a civil, criminal, administrative, or 
legislative investigation or proceeding cannot be combined with a 
consent to use and disclose a record for any other purpose. Some 
commenters asserted that patients are particularly vulnerable to 
coerced consent at the initiation of treatment when they are suffering 
the effects of SUD and that they may not fully appreciate how their 
records may be used or disclosed in proceedings against them. Thus, 
requiring separate consent for use or disclosure of records in 
investigations or proceedings against a patient would help ensure that 
patients are better aware of the nature of the proceedings and how 
their records may be used. Signing a separate document specific to one 
purpose draws attention to the consent decision and provides greater 
opportunity for review of the nature of the consent. Comments about the 
proposed changes for legal proceedings are also addressed in Sec. Sec.  
2.2, 2.31, 2.66, and 2.67. Additional comments with similar concerns 
are discussed in Sec.  2.31.
Comment
    With respect to the applicability of part 2 to third-party payers, 
we received overwhelming support from the several organizations that 
commented on the proposed changed definition of third-party payer as 
applied in paragraph (d)(2)(i) of this section. These commenters 
supported the proposal to distinguish health plans, which are covered 
entities, from other third-party payers who are subject to part 2 (but 
not subject to HIPAA). One commenter explained their understanding that 
covered entity payers (e.g., health plans) would already be included in 
the meaning of covered entity for the purposes of part 2 and HIPAA, and 
therefore able to operate under the relaxation of the redisclosure 
prohibition for TPO purposes while ``third-party payers'' under this 
narrowed definition would not. The commenter stated its belief that the 
change was an important and useful clarification of the continued 
redisclosure prohibition on treatment uses by such third-party payers.
    A few HIE/HIN commenters strongly supported this change because the 
inability to segment the part 2-protected claims/encounter data from 
the non-part 2 data has often been a barrier to health plans 
contributing the clinical component of this administrative data to 
local, regional, and national HIE efforts. Additionally, a health 
system requested that the Department ensure that ACOs and population 
health providers have access to full part 2 information without a 
beneficiary having to explicitly opt-in to data sharing.
Response
    We appreciate the comments concerning how the proposed narrower 
definition of ``third-party payer'' operates in paragraph (d)(2) of 
this section. Applicability to health plans is now addressed under 
paragraph (d)(2)(C) within the reference to covered entities. 
Additionally, the new statement in paragraph (d)(2)(C) in this final 
rule provides that health plans are not required to segregate records 
or segment data upon receipt from a part 2 program. ACOs and population 
health providers will need to evaluate the applicability provision 
based on their status as covered entities or business associates.
Comment
    A medical professionals association voiced its strong support for 
data segmentation in support of data interoperability while maintaining 
patient privacy; capabilities for EHRs to track and protect sensitive 
information before it can be disclosed or redisclosed; and continuous 
monitoring and data collection regarding unintended harm to patients 
from sharing their sensitive information.
Response
    We appreciate the comment about improving the capabilities for EHRs 
to segment data to maintain patient privacy while also remaining 
interoperable. The final rule change expressly stating that data 
segmentation is not required by recipients under a TPO consent does not 
preclude the voluntary use of data segmentation or tracking as means to 
protect sensitive data from improper disclosure or redisclosure. As a 
result of the modifications to paragraph (d)(2) of Sec.  2.12, key 
recipients of part 2 records may choose the best method for their 
health IT environment and organizational structure to protect records 
from use and disclosure in legal proceedings against the patient, 
absent consent or a court order. For example, the use of the data 
segmentation for privacy (``DS4P'') standard as adopted as part of the 
ONC Health IT Certification Program criteria in 45 CFR 170.315(b) is a 
technical capability that would be acceptable/sufficient.\169\
---------------------------------------------------------------------------

    \169\ See The Off. of the Nat'l Coordinator for Health Info. 
Tech., ``Certification Companion Guide: Security tags'' (2015), 
https://www.healthit.gov/test-method/security-tags-summary-care-send.
---------------------------------------------------------------------------

Comment
    A few individual commenters, a police and community treatment 
collaborative, a health IT vendor, and an SUD recovery policy 
organization, requested changes to paragraph (e)(4), which applies to a 
``[d]iagnosis which is made on behalf of and at the request of a law 
enforcement agency or official or a court of competent jurisdiction 
solely for the purpose of providing evidence[.]'' Specifically, they 
recommended in Sec.  2.12(e)(4)(i) that we add language to include the 
purpose of determining eligibility for participation in deflection, 
diversion, or reentry alternatives to incarceration. The commenters 
stated that alternatives to incarceration require swift assessments, 
diagnoses, and referrals to treatment and care, and that the requested 
change is narrowly tailored and consistent with best practice and 
priorities within the justice field.
Response
    We decline to further modify paragraph (e)(4) in the manner 
suggested, although we appreciate the comment and the intent to support 
criminal justice deflection programs and alternatives to incarceration 
where appropriate. The changes we proposed to this paragraph were for 
clarification and not intended to create substantive modifications. 
However, we believe that as drafted, the final regulatory language 
supports the disclosure of diagnoses made for the purpose of providing 
evidence for any number of purposes, which could include determining 
eligibility for participation in deflection, diversion, or reentry 
alternatives to incarceration. Thus, in our view, the

[[Page 12514]]

suggested change is not necessary to meet the commenter's purposes.
Final Rule
    The final rule adopts all proposed changes to Sec.  2.12 and 
further modifies this section by: (1) clarifying that the restrictions 
on uses and disclosures of records in proceedings against a patient 
apply to persons who receive records from not only part 2 programs and 
lawful holders, but also from covered entities, business associates, 
and intermediaries to allow for the new operation of consent as enacted 
by the CARES Act; \170\ (2) modifying paragraph (b)(1) by replacing 
``Armed Forces'' with ``Uniformed Services'' to conform with the 
changes in paragraph (c)(2) and the statutory language at 42 U.S.C. 
290dd-2(e); (3) adding an express statement to paragraph (d)(2)(i)(C) 
that recipients of records under a TPO consent who are part 2 programs, 
covered entities, and business associates are not required to segregate 
the records received or segment part 2 data; and (4) removing a phrase 
in paragraph (d)(2)(ii) that implied a requirement for recipients of 
part 2 records to segregate or segment the data received, including 
removing the requirement from covered entities, business associates, 
and intermediaries, as well as from part 2 programs.
---------------------------------------------------------------------------

    \170\ The non-substantive wording changes to paragraphs (a), 
(c), and (e) are included in the amendatory language in the last 
section of this final rule.
---------------------------------------------------------------------------

Section 2.13--Confidentiality Restrictions and Safeguards
Proposed Rule
    The current provisions of this section apply confidentiality 
restrictions and safeguards to how part 2 records may be ``disclosed 
and used'' in this part, and specifically provide that part 2 records 
may not be disclosed or used in any civil, criminal, administrative, or 
legislative proceedings. The current provisions also provide that 
unconditional compliance with part 2 is required by programs and lawful 
holders and restrict the ability of programs to acknowledge the 
presence of patients at certain facilities. Changes to the Department's 
use of terms ``use'' and ``disclose'' in this section are discussed 
above. Paragraph (d) of Sec.  2.13 (List of disclosures), includes a 
requirement for intermediaries to provide patients with a list of 
entities to which an intermediary, such as an HIE, has disclosed the 
patient's identifying information pursuant to a general designation. 
The Department proposed to remove Sec.  2.13(d) and redesignate the 
content as Sec.  2.24, change the heading of Sec.  2.24 to 
``Requirements for intermediaries,'' and in Sec.  2.11 create a 
regulatory definition of the term ``intermediary'' as discussed above. 
The Department's proposal to redesignate Sec.  2.13(d) as Sec.  2.24 
would move the section toward the end of subpart B (General 
Provisions), to be grouped with the newly proposed Sec. Sec.  2.25 and 
2.26 about patient rights and disclosure. Section 2.24 is discussed 
separately below.
    In addition to these proposed structural changes, the Department 
also proposed minor wording changes to paragraphs (a) through (c) of 
Sec.  2.13 to clarify who is subject to the restrictions and safeguards 
with respect to part 2 records. The Department solicited comment on the 
extent to which part 2 programs look to the HIPAA Security Rule as a 
guide for safeguarding part 2 electronic records. The Department also 
requested comment on whether it should modify part 2 to apply the same 
or similar safeguards requirements to electronic part 2 records as the 
HIPAA Security Rule applies to ePHI or whether other safeguards should 
be applied to electronic part 2 records.
Comment
    We received general support from an HIE regarding our efforts to 
align the security requirements in part 2 for EHRs with the HIPAA 
Security Rule. An individual commenter said that similar safeguard 
requirements should apply to electronic part 2 records as the HIPAA 
Security Rule applies to ePHI. The commenter stated that, ideally, 
stronger safeguards should apply to electronic part 2 records because 
these records can function as a bridge to discrimination, sanctions, 
and adverse actions. An insurer commenter stated that it manages 
electronic part 2 records and information consistent with the HIPAA 
Security Rule currently and would--in keeping with the concept of 
treating SUD information the same as other PHI--support applying the 
same rules and protections of the HIPAA Security Rule to electronically 
stored and managed part 2 records and information. Noting that the 
HIPAA Privacy and Security Rules are widely adopted across the health 
care continuum, an HIE association encouraged the Department to pursue 
further alignment with HIPAA Security Rule requirements where 
appropriate. Another health insurer supported aligning part 2 
safeguards with the safeguards applicable under the HIPAA regulations. 
This commenter stated that, as HHS works to align part 2 regulations 
with HIPAA regulations, the ultimate goal should be to streamline 
policies while ensuring the protection of patient data across programs 
and data sharing platforms. The health plan and another commenter, a 
health insurer, believed that different types of PHI should share the 
same level of protection and supports Department efforts toward this 
end.
Response
    We appreciate the comments on our proposed changes and comments on 
modifying part 2 to apply the same or similar safeguard requirements to 
electronic part 2 records as apply to the HIPAA Security Rule. Prior to 
our changes in this final rule, part 2 programs and other lawful 
holders already were required to have in place formal policies and 
procedures to reasonably protect against unauthorized uses and 
disclosures of patient identifying information and to protect against 
reasonably anticipated threats or hazards to the security of patient 
identifying information. The provisions applied to paper records and 
electronic records.
    Consistent with the amendment enacted in the CARES Act and codified 
at 42 U.S.C. 290dd-2(j), the final rule applies breach notification 
requirements to ``unsecured records'' in the same manner as they 
currently apply to ``unsecured PHI'' in the Breach Notification Rule, 
including specific requirements related to the manner in which breach 
notification is provided. We are not making any additional 
modifications to align the HIPAA Security Rule and part 2 at this time, 
but will take these comments into consideration in potential future 
rulemaking.
Comment
    A few HIEs/HIE associations urged the Department to add new 
language to Sec.  2.13 that expressly provides: ``[c]onsent revocation. 
If a patient revokes a consent, the consent revocation is only 
effective to prevent additional disclosures from the part 2 program(s) 
to the consent recipient(s). A recipient is not required to cease using 
and disclosing part 2 records received prior to the revocation.''
    The commenters believed that adding this language to Sec.  2.13 
would mitigate part 2 program concerns that they might be held 
accountable for a recipient's continued use and disclosure of 
previously disclosed part 2 program records. The Department sought 
comment on whether it should require part 2 programs to inform an HIE 
when a patient revokes consent for TPO so that additional uses and 
disclosures by the HIE would not be imputed to the

[[Page 12515]]

programs that have disclosed part 2 records to the HIE. These 
commenters responded that requiring such notification would directly 
contradict the Department's statements in the preamble to the NPRM--and 
the purpose of the CARES Act--because a notification implies that it 
would be unlawful for the HIE to continue to use and disclose the part 
2 records it received prior to revocation. A better approach according 
to these commenters would be to clarify in the part 2 regulations what 
is and is not permitted after a revocation.
Response
    Revocation of consent is associated with a patient's wish to modify 
or rescind previously granted written consent provided under Sec.  2.31 
in subpart C. We do not agree that stating revocation requirements in 
this section would clarify these requirements and those issues are 
addressed in the discussion of Sec.  2.31.
Comment
    A medical professionals association generally supported the 
alignment of redisclosure processes with HIPAA. The commenter also 
supported prohibiting redisclosures of records for use in civil, 
criminal, administrative, and legal proceedings. Along with increased 
patient and provider education about disclosure and data protection, 
the association further encouraged the Department to support the 
development of technological infrastructure to manage these data once 
disclosed.
Response
    We appreciate this comment on the Department's proposed changes. We 
have revised the part 2 redisclosure requirements to align more closely 
with HIPAA requirements with respect to disclosures of PHI. We clarify 
applicability of these changes to business associates and covered 
entities. Subject to limited exceptions, such redisclosed records 
cannot be used in any civil, criminal, administrative, or legislative 
proceedings by any Federal, State, or local authority against the 
patient, unless authorized by the consent of the patient.
Final Rule
    The final rule adopts the changes to Sec.  2.13 as proposed, 
including removing paragraph (d) and redesignating it as Sec.  2.24 
(Requirements for intermediaries).\171\
---------------------------------------------------------------------------

    \171\ The changes to the remaining provisions of Sec.  2.13 are 
non-substantive and are included in the amendatory language in the 
last section of this final rule.
---------------------------------------------------------------------------

Section 2.14--Minor Patients
Proposed Rule
    The Department proposed to change the verb ``judges'' to 
``determines'' to describe a part 2 program director's evaluation and 
decision that a minor lacks decision making capacity, which can lead to 
a disclosure to the patient's parents without the patient's consent. 
This change is intended to distinguish between the evaluation by a part 
2 program director about patient decision making capacity and an 
adjudication of incompetence made by a court, which is addressed in 
Sec.  2.15. The Department also proposed a technical edit to Sec.  
2.14(c)(1) to correct a typographical error from ``youthor'' to ``youth 
or.''
    The Department also proposed to substitute the term ``person'' for 
the term ``individual'' in Sec.  2.14(b)(1) and (2), (c) introductory 
text, and (c)(1) and (2), respectively.
Overview of Comments
    The Department received general support for its proposed changes to 
Sec.  2.14. However, some commenters expressed concern about certain 
proposed changes or requested additional clarity, as described below.
Comment
    An HIE association urged the Department to align the part 2 
requirements regarding minors with the state-based requirements 
regarding minor access, consent, and disclosure of their health 
records. The commenter noted that some states have stringent rules for 
when a minor patient can control different sections of their health 
record and urged the Department to engage with patient advocacy 
organizations to fully understand the implications of the minor consent 
provisions in part 2.\172\ Another commenter noted that jurisdictions 
vary with respect to the age of majority, who is considered a legal 
guardian or authorized representative, emancipated minors, and specific 
consent for special health services (e.g., HIV testing, reproductive 
services, mental and behavioral health). Commenters cited examples of 
states such as California, which they perceived to have strong consent 
and privacy provisions for minors and argued that it was important that 
part 2 foster alignment between consent to receive care and access to 
medical information by the person authorized to provide consent to 
treatment.
---------------------------------------------------------------------------

    \172\ See, e.g., Marianne Sharko, Rachael Jameson, Jessica S. 
Ancker, et al., ``State-by-State Variability in Adolescent Privacy 
Laws,'' Pediatrics (May 9, 2022), https://doi.org/10.1542/peds.2021-053458.
---------------------------------------------------------------------------

Response
    We acknowledge that regulations and statutes pertaining to 
behavioral health, including treatment and access to records by those 
who consent, differ by state.\173\ The Department has previously 
highlighted that Sec.  2.14 states that ``these regulations do not 
prohibit a part 2 program from refusing to provide treatment until the 
minor patient consents to the disclosure necessary to obtain 
reimbursement, but refusal to provide treatment may be prohibited under 
a state or local law requiring the program to furnish the service 
irrespective of ability to pay.'' \174\ State laws may also vary with 
respect to access to records by parents or caregivers. As provided in 
Sec.  2.20 (Relationship to state laws), part 2 ``does not preempt the 
field of law which they cover to the exclusion of all state laws in 
that field.'' Thus, states may impose requirements for consent, 
including for minors, that are more stringent than what Federal 
regulations may require. The Department understands that there exist 
variations among jurisdictions concerning minor and parent or guardian 
consent requirements. Part 2 programs and other regulated entities are 
advised to seek legal advice on the application of their state and 
local laws when appropriate.
---------------------------------------------------------------------------

    \173\ Id. See also ``TAC Assessment Working Paper: 2016 
Compilation of State Behavioral Health Patient Treatment Privacy and 
Disclosure Laws and Regulations,'' supra note 122. See also, 82 FR 
6079 (Jan. 18, 2017).
    \174\ 82 FR 6052, 6083.
---------------------------------------------------------------------------

Comment
    One commenter urged the Department to proactively partner with 
states to design state-specific educational resources and tools to 
expedite access to SUD treatments. The commenter cited as one example 
the New York Civil Liberties Union 2018 pamphlet entitled ``Teenagers, 
Health Care and the Law: A Guide to Minors' Rights in New York State'' 
as one helpful resource.\175\ Other commenters also urged the 
Department to provide guidance about minor consent in relation to 
Medicaid, the Children's Health Insurance Program (CHIP), and other 
health coverage programs.
---------------------------------------------------------------------------

    \175\ New York Civil Liberties Union, ``Guide: Teenagers, Health 
Care, and the Law (English and Spanish)'' (Oct. 2, 2018), https://www.nyclu.org/en/publications/guide-teenagers-health-care-and-law-english-and-spanish.
---------------------------------------------------------------------------

Response
    The Department appreciates examples of what commenters view as 
relevant or

[[Page 12516]]

helpful resources and publications but does not necessarily endorse the 
content of specific publications not developed or reviewed by HHS. We 
will consider what additional guidance from HHS may be helpful after 
this rule is finalized.
Comment
    Commenters generally supported the proposed change from ``judges'' 
to ``determines'' to better distinguish a part 2 program director's 
evaluation and decision that a minor lacks decision-making capacity 
from when a court adjudicates (i.e., judges) a patient as lacking 
decision-making capacity. But one association noted that in addition to 
the Federal regulation, states can also have their own requirements 
related to minors, decision-making capacity, and their ability to make 
independent decisions regarding care and treatment. The commenter 
believed that part 2 programs, consumers, and other stakeholders could 
benefit from the Department discussing the Federal standard in the 
preamble to final regulations or in future guidance discussing how 
states can align with the standard and potential areas for Federal and 
state conflicts. Other commenters also urged the Department to provide 
additional guidance on the intersection of state and Federal laws, 
including for minors out of state and receiving SUD treatment.
Response
    The Department appreciates the comments about changing ``judges'' 
to ``determines'' and will consider what additional guidance on these 
issues may be helpful after this rule is finalized.
Comment
    Commenters supported the proposal to remove the term 
``incompetent'' and instead refer to patients who lack the capacity to 
make health care decisions to distinguish between lack of capacity and 
adjudication of incompetence.
Response
    The Department appreciates the comments on this proposed change.
Comment
    Commenters emphasized the importance of minors being able to 
control their health records but also ensuring that parents and 
guardians do not face unnecessary barriers to obtaining SUD treatment 
for youth in their care. Providers, one commenter asserted, are 
reluctant or even unwilling to include parents and guardians in 
treatment, even when their clinical judgment would dictate otherwise.
Response
    The Department agrees that it is important for minors to have input 
concerning the use and disclosure of their health records in a manner 
that is consistent with state law. The Department also has emphasized 
both with respect to HIPAA and part 2 that parents, guardians, and 
other caregivers should not face unnecessary barriers in supporting a 
loved one's care.\176\ SAMHSA has published resources for families 
coping with mental health and SUDs and OCR has issued guidance for 
consumers and health professionals on HIPAA and behavioral health.\177\
---------------------------------------------------------------------------

    \176\ See ``Frequently Asked Questions: Applying the Substance 
Abuse Confidentiality Regulations to Health Information Exchange 
(HIE),'' supra note 150; U.S. Dep't of Health and Human Servs., 
``Personal Representatives and Minors,'' https://www.hhs.gov/hipaa/for-professionals/faq/personal-representatives-and-minors/index.html.
    \177\ See Substance Abuse and Mental Health Services 
Administration, ``Resources for Families Coping with Mental and 
Substance Use Disorders'' (Mar. 14, 2023), https://www.samhsa.gov/families; U.S. Dep't of Health and Human Servs., ``The HHS Office 
for Civil Rights Responds to the Nation's Opioid Crisis'' (Mar. 11, 
2021), https://www.hhs.gov/civil-rights/for-individuals/special-topics/opioids/index.html.
---------------------------------------------------------------------------

Comment
    To allow for meaningful care coordination for minors, a state 
agency urged the Department to modify proposed Sec.  2.14(b)(2) as 
follows: ``[w]here state law requires parental consent to treatment, 
any consent required under this Part may be given by the minor's 
parent, guardian, or other person authorized under state law to act on 
the minor's behalf only if: * * *.''
Response
    We appreciate the suggestion; however, because we did not propose 
modifications to this language or request public comment related to it, 
making this change would be outside the scope of this rulemaking. For 
purposes of this rulemaking, finalizing the existing language, without 
modification, accurately reflects the current balance between part 2 
confidentiality requirements and state legal requirements concerning 
minor consent.
Comment
    One commenter expressed concern that, in their view, part 2 
provides no options for part 2 providers to involve parents or 
guardians in a minor's treatment without the minor's consent, even 
where state law explicitly permits such involvement or even requires 
providers to make determinations about the appropriateness of a parent 
or guardian's involvement. The commenter urged the Department to align 
Sec.  2.14 with provisions in the Privacy Rule permitting access to 
treatment records if a minor consents to care as provided under state 
law.
Response
    The Department acknowledges the complexity of the intersection of 
part 2 and state requirements concerning minor consent, including 
parental or caregiver involvement. After this rule is finalized, the 
Department may provide additional guidance on these issues. Part 2, in 
part, provides that ``[w]here state law requires consent of a parent, 
guardian, or other individual for a minor to obtain treatment for a 
substance use disorder, any written consent for disclosure authorized 
under subpart C of this part must be given by both the minor and their 
parent, guardian, or other individual authorized under state law to act 
in the minor's behalf.'' The Department has published relevant 
resources for families and guidance on applying behavioral health 
privacy laws to mental health and SUDs.\178\
---------------------------------------------------------------------------

    \178\ See, e.g., The Ctr. of Excellence for Protected Health 
Info., ``Families and minors,'' https://coephi.org/topic/families-and-minors/.
---------------------------------------------------------------------------

Comment
    With respect to the role of part 2 program director, one 
association of medical professionals asserted that the decision-making 
of a minor should be made in consultation with the treatment plan team 
and not in isolation by a part 2 program director.
Response
    The Department appreciates this input on clinician-based decisions 
about patients. While the part 2 program director has specific 
responsibilities under this section, the Department would expect most 
part 2 programs to have protocols detailing the program director's role 
and consultation with others on the treatment team as needed. As the 
person with authority over the part 2 program, the director would be 
responsible for how the program operates, so we do not view additional 
regulatory requirements as necessary.
Final Rule
    The Department is finalizing all proposed changes to Sec.  2.14 
without further modification. This includes a technical edit in Sec.  
2.14(c)(1) to correct a typographical error from ``youthor'' to ``youth 
or'' and changing the verb ``judges'' to ``determines'' to describe a 
part 2 program director's evaluation and decision that a minor lacks 
decision making capacity that could lead to a

[[Page 12517]]

disclosure to the patient's parents without the patient's consent.
Section 2.15--Patients Who Lack Capacity and Deceased Patients
Proposed Rule
    The Department proposed to replace outdated terminology in this 
section that referred to ``incompetent'' patients, refer to the ``use'' 
of records in addition to disclosures, and to substitute the term 
``person'' for the term ``individual'' as discussed above in relation 
to Sec.  2.11 (Definitions). The Department further proposed to clarify 
that paragraph (a) of this section refers to a lack of capacity to make 
health care decisions as adjudicated by a court while paragraph (b) 
refers to lack of capacity to make health care decisions that is not 
adjudicated by a court, and to add health plans to the list of entities 
to which a part 2 program may disclose records without consent to 
obtain payment during a period when the patient has an unadjudicated 
inability to make decisions. We also proposed updates to paragraph (b) 
of this section concerning consent by personal representatives.
Comment
    A health plan commenter supported inclusion of health plans to the 
list of entities to which a part 2 program can disclose records when a 
patient lacks capacity. An association of medical professionals also 
supported adding health plans to the list of entities to which a part 2 
program may disclose records without consent when a patient lacks 
capacity to make health care decisions to ensure that part 2 programs 
receive appropriate and timely payment for their services. A health 
system expressed general support for our proposed changes.
Response
    We appreciate the comments on the proposed changes.
Comment
    An association of medical professionals supported the proposed 
change from ``incompetent patients'' to ``patients who lack capacity to 
make health care decisions,'' whether adjudicated or not. The commenter 
also supported the addition of health plans to the list of entities to 
which a program may disclose records without consent. The commenter 
also said that families often request the records of deceased patients 
and there does not appear to be a consistent policy about this among 
SUD treatment centers. It would be helpful to have this matter 
addressed.
Response
    We appreciate the comment on our proposed changes. With respect to 
deceased patients, part 2 regulations as finalized ``do not restrict 
the disclosure of patient identifying information relating to the cause 
of death of a patient under laws requiring the collection of death or 
other vital statistics or permitting inquiry into the cause of death.'' 
Additionally, the regulations state that ``[a]ny other use or 
disclosure of information identifying a deceased patient as having a 
substance use disorder is subject to the regulations in this part. If a 
written consent to the use or disclosure is required, that consent may 
be given by the personal representative.'' In the preamble for Sec.  
2.11 of this rule, we discuss applying the HIPAA definition of 
``personal representative.'' We have stated in guidance for the HIPAA 
Privacy Rule that ``[s]ection 164.502(g) provides when, and to what 
extent, [a] personal representative must be treated as the individual 
for purposes of the [HIPAA Privacy] Rule.'' \179\ Section 164.502(g)(2) 
requires a covered entity to treat a person with legal authority to act 
on behalf of an adult or emancipated minor in making decisions related 
to health care as the individual's personal representative with respect 
to PHI relevant to such personal representation.\180\ The definition in 
this rule mirrors language in the HIPAA Privacy Rule at 45 CFR 
164.502(g).
---------------------------------------------------------------------------

    \179\ U.S. Dep't of Health and Human Servs., ``Personal 
Representatives'' (Sept. 19, 2013), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/personal-representatives/index.html.
    \180\ Id. See also, ``Personal Representatives and Minors,'' 
supra note 176.
---------------------------------------------------------------------------

Comment
    An association of medical professionals supported the proposed 
changes but urged the Department to reduce confusion and avoid 
potential conflicts with state law by amending Sec.  2.15(b)(2) to 
clarify that this section only applies if there are no applicable state 
laws governing surrogate decision making.
Response
    We decline to modify this section to refer to state law 
requirements, as we discuss intersections with state law in Sec.  2.20 
and we do not anticipate that the definition of ``personal 
representative,'' which mirrors the standard in the HIPAA regulations, 
will conflict with state law requirements.
Comment
    One commenter believed that even though the NPRM addressed the 
issue of a patient's lack of capacity to sign an informed consent, it 
failed to address circumstances involving diminished capacity 
associated with intoxication, withdrawal, medication induction, and 
early phases of treatment. The commenter asserted that addressing the 
issue of temporary diminished capacity is critical to the proposed 
perpetual consent for TPO purposes promoted by the NPRM. The commenter 
also stated that relying on a single enduring consent made at a time 
when a person is most vulnerable and cognitively compromised is 
unethical, and that a signed consent around the time of treatment entry 
should be valid for no more than six months. According to this 
commenter, it is important to stress that the authority of the part 2 
program director to exercise the right of the patient to consent to 
uses and disclosures of their records is restricted to that period 
where the patient suffers from a medical condition that creates a lack 
of capacity to make knowing or effective health care decisions on their 
own behalf. Further, according to this commenter, that authority is 
limited to obtaining payment for services from a third-party payer or 
health plan, and should not extend more than 30 days. After such time, 
the part 2 program director should seek a court order, according to the 
commenter.
Response
    We agree with the commenter that, as stated in the regulation, the 
part 2 program director's authority in Sec.  2.15(a)(2) extends only to 
obtaining payment for services from a third-party payer or health plan.
    In some cases, a patient who has diminished capacity due to 
overdose, intoxication, withdrawal, or other medical conditions may be 
considered by a medical provider to be experiencing a ``bona fide 
medical emergency in which the patient's prior written consent cannot 
be obtained.'' \181\ As the Department explained in preamble to its 
final 2020 rule,\182\ under Sec.  2.51, disclosures of SUD treatment 
records without patient consent are permitted in a bona fide medical 
emergency. Although not a defined term under part 2, a ``bona fide 
medical emergency'' most often refers to the situation in which an 
individual requires urgent clinical care to treat an immediately life-
threatening condition (including, but not limited to, heart attack, 
stroke, overdose), and in which it is infeasible to seek the 
individual's consent to release of relevant, sensitive

[[Page 12518]]

SUD records prior to administering potentially life-saving care. In 
such cases, the medical emergency provisions of part 2 would apply.
---------------------------------------------------------------------------

    \181\ See 42 CFR 2.51 (Medical emergencies).
    \182\ 85 FR 42986, 43018.
---------------------------------------------------------------------------

    In addition, provisions of Sec.  2.31 (Consent requirements), are 
pertinent to this comment. Section 2.31(a)(6) of this final rule 
requires that the consent must inform the patient of ``[t]he patient's 
right to revoke the consent in writing, except to the extent that the 
part 2 program, or other lawful holder of patient identifying 
information that is permitted to make the disclosure, has already acted 
in reliance on it, and how the patient may revoke consent.'' Thus, a 
patient, after their medical condition has been treated, will be able 
to modify any part 2 written consent at a later date.
Comment
    An academic health system believed that under Sec.  2.15(a)(2), 
patients who may lack capacity temporarily, without court intervention, 
have no one with the legal authority to consent to uses or disclosures 
other than for payment purposes. The commenter viewed this restriction 
as inconsistent with both state law and HIPAA and as an outdated and 
problematic limitation. The commenter said that at times its part 2 
programs admit a patient who lacks capacity temporarily (where there is 
no need for court intervention) and permit a surrogate to consent to 
treatment as permitted by state law, particularly in the inpatient 
context. The commenter added, the regulations should reflect that if a 
surrogate or personal representative has the ability under state law to 
consent to treatment, then that same surrogate or personal 
representative should have the ability to consent to the use and 
disclosure of part 2 records regardless of whether there has been an 
adjudication by a court. Otherwise, part 2 programs would be admitting 
a patient into treatment with no one who has the legal authority to 
consent to critical uses or disclosures that are essential or legally 
required to operate the part 2 program. According to the commenter, 
making this change would also better align part 2 with HIPAA and the 
concept that a personal representative has authority under state law to 
consent to both treatment and the uses and disclosures of information 
related to that treatment.
Response
    We refer the commenter to our responses above regarding the part 2 
medical emergency provisions that may apply to such circumstances and 
to our comments on the definition of personal representative. We 
discuss intersections with state law in Sec.  2.20.
Comment
    A commenter anticipated that once the proposed rule is finalized, 
part 2 programs will begin to utilize existing technologies and 
workflows that have been created to comply with HIPAA standards. The 
commenter stated that many part 2 programs may require all patients to 
sign a global consent as a condition of treatment to take advantage of 
these current technologies and workflows that will now be available to 
part 2 programs. The commenter expressed concern that, once these part 
2 programs change their practices to align with existing technologies 
and workflows, there would be no mechanism for a part 2 program to 
treat a patient who refuses to sign a global consent. The commenter 
suggested that the ``payment only'' limitation in Sec.  2.15(a)(2) 
would prevent part 2 programs from offering treatment to those most 
vulnerable patients because no one will have the authority to consent 
to the use and disclosure of part 2 information. Having a patient 
admitted into a part 2 program with no one able to provide TPO consent 
that would permit subsequent beneficial redisclosures, may penalize 
patients who are most in need of treatment, according to this 
commenter.
    Another commenter, a health plan association, also urged HHS to 
allow the part 2 program director to exercise the patient's right to 
consent to any use or disclosure under part 2 when the patient is 
incompetent but not yet adjudicated by a court as such. The commenter 
stated that the rule should not deprive incompetent persons most in 
need of care from the ability to access care and expressed particular 
concern about circumstances in which a part 2 program may be the only 
mental health provider in the area (e.g., in rural locations). The 
commenter stated that part 2 should not prevent part 2 programs from 
divulging information without which the incompetency adjudication 
process cannot proceed; otherwise, part 2 would create a barrier to 
access to care for incompetent patients because the information the 
part 2 program has might be the only information that would enable an 
adjudication of incompetence. The ``medical emergency'' exception, the 
commenter asserted, would sometimes be of little use if the emergency 
providers to whom information is disclosed cannot obtain consent to 
render care, and a court adjudication of incompetency is impossible to 
achieve without part 2 program information.
    Additionally, the commenter found that the proposed rule did not 
address advance directives like durable powers of attorney that do not 
involve court adjudication but physician adjudication to trigger the 
provisions conferring authority to the patient's personal 
representative. Therefore, according to the commenter, Sec.  2.15(a)(2) 
should read: ``[i]n the case of a patient, other than a minor or one 
who has been adjudicated as lacking the capacity to make health care 
decisions, that for any period suffers from a medical condition that 
prevents knowing or effective action on their own behalf, the part 2 
program director may exercise the right of the patient to consent to a 
use or disclosure under subpart C of this part.''
Response
    As noted above, the part 2 medical emergency provisions may apply 
to the circumstances described by the commenter if a patient cannot 
consent to treatment due to a bona fide medical emergency. Absent a 
medical emergency, under Sec.  2.15(a)(2) the part 2 program director 
may exercise the right of the patient to consent to disclosure for the 
sole purpose of obtaining payment for services from a third-party payer 
for an adult patient who for any period suffers from a medical 
condition that prevents knowing or effective action on their own 
behalf. Consistent with the Privacy Rule's provisions on personal 
representatives, we state in Sec.  2.11 that a personal representative 
means a person who has authority under applicable law to act on behalf 
of a patient who is an adult or an emancipated minor in making 
decisions related to health care. Also, consistent with the Privacy 
Rule, a personal representative under part 2 would have authority only 
with respect to patient records that are relevant to such personal 
representation.
Comment
    A state agency recommended modifying Sec.  2.15(a) to specifically 
address adult patients who lack capacity, but have appointed a personal 
representative. This change, according to the commenter, would allow 
for better care and coordination for patients who have a personal 
representative.
Response
    We believe our modifications to Sec.  2.15(a) as finalized in this 
rule respond to the commenter's concerns about the role of the personal 
representative. We decline to make additional changes to this section 
as requested by the commenter because the

[[Page 12519]]

new definition of ``personal representative'' defers to state law.
Comment
    A health plan commenter stated that when a patient has an 
unadjudicated inability to make decisions due to a medical condition, 
this section of the final rule should clarify that patients would be 
allowed to request that their billing information not be sent to a 
health plan if the patient (or third party other than the health plan) 
agrees to pay for services in full. The commenter also expressed 
concern about a general lack of guidance on how proof of an 
unadjudicated inability to made decisions (other than in an emergency) 
would be documented and sought further clarification. The commenter 
asked the Department to confirm that a health plan would not be 
required to (1) confirm how consent was obtained and (2) treat SUD 
information of patients who lack capacity in a special manner--for 
example, through specialized documentation and other procedures--or 
differently from information of patients who directly provided consent. 
The commenter said that these changes would help facilitate treatment 
and payment for patients who lack capacity temporarily, which may lead 
to more timely care and better outcomes. According to this commenter, 
relying on a part 2 program's director expertise to determine the 
patient's present capacity would facilitate more timely care decisions 
and reduce burden on health plans.
Response
    We discuss consent provisions elsewhere in this rule. We confirm 
that this final rule does not create new requirements for special or 
unique treatment of SUD information of patients who lack capacity.
    As we discuss above, when a patient suffers from a medical 
condition that prevents knowing or effective action on their own behalf 
for any period, the part 2 program director may exercise the right of 
the patient to consent to a use or disclosure under subpart C for the 
sole purpose of obtaining payment for services from a third-party payer 
or health plan. If a part 2 program director believes that this step is 
unnecessary after speaking with the patient or others, the director may 
choose not to exercise this right. If a patient has an unadjudicated 
inability to make decisions due to a medical condition that prevents 
them from knowing or taking action, he or she may be unable to consent 
to or refuse consent to a use or disclosure for the sole purpose of 
obtaining payment for services from a third-party payer or health plan; 
in such circumstances, the part 2 program director's ability to 
exercise the patient's right to consent for the sole purpose of 
obtaining payment may apply.
Final Rule
    In additional to finalizing changes such as replacing 
``individual'' with ``person'' and referring to ``use'' in addition to 
``disclosures,'' we are finalizing the proposal to remove the term 
``incompetent'' in this section and refer instead to patients who lack 
capacity to make health care decisions. We also are finalizing the 
proposal to clarify that paragraph (a) of this section refers to lack 
of capacity to make health care decisions as adjudicated by a court 
while paragraph (b) refers to lack of capacity to make health care 
decisions that is not adjudicated, and to add health plans to the list 
of entities to which a part 2 program may disclose records without 
consent to obtain payment during a period when the patient has an 
unadjudicated inability to make decisions. We also are finalizing 
updates to paragraph (b) of this section concerning deceased patients 
and consent by personal representatives.
Section 2.16--Security for Records and Notification of Breaches
Overview of Rule
    Section 2.16 (Security for records) contains several requirements 
for securing records. Specifically, Sec.  2.16(a) requires a part 2 
program or other lawful holder of patient identifying information to 
maintain formal policies and procedures to protect against unauthorized 
uses and disclosures of such information, and to protect the security 
of this information. Section 2.16(a)(1) and (2) set forth minimum 
requirements for what these policies and procedures must address with 
respect to paper and electronic records, respectively, including, for 
example, transfers of records, maintaining records in a secure 
location, and appropriate destruction of records. Section 2.16(a)(1)(v) 
requires part 2 programs to implement formal policies and procedures to 
address removing patient identifying information to render it non-
identifiable in a manner that creates a low risk of re-identification.
    The current part 2 requirements for maintaining the security of 
records are limited to these provisions requiring policies and 
procedures. In contrast, the HIPAA regulations include a HIPAA Security 
Rule with specific standards and implementation specifications for how 
covered entities and business associates are required to safeguard 
ePHI. Part 2 does not have similar requirements.
Application of Part 2 Security Requirements to Lawful Holders
    Current Sec.  2.16 applies security requirements to part 2 programs 
and lawful holders. The term ``lawful holder'' is a recognized term 
that is applied in several part 2 regulatory provisions; however, it is 
not defined in regulation. Generally, it refers to ``an individual or 
entity who has received such information as the result of a part 2-
compliant patient consent (with a prohibition on re-disclosure) or as a 
result of one of the exceptions to the consent requirements in the 
statute or implementing regulations and, therefore, is bound by 42 CFR 
part 2.'' \183\
---------------------------------------------------------------------------

    \183\ See 82 FR 6052, 6068; See also 81 FR 6988, 6997.
---------------------------------------------------------------------------

    The Department sought public comment on whether security 
requirements should apply uniformly across all persons who receive part 
2 records pursuant to consent such that certain failures, such as a 
failure to have ``formal policies and procedures'' or to ``protect'' 
against threats, would result in the imposition of civil or criminal 
penalties again all persons who receive these records pursuant to 
consent. The Department's request for comment in this regard asked, 
``whether the requirements of this section that apply to a lawful 
holder should in any way depend on the level of sophistication of a 
lawful holder who is in receipt of Part 2 records by written consent, 
or should depend on whether the lawful holder is acting in some 
official or professional capacity connected to or related to the Part 2 
records.''
Comment
    One commenter, an association, of medical professionals, opined 
that all entities that hold personal health information should be 
required to notify persons when their information is breached, but also 
that breach rules must not hold parties responsible for the actions of 
other parties over whom they do not have control.
Response
    We agree with the sentiments expressed in this comment and assume 
that the commenter's use of the term ``entity'' is referring to an 
organizational or professional entity and not an individual acting in a 
personal capacity. The final rule requires part 2 programs to provide 
breach notification for breaches of part 2 records in the same manner 
as breach notification is

[[Page 12520]]

required for breaches of PHI, which would include breaches of part 2 
records held on behalf of a program by QSOs or business associates. 
Under HIPAA, a business associate is required to notify a covered 
entity of breaches and we believe part 2 programs that are not covered 
entities could obligate their QSOs to notify the programs of breaches 
through contractual provisions. A part 2 program would not be 
responsible for breaches by QSOs or business associates. However, the 
part 2 program is responsible under this rule for having in place 
contractual requirements to ensure that it is timely notified of a 
breach by such entities so that it can meet its obligations to notify 
affected individuals.
Comment
    A few commenters, including a managed care organization and a 
county health department, opined that it is appropriate to apply breach 
notification requirements to QSOs. Another commenter, a health plan, 
requested confirmation from the Department that the part 2 breach 
notification requirements are the same as the requirements under the 
HIPAA Breach Notification Rule, and also sought confirmation that the 
requirements would not apply to lawful holders who are caregivers not 
acting in a professional capacity.
Response
    Our close review of the statute leads us to believe that there is 
no authority to apply notification requirements to QSOs as they are 
applied to business associates under the HIPAA Breach Notification 
Rule. We also agree that non-professional lawful holders, such as 
family members, friends, or other informal caregivers, are not the same 
as lawful holders acting in a professional capacity. However, non-
professionals should nonetheless take reasonable steps to protect 
records in their custody.
Final Rule for Lawful Holders and Security of Records
    We are re-organizing Sec.  2.16(a) and finalizing additional 
language to clarify to whom the security requirements apply. 
Specifically, we are creating a new exception for certain lawful 
holders in new paragraph (a)(2) that expressly excludes ``family, 
friends, and other informal caregivers'' from the requirements to 
develop formal policies and procedures. We expect that informal 
caregivers and other similar lawful holders who would be subject to 
this exception still recognize some responsibility to safeguard these 
sensitive records and exercise caution when handling such records. We 
clarify here that while we are not making informal caregivers subject 
to the final rule requirements to develop formal policies and 
procedures, we do encourage all lawful holders to protect records. For 
example, informal caregivers should at least take reasonable steps to 
protect the confidentiality of patient identifying information.
    We are finalizing breach notification requirements for part 2 
programs; lawful holders are not subject to breach notification 
requirements.
De-Identification
Proposed Rule
    Section 3221(c) of the CARES Act required the Department to apply 
the HIPAA standard in 45 CFR 164.514(b) for de-identification of PHI to 
part 2 for the purpose of disclosing part 2 records for public health 
purposes. To further advance alignment with HIPAA and reduce burden on 
disclosing entities, the Department proposed to apply 45 CFR 164.514(b) 
to the existing de-identification requirements in part 2: Sec. Sec.  
2.16 (Security for records) and 2.52 (Research) (discussed below). 
Specifically, the Department proposed to modify Sec.  2.16(a)(1)(v) 
(for paper records) and (a)(2)(iv) (for electronic records), to read as 
follows: ``[r]endering patient identifying information de-identified in 
accordance with the requirements of the [HIPAA] Privacy Rule at 45 CFR 
164.514(b), such that there is no reasonable basis to believe that the 
information can be used to identify a patient as having or having had a 
substance use disorder.''
    As proposed, this provision would permit part 2 programs to 
disclose records de-identified in accordance with the implementation 
specification in the HIPAA Privacy Rule (i.e., the expert determination 
method or the safe harbor method) but the provision does not reference 
the HIPAA Privacy Rule standard at 45 CFR 164.514(a) that the 
implementation specification is designed to achieve--that the 
information is de-identified such that there is no reasonable basis to 
believe that the information disclosed can be used to identify an 
individual.
Comment
    Many commenters expressed support for the Department's de-
identification proposal citing a variety of reasons. One health system, 
stating that many part 2 programs are embedded within covered entities 
or share workforces with such programs, commented that de-
identification standards within part 2 consistent with the HIPAA 
Privacy Rule would reduce workforce confusion, inadvertent non-
compliance, and unintentional leaks of confidential information. A 
government agency commented that the express alignment with the HIPAA 
Privacy Rule was a welcome clarification that would protect the privacy 
and confidentiality of SUD patients. An individual commented that it 
would be prudent to enact the standards in 45 CFR 164.514(b) to offer 
more protection to patients and that doing so would not create adverse 
consequences. A managed care organization suggested that HIPAA provided 
an appropriate existing regulatory standard for rendering part 2 
records non-identifiable. A few commenters, all health systems that 
partly specialize in providing SUD services, expressed strong support 
for the proposal and the principle that programs should not be required 
to obtain consent from individuals prior to de-identifying their 
information.
Response
    We appreciate these comments.
Comment
    Some commenters, including a health IT vendor and a few health 
information management associations, expressed support for the 
Department's proposal but also urged the Department to ``fully align'' 
the part 2 de-identification standard with the HIPAA Privacy Rule. For 
example, one of these commenters opined that the language ``such that 
there is no reasonable basis to believe that the information can be 
used to identify a patient as having or having had a substance use 
disorder'' is not the HIPAA de-identification standard, and that the 
Department should instead use the exact language of HIPAA. Other 
commenters urged the Department to expressly clarify that both the 
HIPAA safe harbor method and expert determination method could satisfy 
the proposed de-identification requirements for part 2 records. A 
behavioral health advocacy organization asked the Department to clarify 
that the definition of part 2 ``records'' does not include de-
identified records consistent with the HIPAA Privacy Rule's treatment 
of de-identified health information.
Response
    We agree that, as drafted, the Department's proposal does not fully 
align with the regulatory text of the full de-identification standard 
in the HIPAA Privacy Rule, which includes paragraphs (a) and (b) of 45 
CFR 164.514. We clarify here that by

[[Page 12521]]

incorporating the HIPAA standard codified at 45 CFR 164.514(b), either 
method of de-identification of PHI can be used to de-identify records 
under part 2. We also note here a critical difference between the 
definitions of PHI under the HIPAA Privacy Rule and records in this 
part. The definition of PHI is grounded in the recognition that it is 
``individually identifiable health information.'' \184\ The HIPAA 
Privacy Rule standard for de-identification therefore renders PHI no 
longer ``individually identifiable.'' In this part, the definition of 
records does not refer to ``individually identifiable'' information, 
but rather information ``relating to a patient'' and is already 
understood to relate to SUD records. The final rule modifies the de-
identification standard in Sec.  2.16(a)(1)(v) (for paper records) and 
(a)(2)(iv) (for electronic records) so it aligns more closely with the 
HIPAA language such that the de-identified part 2 information cannot be 
``used to identify a patient.''
---------------------------------------------------------------------------

    \184\ See 45 CFR 160.103 (definition of ``Protected health 
information'').
---------------------------------------------------------------------------

Comment
    A few HIEs asked the Department to re-examine the ``base minimum'' 
standards for de-identified data, opining that some data may be 
anonymized for some algorithms, but as technology continues to improve, 
``de-identification in perpetuity'' is truly unknown, and therefore the 
proposed standard may still represent a privacy risk for patients.
Response
    The Department acknowledges the concerns about the burgeoning 
ability of some technologists to re-identify data stored in large data 
sets. The Department is committed to monitoring these issues as it 
works to determine their application to the HIPAA and part 2 de-
identification standards.
Comment
    One commenter, a health system, suggested that the Department make 
explicit the right to use part 2 records for health care operations to 
create a de-identified data set without patient consent. Another 
commenter, a health plan, recommended that the Department remove the 
requirement to obtain express written consent to create a de-identified 
data set because it conflicts with the HIPAA Privacy Rule, is 
counterproductive, and confuses patients when they receive a notice 
requesting consent to use their SUD data once de-identified.
Response
    We appreciate the comment, but are constrained by the authorizing 
statute at 42 U.S.C. 290dd-2, which sets forth the circumstances for 
which records subject to part 2 may be disclosed. Where part 2 programs 
are not disclosing to a covered entity, the CARES Act amendments did 
not rescind the requirement to obtain consent prior to disclosing 
records for TPO.\185\
---------------------------------------------------------------------------

    \185\ The HIPAA term also includes a description of the 
activities that are excluded as not constituting a breach, and an 
explanatory paragraph that applies a breach presumption when an 
``acquisition, access, use, or disclosure'' of PHI occurs in a 
manner not permitted under the HIPAA Privacy Rule, and that fails to 
demonstrate a low probability of breach based on breach risk 
assessment. See discussion of proposed definition of the term 
``breach'' above.
---------------------------------------------------------------------------

Comment
    One commenter, an industry trade association for pharmacies, 
commented that Sec.  2.16 should simply refer to rendering the patient 
identifying information de-identified where practicable, and then 
define ``de-identified'' in section Sec.  2.11 as data which meets the 
standard for de-identification under HIPAA.
Response
    The proposed regulatory text is consistent with the intent 
expressed by the commenter, but still comports with the language 
required by the CARES Act for disclosures for public health activities. 
We therefore believe that we are finalizing a more workable standard 
because it is uniform across the regulation.
Comment
    Several commenters opposed the proposed de-identification standard 
for various reasons. A privacy advocacy organization commented that the 
target HIPAA standard is outdated and needs ``tightening.'' A few HIE 
organizations commented that the proposal would materially and 
detrimentally affect the use of SUD information from part 2 records in 
limited data sets. These organizations interpreted the current part 2 
regulations to only require removal of ``direct identifiers'' and 
believed that, under HIPAA, a limited data set can be used and 
disclosed for research, public health, and health care operations 
activities if the recipient agrees to a HIPAA data use agreement, which 
prohibits (among other things) re-identification of individuals. These 
organizations further suggested that changing Sec. Sec.  2.16 and 2.52 
to require use of the more stringent HIPAA de-identification standard 
under 45 CFR 164.514(b) will prevent researchers, public health 
authorities, quality improvement organizations, and others from using a 
limited data set containing part 2 SUD data. A limited data set is 
useful for research, public health, and quality improvement activities 
because it permits analysis of health data in connection with certain 
identifiers that are relevant to health outcomes, such as age, race, 
and gender. Prohibiting use of limited data sets for research involving 
part 2 records may ultimately deny SUD patients the benefits of better 
and more effective treatments and services. They recommended that the 
Department continue to consider limited data sets of SUD records as 
non-patient identifying information under part 2 at least for purposes 
of research, public health, and health care operations. With respect to 
consent models for de-identification, these entities requested that it 
be left up to part 2 programs and other lawful holders of part 2 data 
to decide--based on their patient populations and business needs--what 
is the most effective model for their community.
Response
    We acknowledge the relatively large number of commenters raising 
the possibility that the Department codify a limited data set option in 
this regulation. Because many of these comments were submitted in 
response to our proposal to incorporate the same de-identification 
standard proposed here into Sec.  2.52 (Scientific research), our 
response to the comments on limited data sets and similar comments 
related to research are addressed together, below.
Comment
    One individual commented that the proposal to re-align de-
identification with HIPAA lowers the part 2 standard from an objective 
standard to one that is subjective. The commenter believed that the 
phrase ``no reasonable basis to believe'' was subjective and would 
decrease the researcher's responsibility. By contrast, under existing 
Sec.  2.52 requirements information is de-identified ``such that the 
information cannot be re-identified and serve as an unauthorized means 
to identify a patient'' is a more objective standard. Another 
individual commented that the proposed standard is vague and likely 
unenforceable.
Response
    We disagree with the commenters' characterization of the proposed 
change as creating a standard that is subjective or vague and 
unenforceable. The HIPAA standard incorporated here clearly

[[Page 12522]]

identifies two methods for de-identifying records, the expert 
determination method and the safe harbor method, which set forth 
specific requirements that are long established and well understood in 
the health care industry.
Final Rule Related to De-Identification of Records
    We agree with commenters who urged the Department to fully align 
the de-identification standard in this part with the standard in the 
HIPAA Privacy Rule. Whereas the part 2 requirement protected records 
identifying a patient as having or having had an SUD, the HIPAA 
standard at 45 CFR 164.514(a) protects information that identifies or 
can be used to identify an individual. The existing part 2 standard 
focuses on protection of a limited number of data points based on one 
health condition (i.e., SUD) while HIPAA protects the identity of the 
individual in connection with any health care and thus already 
incorporates protection of the information in part 2. Because 45 CFR 
164.514(a) shields a wider range of data elements from disclosure, it 
is more protective of privacy than the existing part 2 de-
identification requirement. By complying with the HIPAA standard, a 
part 2 program would also be meeting the requirements of the existing 
part 2 de-identification standard.
    The final rule incorporates the HIPAA Privacy Rule de-
identification standard in 45 CFR 164.514(b) into Sec.  2.16 as 
proposed, and further modifies paragraph (a) of this section to more 
fully align with the complete HIPAA de-identification standard, 
including language that is similar to that in the HIPAA Privacy Rule at 
45 CFR 164.514(a). To achieve this, we are deleting the existing part 2 
phrase ``as having or having had a substance use disorder'' and 
retaining the phrase ``such that there is no reasonable basis to 
believe that the information can be used to identify a particular 
patient.'' Section 2.16(a)(1)(v) and (a)(2)(iv) are now modified as 
Sec.  2.16(a)(1)(i)(E) and (a)(1)(ii)(D) and read as ``[r]endering 
patient identifying information de-identified in accordance with the 
requirements of 45 CFR 164.514(b) such that there is no reasonable 
basis to believe that the information can be used to identify a 
particular patient.'' We removed the language ``the HIPAA Privacy 
Rule'' from in front of the regulatory references to 45 CFR 164.514(b) 
because we believe it unnecessary and for consistency throughout this 
final rule.
    By adopting the same de-identification standard as we are required 
to adopt for public health disclosures (in new Sec.  2.54) into this 
provision (and in Sec.  2.52 for scientific research purposes, 
discussed below), we provide a uniform method for de-identifying part 2 
records for all purposes and provide more privacy protection than our 
proposed incorporation of only HIPAA 45 CFR 164.514(b). We also make 
clear here that the inability to identify an individual, as consistent 
with the language in 45 CFR 164.514(a) of HIPAA, includes the inability 
to identify them as a person with SUD. The final rule therefore would 
include the interpretation that is consistent with our initial 
proposal, but we believe it also protects from reidentification a 
broader scope of identifiers. This approach is also most responsive to 
commenters who generally agreed that the de-identification standards 
for both HIPAA and part 2 should completely align.
Breach Notification
Overview
    Section 290dd-2(j) of 42 U.S.C., as amended by the CARES Act, 
requires the Department to apply the HIPAA breach notification 
provisions of the HITECH Act (codified as 42 U.S.C. 17932, Notification 
in the case of breach) to part 2 records ``to the same extent and in 
the same manner as such provisions apply to a covered entity in the 
case of a breach of unsecured protected health information.'' Paragraph 
(k)(1) of 42 U.S.C. 290dd-2 incorporated a definition of the term 
breach, giving it the same meaning as under the HIPAA regulations. The 
HIPAA Breach Notification Rule at 45 CFR 164.402 defines breach as 
``the acquisition, access, use, or disclosure of protected health 
information in a manner not permitted under subpart E of this part 
which compromises the security or privacy of the protected health 
information.'' \186\ Paragraph (k)(9) of the 42 U.S.C. 290dd-2 
incorporated a definition of ``unsecured protected health 
information,'' giving it the same meaning as under the HIPAA 
regulations. The HIPAA Breach Notification Rule defines ``unsecured 
protected health information'' to mean PHI ``that is not rendered 
unusable, unreadable, or indecipherable to unauthorized persons through 
the use of a technology or methodology specified by the Secretary in 
the guidance issued under section 13402(h)(2) of Public Law 111-5.''
---------------------------------------------------------------------------

    \186\ Id.
---------------------------------------------------------------------------

    Paragraph (a) of 42 U.S.C. 17932 contains the HIPAA \187\ breach 
notification requirements for covered entities; paragraph (b) requires 
a business associate of a covered entity to notify the covered entity 
when there is a breach and includes requirements for the notice; 
paragraph (c) sets forth the circumstances for when a covered entity or 
business associate shall treat a breach as discovered; and paragraphs 
(d) through (g) contain requirements related to timeliness of notice, 
method of notice, content of notice, and allowance for delay of notice 
authorized by law enforcement, respectively. Other paragraphs define 
``unsecured PHI,'' set forth requirements for congressional reporting, 
and authorize interim regulations. The Department implemented 42 U.S.C. 
17932 in the HIPAA Breach Notification Rule codified at 45 CFR 164.400 
through 164.414.
---------------------------------------------------------------------------

    \187\ The HIPAA Breach Notification Rule, codified at 45 CFR 
parts 160 and 164, subparts A and D, implements sec. 13402 of the 
HITECH Act (codified at 42 U.S.C. 17932).
---------------------------------------------------------------------------

Proposed Rule
    To implement the new requirements in paragraph (j) of 42 U.S.C. 
290dd-2, as amended by the CARES Act, the Department proposed to modify 
the heading of Sec.  2.16 to add ``and notification of breaches'' and 
add a new paragraph Sec.  2.16(b) to require part 2 programs to 
establish and implement policies and procedures for notification of 
breaches of unsecured part 2 records consistent with the requirements 
of 42 U.S.C. 17932. The HIPAA Breach Notification Rule refers to 
``unsecured protected health information.'' The existing part 2 
regulation does not have a definition of ``unsecured records'' but to 
align with HIPAA we proposed such a definition, as discussed in Sec.  
2.11, above.
Comment
    The commenters who addressed the breach notification proposals 
unanimously expressed support for applying breach notification 
requirements to part 2, with slightly more than half expressing general 
support without further elaboration. Other supportive commenters 
expressed additional views, including that the Department's proposal: 
implemented the CARES Act; was likely to ensure patient confidentiality 
in the same manner as HIPAA; and could provide a ``counterweight'' to 
the perceived lessening of part 2 protections brought about by the 
CARES Act.

[[Page 12523]]

Response
    The Department appreciates these comments.
Comment
    Almost half of all commenters on breach notification expressed 
support for the proposal but requested clarification or guidance, 
especially related to the interaction of newly proposed breach 
notification requirements and HIPAA breach notification requirements. 
For example, one commenter, a health plan association, recommended that 
the Department clarify that if a use or disclosure of part 2 records is 
permitted by the HIPAA Privacy Rule, then the same use or disclosure 
would not be considered a breach under part 2. This same commenter 
requested, in the alternative, that if the activity did amount to a 
breach under part 2, the rule should provide that states have the 
ability to exempt HIPAA covered entities and business associates from 
part 2 breach notification requirements to avoid overlap, confusion, or 
conflict among individuals who receive notification. A legal advocacy 
association commented that HHS should clarify that the breach 
notification requirement applies to disclosures that violate the part 2 
standard of confidentiality, and not just disclosures that violate the 
HIPAA Privacy Rule, and that the Department should amend the definition 
of ``breach'' in Sec.  2.11 or clarify in Sec.  2.16 that patients 
should be notified of any acquisition, access, use, or disclosure of 
part 2 records in a manner not permitted under 42 CFR part 2. Yet 
another commenter, a health system, requested clarification of whether 
overlapping breach reporting obligations triggered by an activity that 
violated both HIPAA and part 2 would involve communicating with OCR, 
SAMHSA, or both.
Response
    In the CARES Act, Congress replaced the criminal penalties for part 
2 violations with the HITECH civil penalty structure that is applied to 
violations of the HIPAA regulations, as well as criminal penalties for 
certain violations. The CARES Act did not include an exemption for 
persons who are subject to both regulatory schemes, and who commit acts 
that violate both regulatory schemes. We expect a new enforcement 
process to ensure efficient use of Department agencies' resources, 
emphasize bringing entities into compliance with part 2, and avoid 
duplicative reporting by part 2 programs.
Comment
    We received several comments related to breach notification and the 
impact of the proposed effective dates and compliance dates for a final 
rule. A hospital association and a health IT vendor recommended that 
the Department phase in the breach notification requirements or extend 
the period of time for compliance beyond the proposed timeline, noting 
that compliance with part 2 is already complex and a potential 
deterrent to treating patients with SUD, and that the risk of monetary 
penalties would further deter providers from taking on these patients. 
One of these commenters also noted that implementing breach 
notification capability could be a time-consuming process requiring 
time beyond what the Department estimated. Several commenters stated 
that many part 2 programs are also subject to HIPAA and thus are 
already complying with breach notification, so the proposal would not 
create any additional burden for such programs. One commenter believed 
that the number of entities or individuals affected by the proposal 
(part 2 programs not subject to HIPAA) would be small.
Response
    We appreciate the concerns expressed about the potential complexity 
of implementing breach notification among this community of providers 
but agree that many providers have already implemented breach 
notification because they are also covered entities under HIPAA and 
that overall, a relatively small number of entities will be affected. 
We are mindful, however, that this regulation must also still serve the 
community of part 2 programs that are not subject to HIPAA. We remind 
such entities that the required compliance date would not occur until 
almost two years after the rule becomes effective. These entities may 
wish to review existing guidance on breach notification.\188\
---------------------------------------------------------------------------

    \188\ See, e.g., U.S. Dep't of Health and Human Servs., ``Breach 
Notification Rule'' (July 2013), https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.
---------------------------------------------------------------------------

Comment
    One anonymous commenter urged the Department to cease or disallow 
part 2 programs, covered entities, and investigative agencies from 
relying on TV and newspaper notification avenues because these methods 
are no longer likely to be seen by patients, and therefore should not 
be treated as meaningful or considered cost effective.
Response
    We note at the outset that we have not proposed to make breach 
notification applicable to lawful holders such as ``investigative 
agencies.'' We agree that breach notification provisions across types 
of entities should be uniform. We also believe the commenter's 
suggestion is reasonable; however, we believe that more breach 
notification options, rather than fewer options, are preferable.
Final Rule
    The Department adopts the proposal to add paragraph (b) to Sec.  
2.16 to require part 2 programs to establish and implement policies and 
procedures for notification of breaches of unsecured part 2 records 
consistent with the requirements of 45 CFR parts 160 and 164, subpart 
D. First, we believe this provision is consistent with the CARES Act 
requirement to apply breach notification to part 2 in the same manner 
as it applies to covered entities for breaches of unsecured PHI. 
Second, we believe the same public policy objectives of the HIPAA 
Breach Notification Rule as applied to covered entities are furthered 
by establishing analogous requirements for part 2 programs. In the NPRM 
we established those policy objectives as: (1) greater accountability 
for part 2 programs through requirements to maintain written policies 
and procedures to address breaches and document actions taken in 
response to a breach; (2) enhanced oversight and public awareness 
through notification of the Secretary, affected patients, and in some 
cases the media; (3) greater protection of patients through obligations 
to mitigate harm to affected patients resulting from a breach; and (4) 
improved measures to prevent future breaches as part 2 programs timely 
resolve the causes of record breaches.
    Finally, as we discuss in greater detail in Definitions, in Sec.  
2.11 above, we are finalizing proposed definitions for ``breach'' and 
``unsecured records.'' In addition to the term ``breach'' being 
required by the amended statute, we believe incorporating these terms 
and definitions, as proposed, helps bring clarity to regulated entities 
on how to operationalize breach notification requirements aligned with 
HIPAA in part 2. In keeping with these changes, we are finalizing the 
proposed modification of the heading of Sec.  2.16 so that it now reads 
``Security for records and notification of breaches.''

[[Page 12524]]

Section 2.17--Undercover Agents and Informants
    As we discussed above, the final rule adopts the proposed addition 
of the language ``or disclosed'' behind ``used'' in this section so 
that the use and disclosure of part 2 records is prohibited by this 
section pursuant to the statutory authority. We did not receive public 
comments on this proposal and there are no other substantive changes to 
this section.
Section 2.19--Disposition of Records by Discontinued Programs
Proposed Rule
    Section 2.19 requires a part 2 program to remove patient 
identifying information or destroy the records when a program 
discontinues services or is acquired by another program, unless patient 
consent is obtained or another law requires retention of the records. 
The Department proposed to create a third exception to this general 
requirement to clarify that these provisions do not apply to transfers, 
retrocessions, and reassumptions of part 2 programs pursuant to the 
ISDEAA, to facilitate the responsibilities set forth in 25 U.S.C. 
5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C. 5324(e), 25 U.S.C. 5330, 25 
U.S.C. 5386(f), 25 U.S.C. 5384(d), and the implementing ISDEAA 
regulations.\189\ The Department also proposed wording changes to 
improve readability and modernize the regulation, such as by referring 
to ``non-electronic'' records instead of ``paper'' records, and 
structural changes to the numbering of paragraphs.
---------------------------------------------------------------------------

    \189\ For further information on the ISDEAA, see Indian Health 
Service, Title 1, HHS, https://www.ihs.gov/odsct/title1/.
---------------------------------------------------------------------------

Comment
    One commenter asserted that the Department's proposed exception to 
clarify that these provisions do not apply to transfers, retrocessions, 
and reassumptions of part 2 programs pursuant to the ISDEAA is a 
logical addition that will promote continuity of patient treatment. 
However, the commenter requested further clarification of the rule's 
record retention requirements for discontinued or acquired programs, 
including the provision that requires labeling stored non-electronic 
record with specific regulatory language. The commenter asked if the 
reference in the NPRM preamble to ``another law'' that might require 
record retention was a reference to HIPAA for covered entities.
Response
    The Department appreciates the comments about clarifying in the 
final rule that these provisions do not apply to transfers, 
retrocessions, and reassumptions of part 2 programs pursuant to the 
ISDEAA. Part 2 has long had requirements pertaining to paper records 
which were updated in 2017 to apply to electronic records of 
discontinued programs as well.\190\
---------------------------------------------------------------------------

    \190\ 82 FR 6052, 6076; 81 FR 6987, 6999 (Feb. 9, 2016).
---------------------------------------------------------------------------

    When there is a legal requirement that the records be kept for a 
period specified by law which does not expire until after the 
discontinuation or acquisition of the part 2 program, the dates of 
record retention would be reflected in the requirements of that law 
under Sec.  2.19(a)(2). The NPRM discussion of this was not intended as 
a reference to a specific law, but more generally to records retention 
laws which are typically established in state law for medical records. 
The HIPAA regulations do not address the time period for retention of 
medical records, but contain requirements for how retained records must 
be safeguarded. The HIPAA regulations also address retention of 
compliance documentation that may be located within a medical record 
(such as a signed authorization) or stored separately (such as security 
risk analyses). HIPAA Security Rule requirements for proper storage and 
security of records also may apply to records maintained by part 2 
programs that also are covered entities.\191\
---------------------------------------------------------------------------

    \191\ See, e.g., U.S. Dep't of Health and Human Servs., 
``Security Rule Guidance Material'' (June 29, 2023), https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html. 
See also, ``Guidance on Risk Analysis,'' supra note 115; U.S. Dep't 
of Health and Human Servs., ``Does the HIPAA Privacy Rule require 
covered entities to keep patients' medical records for any period of 
time?'' (Feb. 18, 2009), https://www.hhs.gov/hipaa/for-professionals/faq/580/does-hipaa-require-covered-entities-to-keep-medical-records-for-any-period/index.html.
---------------------------------------------------------------------------

Comment
    Another commenter expressed concern that current EHR systems do not 
support removing only part 2 data from one program for a particular 
patient or subset of patients, so it may not be technically feasible to 
remove patient identifying information or destroy the data as required 
by Sec.  2.19. The commenter claimed that the requirements for this 
section as described in the NPRM would require EHRs to be redesigned 
and therefore recommends alignment with the HIPAA Privacy and Security 
Rules. The commenter asserted that the HIPAA Security Rule requires 
that covered entities implement policies and procedures that address 
the final disposition of ePHI and/or the hardware or electronic media 
on which it is stored, as well as to implement procedures for removal 
of ePHI from electronic media before the media are made available for 
re-use.
Response
    We appreciate the feedback. Distinct requirements for disposition 
of part 2 records for discontinued programs have existed since 
1987.\192\ In 2017 the Department applied this section to electronic 
records.\193\ At that time, we cited resources that may support 
compliance with this requirement including from OCR (e.g., Guidance 
Regarding Methods for De-identification of Protected Health Information 
in Accordance with the Health Insurance Portability and Accountability 
Act (HIPAA) Privacy Rule) and the National Institute of Standards and 
Technology (NIST) (e.g., Special Publication 800-88, Guidelines for 
Media Sanitization).\194\ These and other resources developed by OCR, 
NIST, ONC, and others can continue to aid compliance with this section. 
The Department also notes that part 2 has established distinct 
requirements in Sec.  2.19 for disposition of part 2 records that may 
be more stringent and specific than those articulated in the HIPAA 
Security Rule based on the purposes of part 2 and stigma and 
discrimination associated with improper disclosure of SUD records. This 
section was updated in the 2020 final rule to apply to use of personal 
devices and accounts.\195\
---------------------------------------------------------------------------

    \192\ See 52 FR 21796.
    \193\ 82 FR 6052, 6076.
    \194\ 82 FR 6052, 6075; 81 FR 6987, 6999.
    \195\ 85 FR 42986, 42988.
---------------------------------------------------------------------------

Final Rule
    The Department is finalizing all proposed changes to this section 
without further modification.
Section 2.20--Relationship to State laws
Proposed Rule
    Section 2.20 establishes the relationship of state laws to part 2 
and provides that part 2 does not preempt the field of law which it 
covers to the exclusion of all applicable state laws, but that no state 
law may either authorize or compel a disclosure prohibited by part 2. 
Part 2 records frequently are also subject to regulation by various 
state laws. For example, similar to part 2, state laws impose 
restrictions to varying degree on uses and disclosures of records 
related to

[[Page 12525]]

SUD \196\ and other sensitive health information, such as reproductive 
health, HIV, or mental illness.\197\ The Department stated in the NPRM 
its assumption that, to the extent state laws address SUD records, part 
2 programs generally are able to comply with part 2 and state law. The 
Department requested comment on this assumption and further requested 
examples of any circumstances in which a state law compels a use or 
disclosure that is prohibited by part 2, such that part 2 preempts such 
state law.
---------------------------------------------------------------------------

    \196\ See, e.g., Mich. Comp. Laws sec. 333.6111 (expressly 
excluding SUD records from an emergency medical service as 
restricted); and NJ Rev. Stat. sec. 26:2B-20 (2013) (requiring 
records to be confidential except by proper judicial order whether 
connected to pending judicial proceedings or otherwise).
    \197\ See, e.g., MO Rev. Stat. sec. 191.731 (requiring SUD 
records of certain pregnant women remain confidential). Ctrs. for 
Disease Control and Prevention, ``State Laws that address High-
Impact HIV Prevention Efforts'' (March 17, 2022), https://www.cdc.gov/hiv/policies/law/states/index.html; ``TAC Assessment 
Working Paper: 2016 Compilation of State Behavioral Health Patient 
Treatment Privacy and Disclosure Laws and Regulations,'' supra note 
122.
---------------------------------------------------------------------------

Comment
    Several commenters asserted that complete Federal preemption is 
needed on part 2 issues with respect to state law, or barriers to care 
coordination will continue to exist. One commenter, a county 
government, said that part 2 preemption of state law is a problem in 
California because it creates a barrier when parents attempt to obtain 
SUD treatment for their minor children over the objection of the minor. 
Part 2 prevents disclosure of the minor's records without the minor's 
consent. Another commenter believed that part 2 conflicts with state 
law regarding state-mandated reporting on other types of abuse other 
than child abuse (such as elder abuse or domestic violence) and creates 
a dilemma for part 2 providers who need to report because there is not 
a ``required by law'' exception within part 2.
Response
    We acknowledge that considerable variation in patient consent laws 
exists for minors at the state level and discuss these issues in more 
detail in responding to comments regarding Sec.  2.14.\198\ The 
Department also notes that state behavioral health privacy laws may 
vary.\199\
---------------------------------------------------------------------------

    \198\ See ``State-by-State Variability in Adolescent Privacy 
Laws,'' supra note 172.
    \199\ See ``TAC Assessment Working Paper: 2016 Compilation of 
State Behavioral Health Patient Treatment Privacy and Disclosure 
Laws and Regulations,'' supra note 122.
---------------------------------------------------------------------------

    With respect to reporting abuse and neglect, 42 U.S.C. 290dd-2 
expressly states that the prohibitions of part 2 ``do not apply to the 
reporting under State law of incidents of suspected child abuse and 
neglect to the appropriate State or local authorities.'' However, no 
similar references are made to domestic violence, elder abuse, animal 
abuse, or other similar activities. Moreover, such changes were not 
proposed in the NPRM. Part 2 does, however, permit reporting a crime on 
the premises or against part 2 program personnel (Sec.  2.12(c)(5)), or 
applying for a court order to disclose confidential communications 
about an existing threat to life or serious bodily injury (Sec.  2.62). 
The Department also advised in the 2017 rule that ``if a program 
determines it is important to report elder abuse, disabled person 
abuse, or a threat to someone's health or safety, or if the laws in a 
program's state require such reporting, the program must make the 
report anonymously, or in a way that does not disclose that the person 
making the threat is a patient in the program or has a substance use 
disorder.'' \200\ A program could file a report therefore in such a way 
that does not note that the subject of the report is a patient in a 
part 2 program or has an SUD.
---------------------------------------------------------------------------

    \200\ 82 FR 6052, 6071.
---------------------------------------------------------------------------

Comment
    One commenter supported balancing the alignment of Federal privacy 
law and regulations with HIPAA and applicable state law for the 
purposes of TPO. Another commenter believed that to foster care 
coordination the Department should work with states to better align 
with the Federal standards to improve care coordination and individual 
patient outcomes.
Response
    We appreciate the comments on our proposed changes to align part 2 
with HIPAA consistent with the CARES Act.
Comment
    A state agency requested express permission within the regulation 
to permit disclosures to state data collection agencies, such as APCDs, 
because there is not a ``required by law'' provision in this part that 
would otherwise permit SUD records to be submitted to the state 
agencies that collect other health and claims data. A state agency 
requested that the final rule clearly authorize state agencies that 
maintain repositories of health care claims and discharge data to 
receive SUD information under 42 CFR part 2. SAMHSA, the commenter 
said, addressed a similar issue with state-operated PDMPs by clarifying 
in its 2020 final rule that such disclosures were authorized under 42 
CFR part 2. The commenter reported that the PDMP modification 
strengthened a critical component of states' ability to monitor access, 
use, and abuse of prescription drugs, while protecting patient privacy 
and confidentiality.
Response
    We appreciate the comment and recommendation. The Department, in 
2020, added a new section Sec.  2.36 (Disclosures to prescription drug 
monitoring programs),\201\ based on a regulatory proposal. No provision 
was proposed in the NPRM pertaining to APCDs/multi-payer claims 
databases (MPCDs) and thus there is no basis to add such a provision in 
the final rule. The Department previously declined to include 
exceptions to various requirements for APCDs/MPCDs after consideration 
of comments received on these issues in 2017.\202\
---------------------------------------------------------------------------

    \201\ See 85 FR 42986, 43015; 84 FR 44568, 44576.
    \202\ 82 FR 6052, 6079.
---------------------------------------------------------------------------

Comment
    A state agency said that in its state, the majority of SUD 
treatment records are covered by part 2; it has communicated to 
licensed SUD treatment providers that they will not be cited for state 
regulatory violations if they disclose information as permitted by part 
2. Licensed providers who are not part 2 programs are currently asked 
to verify this status with the state if a disclosure is made under 
HIPAA that would not be permitted by part 2.
Response
    The Department appreciates this information in response to our 
request for input about these issues.
Comment
    For one commenter, the final rule provides an opportunity to 
encourage states to update regulations that can often be outdated and 
confusing with regard to applicability. Such updates could facilitate 
care coordination and access. A hospital association requested more 
guidance on the interaction of Federal and state laws and that 
hospitals in states with confidentiality laws specific to SUD or citing 
part 2 will have to invest significant time and financial resources 
into understanding the interaction between Federal and state laws and 
how to incorporate those laws into real-time care decisions. Some 
hospitals also may provide services in

[[Page 12526]]

multiple states, the commenter pointed out, and patients may therefore 
receive treatment at facilities in more than one state. Other 
commenters requested additional guidance on the interaction between 
Federal and state SUD confidentiality requirements and provide 
technical assistance to help providers operationalize these 
requirements. One commenter also requested guidance to address such 
issues as hospitals providing services in multiple states and 
application of state laws to out-of-state telehealth consultations.
Response
    We appreciate these comments and may provide additional guidance 
and technical support to states and others after this rule is 
finalized. As previously noted, the Department supports the Center of 
Excellence for Protected Health Information Related to Behavioral 
Health, that can provide guidance and technical support on behavioral 
health privacy laws.\203\ The Department will continue to support this 
Center. The Department supports efforts to facilitate telehealth use 
consistent with HIPAA, part 2, and other state and Federal 
requirements. The Department has developed and supported resources to 
promote appropriate use of telehealth for SUD and other behavioral 
health conditions.\204\ The Department acknowledges that hospitals or 
other providers providing services in multiple states may face more 
complex compliance burdens and may need to consult legal counsel to 
ensure compliance, as the Department has previously advised.\205\
---------------------------------------------------------------------------

    \203\ See ``About COE PHI,'' supra note 105.
    \204\ See The Ctr. of Excellence for Protected Health Info., 
``Telehealth,'' https://coephi.org/protecting-health-information/telehealth-resources/; U.S. Dep't of Health and Human Servs., 
``Telehealth for behavioral health care,'' https://telehealth.hhs.gov/providers/best-practice-guides/telehealth-for-behavioral-health; Substance Abuse and Mental Health Servs. Admin., 
``Telehealth for the Treatment of Serious Mental Illness and 
Substance Use Disorders'' (2021), https://www.samhsa.gov/resource/ebp/telehealth-treatment-serious-mental-illness-substance-use-disorders.
    \205\ 82 FR 6052, 6071.
---------------------------------------------------------------------------

Comment
    One commenter said that any changes need to take into account 
discrepancies between state and Federal laws regarding release of 
information and ways to protect patients from the consequences of their 
information being used against them.
Response
    The Department acknowledges that the complex intersection of state 
and Federal behavioral health privacy statutes and regulations may 
result in unnecessary or improper disclosures. As we have noted in this 
section, part 2 does not preempt more stringent state statutes or 
regulations. Likewise, we have stated that HIPAA constitutes a floor of 
privacy protection that does not preclude more stringent state 
laws.\206\
---------------------------------------------------------------------------

    \206\ See U.S. Dep't of Health and Human Servs., ``Preemption of 
State Law,'' https://www.hhs.gov/hipaa/for-professionals/faq/preemption-of-state-law/index.html. For surveys of state privacy 
laws and discussion of state requirements see, e.g., ``50-State 
Survey of Health Care Information Privacy Laws,'' supra note 107; 
George Washington Univ.'s Hirsh Health Law and Pol'y Program and the 
Robert Wood Johnson Found., ``States,'' Health Information & the 
Law, http://www.healthinfolaw.org/state; ``TAC Assessment Working 
Paper: 2016 Compilation of State Behavioral Health Patient Treatment 
Privacy and Disclosure Laws and Regulations,'' supra note 122.
---------------------------------------------------------------------------

Comment
    One commenter was concerned that Federal efforts to promote 
interoperability may intersect with conflicting state requirements, 
pointing to the Federal Trusted Exchange Framework and Common Agreement 
(TEFCA) initiative as an example.\207\ The commenter believed that the 
health care industry does not yet fully understand all the potential 
conflicts and how they will impact health information exchange. Another 
commenter suggested requiring electronic records to display the basis 
when certain information is not visible or accessible (e.g., due to 
state law, patient restriction, etc.).
---------------------------------------------------------------------------

    \207\ See The Off. of the Nat'l Coordinator for Health Info. 
Tech. (ONC), ``Trusted Exchange Framework and Common Agreement 
(TEFCA),'' https://www.healthit.gov/topic/interoperability/policy/trusted-exchange-framework-and-common-agreement-tefca.
---------------------------------------------------------------------------

Response
    The Department will continue to support health IT and behavioral 
health integration by ensuring that TEFCA and other efforts are 
consistent with part 2 and take into account state requirements.\208\ 
As noted above, the Department has developed guidance for part 2 
programs on exchanging part 2 data and may update such guidance in the 
future.\209\ The Department continues to support EHRs and health IT 
compliant with part 2 and HIPAA requirements as well as care 
coordination and behavioral health integration.\210\
---------------------------------------------------------------------------

    \208\ See ``Behavioral Health,'' supra note 133.
    \209\ See ``Substance Abuse Confidentiality Regulations,'' supra 
note 113.
    \210\ See ``Behavioral Health,'' supra note 133.
---------------------------------------------------------------------------

Comment
    A commenter recommended that a Federal electronic consent standard 
should override conflicting state law.
Response
    While electronic signatures are beyond the scope of this rulemaking 
and no modifications to electronic signature requirements were proposed 
by the Department, both HIPAA and part 2 permit electronic signatures 
for authorizations or consents consistent with state law. As stated in 
HHS guidance, the HIPAA Privacy Rule ``allows HIPAA authorizations to 
be obtained electronically from individuals, provided any electronic 
signature is valid under applicable law.'' \211\ The Department also 
has stated in guidance and regulation that under part 2 electronic 
signatures are permissible.\212\ In 2017 the Department revised Sec.  
2.31 to ``to permit electronic signatures to the extent that they are 
not prohibited by any applicable law.'' However, the Department also 
advised that ``[b]ecause there is no single federal law on electronic 
signatures and there may be variation in state laws, SAMHSA recommends 
that stakeholders consult their attorneys to ensure they are in 
compliance with all applicable laws.'' \213\
---------------------------------------------------------------------------

    \211\ U.S. Dep't of Health and Human Servs., Off. for Civil 
Rights, ``How do HIPAA authorizations apply to an electronic health 
information exchange environment?'' (Sept. 17, 2021), https://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/index.html; 
U.S. Dep't of Health and Human Servs., ``Does the Security Rule 
require the use of an electronic or digital signature?'' (July 26, 
2013), https://www.hhs.gov/hipaa/for-professionals/faq/2009/does-the-security-rule-require-the-use-of-an-electronic-signature/index.html.
    \212\ See ``Frequently Asked Questions: Applying the Substance 
Abuse Confidentiality Regulations to Health Information Exchange 
(HIE),'' supra note 150.
    \213\ 82 FR 6052, 6080.
---------------------------------------------------------------------------

    The requirements for providing consent under Sec.  2.31 and the 
notice and copy of consent to accompany disclosure under Sec.  2.32 
could be met in electronic form. The requirements of Sec.  2.32 would 
not require the written consent, copies of a written consent, or a 
notice to accompany a disclosure of part 2 records to be in paper or 
other hard copy form, provided that any required signatures obtained in 
electronic form would be valid under applicable law. This 
interpretation is consistent with the Department's approach under the 
HIPAA Privacy Rule. OCR has provided prior guidance stating that 
covered entities can disclose PHI pursuant to an electronic copy of a 
valid and signed authorization, and the

[[Page 12527]]

Privacy Rule allows HIPAA authorizations to be obtained electronically 
from individuals, provided that any electronic signature is valid under 
applicable law.\214\
---------------------------------------------------------------------------

    \214\ U.S. Dep't of Health and Human Servs., Off. For Civil 
Rights, ``How do HIPAA authorizations apply to an electronic health 
information exchange environment?'' https://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/index.html.
---------------------------------------------------------------------------

Final Rule
    After considering the public comments on the relationship of part 2 
to state laws we are finalizing this section as proposed without 
further modification.
Section 2.21--Relationship to Federal Statutes Protecting Research 
Subjects Against Compulsory Disclosure of Their Identity
    The Department adopts the proposal in Sec.  2.21(b) to reorder 
``disclosure and use'' to read ``use and disclosure'' to better align 
the wording of this section with language used in the HIPAA Privacy 
Rule. A provider health system supported the proposal and no other 
comments were received on this proposal.
Section 2.22--Notice to Patients of Federal Confidentiality 
Requirements \215\
---------------------------------------------------------------------------

    \215\ In the NPRM, we included a detailed discussion of proposed 
modifications to HIPAA Privacy Rule 45 CFR 164.520, Notice of 
privacy practices for protected health information, in addition to 
modifications proposed to Sec.  2.22, Notice to Patients of Federal 
Confidentiality. Here, we include a brief explanation that HIPAA 
Privacy Rule proposed modifications and public comments will be 
considered in a separate rulemaking.
---------------------------------------------------------------------------

Patient Notice
Proposed Rule
    Section 3221(i) of the CARES Act required the Secretary to update 
the HIPAA NPP requirements at 45 CFR 164.520 to specify new 
requirements for covered entities and part 2 programs with respect to 
part 2 records that are PHI (i.e., records of SUD treatment by a part 2 
program that are transmitted or maintained by or for covered entities). 
By applying such requirements, entities that are dually regulated by 
both part 2 and HIPAA would be subject to the notice requirements. 
Discussed here and consistent with our approach throughout this 
rulemaking, in addition to proposing the required updates to 45 CFR 
164.520 (discussed below), we also proposed to revise the Patient 
Notice at Sec.  2.22.
    As explained in the NPRM, to the extent the HIPAA regulations and 
part 2 cover different, but often overlapping, sets of regulated 
entities, and the HIPAA NPP offers more robust notice requirements than 
the Patient Notice, the Department proposed to modify Sec.  2.22 to 
provide the same information to patients of part 2 programs as 
individuals receive under the HIPAA Privacy Rule. The Department's 
proposed modifications to the Patient Notice would also restructure it 
to substantially mirror the structure of the HIPAA NPP but exclude 
those elements that are inapplicable to part 2 programs. The specific 
proposed changes are described in detail in the NPRM and set forth 
below following the discussion of general comments.
Overview of Comments
    The Department received more comments about its approach to 
modifying the Patient Notice to align with the HIPAA NPP than comments 
about specific elements of the proposed notice. Some commenters 
supported aligning part 2 Patient Notice requirements with the HIPAA 
NPP. Other commenters expressed concerns, asked for clarity on certain 
specific proposed requirements, or urged the Department to provide 
resources or examples to support compliance.
Response
    We appreciate the comments about the proposed changes and discuss 
our response to specific concerns expressed by commenters below.
Patient Understanding
Comment
    Some commenters questioned whether the Patient Notice would ensure 
part 2 patients, programs, and recipients of part 2 records understand 
how part 2 records will be used, disclosed, and protected. Such 
requirements, these commenters said, should be delineated in easy-to-
understand wording in the patient's primary language. One commenter, 
describing their experiences as a patient and professional, said that 
they were not educated about the consent forms or what they were 
disclosing and their rights.
    Some commenters expressed concern that patients may not understand 
the revised notices, suggesting that the Department's approach could 
lead to additional downstream disclosures and legal consequences for 
patients even as it supported care coordination. A medical 
professionals association also emphasized its view that the Department 
should ensure standard and easily understandable notices of privacy 
practices. Other commenters suggested the Patient Notices be simplified 
and streamlined such as limiting notices to one page or gearing notices 
to a fifth-grade reading level. A state agency suggested that the 
Patient Notice adhere to language and disability access standards to 
the extent required under HIPAA. A privacy association opined that the 
proposed rule allows a patient to consent to a broad range of TPO 
disclosures, but also notes that SUD patients may at times lack 
capacity to understand the Patient Notice. These challenges may also 
apply to understanding consents and to managing revocation of consents. 
However, the association believes that this result is dictated by the 
statute rather than the Department's approach in the NPRM. A county 
government also expressed its view that it is difficult to provide 
these notices when the patient is undergoing detoxification or 
treatment for a SUD.
Response
    We appreciate these comments. We mirrored required elements of the 
HIPAA NPP in the Patient Notice because we believe that patients have 
become familiar with it and to reflect the closer alignment between 
part 2 and HIPAA in the final rule. We have provided further 
clarification concerning the substantive alignment of part 2 and HIPAA 
requirements through responses to public comments in several other 
sections of the final rule. The Department recognizes that outreach and 
further guidance will be needed both to persons with SUD and to 
providers in connection with the final rule. The Department will 
continue to monitor the response to part 2 in the SUD treatment 
community and will provide clarification of the final rule as needed. 
We discuss patients who lack capacity to make health care decisions in 
Sec.  2.15 above.
Single or Streamlined Form
Comment
    Commenters expressed different views as to whether they preferred 
using a single document or separate HIPAA and part 2 notices to provide 
notice statements to patients to aid compliance and patient 
understanding. One public health agency asked HHS to confirm that a 
single notice of privacy practices can fulfill both part 2 and HIPAA 
obligations. Some commenters said that for them that a single notice of 
privacy practices would reduce burdens or be the most effective way to 
convey privacy information to patients without creating unnecessary 
confusion and burden through excessive paperwork and asked for 
confirmation this was

[[Page 12528]]

permitted. An academic health center supported covered entities which 
have part 2 programs using one NPP addressing key elements of the HIPAA 
NPP such as a Header, Uses and Disclosures, Individual Rights. If a 
joint notice is acceptable, a commenter asked that proposed 42 CFR 
2.22(b)(1)(i) be updated to note that the 45 CFR 164.520(b)(1)(v)(C) 
header may be used in a combined notice. A trade association and health 
plan supported part 2 notices including elements of the HIPAA NPP such 
as a description of the permitted uses and disclosures of part 2 
records, the complaint process, and the patient's right to revoke their 
consent for the part 2 program to disclose records in certain 
circumstances.
Response
    We have stated both in HIPAA and part 2 guidance that notices for 
different purposes may be separate or joint/combined so long as the 
required elements are included.\216\ Thus, either using separate HIPAA, 
state law, or part 2 notices or combining these notices into one form 
would be acceptable so long as all required elements are included.
---------------------------------------------------------------------------

    \216\ See U.S. Dep't of Health and Human Servs., ``Notice of 
Privacy Practices for Protected Health Information'' (July 26, 
2013), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/privacy-practices-for-protected-health-information/index.html; 
``Substance Abuse Confidentiality Regulations,'' supra note 113.
---------------------------------------------------------------------------

Comment
    Commenters also urged the Department to support a simplified or 
streamlined Patient Notice. One advocacy organization characterized the 
proposed notice as unwieldy and overly detailed for both patients 
seeking to understand their rights and covered entities. The Department 
should streamline both notices and develop model Patient Notices as it 
has done for HIPAA NPPs. A health plan encouraged the Department to 
align with the HIPAA Privacy Rule by developing two versions of the 
part 2 model notice language: (a) the minimum necessary additional 
language/verbiage, which would be required to be added to an existing 
HIPAA NPP for entities which already are subject to that requirement; 
and (b) a notice similar to what is in the proposed rule for entities 
which do not already have a notice.
    Other commenters urged the Department to develop notice templates 
or model forms in multiple languages. A state agency supported the 
HIPAA NPP's being translated, at a minimum, into the top three 
languages for a provider's client population. One commenter asked the 
Department to develop at least two example Patient Notices--one 
directed at providers, and the other directed at payers and health 
coverage issuers. Another commenter suggested that model Patient 
Notices were needed for a HIPAA covered entity that has an existing 
HIPAA NPP and therefore HHS should create a minimal addendum or 
template which highlights any additional language specifically required 
to be added to that existing HIPAA NPP relative to this rule. The 
commenter also urged the Department to develop a Patient Notice 
template for third-party payers or other entities which may not already 
use a HIPAA NPP. Commenters urged that given the HIPAA enforcement 
proposal, there should be a safe harbor for using these standard 
notices.
Response
    We appreciate this comment and understand the value of having a 
sample or model notice that incorporated the changes finalized in this 
rule. The Department may, at a future time, develop sample templates 
and forms to support compliance with Sec.  2.22. We also note that this 
final rule provides 24 months from the date of publication for 
compliance with its provisions.
Administrative Burdens
Comment
    The Department received several comments stating that proposed 
changes to the part 2 notice would either reduce or increase part 2 
program, provider, or covered entity burdens. While part 2 programs and 
covered entities would need to update both the Patient Notice and the 
HIPAA NPP, the benefits outweighed the burdens, according to some 
commenters. One commenter asked HHS to clarify that Sec.  2.22 only 
applies to part 2 programs that are not subject to HIPAA. Another 
commenter said that as a dually regulated entity it believed that 
aligning these two notices will reduce dually regulated entities' 
burden of compliance, and improve patient understanding by reducing the 
amount of reading required. The commenter said updating notices 
concurrently would reduce their burden. Many commenters said examples 
of the updated HIPAA NPP and Patient Notice would be helpful and reduce 
their administrative burdens. Others also suggested the Department 
reduce administrative burdens and improve compliance by providing 
educational resources and templates to providers and patients and work 
with advocacy organizations to ensure the notice requirements are 
understood by patients and practical for providers.
    Another commenter supported the proposed changes, stating that it 
anticipated an additional administrative burden on part 2 programs 
which are not covered by HIPAA but limited impact or additional burden 
on those part 2 programs covered by HIPAA. One commenter similarly 
described what it viewed as potential burdens but said that for 
entities which are both part 2 programs and covered entities, a portion 
of the burden would be offset by the ability to have consistent 
policies and procedures given the new alignment between the part 2 
rules and the HIPAA regulations. A medical professionals association, 
while supporting alignment of the part 2 notice with the HIPAA NPP, 
suggested there would be an additional burden that modifying the HIPAA 
NPP for physician practices, especially small practices and those in 
rural areas.
Response
    The Department detailed its analysis of potential costs and 
benefits in the NPRM and in the RIA below. As we earlier noted, we are 
finalizing the part 2 Rule only at this time. The Department intends to 
publish the CARES Act required revisions to the HIPAA NPP provision (45 
CFR 164.520) as part of a future HIPAA rulemaking. Thus, this final 
rule focuses only on changes to the Patient Notice under Sec.  2.22. We 
intend to align compliance dates for any required changes to the HIPAA 
NPP and part 2 Patient Notice to enable covered entities to makes such 
changes at the same time.
    After both this rule and the forthcoming HIPAA Privacy Rule changes 
are finalized, while entities initially may require time to update the 
content of the Patient Notice and HIPAA NPP, commenters stated many 
part 2 programs, such as those that also are covered entities, may be 
able to save time and patients may benefit from enhanced protections 
offered by the revised notices. The Department acknowledges that some 
smaller, rural, or other types of practices may face increased burdens 
relative to larger entities, though this may not be true in all cases 
as many smaller practices or providers may also have familiarity both 
with HIPAA and part 2. After this rule is finalized, the Department may 
develop template/model forms or other guidance subsequent to finalizing 
this rule.

[[Page 12529]]

Notifying Patients
Comment
    Some commenters expressed concerns about notifying patients of new 
or updated notices. A medical professionals association expressed 
concern that the notification process as described in the NPRM may be 
problematic for those patients who lack mailing addresses and 
substitute notice by publication still might not be sufficient to 
inform patients about release of their records.
Response
    We appreciate the comments and acknowledge that updating the 
Patient Notice will create some burden for part 2 programs, as may 
copying and mailing costs; however, we believe that the burdens will be 
balanced by the overall burden reduction as a result of the decreased 
number of consents that are required for routine uses and disclosures. 
Section 2.22 as revised in this rule requires part 2 programs to notify 
patients when requirements that pertain to a patient's treatment have 
materially changed. It specifically requires the updated Patient Notice 
to be provided by the first day the health care is provided to the 
patient after the compliance date for the program, or for emergency 
treatment as soon as reasonably practicable after the emergency. The 
Department's stated intention to hold in abeyance updates to the HIPAA 
NPP pending a future rulemaking does not negate the Department's 
expectation that part 2 programs will comply with the requirements in 
Sec.  2.22. However, as explained above, we intend to align compliance 
dates for any required changes to the HIPAA NPP and part 2 Patient 
Notice to enable covered entities to make such changes at the same 
time.
Recommendations To Change the Proposal
Comment
    One commenter noted that the proposed Patient Notice did not 
include notice that patients could obtain copies of their records at 
limited costs or in some case, free of charge. The commenter stated 
that, although Sec. Sec.  2.22 and 2.23 do not require a part 2 program 
to give a patient the right to inspect or get copies of their records, 
but the Department should use the general regulatory authority of the 
CARES Act (section 3221(i)(1)) to require part 2 programs to allow 
patients to inspect or get copies of their records. This commenter 
supported the Patient Notice statement describing the duties of part 2 
programs with respect to part 2 records even though it is not required 
by 42 U.S.C. 290dd-2.
Response
    The commenter is correct that these regulations do not create a 
patient right of access to their records analogous to the HIPAA Privacy 
Rule right of access.\217\ We discuss patient access and restrictions 
on use and disclosure in Sec.  2.23.
---------------------------------------------------------------------------

    \217\ See ``Individuals' Right under HIPAA to Access their 
Health Information 45 CFR 164.524,'' supra note 159.
---------------------------------------------------------------------------

Comment
    A commenter requested modification of the section of the notice 
pertaining to complaints so that complaints may be filed ``either to 
the Part 2 Program or the Secretary'' rather than to the program and 
the Secretary. Requiring the patient to complain to both entities may 
intimidate the patient especially if they are dependent on the part 2 
program for employment, child welfare, or criminal justice purposes, 
the commenter asserted.
Response
    As we state in Sec.  2.4 (Complaints of noncompliance), a person 
may file a complaint with the Secretary for a violation of this part by 
a part 2 program, covered entity, business associate, qualified service 
organization, or other lawful holder but is not compelled to file a 
complaint of violation both with the Secretary and the part 2 program. 
This ``no wrong door'' approach mirrors the language in the HIPAA NPP 
for the HIPAA Privacy Rule, and OCR has continued to receive thousands 
of privacy complaints annually. A patient who files a complaint with a 
provider may or may not receive a response, and we do not believe a 
patient should be required to wait before bringing their complaints of 
noncompliance to the Department's attention. Further, many complaints 
filed with the Department are readily resolved through voluntary 
compliance and technical assistance to aid the entity's compliance with 
the regulation. Thus, we do not believe it will overly burden part 2 
programs to allow patients to file complaints directly with the 
Department.
Final Rule
Header
    The Department proposed to require a header for the Patient Notice 
that would be nearly identical to the header required in the HIPAA NPP 
(and as proposed for amendment in the NPRM) at 45 CFR 164.520(b)(1)(i) 
except where necessary to distinguish components of the notice not 
applicable to 42 CFR part 2. For example, the Patient Notice that would 
be provided pursuant to this part would not include notice that 
patients could exercise the right to get copies of records at limited 
costs or, in some cases, free of charge, nor would it provide notice 
that patients could inspect or get copies of records under HIPAA.
    The final rule adopts the header as proposed without modification.
Uses and Disclosures
    The Department is finalizing its proposal, without modification, to 
require a part 2 program to include in its Patient Notice descriptions 
of uses and disclosures that are permitted for TPO, are permitted 
without written consent, or will only be made with written consent. The 
Department is finalizing its proposed requirement that a covered entity 
that creates or maintains part 2 records include sufficient detail in 
its Patient Notice to place the patient on notice of the uses and 
disclosures that are permitted or required. Although, as stated in the 
NPRM, the Department believes section 3221(k)(4) of the CARES Act--
stating that certain de-identification and fundraising activities 
should be excluded from the definition of health care operations--has 
no legal effect as a Sense of Congress, the Department will finalize 
its proposed new paragraph (b)(1)(iii) in Sec.  2.22. This provision 
requires that a part 2 program provide notice to patients that the 
program may use and disclose part 2 records to fundraise for the 
program's own behalf only if the patient is first provided with a clear 
and conspicuous opportunity to elect not to receive fundraising 
communications. This new notice requirement is consistent with the 
requirement at Sec.  2.31(a)(5)(iii) in which a part 2 program, when 
obtaining a patient's TPO consent, must provide the patient the 
opportunity to elect not to receive fundraising communications.
    Rather than referring to ``the HIPAA Privacy Rule'' we instead 
refer in this rule to ``HIPAA regulations'' to describe the 
redisclosure permission applicable to part 2 programs, covered 
entities, and business associates following an initial disclosure based 
on a TPO consent. We believe this modification to what we initially 
proposed is consistent with our incorporation of the new defined term 
``HIPAA regulations'' into part 2.
Patient Rights
    The Department is finalizing its proposal, with further 
modification, to require that a part 2 program include in

[[Page 12530]]

the Patient Notice statements of patients' rights with respect to part 
2 records. The structure mirrors the statements of rights required in 
the HIPAA NPP for covered entities and PHI but, be based on amended 42 
U.S.C. 290dd-2, and patient rights under the final rule. The patient 
rights listed include, for example, the rights to:
     Request restrictions of disclosures made with prior 
consent for purposes of TPO, as provided in 42 U.S.C. 290dd-2(b)(1)(C).
     Request and obtain restrictions of disclosures of part 2 
records to the patient's health plan for those services for which the 
patient has paid in full, in the same manner as 45 CFR 164.522 applies 
to restrictions of disclosures of PHI.
     Obtain an electronic or non-electronic copy of the notice 
from the part 2 program upon request.
     Discuss the notice with a designated contact person 
identified by the part 2 program pursuant to paragraph 45 CFR 
164.520(b)(1)(vii).
     A list of disclosures by an intermediary for the past 3 
years as provided in 42 CFR 2.24.
     Elect not to receive any fundraising communications.
Part 2 Program's Duties
    The Department is finalizing its proposal, without modification, to 
incorporate into the Patient Notice statements describing the duties of 
part 2 programs with respect to part 2 records that parallel the 
statements of duties of covered entities required in the HIPAA NPP with 
respect to PHI. Although this change is not required by 42 U.S.C. 
290dd-2, the statement of duties would put patients on notice of the 
obligations of part 2 programs to maintain the privacy and security of 
part 2 records, abide by the terms of the Patient Notice, and inform 
patients that it may change the terms of a Patient Notice. The Patient 
Notice also would include a statement of the new duty under 42 U.S.C. 
290dd-2(j) to notify affected patients following a breach of part 2 
records.
Complaints
    The Department is finalizing its proposal, without modification, to 
require that a part 2 program inform patients, in the Patient Notice, 
that the patients may complain to the part 2 program and Secretary when 
they believe their privacy rights have been violated, as well as a 
brief description of how the patient may file the complaint and a 
statement that the patient will not be retaliated against for filing a 
complaint. We are finalizing the new provision that patients may 
complain to the Secretary as well as the part 2 program. These changes 
support the implementation of the CARES Act enforcement provisions, 
which apply the civil enforcement provisions of section 1176 of the 
Social Security Act to violations of 42 U.S.C. 290dd-2.
Contact and Effective Date
    The Department is finalizing its proposal, without modification, to 
require that the Patient Notice provide the name or title, telephone 
number, and email address of a person or office a patient may contact 
for further information about the part 2 Notice, and information about 
the date the Patient Notice takes effect. We intend to align compliance 
dates for any required changes to the HIPAA NPP and part 2 Patient 
Notice to enable covered entities to make such changes at the same 
time.
Optional Elements
    The Department is finalizing its proposal, without modification, to 
incorporate into the Patient Notice the optional elements of a HIPAA 
NPP, which a part 2 program could include in its Patient Notice. This 
provision permits a program that elects to place more limits on its 
uses or disclosures than required by part 2 to describe its more 
limited uses or disclosures in its notice, provided that the program 
may not include in its notice a limitation affecting its ability to 
make a use or disclosure that is required by law or permitted to be 
made for emergency treatment.
Revisions to the Patient Notice
    The Department is finalizing the proposal, without modification, to 
require that a part 2 program must promptly revise and distribute its 
Patient Notice when there has been a material change and provide that, 
except when required by law, such material change may not be 
implemented prior to the effective date of the Patient Notice.
Implementation Specifications
    The Department is finalizing its proposal, without modification, to 
require that a part 2 program provide the Sec.  2.22 notice to anyone 
who requests it and provide it to a patient not later than the date of 
the first service delivery, including where first service is delivered 
electronically, after the compliance date for the Patient Notice. This 
provision also would require that the notice be provided as soon as 
reasonably practicable after emergency treatment. If the part 2 program 
has a physical delivery site, the notice would have to be posted in a 
clear and prominent location at the delivery site where a patient would 
be able to read the notice in a manner that does not identify the 
patient as receiving SUD treatment, and the Patient Notice would need 
to be included on a program's website, where available. These 
provisions would parallel the current requirements for provision of the 
HIPAA NPP by HIPAA-covered health care providers.
45 CFR 164.520 HIPAA Notice of Privacy Practices
    In the NPRM, we proposed to update the HIPAA NPP requirements 
consistent with requirements in the CARES Act using plain language that 
is easily understandable. We also proposed additional updates 
consistent with changes to the HIPAA NPP we proposed in January 2021 
(Proposed Modifications to the HIPAA Privacy Rule To Support, and 
Remove Barriers to, Coordinated Care and Individual Engagement).\218\ 
This part 2 final rule adopts changes to the part 2 Patient Notice 
only; it does not include finalized changes to the HIPAA NPP in 45 CFR 
164.520. The Department intends to publish modifications to 45 CFR 
164.520 as part of a future HIPAA rulemaking. Comments received 
regarding changes to the HIPAA NPP proposed in the 2022 NPRM will be 
addressed when those changes are published as part of a HIPAA final 
rule. As we consider public comments received related to the HIPAA NPP, 
we intend to carefully consider the progress made by affected entities 
working to implement changes to the Patient Notice.
---------------------------------------------------------------------------

    \218\ See 86 FR 6446.
---------------------------------------------------------------------------

Section 2.23--Patient Access and Restrictions on Use and Disclosure
Proposed Rule
    In addition to the paragraph (b) changes discussed above in the 
``use'' or ``disclosure'' section, the Department proposed wording 
changes to paragraph (b) to improve readability and to replace the 
phrase ``this information'' with ``records,'' which more accurately 
describes the scope of the information to which the regulation applies. 
The comments and the Department's responses regarding Sec.  2.23 are 
set forth below.
Comment
    While not proposed in the NPRM, a few commenters suggested adding a 
patient right to direct copies of PHI to a third party, as follows: (1) 
to define a right to direct copies to prevent

[[Page 12531]]

unintended parties from receiving records; (2) to allow covered 
entities to restrict or refuse requests from any entity that are not 
the individual or an entity authorized by the individual; and (3) to 
create a patient right to direct a copy of records to third parties 
without a consent form to align with HIPAA.
Response
    We appreciate the suggestion to create a patient right to direct 
copies of PHI to a third party; however, that suggestion is outside the 
scope of the current rulemaking.
Comment
    While not proposed in the NPRM, a few commenters also suggested 
creating a right of access for part 2 records to afford part 2 patients 
the same rights as individuals under the HIPAA Privacy Rule.
Response
    We appreciate the suggestion to create a right of access for part 2 
records and the intent to provide equity for those being treated for 
SUD with respect to their patient rights compared to the rights for 
patients with other health conditions under HIPAA. This proposal falls 
outside the scope of the part 2 rulemaking and we did not propose this 
change or request comment on this topic in the NPRM; therefore, there 
is not an adequate foundation for adopting a right of access in the 
final rule.
    The HIPAA Privacy Rule established for an individual the right of 
access to their PHI in a designated record set. The HIPAA right of 
access applies to records created by a part 2 program that is also a 
covered entity as well as part 2 records received by a covered 
entity.\219\ For part 2 programs that are not covered entities, Sec.  
2.23 does not prohibit a part 2 program from giving a patient access to 
their own records, including the opportunity to inspect and copy any 
records that the part 2 program maintains about the patient.
---------------------------------------------------------------------------

    \219\ See ``Individuals' Right under HIPAA to Access their 
Health Information 45 CFR 164.524,'' supra note 159.
---------------------------------------------------------------------------

Comment
    One commenter recommended that the Department not adopt the changes 
proposed to the right of access in its 2021 HIPAA NPRM on coordination 
of care \220\ because the proposed changes ``would create new pathways 
for third parties to easily access patient health information through 
personal health apps with little to no requirements for patient 
education and consent, thus eroding longstanding privacy protections 
and increasing burden on providers.''
---------------------------------------------------------------------------

    \220\ 86 FR 6446.
---------------------------------------------------------------------------

Response
    We appreciate the comment; however, the topic is outside the scope 
of the current rulemaking.
Comment
    One commenter appreciated knowing that once they receive SUD 
records, the records become PHI and are subject to the access 
requirements in the HIPAA Privacy Rule.
Response
    We appreciate the comment. We clarify that when part 2 records are 
received by or for a covered entity and are part of a designated record 
set they become PHI and are subject to the HIPAA Privacy Rule access 
requirements. Generally, the HIPAA Privacy Rule gives individuals the 
right to access all of their PHI in a designated record set.\221\ A 
``designated record set'' is a group of records maintained by or for a 
covered entity that are a provider's medical and billing records, a 
health plan's enrollment, payment, claims adjudication, and case or 
medical management record systems, and any other records used, in whole 
or in part, by or for the covered entity to make decisions about 
individuals.\222\ A covered entity's part 2 records usually fall into 
one of these categories and thus are part of the designated record set. 
This is true when a part 2 program is a covered entity, as well as when 
a covered entity receives part 2 records but is not a part 2 program. 
As such, the records held by a covered entity are subject to the HIPAA 
Privacy Rule's right of access requirements.
---------------------------------------------------------------------------

    \221\ See 45 CFR 164.524.
    \222\ See 45 CFR 164.501 (definition of ``Designated record 
set'').
---------------------------------------------------------------------------

Comment
    One commenter expressed concerns about any access or disclosures 
that could subject part 2 patients to criminal charges.
Response
    We appreciate this comment. The revisions to Sec.  2.23 clarify the 
existing prohibition on use and disclosure of information obtained by 
patient access to their record for purposes of a criminal charge or 
criminal investigation of the patient.
Comment
    One commenter believed that the Department was proposing to remove 
the written consent requirement for patient access to their own 
records.
Response
    Section 2.23 does not require a part 2 program to obtain a 
patient's written consent or other authorization to provide access by 
the patient to their own records, and the final rule is not changing 
this. Thus, the ability of a patient to obtain access to their record 
without written consent will be maintained.
Final Rule
    The final rule adopts all proposed modifications to Sec.  2.23(b), 
without further modification.
Section 2.24--Requirements for Intermediaries
Proposed Rule
    The Department proposed to address the role of intermediaries by: 
(a) creating a regulatory definition of the term in Sec.  2.11; (b) 
reorganizing the existing requirements for intermediaries and 
redesignating that provision as Sec.  2.24; and (c) clarifying in Sec.  
2.31(a)(4)(ii)(B) how a general designation in a consent for use and 
disclosure of records to an intermediary would operate. The definition 
as proposed would read as follows: Intermediary means a person who has 
received records under a general designation in a written patient 
consent to be disclosed to one or more of its member participant(s) who 
has a treating provider relationship with the patient. The current part 
2 consent requirements in Sec.  2.31 contain special instructions when 
making a disclosure to entities that fall within the proposed 
definition of intermediary: the consent must include the name of the 
intermediary and one of the following: (A) the name(s) of member 
participant(s) of the intermediary; or (B) a general designation of a 
participant(s) or class of participants, which must be limited to a 
participant(s) who has a treating provider relationship with the 
patient whose information is being disclosed. The NPRM proposed to 
replace ``entities that facilitate the exchange of health information 
and research institutions'' with ``intermediaries'' and add ``used 
and'' before ``disclosed'' in Sec.  2.31.
Comment
    We received comments both supporting and opposing the Department's 
proposal to define ``intermediary'' and retain consent requirements for 
disclosures to intermediaries. Most HIEs/HINs and health IT vendors 
that commented on this set of proposals, expressed concern about our 
changes. Opposing commenters stated their views that the special 
provisions for intermediaries

[[Page 12532]]

were a holdover from before the CARES Act and were inconsistent with 
its alignment of part 2 and HIPAA, especially with regard to the new 
provision to allow a single consent for all future TPO. Some commenters 
suggested that the CARES Act may require the Department to remove the 
intermediary provisions. Other commenters believed that these 
provisions did not support care coordination or were inconsistent with 
allowing a single consent for TPO.
    Commenters asked that we revise the HIPAA definition of ``covered 
entity'' to include examples of the intermediaries and remove the part 
2 definition of ``intermediary''; exclude business associates, health 
IT vendors, or health plans from the part 2 definition of intermediary; 
expressly allow intermediaries to disclose for TPO; expressly allow 
HIEs and HIE participants to be listed in a general designation in the 
consent for disclosures for TPO; and clarify what types of HIEs or 
health IT vendors are included in the definition (because some HIE 
technology or EHR software does not maintain data or have access to it 
when exchanging data between systems).
    One commenter asserted that the CARES Act does not define nor use 
the term ``intermediary'' and the Department should instead rely upon 
established terms of ``covered entity,'' ``business associate,'' and 
part 2 ``programs.'' Another commenter believed the NPRM created a 
``two-tiered'' system that perpetuates discrimination because patients 
with SUD cannot reap the benefits of integrated care that is 
facilitated by shared electronic records. A health plan said that there 
would not be sufficient oversight of intermediaries under the proposed 
definition because they include entities that are not subject to HIPAA.
    One commenter, a health plan association, asserted that business 
associates should be carved out from the definition of ``intermediary'' 
as most already defined as covered entities or business associates 
under HIPAA. Others agreed that the role of intermediaries such as 
HIEs/HINs or ACOs should be carved out from this definition. A few HIE 
commenters viewed requirements for intermediaries as based on 2017 rule 
changes, in which the Department attempted to limit those instances 
when a general designation consent could be used without specifically 
naming the persons entitled to receive the part 2 record. Additionally, 
the 2017 rule changes layered on additional accounting and consent 
requirements that--together with the operational challenge of 
determining when and whether a downstream entity has a ``treating 
provider relationship'' with the patient--resulted in low adoption due 
to the technical and administrative challenges in implementing these 
requirements and limitations. A county department argued that there is 
no analog to intermediary within HIPAA, thus these changes are 
inconsistent with the CARES Act effort to foster closer alignment 
between HIPAA and part 2.
Response
    We appreciate input from commenters and have made changes in 
response to their expressed concerns. Our final definition of 
``intermediary'' in Sec.  2.11 includes ``a person, other than a 
program, covered entity, or business associate, who has received 
records under a general designation in a written patient consent to be 
disclosed to one or more of its member participant(s) who has a 
treating provider relationship with the patient.'' We also are 
finalizing provisions that an intermediary must provide to patients who 
have consented to the disclosure of their records using a general 
designation, pursuant to Sec.  2.31(a)(4)(ii)(B), a list of persons to 
whom their records have been disclosed pursuant to the general 
designation. These changes will implement the CARES Act consent 
provisions by permitting HIEs that are business associates to receive 
part 2 records under a broad TPO consent and redisclose them consistent 
with the HIPAA regulations. These changes also will encourage HIEs to 
accept part 2 records and include part 2 programs as participants, 
facilitate integration of behavioral health information with other 
medical records, and reduce burdens on business associates that serve 
as HIEs. Our final rule also is consistent with previous SAMHSA 
guidance to ensure part 2 data exchanged by HIEs remains subject to 
protection under this final rule.\223\
---------------------------------------------------------------------------

    \223\ See U.S. Dep't of Health and Human Servs., ``Disclosure of 
Substance Use Disorder Patient Records: How Do I Exchange Part 2 
Data?'' https://www.samhsa.gov/sites/default/files/how-do-i-exchange-part2.pdf.
---------------------------------------------------------------------------

Comment
    According to one commenter, if a patient signed a consent form 
designating ``my health plan'' as the recipient, the part 2 program 
would be permitted to disclose such information directly to the health 
plan but would be prohibited from disclosing that information to the 
very same health plan if the disclosure was made via an intermediary 
without specifically naming the intermediary and the health plan. This 
approach could thus impede operations of HIEs/HINs.
Response
    We agree with the commenter's concerns that the proposed consent 
requirements for intermediaries may impede HIEs/HINs. The finalized 
definition of intermediary in Sec.  2.11 excludes part 2 programs, 
covered entities, and business associates. This approach should help 
remove barriers to HIEs'/HINs' inclusion of part 2 records from part 2 
programs that are also covered entities. As noted, we believe excluding 
business associates, in particular, will encourage HIEs to accept part 
2 records and include part 2 programs as participants and reduce 
burdens on business associates that serve as HIEs.
Comment
    One HIE commenter said that the NRPM provides an example of an 
intermediary being an electronic health vendor that enables entities at 
two different health systems to share records and would be bound by the 
requirements proposed under Sec.  2.24. However, that same vendor would 
not be an intermediary when used by employees in different departments 
of a hospital to access the same patient's records. The commenter finds 
this confusing and seeks clarification on the definition of 
intermediary and their associated requirements. Another commenter, a 
health IT vendor, also questioned our example in the NPRM claiming that 
the developer of the product used in an exchange of information is no 
more an intermediary to the exchange than the manufacturer of a fax 
machine is an intermediary to information faxed from one place to 
another. The EHR vendor described in the NPRM should only be considered 
an intermediary when it controls the exchange of health records between 
systems using its software or when it serves as the recipient of 
records.
Response
    We acknowledge that some commenters may have found this NPRM 
example confusing. We believe our revised definition and changes to 
Sec.  2.24 help clarify the role of intermediaries. We have in the NPRM 
and other past rules and guidance cited HIEs/health information 
networks or ``HINs,'' ACOs, coordinated care organizations, care 
management organizations, and research institutions as examples of

[[Page 12533]]

intermediaries but this may be a fact-specific inquiry.\224\
---------------------------------------------------------------------------

    \224\ Id. See also, 87 FR 74216, 74224; 82 FR 6052, 6055.
---------------------------------------------------------------------------

Comment
    Other comments on the proposal addressed the role of community-
based organizations (CBOs), such as those providing services to people 
experiencing homelessness. A few commenters requested that such CBOs be 
considered as intermediaries, and one pointed out that the limitation 
on sharing part 2 records through an intermediary would likely result 
in limiting the sharing of records with CBOs via an HIE because CBOs 
are not treating providers. A county HIE said that it fosters data 
sharing across dozens of health care providers, managed care, and CBOs 
to enable better care coordination to and address social determinants 
of health. The county asserted that allowing part 2 records to be 
shared based on a single consent for TPO would be ``deeply enhanced by 
pairing it with the technology of an HIE.''
Response
    We have noted the definition of ``intermediary'' and examples 
above. An intermediary may be named in a general designation in Sec.  
2.31(a)(4) though special instructions apply to such use. Under the 
final rule, we have excluded business associates, part 2 programs, and 
covered entities from the definition of ``intermediary'' in Sec.  2.11. 
Thus, HIEs that meet the definition of ``business associates'' are not 
intermediaries.
    Part 2 programs, covered entities, and business associates (notably 
HIEs) are permitted to disclose records for TPO under the new TPO 
consent requirements and redisclose records as permitted by the HIPAA 
Privacy Rule once a consent for all future uses and disclosures for TPO 
is obtained. Accordingly, when a part 2 program that is covered entity 
discloses records through an HIE, the intermediary consent requirements 
under Sec.  2.31(a)(4) do not apply because the HIE would be serving as 
a business associate of the part 2 program/covered entity, and as a 
business associate the HIE would be excluded from the definition of 
``intermediary.'' We believe that part 2 programs that rely on HIEs are 
those most likely to be covered entities and to benefit from the 
narrowed definition of intermediary in the final rule.
Comment
    A commenter said that definition of ``intermediary'' is broad 
enough that a primary care provider connecting a patient (and a 
patient's part 2 records) from one program to another could be seen as 
an intermediary. This commenter seeks guidance on the relationship 
between part 2 programs and intermediaries, and what unintended 
consequences the Department is seeking to avoid. The commenter suggests 
collaboration with ONC to leverage TEFCA, as there seems to be overlap 
between what constitutes an intermediary and how ONC defines a 
Qualified Health Information Network under TEFCA.
    An insurance association referenced TEFCA and said that it is 
expected to be operating this year, creating a national network for 
health care information exchange among both HIPAA covered and non-HIPAA 
covered entities. The part 2 rule, the association said, should be 
structured to ensure data can be seamlessly shared among covered 
entities for TPO and other purposes designated in an individual's 
consent. However, the commenter believed that robust privacy 
protections for part 2 records remain critical for all entities 
involved in health data exchanges. The TEFCA processes are building in 
governance and operating requirements parallel to the HIPAA privacy and 
security requirements for all participants in the system even if they 
are not covered entities under the law to ensure robust protections no 
matter what role the entity plays. The commenter was concerned that a 
single weak link in the chain could compromise the entire system.
    The commenter also stated that activities by HIEs that go beyond 
the role of a ``basic conduit'' should come with commensurate 
responsibilities for data protections. Therefore, the commenter 
questioned the definition of ``intermediary'' as proposed, asserting 
that it would minimize the accountability of these entities.
Response
    We appreciate input from commenters on the role of HIEs and TEFCA. 
ONC, OCR, SAMHSA and others are collaborating to support participation 
in TEFCA and implementation of health IT and EHRs within the behavioral 
health sector.\225\ When an HIE is acting as a business associate to a 
part 2 program that is also a covered entity, it would not be 
considered an ``intermediary'' as defined in this final rule because we 
have excluded business associates (along with programs and covered 
entities) from the definition. An HIE that is a ``business associate'' 
is subject to certain HIPAA requirements, including safeguards under 
the HIPAA Security Rule.\226\
---------------------------------------------------------------------------

    \225\ See ``Behavioral Health,'' supra note 133.
    \226\ See U.S. Dep't of Health and Human Servs., ``Business 
Associates'' (May 24, 2019), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.
---------------------------------------------------------------------------

    For clarity, we also explain here that the exclusion of business 
associates from the ``intermediary'' definition in Sec.  2.11 results 
in far fewer entities being subject to intermediary consent 
requirements under Sec.  2.31(a)(4) and the list of disclosures 
obligations under Sec.  2.24 because most HIEs--which were the most 
typical example of an intermediary--are business associates. A QSO--
which is analogous to a business associate for a part 2 program--is 
only considered an intermediary when it is providing services to a 
program that is not a covered entity. We believe that part 2 programs 
that are covered entities are those most likely to make use of HIE 
services and that the burden reduction on HIE business associates in 
this final rule may incentivize them to accept part 2 records into 
their systems more frequently than under the existing part 2 
regulation.
Comment
    SUD recovery organizations recommended modifying the proposed 
definition of ``intermediary'' to also include ``a member of the 
intermediary named in the consent,'' rather than limiting it to members 
of the intermediary that have a treating provider relationship with the 
patient. A state data agency urged us to add intermediaries and other 
lawful holders to the language of Sec.  2.12(d)(2)(ii), which permitted 
a non-part 2 treatment provider who receives part 2 information to 
record it without it becoming a part 2 record, so long as any part 2 
records they receive are segregated from other health information.
Response
    Section 2.12(d)(2)(ii) applies to persons who receive records 
directly from a part 2 program or other lawful holder of patient 
identifying information and who are notified of the prohibition on 
redisclosure in accordance with Sec.  2.32. We are finalizing a 
modification to this provision to expressly state that: ``[a] program, 
covered entity, or business associate that receives records based on a 
single consent for all treatment, payment, and health care operations 
is not required to segregate or segment such records.'' Thus, an HIE 
that is a business associate of a covered entity

[[Page 12534]]

that operates a part 2 program cannot, by definition, be an 
intermediary, and thus would not be required to segregate the part 2 
records they receive. However, the records would still be considered 
part 2 records (as well as PHI) and there is a continuing obligation to 
protect the records from use or disclosure in proceedings against the 
patient.
    Because the concept of intermediary by its nature is limited to 
organizations that mediate the interactions between a program and an 
intended recipient of records, it would not be practical to include in 
the definition of ``intermediary'' language concerning ``a member of 
the intermediary named in the consent.''
Comment
    Several commenters requested clarification of certain aspects of 
the proposal, such as: whether entities already subject to HIPAA are 
included as intermediaries; whether QSOs can serve as intermediaries 
and how the QSO role would fit into the requirements; whether the 
intermediary definition is limited to facilitating access for treatment 
purposes or whether the definition contemplates facilitating access for 
other purposes (e.g., for payment purposes, patient access, etc.); and 
which entities have the responsibility for the required list of 
disclosures and exactly which responsibilities related to that 
requirement. One commenter requested that the Department expressly 
clarify that QSOs are not intermediaries since QSOs do not receive 
records under a general designation in a written patient consent, but 
rather they receive records through a QSOA.
Response
    We discuss our changes to the definition of ``intermediary'' here 
and in Sec.  2.11. As noted, in response to public comments we are 
excluding covered entities, business associates, and part 2 programs 
from the definition of ``intermediary.'' Further, the ``intermediary'' 
definition is not, in and of itself, expressly limited to facilitating 
access for treatment purposes; however, by the operation of the consent 
requirement in Sec.  2.31, the use of intermediaries is generally 
limited to facilitating the exchange of records among treating 
providers. The final rule definition of ``qualified service 
organization'' includes a person who meets the definition of ``business 
associate'' in 45 CFR 160.103, for a part 2 program that is a covered 
entity, with respect to the use and disclosure of PHI that also 
constitutes a part 2 record. Expressly including business associates as 
QSOs, where both definitions are met, responds to comments received on 
the NPRM noting that the role of QSOs is analogous to business 
associates, such that aligning terminology makes sense given the 
purpose of section 3221 of the CARES Act to enhance harmonization of 
HIPAA and part 2. Additionally, as commenters requested, we have carved 
out business associates from the definition of ``intermediary.'' Thus, 
while a QSO may be a business associate, it cannot at the same time 
also be considered an intermediary. As a result, an HIE/HIN that is a 
QSO and business associate for a part 2 program that is also a covered 
entity would not be subject to the intermediary requirements (e.g., a 
general designation in a consent and the list of disclosures).
Comment
    About half of the commenters on intermediaries opposed the 
requirement that intermediaries provide a list of disclosures for the 3 
years preceding the request. Many commenters expressed concern that the 
TPO consent provisions in Sec. Sec.  2.31 and 2.33 would result in an 
increase in requests for a list of disclosures made via an intermediary 
and that HIEs were not equipped to respond in volume. One commenter 
opined that millions of transactions will be facilitated by the 
intermediary daily and, as a result, it would be difficult for both the 
part 2 program and the intermediary to provide a full accounting of 
disclosure that would feasibly be usable and helpful to the patient. 
Others suggested the part 2 program directly assume this obligation.
    While supporting the proposed changes, a few commenters raised 
substantial concerns about the existing requirements, stating that it 
would be difficult for an intermediary to log individual accesses and 
reasons why data was accessed over a multi-year period. While patients 
should understand where and how their data is being transferred, it 
must be done while maintaining the interoperability pathway outlined by 
other HHS programs and with the full understanding of burden 
represented. A few commenters specifically supported the proposed 
extension for the list of disclosures from 2 to 3 years. A local 
government and a health system appreciated that the obligation for 
producing the list of disclosures remains with the intermediary and not 
the part 2 program. A few commenters asserted that the proposed changes 
would help address technological issues with HIEs that are compliant 
with part 2. Others suggested this process would be burdensome for HIEs 
and part 2 programs.
Response
    We acknowledge these comments. The final rule in Sec.  2.24 extends 
the ``look back'' period for the required list of disclosures by an 
intermediary from 2 years to 3 years as proposed. We made this change 
to align with the new right to an accounting of disclosures in Sec.  
2.25 for disclosures made with consent, that contains a 3-year look 
back period. As we have stated prior to this final rule, the 
intermediary, not the part 2 program itself, is responsible for 
compliance with the required list of disclosures under Sec.  2.24.\227\ 
We discuss costs and benefits associated with this rule below including 
for Sec. Sec.  2.24 and 2.25.
---------------------------------------------------------------------------

    \227\ 82 FR 6052, 6072.
---------------------------------------------------------------------------

Comment
    Comments asserted that the accounting requirement for 
intermediaries was duplicative of the accounting of disclosure for TPO 
from an EHR requirements under HIPAA (which have not been finalized in 
regulation) and had created barriers to the use of HIEs to exchange 
part 2 records. One commenter asserted that they have not allowed part 
2 records in their system due to the differing requirements and that 
the intermediary proposal would perpetuate this outcome. Another 
commenter explained that a group of organizations that tested part 2 
disclosure models did not ultimately adopt them because the part 2 
requirements were too problematic. Several commenters requested that 
the requirement for providing the list of disclosures be tolled until 
the finalization of the expected HIPAA accounting of disclosures 
regulation for TPO disclosures through an EHR.
Response
    We are not tolling the list of disclosures requirements for 
intermediaries because these obligations already exist in Sec.  2.13(d) 
and are simply being continued in a new section Sec.  2.24 with the 
time period covered being extended from 2 years to 3. Intermediaries 
are not subject to the HIPAA accounting of disclosures requirements, by 
definition, because we have excluded covered entities and business 
associates from the definition of ``intermediary'' in the final rule. 
Because the HIPAA accounting of disclosures requirement for TPO 
disclosures through an EHR has not yet been finalized, we believe this 
distinct list of disclosures requirement should remain effective.

[[Page 12535]]

Final Rule
    We are finalizing in this section, redesignated as Sec.  2.24, that 
an intermediary must provide to patients who have consented to the 
disclosure of their records using a general designation pursuant to 
Sec.  2.31(a)(4)(ii)(B), a list of persons to whom their records have 
been disclosed pursuant to the general designation.
Section 2.25--Accounting of Disclosures
Proposed Rule
    The Department noted in the NPRM that except for disclosures made 
by intermediaries, the current part 2 regulation did not have 
provisions that included a right for patients to obtain an accounting 
of disclosures of part 2 records.\228\ Section 290dd-2(b)(1)(B) of 42 
U.S.C., as amended by section 3221(b) of the CARES Act, applies section 
13405(c) of the HITECH Act, 42 U.S.C. 17935(c) (Accounting of Certain 
Protected Health Information Disclosures Required if Covered Entity 
Uses Electronic Health Record), to part 2 disclosures for TPO with 
prior written consent. Therefore, the Department proposed to add a new 
Sec.  2.25 (Accounting of disclosures) to establish the patient's right 
to receive, upon request, an accounting of disclosures of part 2 
records made with written consent for up to three years prior to the 
date the accounting is requested.
---------------------------------------------------------------------------

    \228\ 42 CFR 2.13(d) (specifying List of Disclosures requirement 
applicable to intermediaries).
---------------------------------------------------------------------------

    This proposal was intended to apply the individual right to an 
accounting of disclosures in the HITECH Act to disclosure of part 2 
records.\229\ The Department proposed at Sec.  2.25(a) that paragraph 
(a) would generally require an accounting of disclosures made with 
patient consent for a period of 6 years prior to the request, and 
paragraph (b) would limit the requirement with respect to disclosures 
made with TPO consent, which would only be required for disclosures 
made from an EHR system for a period of 3 years prior to the request. 
In both instances, the proposed changes would be contingent on the 
promulgation of HITECH Act modifications to the accounting of 
disclosures standard in the HIPAA Privacy Rule at 45 CFR 164.528.\230\
---------------------------------------------------------------------------

    \229\ OCR published an NPRM to implement this HITECH Act 
provision in 2011 but did not finalize it because of concerns raised 
by public comments. See 76 FR 31426 (May 31, 2011). OCR announced 
its intention to withdraw the 2011 NPRM and requested public input 
on new questions to help OCR implement the HITECH Act requirement as 
part of the 2018 HIPAA Rules Request for Information (RFI). See 83 
FR 64302, 64307 (Dec. 14, 2018). A final HIPAA regulation on the 
accounting of disclosures that would apply to TPO disclosures by 
covered entities has not been issued.
    \230\ See also sec. 13405(c) of the HITECH Act (codified at 42 
U.S.C. 17935(c). Since the HITECH Act requirement for accounting of 
disclosures was enacted in 2009, the Department published a RFI at 
75 FR 23214 (May 3, 2010) and an NPRM at 76 FR 31426 (May 31, 2011). 
Based in part on public comment on the RFI, the Department proposed 
to provide individuals with an ``access report'' as a means of 
fulfilling the requirement. Based on feedback on the NPRM in which 
commenters overwhelmingly opposed the report as ``unworkable,'' the 
Department, in a follow up RFI published at 83 FR 64302, explained 
its intent to withdraw the proposal of the 2011 NPRM. The Department 
received additional public comment about implementing sec. 13405(c) 
and will publish in a future Regulatory Unified Agenda notice about 
any future actions.
---------------------------------------------------------------------------

    The Department stated in the NPRM preamble that this proposed 
accounting requirement is consistent with section 3221(b) of the CARES 
Act, 42 U.S.C. 290dd-2(b)(1)(B), as amended. The Department noted that 
the CARES Act applied the HITECH Act ``look back'' time period for 
accounting of disclosures to ``all disclosures'' of part 2 records with 
consent and not just those disclosures contained in an EHR. From a 
policy perspective, the Department therefore proposed to apply the 3-
year ``look back'' to all accountings of disclosures with consent and 
not just for accountings of disclosures of records contained in an EHR.
    Because the Department has not yet finalized the HITECH Act 
accounting of disclosures modifications within the HIPAA Privacy Rule, 
the Department did not propose to require compliance with Sec.  2.25 
before finalizing the HIPAA Privacy Rule provision in 45 CFR 164.528. 
The comments and the Department's responses regarding Sec.  2.25 are 
set forth below.
Accounting of Disclosures for TPO
Comment
    A few commenters expressed opposition to the accounting of 
disclosures for TPO because: (1) the proposal does not align with the 
HIPAA Privacy Rule, including the exclusion pursuant to an 
authorization; (2) it would increase administrative burden; and (3) the 
existing and established technology lacks the capability, including 
manual collection of data from multiple systems (e.g., EHR and practice 
management system for payment and health care operations). Other 
commenters remarked that unless technical capabilities are developed 
within certified EHR technology to capture why someone has opened a 
patient record, providing a full accounting would be impossible and 
requiring providers to mark and maintain a full accounting would 
incentivize providers to forego going into a patient's record, even 
when it may be better for treatment coordination.
Response
    We appreciate the comments. However, the proposed change is 
required by section 290dd-2(b)(1)(B) of 42 U.S.C., as amended by 
section 3221(b) of the CARES Act, that applies section 13405(c) of the 
HITECH Act, 42 U.S.C. 17935(c), to part 2 disclosures for TPO with 
prior written consent. The final rule attempts to balance the potential 
compliance burden by tolling the effective and compliance dates for the 
HITECH accounting of disclosures requirement until it is finalized 
within the HIPAA Privacy Rule.
Comment
    A health system and a health IT vendor commented on the timeframes 
covered in accountings of disclosure and suggested that the period for 
which accountings can be requested be limited to those after the rule 
is effective because of different applicable privacy standards prior to 
rule finalization. For example, if the Department finalizes the 
accounting of disclosures provision to include data for six years prior 
to the request date, the first day for which part 2 programs would need 
to provide accountings would be the effective date of the rule.
Response
    We appreciate the comments. We clarify that the period for which an 
accounting can ``look back'' is limited to those disclosures occurring 
after the first day of the compliance date.
Comment
    An HIE association requested the Department provide a specific 
maximum allowable cost to a patient for fulfilling a requested 
accounting of disclosures for their PHI in the final rule. According to 
the commenter, the Department provides guidance in other resources on 
the maximum allowable cost that a patient can incur when requesting an 
accounting of disclosures but the NPRM did not provide a clear and 
concise regulatory specification.
Response
    We appreciate the comment and decline at this time to state a 
maximum patient cost; however, we will further consider the comment in 
drafting the HIPAA accounting of disclosures final rule to implement 
section 13405(c) of the HITECH Act, 42 U.S.C. 17935(c). We are not 
aware of resources that discuss

[[Page 12536]]

the maximum allowable cost that a patient can incur when requesting an 
accounting of disclosure. However, the Department has provided guidance 
in other resources on the costs a covered entity may charge individuals 
to receive a copy of their PHI, which is a different cost from 
providing individuals an accounting of disclosures. For an accounting 
of disclosures, the HIPAA Privacy Rule at 45 CFR 164.528(c)(2) requires 
a covered entity provide the first accounting to an individual in any 
12-month period without charge. The covered entity may impose a 
reasonable, cost-based fee for each subsequent request for an 
accounting by the same individual within the 12-month period, provided 
that the covered entity informs the individual in advance of the fee 
and provides the individual with an opportunity to withdraw or modify 
the request.
Comment
    Several commenters were supportive of the proposal to add a new 
accounting of disclosures requirement in part 2 because it would align 
with an individual's rights under the HIPAA Privacy Rule. One health IT 
vendor said health IT and other digital technologies should incorporate 
audit trails to help detect inappropriate access to PHI. An advocacy 
organization supported the proposed timeframes an accounting of 
disclosures would cover, while a health system said the three-year 
timeframe for TPO disclosures should match the six-year timeframe in 
the HIPAA Privacy Rule.
Response
    We appreciate the comments. With respect to the ``look back'' 
period for accounting of disclosures in the HIPAA Privacy Rule, an 
individual has a right to receive an accounting of disclosures of PHI 
made by a covered entity in the six years prior to the date on which 
the accounting is requested.\231\ The HITECH accounting requirement 
covers disclosures for TPO made via an EHR and a look back period of 
only three years; however, this has not been finalized in the HIPAA 
Privacy Rule, so we cannot harmonize the part 2 TPO disclosure 
timeframe to that of the HIPAA Privacy Rule accounting of disclosure 
requirement. Additionally, a HIPAA accounting of disclosures rulemaking 
would implement the HITECH Act modification to 45 CFR 164.528 for 
disclosures for TPO to three years prior to the date which the 
accounting is requested.\232\
---------------------------------------------------------------------------

    \231\ See 45 CFR 164.528(a)(3).
    \232\ See sec. 13405(c) of the HITECH Act (codified at 42 U.S.C. 
17935(c)).
---------------------------------------------------------------------------

Comment
    A few trade associations and a health IT vendor requested the 
Department provide a template for the accounting of disclosures that 
includes the level of detail necessary to fulfill the requirement.
Response
    We appreciate the comments and will consider providing a template 
when the HITECH accounting of disclosures requirement is finalized 
within the HIPAA Privacy Rule.
Tolling of Compliance Date
Comment
    A few commenters addressed tolling the compliance date for part 2 
programs and each of them agreed with tolling the effective and 
compliance dates of the accounting of disclosures proposal until the 
effective and compliance dates of the modified HIPAA Privacy Rule 
accounting provision to provide consistency for part 2 providers, 
covered entities, and business associates.
Response
    We appreciate the comments. We are tolling the effective and 
compliance dates for part 2 programs until the effective and compliance 
dates of a final rule on the HIPAA/HITECH accounting of disclosures 
standard (section 13405(c) of the HITECH Act) to ensure part 2 programs 
do not incur new compliance obligations before covered entities and 
business associates under the HIPAA Privacy Rule are obligated to 
comply. We are also mindful that the alignment of the part 2 and HIPAA 
compliance dates for the accounting of disclosures is most important 
for part 2 programs that are also covered entities. We also note the 
part 2 programs are not required to include the statement of a 
patient's right to an accounting of disclosures in the Patient Notice 
under Sec.  2.22 until the future compliance date of the accounting of 
disclosures.
Other Comments on Requests for Accountings of Disclosures
    The Department, in the NPRM, asked for feedback on potential 
burdens such as staff time and other costs associated with accounting 
of disclosure requests.\233\ The Department also requested data on the 
extent to which covered entities receive requests from patients to 
restrict disclosures of patient identifying information for TPO 
purposes, how covered entities document such requests, and the 
procedures and mechanisms used by covered entities to ensure compliance 
with patient requests to which they have agreed or that they are 
otherwise required to comply with by law.
---------------------------------------------------------------------------

    \233\ 87 FR 74216, 74239, 74249.
---------------------------------------------------------------------------

Comment
    A few commenters said they rarely receive requests for an 
accounting of disclosures and a few commenters stated they receive 
between 1-10 requests annually. Some of these commenters said in their 
experiences a single request for an accounting of disclosures from a 
patient may take one staffer with the current functionality within an 
organization a full 40-hour week to respond.
Response
    We appreciate the comments and the information provided on the 
number and type of requests for an accounting of disclosures of PHI 
received annually and the staff time involved in responding to an 
individual's request for an accounting of disclosures of PHI.
Final Rule
    The final rule adopts all proposed modifications to Sec.  2.25, 
with a correction to the timeframe in paragraph (a) to require an 
accounting of disclosures made with consent in the 3 years prior to the 
date of the request.
Section 2.26--Right to Request Privacy Protection for Records
Proposed Rule
    Prior to the CARES Act amendments, the part 2 statute did not 
explicitly provide a patient the right to request restrictions on 
disclosures of part 2 records for TPO, although patients could tailor 
the scope of their consent, which would govern the disclosure of their 
part 2 records. Section 3221(b) of the CARES Act amended 42 U.S.C. 
290dd-2 such that section 13405(c) of the Health Information Technology 
and Clinical Health Act (42 U.S.C. 17935(c)) applies to subsection 
(b)(1). Therefore, the Department proposed to codify in Sec.  2.26 a 
patient's rights to: (1) request restrictions on disclosures of part 2 
records for TPO purposes, and (2) obtain restrictions on disclosures to 
health plans for services paid in full. The proposed provision would 
align with the individual right in the HITECH Act, as implemented in 
the HIPAA Privacy Rule at 45 CFR 164.522.\234\ As with the HIPAA 
Privacy Rule right to request

[[Page 12537]]

restrictions, a part 2 program that denies a request for restrictions 
still would be subject to any applicable state or other law that 
imposes greater restrictions on disclosures than part 2 requires.
---------------------------------------------------------------------------

    \234\ See 42 U.S.C. 17935(a).
---------------------------------------------------------------------------

    In addition to applying the HITECH Act requirements to part 2, the 
CARES Act emphasized the importance of the right to request 
restrictions in three provisions, including:
    (1) a rule of construction that the CARES Act should not be 
construed to limit a patient's right under the HIPAA Privacy Rule to 
request restrictions on the use or disclosure of part 2 records for 
TPO; \235\
---------------------------------------------------------------------------

    \235\ See sec. 3221(j)(1) of the CARES Act. The Department 
believes the effect of this rule of construction is that 45 CFR 
164.522 of the HIPAA Privacy Rule continues to apply without change 
to covered entities with respect to part 2 records.
---------------------------------------------------------------------------

    (2) a Sense of Congress that patients have the right to request a 
restriction on the use or disclosure of a part 2 record for TPO; \236\ 
and
---------------------------------------------------------------------------

    \236\ See sec. 3221(k)(2) of the CARES Act.
---------------------------------------------------------------------------

    (3) a Sense of Congress that encourages covered entities to make 
every reasonable effort to the extent feasible to comply with a 
patient's request for a restriction regarding TPO uses or disclosures 
of part 2 records.\237\
---------------------------------------------------------------------------

    \237\ See sec. 3221(k)(3) of the CARES Act.
---------------------------------------------------------------------------

Comment
    Commenters provided general support for the proposal to modify part 
2 to implement requirements in the CARES Act concerning a patient's 
right to request restrictions on uses and disclosures of part 2 
records. For instance, a medical professionals association supported 
this proposed change, stating that transparent privacy policies should 
accommodate patient preference and choice as long as those preferences 
and choices do not preclude the delivery of clinically appropriate 
care, public health, or safety. A county health system said the 
proposed changes will promote patient advocacy, privacy, and 
transparency. Health system and health plan commenters supported the 
proposed language allowing patients to request restrictions on the use 
or disclosure of their PHI if this request aligns with the HIPAA 
Privacy Rule, which gives covered entities the ability to approve or 
deny these requests. Others such as state agencies, health care 
providers, and a health IT vendor also supported provisions to request 
restrictions on disclosures including for disclosures otherwise 
permitted for TPO purposes.
Response
    We appreciate the comments about the proposed addition of a new 
patient right to request restrictions on uses and disclosures of part 2 
records for TPO and the alignment of the right with the parallel HIPAA 
provision.
Comment
    A health information association supported a mechanism for patients 
to request to restrict where and who can access their records in 
specific situations as this approach builds trust and allows the 
patient to control use and disclosure of their health record. The 
commenter further asserted that while data segmentation challenges 
exist, most providers follow HIPAA and align with state law privacy 
requirements regarding use and disclosure of part 2 records. However, 
the association urged that as the Department finalizes these 
requirements the ability for a patient to request restriction of 
disclosure should not be mandatory for providers to adhere to when they 
are otherwise required to provide disclosure. Another provider 
supported aligning the right to request a restriction with HIPAA 
language to include specific language which clarifies a covered entity 
and/or part 2 program is under no obligation to agree to requests for 
restrictions. Due to EHR functionality limitations, the provider cannot 
accommodate most requests for restrictions, especially related to 
treatment.
Response
    We appreciate the comments about our proposed change to align part 
2 and HIPAA requirements. As stated in Sec.  2.26(a)(5): ``[a] 
restriction agreed to by a part 2 program under paragraph (a) of this 
section is not effective under this subpart to prevent uses or 
disclosures required by law or permitted by this regulation for 
purposes other than treatment, payment, and health care operations, as 
defined in this part.'' Paragraph (a)(6) of Sec.  2.26 also states that 
``[a] part 2 program must agree to the request of a patient to restrict 
disclosure of records about the patient to a health plan if . . . [t]he 
disclosure is for the purpose of carrying out payment or health care 
operations and is not otherwise required by law [. . .].'' Therefore, a 
part 2 program that is a covered entity is not required by this section 
to agree to restrict a disclosure that otherwise is required by law 
\238\ or for a purpose permitted by part 2 other than TPO.\239\
---------------------------------------------------------------------------

    \238\ For further discussion of ``required by law'' in the HIPAA 
context, see 78 FR 5566, 5628.
    \239\ For further discussion of ``required by law'' in the HIPAA 
context, see 78 FR 5566, 5628.
---------------------------------------------------------------------------

Comment
    An individual commenter urged the Department to expand its proposal 
by using the general regulatory authority given it by the CARES Act to 
modify 42 CFR part 2 to indicate that a covered entity is required to 
agree to a patient's requested restriction of uses and disclosures of 
part 2 information. Thus, the commenter suggested the provisions of 45 
CFR 164.522(a)(1)(ii) and (a)(2)(iii) would be eliminated. The 
commenter asserted that a ``rule of construction'' in the CARES Act 
should not be construed to limit a patient's right under the HIPAA 
Privacy Rule to request restrictions on the use or disclosure of part 2 
records for TPO. The commenter stated its interpretation of the Sense 
of Congress in the CARES Act that patients have the right to request a 
restriction on the use or disclosure of a part 2 record for TPO and 
that encourages covered entities to make every reasonable effort to the 
extent feasible to comply with a patient's request for a restriction 
regarding TPO uses or disclosures of part 2 records.
    A health system also supported this change stating that this 
provision aligns with existing standards under the HIPAA Privacy Rule, 
which allows a patient to request restrictions, while a covered entity 
is not obligated to agree to that request (except when the service in 
question has been paid in full). The health system appreciated that HHS 
proposed to allow the same flexibility and decision-making capacity for 
part 2 programs. Another commenter proposed that the same standards are 
applied in part 2 as in HIPAA, which requires covered entities to 
evaluate requests and take reasonable means. The commenter believed 
that a covered entity is not mandated to honor a restriction for 
purposes of operation/treatment but would be for payment in 
circumstances where the patient pays out of pocket, in full. The 
commenter suggested applying the same standards to part 2 as applied to 
covered entities in the HIPAA restriction process. A health system said 
it supported aligning part 2 and HIPAA, but if there is a part 2 entity 
that is not already a covered entity under HIPAA, HHS should expand the 
HIPAA definition of covered entity rather than duplicate HIPAA 
provisions in this rule.
Response
    We acknowledge these comments and emphasize the Sense of Congress 
expressed in section 3221(k)(3) of the CARES Act that ``[c]overed 
entities should make every reasonable effort to the extent feasible to 
comply with a

[[Page 12538]]

patient's request for a restriction'' regarding such use or disclosure.
Comment
    A health system citing to 42 CFR 2.12(c)(3) supported HHS' attempt 
to better align part 2 with HIPAA as it relates to both uses and 
disclosures, stated that the introduction of restrictions on uses poses 
significant challenges for part 2 programs unless additional changes or 
clarifications to the regulations are made. The commenter urged the 
Department to clarify in the final rule that permitted uses also 
include those uses necessary to carry out the payment or health care 
operations of the part 2 program. Such clarification will ensure part 2 
programs may continue to use part 2 records internally for payment and 
health care operations that may not directly relate to the diagnosis, 
treatment, or referral for treatment of patients. Without this 
clarification, if a part 2 program fails to secure consent from a 
patient, the part 2 program would be prohibited from using part 2 
records for essential internal purposes, such as quality improvement, 
peer review, and other legally required patient safety activities.
Response
    Section 2.12(c)(3), which excludes from part 2 restrictions 
treatment-related internal communications among staff in a program and 
communications with entities that have direct administrative control of 
the program, is not inconsistent with the new patient right to request 
restrictions on disclosures for TPO purposes, and a patient's right to 
obtain restrictions on disclosures to health plans for services paid in 
full by the patient. Additional changes desired by the commenter to 
Sec.  2.12(c)(3) are outside the scope of this rulemaking.
Comment
    A medical professionals association asserted that given the 
sensitivity of SUD data patients may request that their SUD treatment 
data not be shared with other clinicians nor be accessible via various 
third-party applications. The commenter believed that physicians, 
especially those in primary care, generally lack the ability to segment 
out certain parts of a patient's record while maintaining the ability 
to meaningfully share the non-SUD treatment data with the patient's 
care team for the purposes of care coordination and management. The 
commenter explained its view that this lack of granular data 
segmentation functionality increases administrative burden and creates 
challenges for clinicians who are complying with requests not to 
disclose SUD treatment data while still complying with HIPAA and 
information blocking requirements. As a result, clinicians must either 
place sensitive data in the general medical record and institute 
policies and procedures outside of the EHR to protect this data or 
create a new location or shadow chart that houses and protects the 
data. These workarounds disrupt the flow of comprehensive health data 
within a patient's care team and increases administrative tasks. The 
association urges HHS to work with EHR vendors to modernize the 
functionality of health care data management platforms to ensure part 2 
programs can keep patients' data confidential when requested. Another 
medical association also reflected similar views.
    A health IT vendor claimed that several NPRM provisions, including 
Sec.  2.26, would require it to implement procedural changes. But the 
vendor stated that these updates are necessary to eliminate barriers to 
data sharing amongst patients, providers, and health care facilities. 
The vendor also believed these requirements can be implemented within 
the proposed 22-month compliance period.
    A health IT association supported alignment with a patient's right 
to request restrictions under the existing HIPAA Privacy Rule. But the 
commenter believed that it is important not to add a burden on covered 
entities participating in a shared electronic health information 
platform or with an HIE or HIN. The commenter urged OCR and SAMHSA to 
connect to health IT developers, technology companies, HIE, and HINs to 
ensure that technology exists to feasibly allow for covered entity 
compliance with interoperability and information blocking requirements.
Response
    We acknowledge concerns that data segmentation may be difficult for 
part 2 programs and covered entities and discuss this further in Sec.  
2.12. However, covered entities have had to address individuals' 
requests for restrictions of TPO uses and disclosures since the HIPAA 
Privacy Rule was implemented more than two decades ago. The renewed 
emphasis on the right to request restrictions on uses and disclosures 
of records for TPO is closely linked to the new permission to use and 
disclose records based on a single consent for all future TPO. We have 
stated in the discussion of the new consent permission that programs 
and covered entities that want to utilize the TPO consent mechanism 
should be prepared from a technical perspective to also afford patients 
their requested restrictions when it is otherwise reasonable to do so. 
Entities that are planning to benefit from streamlined transmission and 
integration of part 2 records by using the single consent for all TPO 
should be prepared to ensure that patients' privacy also benefits from 
the use of health IT.
    EHR systems' technical capabilities are outside the scope of this 
rulemaking, but we are cognizant of and refer throughout this rule to 
the existing health IT capabilities supported by data standards adopted 
by ONC on behalf of HHS in 45 CFR part 170, subpart B, and referenced 
in the ONC Health IT Certification Program certification criteria for 
security labels and segmentation of sensitive health data. ONC, SAMHSA, 
OCR, and others collaborate to support EHRs and health IT in behavioral 
health and integrated care settings.\240\
---------------------------------------------------------------------------

    \240\ See ``Behavioral Health,'' supra note 133.
---------------------------------------------------------------------------

Comment
    A provider association opined that the NPRM overemphasizes the 
social harms that disclosing SUD clinical information creates, at the 
risk of medical harms and overdose deaths that are a consequence of 
poor care coordination. The commenter urged the Department to provide 
guidance on precisely what is expected of providers as they incorporate 
processes to respect these patient rights if the provisions are 
finalized as proposed.
Response
    We appreciate this comment and the concern for patient safety. As 
noted above, providers are not required to agree to all patient 
requests for restrictions on uses and disclosures for TPO, but are 
encouraged to make reasonable efforts to do so. Providers retain the 
responsibility for patient care and determining what is reasonable 
under the circumstances. The final rule is emphasizing, however, that 
programs and covered entities are expected to do more than merely 
establish policies and procedures on the right to request 
restrictions--they need to make a concerted effort to evaluate how they 
can reasonably accommodate patients' requests.
Comment
    An academic health center stated its general support for patients' 
rights to limit access to their medical records but wanted to avoid 
creating further administrative and operational burdens on staff and 
avoid managing patient data retroactively.

[[Page 12539]]

Response
    We acknowledge this comment and concerns about burdens that could 
result from Sec.  2.26 implementation. However, part 2 programs that 
are covered entities are already subject to the HIPAA provisions on the 
right to request restrictions in 45 CFR 164.522. As finalized, we 
believe this section is consistent with HIPAA as well as CARES Act 
requirements.
Comment
    A medical professionals association asserted that the NPRM does not 
account for patient protections in plans self-funded through an 
employer. The association requested clarity on how TPO information will 
be kept protected from the employer and how patients will be protected 
against discriminatory practices, arguing that without further 
clarification, employees will be hesitant to seek treatment if there is 
an assumption that an employer will have knowledge of his or her SUD.
    In contrast, a national employee benefits association for large 
employers urged the Department to allow health plan sponsors (i.e., 
employers) to access part 2 records containing de-identified claims 
data that are held by third-party vendors that manage SUD programs. 
From the employer/health plan sponsors' perspective, these records are 
needed to evaluate and improve health benefits.
Response
    Self-funded group health plans are not permitted to retaliate 
against SUD or other patients/employees for seeking care. HHS has 
explained in guidance application of HIPAA to self-funded employer 
group health plans that: ``the [HIPAA] Privacy Rule does not directly 
regulate employers or other plan sponsors that are not HIPAA covered 
entities. However, the [HIPAA] Privacy Rule, in 45 CFR 164.504(f) does 
control the conditions under which the group health plan can share 
protected health information with the employer or plan sponsor when the 
information is necessary for the plan sponsor to perform certain 
administrative functions on behalf of the group health plan [. . . .] 
The covered group health plan must comply with [HIPAA] Privacy Rule 
requirements, though these requirements will be limited when the group 
health plan is fully insured.'' \241\
---------------------------------------------------------------------------

    \241\ U.S. Dep't of Health and Human Servs., ``As an employer, I 
sponsor a group health plan for my employees. Am I a covered entity 
under HIPAA?'' (Apr. 6, 2004), https://www.hhs.gov/hipaa/for-professionals/faq/499/am-i-a-covered-entity-under-hipaa/index.html.
---------------------------------------------------------------------------

    In discussing 45 CFR 164.530, HHS has further stated in guidance 
that ``group health plans are exempt from most of the administrative 
responsibilities under the [HIPAA] Privacy Rule. These health plans are 
still required, however, to refrain from intimidating or retaliatory 
acts, and from requiring an individual to waive their privacy rights.'' 
\242\
---------------------------------------------------------------------------

    \242\ See U.S. Dep't of Health and Human Servs., ``I'm an 
employer that offers a fully insured group health plan for my 
employees. Is the fully insured group health plan subject to all of 
the Privacy Rule provisions?'' (Apr. 6, 2004), https://www.hhs.gov/hipaa/for-professionals/faq/496/is-the-fully-insured-group-health-plan-subject-to-all-privacy-rule-provisions/index.html.
---------------------------------------------------------------------------

    As well, self-funded group health plans are subject to the Mental 
Health Parity and Addiction Equity Act (MHPAEA) which requires that 
most health plans providing mental health and SUD benefits must provide 
services comparable to those for medical/surgical conditions.\243\ 
While previously able to opt-out of these requirements, recent changes 
made by the Consolidated Appropriations Act of 2023 state that ``self-
funded, non-Federal governmental group health plans that opt out of 
compliance with MHPAEA are required to come into compliance with these 
requirements.'' \244\ This change too should mitigate the potential of 
employees to be subject to stigma and discrimination within self-funded 
group health plans because they have or are in recovery from an SUD.
---------------------------------------------------------------------------

    \243\ See Ctrs. for Medicare & Medicaid Servs., ``The Mental 
Health Parity and Addiction Equity Act (MHPAEA),'' https://www.cms.gov/cciio/programs-and-initiatives/other-insurance-protections/mhpaea_factsheet; Ctrs. for Medicare & Medicaid Servs., 
``Sunset of MHPAEA opt-out provision for self-funded, non-Federal 
governmental group health plans'' (June 7, 2023), https://www.cms.gov/files/document/hipaa-opt-out-bulletin.pdf.
    \244\ Ctrs. for Medicare & Medicaid Servs., ``Sunset of MHPAEA 
opt-out provision for self-funded, non-Federal governmental group 
health plans,'' at 1 (June 7, 2023), https://www.cms.gov/files/document/hipaa-opt-out-bulletin.pdf. See also, 42 U.S.C. 300gg-26, 
Parity in mental health and substance use disorder benefits.
---------------------------------------------------------------------------

    With respect to employer/health plan sponsor access to de-
identified part 2 records, the Department did not propose to create new 
use and disclosure permissions specific to employers/health plan 
sponsors and does not adopt such changes in this final rule. However, 
under this final rule, a covered entity or business associate that 
receives records under a TPO consent may redisclose them in accordance 
with the HIPAA Privacy Rule, which does not place limitations on the 
use or disclosure of de-identified information.
Comment
    A health plan asserted that, as written, the rule might be 
interpreted to prevent plans with part 2 data from redisclosing it 
without consent. Additional restrictions around TPO may negatively 
impact plans' business operations since plans would need to separate 
part 2 records from other records. This restriction would be burdensome 
and more operationally challenging even for the most sophisticated 
stakeholders, according to the commenter, who also asserted that 
patients may be more likely to receive unnecessary information in these 
broad disclosures. The commenter believed that the proposed expanded 
TPO restriction would overwhelm both patients and plans, ultimately 
hindering efforts toward more efficient care coordination for patients 
with SUD.
Response
    This section as finalized is consistent with the Sense of Congress 
as articulated in the CARES Act, which provides that patients have the 
right to request a restriction on the use or disclosure of a part 2 
record for TPO. The CARES Act similarly encourages covered entities to 
make every reasonable effort to the extent feasible to comply with a 
patient's request for a restriction regarding TPO uses or disclosures 
of part 2 record.
    A patient's right to request restrictions does not prevent health 
plans with part 2 records from redisclosing such records without 
patient consent as permitted under this rule, except in those 
situations where the plan has agreed to a requested restriction.
Comment
    A few commenters, including an advocacy organization, professional 
associations, and a recovery organization asserted that the proposed 
right is profoundly inequitable because it is only available to 
patients with the means to pay privately for SUD treatment. Pointing to 
what it views as disparities and the cost of SUD treatment, one 
commenter asserted that underserved communities and persons affected by 
poverty and inequality thus will be less able to exercise this right to 
restrict uses and disclosures of their SUD records. Other commenters 
expressed concern that some patients can afford to self-pay and may not 
wish to face the risks of restrictive health plan coverage policies, 
employers, and others finding out they are being treated for an SUD, 
but this right is not extended to those who cannot self-pay. These 
commenters believed that the rule

[[Page 12540]]

should not subject most Americans to these very real risks while 
acknowledging that persons of means can avoid them.
    The commenter recommended that HHS strengthen this provision so 
that providers comply with all patients' requests to restrict 
disclosures of this sensitive health information--not just those 
patients who are wealthy enough to pay in full and out-of-pocket. The 
commenter argued that strengthening the provision is also consistent 
with the CARES Act's ``Sense of Congress'' in section 3221(k)(3): 
``covered entities should make every reasonable effort to the extent 
feasible to comply with a patient's request for a restriction regarding 
such use or disclosure.'' The commenter asserted that when patients 
request a restriction on disclosure of their part 2 records, the 
default answer should be ``yes,'' subject to narrow exceptions such as 
disclosures to treat a medical emergency. In practice, however, 
providers' default answer is almost always ``no,'' which is why HHS 
should provide a more enforceable right here.
Response
    We acknowledge that, as structured, some elements of the right to 
request restrictions may benefit patients who can self-pay rather than 
those who are unable to do so. However, the provision requiring covered 
entities to agree to certain requests is statutory. For this reason and 
to align with HIPAA requirements pertaining to requests for 
restrictions by self-pay patients.\245\ The Department also 
acknowledges and is working to address disparities in access to SUD 
treatment.\246\
---------------------------------------------------------------------------

    \245\ U.S. Dep't of Health and Human Servs., ``Under HIPAA, may 
an individual request that a covered entity restrict how it uses or 
discloses that individual's protected health information (PHI)?'' 
(Dec. 28, 2022), https://www.hhs.gov/hipaa/for-professionals/faq/3026/under-hipaa-may-an-individual-request-that-a-covered-entity-restrict-how-it-uses-or-discloses-that-individuals-protect-health-information/index.html.
    \246\ See, e.g., Substance Abuse and Mental Health Servs. 
Admin., ``Behavioral Health Equity,'' https://www.samhsa.gov/behavioral-health-equity; Off. of the Assistant Secretary for 
Planning and Evaluation, ``Meeting Substance Use and Social Service 
Needs in Communities of Color'' (2022), https://aspe.hhs.gov/reports/substance-use-social-needs-people-color.
---------------------------------------------------------------------------

Comment
    One county government stated that in its experience there are very 
few requests for restriction received each year and virtually none are 
agreed to because of the related operational challenges. An academic 
health center said that in its experience of patients who request 
restrictions annually, only a relatively small number of restrictions 
are made in the context of self-pay for services. The center urged HHS 
to align the request for restriction process for part 2 records with 
what it views as the already established and operationally familiar 
process under HIPAA, explaining that from a technological perspective 
restricting patient information within the organization for TPO is 
burdensome, and highly error-prone. Restrictions for treatment purposes 
can endanger patients, as members of the treatment team need 
information to safely provide care, according to this commenter.
Response
    We appreciate this information in response to our request for input 
in the NPRM. Given that the number of requests for restrictions is 
small, the overall organizational burden for fulfilling such requests 
should not be overwhelming. When a regulated entity agrees to a 
requested restriction, we encourage it to explain to the patient any 
limits on its ability to ensure that the request is implemented fully.
Comment
    A commenter requested that notice of the right to request 
limitations of disclosures of health records, and the process for doing 
so comply with Federal guidance and best practices for individuals with 
limited English proficiency and individuals with limited literacy or 
health literacy skills.
Response
    We discuss notice requirements in Sec.  2.22 above. We have in the 
past stated that materials should take into consideration the cultural 
and linguistic needs of a provider's patients and be written to be 
clear and understandable.\247\
---------------------------------------------------------------------------

    \247\ 82 FR 6052, 6078.
---------------------------------------------------------------------------

Comment
    A privacy foundation cited one of its resources concerning HIPAA 
and why the right to request restrictions is in its view almost 
meaningless. The commenter suggested that the rule does not require a 
covered entity to agree to a restriction requested by a patient. More 
importantly, the covered entity does not have to agree even if the 
patient's request is reasonable. If HHS does not require a covered 
entity to respond to a patient's request for restriction, even to state 
whether the request is granted or declined, the right to request 
restrictions is meaningfully diminished, according to the commenter, 
which, added that in some cases, the right to request restrictions will 
be--for all intents and purposes--abrogated in cases where the request 
is never given any response.
Response
    As finalized, we believe this section is consistent with HIPAA as 
well as CARES Act requirements. We have provided guidance within HIPAA 
about requests for restrictions on disclosures of PHI in HIPAA under 45 
CFR 164.522.\248\ The right to request restrictions must be balanced 
with other regulatory requirements and patient needs, such as for 
emergency treatment even when use of records has been restricted. We 
also note that as required by Sec.  2.26(a)(6)(ii), a part 2 program 
must implement restrictions on disclosure when requested by a patient 
if a record pertains solely to a health care item or service for which 
the patient, or person other than the health plan on behalf of the 
patient, has paid the part 2 program in full.
---------------------------------------------------------------------------

    \248\ ``Under HIPAA, may an individual request that a covered 
entity restrict how it uses or discloses that individual's protected 
health information (PHI)?'' supra note 245; U.S. Dep't of Health and 
Human Servs., ``Uses and Disclosures for Treatment, Payment, and 
Health Care Operations'' (Apr. 3, 2003), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html.
---------------------------------------------------------------------------

Comment
    An SUD provider recommended eliminating the ability for tailored 
restrictions by patients. Additionally, should the Department implement 
this requirement, the provider requests requested that the regulations 
clarify whether a part 2 program is responsible for notifying other 
recipients of part 2 information if a patient decides to restrict 
future disclosures.
Response
    As explained, we are finalizing the proposed requirements. 
Redisclosure provisions are discussed in this rule in Sec. Sec.  
2.12(d) and 2.33. As we note, consistent with the Sense of Congress in 
the CARES Act, section 3221(k)(3), covered entities, including those 
covered entities that also are part 2 programs, should make every 
reasonable effort to the extent feasible to comply with a patient's 
request for a restriction regarding a particular use or disclosure. 
This would apply should a patient subsequently modify a request under 
this section.
Comment
    An advocacy group supported the proposed right of patients to 
request privacy protections as a means of

[[Page 12541]]

building trust with the patient but urged HHS to adopt a reasonable or 
as practicable a standard as possible when adopting this proposal. Some 
patient requests may not be feasible, and a part 2 program should not 
have to comply with requests that are overly burdensome or impractical.
Response
    We draw attention to the Sense of Congress expressed in the CARES 
Act that ``[c]overed entities should make every reasonable effort to 
the extent feasible to comply with a patient's request for a 
restriction regarding such use or disclosure,'' \249\ and we encourage 
part 2 programs to do so as well. We believe that this language makes 
it clear that reasonable effort is expected and that it may be balanced 
by what is feasible. We believe that a program should not condition 
treatment on a TPO consent unless it has some capacity to fulfill 
patients' requests for restrictions on uses and disclosures for TPO 
such that ``every reasonable effort'' has some meaning. We are 
finalizing as proposed in Sec.  2.22 a requirement to include in the 
Patient Notice a statement that the patient has the right to request 
restrictions on disclosures for TPO and in Sec.  2.26 a patient's right 
to request restrictions.
---------------------------------------------------------------------------

    \249\ See section 3221(k)(3).
---------------------------------------------------------------------------

Comment
    With respect to proposed Sec.  2.26(a)(4), a health system 
suggested that a request to restrict access to records for treatment 
purposes would likely not be granted since such a restriction could not 
be reasonably guaranteed in an EHR. In its system, part 2 programs have 
been implemented as restricted departments. Access controls have been 
implemented to permit emergency physicians to access such records by 
breaking the glass and documenting the purpose of access. At this time, 
the commenter believed that there is not a practical way to 
operationalize the inclusion of additional language in the break the 
glass process so emergency physicians could view language to not 
further use or disclose this information.
Response
    As finalized Sec.  2.26(a)(4) states that ``[i]f information from a 
restricted record is disclosed to a health care provider for emergency 
treatment under paragraph (a)(3) of this section, the part 2 program 
must request that such health care provider not further use or disclose 
the information.'' Section 2.26(a)(3) permits use of restricted records 
for emergency treatment. While we have stated in this rule that data 
segmentation is not required, we also stated in 2017 that ``data 
systems must be designed to ensure that the part 2 program is notified 
when a `break the glass' disclosure occurs and part 2 records are 
released pursuant to a medical emergency. The notification must include 
all the information that the part 2 program is required to document in 
the patient's records.'' \250\ We recognize that EHR systems have 
varying degrees of functionality for implementing requested 
restrictions and programs are in different stages of updating their 
systems; however, we believe that programs need to evaluate how the 
limitations of their EHRs may affect patient choice and develop 
policies accordingly. For example, if a program conditions treatment on 
a patient's TPO consent and the patient agrees to sign the consent, but 
only if their records are not provided to a certain provider, the 
program should have the means to accommodate the request and if not, 
allow the patient to sign a more limited consent as appropriate within 
the context. While lack of EHR system capability may be a valid 
rationale for not accommodating some patients' requests for 
restrictions, it may also be a basis for not adopting a policy of 
conditioning treatment on signing a single consent for all TPO if the 
program has no other mechanism available to limit disclosures of part 2 
records in the event that patients request restrictions.
---------------------------------------------------------------------------

    \250\ 82 FR 6052, 6096.
---------------------------------------------------------------------------

Final Rule
    We are finalizing this new section as proposed. We also note the 
Sense of Congress expressed in section 3221(k)(3) of the CARES Act 
stating that ``[c]overed entities should make every reasonable effort 
to the extent feasible to comply with a patient's request for a 
restriction regarding a particular use or disclosure.'' We also 
encourage part 2 programs that are not covered entities to make such 
efforts. OCR has provided examples in guidance about the analogous 
HIPAA provision that could demonstrate ``reasonable effort'' to 
operationalize compliance with a patient's request for a restriction 
including in circumstances when an individual is unable to pay for 
their health care in full. For instance, consistent with 45 CFR 
164.522(a)(1)(vi) we cite the example that ``if an individual pays for 
a reproductive health care visit out-of-pocket in full and requests 
that the covered health care provider not submit PHI about that visit 
in a separate claim for follow-up care to their health plan, the 
provider must agree to the requested restriction.'' \251\ If an 
individual wishes to not receive fundraising communications, we noted 
in preamble to the 2013 Omnibus Final Rule that ``[c]overed entities 
should consider the use of a toll-free phone number, an email address, 
or similar opt out mechanisms that provide individuals with simple, 
quick, and inexpensive ways to opt out of receiving further fundraising 
communications.'' \252\ For instance, a covered entity might develop a 
phone-based process that supports individuals in making appropriate 
requests for restrictions on use and disclosure of PHI.\253\
---------------------------------------------------------------------------

    \251\ ``Under HIPAA, may an individual request that a covered 
entity restrict how it uses or discloses that individual's protected 
health information (PHI)?'' supra note 245.
    \252\ 78 FR 5565, 5621 (Jan. 25, 2013).
    \253\ See Ctrs. for Medicare & Medicaid Servs., ``CMS Security 
and Privacy Handbooks,'' https://security.cms.gov/learn/cms-security-and-privacy-handbooks; Ctrs. for Medicare & Medicaid 
Servs., ``CMS Privacy Program Plan,'' https://security.cms.gov/policy-guidance/cms-privacy-program-plan.
---------------------------------------------------------------------------

    Some entities also have developed specific forms to facilitate 
compliance with 45 CFR 164.522 requirements.\254\ Similar reasonable 
efforts could be used to operationalize requests for restrictions in 
Sec.  2.26 as finalized, such as supporting options for a patient 
wishing to restrict disclosures for TPO.
---------------------------------------------------------------------------

    \254\ See Kyle Murphy, ``How IHS plans to implement the HIPAA 
Privacy Rule,'' HealthITSecurity (Jan. 11, 2013). https://healthitsecurity.com/news/how-ihs-plans-to-implement-the-hipaa-privacy-rule (discussing Indian Health Service efforts). See also, 
Indian Health Service, ``Patient Forms,'' https://www.ihs.gov/forpatients/patientforms/.
---------------------------------------------------------------------------

Section 2.31--Consent Requirements.
Section 2.31(a) Requirements for Written Consent
Proposed Rule
    The Department proposed to align the required elements for a part 2 
consent in paragraph (a) with the required elements of a HIPAA 
authorization, to include: the patient's name; the person or class of 
persons making the disclosure; a description of the information to be 
disclosed in a specific and meaningful fashion; a designation of 
recipients; a description of the purpose or if no stated purpose, ``at 
the request of the patient;'' the patient's right to revoke consent and 
how to do so; an expiration date or event; the patient's or authorized 
person's signature; and the date signed. In addition, the Department 
proposed several provisions in the consent requirements to support 
implementation of the CARES Act requirement to permit

[[Page 12542]]

a single consent for all future uses and disclosures for TPO, as listed 
below:
     The recipient may be a class of persons including a part 2 
program, covered entity, or business associate and the consent may 
describe the recipient as ``my treating providers, health plans, third-
party payers, and those helping operate this business'' or use similar 
language. The consent also may include a named intermediary under 
paragraph (a)(4)(ii), as applicable.
     The statement, ``for treatment, payment, and health care 
operations'' is a sufficient description of the purpose when a patient 
provides consent for all future uses or disclosures for those purposes.
     The required expiration date or event may be ``none'' for 
a consent for all future uses and disclosures for TPO.
     The consent must include:
    [cir] The statement that the patient's record (or information 
contained in the record) may be redisclosed in accordance with the 
permissions contained in the HIPAA regulations, except for uses and 
disclosures for civil, criminal, administrative, and legislative 
proceedings against the patient.
    [cir] A statement about the potential for the records used or 
disclosed pursuant to the consent to be subject to redisclosure by the 
recipient and no longer protected by this part.
    [cir] The consequences to the patient of a refusal to sign the 
consent.
    The Department proposed to require that a consent to disclose part 
2 records to intermediaries state the name(s) of the intermediary(ies) 
and one of the following:
     The name(s) of member participant(s) of the intermediary; 
or
     A general designation of a participant(s) or class of 
participants, which must be limited to a participant(s) who has a 
treating provider relationship with the patient whose information is 
being used or disclosed.
    The Department proposed to remove from the consent requirements a 
required statement of a patient's right to obtain a list of disclosures 
made by an intermediary.
    Finally, the Department proposed wording changes to replace the 
term ``individual'' with the term ``person'' to comport with the 
meaning of person in the HIPAA regulations and consistent with similar 
changes proposed throughout this part.
Required Elements of Consent
Comment
    Some commenters who supported the proposed alignment of part 2 with 
the HIPAA regulations expressed enthusiasm for what they described as a 
long-awaited change that would support the streamlining of 
administrative processes, improvements in care coordination, and 
reduced inequities in how SUD treatment is viewed compared with general 
health care. One commenter specifically appreciated the clarification 
that electronic signatures are permitted. An Indian health board noted 
that allowing American Indian/American Native patients to identify a 
``class of participants'' with a treating provider relationship (like a 
``health care team'') within a single prior consent would facilitate 
care within the Indian health system. Another supporter pointed out 
that including ``use'' as well as ``disclosure'' clarifies the consent 
form and noted that informing patients about the ability for 
information to be redisclosed it also important. A health information 
management association described the changes as ``removing regulatory 
morass.'' A health plan believed that the proposed changes ``mak[e] it 
easier to comply with both regulatory requirements [of part 2 and the 
HIPAA regulations] without adding an additional layer of regulatory 
burden. The statutorily required six elements [of a consent] noted 
above as well the additional explanations for failing to sign a consent 
will better ensure that patients are apprised of their rights under 
Part 2 and instill patients' trust.''
Response
    We appreciate the comments about our efforts to improve health care 
and reduce burdens on regulated entities by aligning the required 
elements of the written consent for disclosure of part 2 records with 
the required elements of a HIPAA authorization to disclose PHI.
Comment
    Many commenters requested clarification and simplification of the 
consent requirements. One commenter recommended that the Department 
develop model consent language, limited to a single comprehensible 
paragraph with an option to find further information online, such as 
through a scannable QR code. Some commenters stated that the part 2 
consent is vague, complicated, and difficult to read and should be 
simplified into plain language for an ordinary person and they opposed 
the proposed changes to consent. They also urged the Department to 
``prioritize transparency.'' Another commenter asserted that it is in 
providers' best interests to inform patients ``of their rights in a 
straightforward, easy-to-understand manner, focusing on how their 
information will be used and who will have access to it.''
Response
    We appreciate the comments recommending simplification and 
streamlining of the required consent and will consider the various 
suggestions for doing so as we develop guidance or other materials. We 
agree that consent should be in plain language that ordinary readers 
can understand and believe that the required statements can be drafted 
in that manner.
Comment
    Several commenters believed that since the proposed part 2 consent 
requirements are like a HIPAA authorization, it is confusing to have 
similar documents with different purposes. They recommended that the 
consent process be easily folded into existing HIPAA compliance 
processes, preferably incorporating the acknowledgment of receipt of 
the HIPAA NPP and the patient's part 2 consent into the same document.
Response
    We appreciate the concern and believe that aligning the required 
elements of a part 2 consent with those required for a HIPAA 
authorization will facilitate the use of a single form by part 2 
programs that are covered entities, and thus must meet both sets of 
requirements.
Comment
    Several commenters suggested ceasing use of the word ``consent'' 
when referring to disclosure of records and using the term 
``authorization'' instead.
Response
    We decline to make this change because covered entities and part 2 
programs, particularly those that are not covered entities, are still 
obligated to comply with differing sets of disclosure permissions. 
Moreover, 42 U.S.C. 290dd-2, as amended by the CARES Act, continues to 
expressly refer to consent and thus this final rule remains consistent 
with statutory terminology.
    Although we are modifying the requirements for a part 2 consent to 
align more closely with a HIPAA authorization, the scope and effect of 
these documents continue to differ in meaningful ways. For example, a 
part 2 consent is required for uses and disclosures of part 2 records 
for TPO, but a HIPAA authorization is not required for uses and 
disclosures of PHI for TPO. The part 2 consent is required for part 2 
programs and the

[[Page 12543]]

authorization is for covered entities and business associates. Because 
of these and other differences, we believe using the term 
``authorization'' for individual permission under HIPAA as well as for 
patient permission under part 2 would create confusion.
Comment
    An academic medical center suggested making no changes to part 2 
consent requirements for HIPAA covered entities, but instead allowing 
them to use the HIPAA authorization to obtain consent for TPO and to 
use the patient's right to request a restriction for more granular 
consents, such as for disclosure limited to a specific provider.
Response
    We assume in this response that the granular consent referred to in 
the comment is a consent for some aspects of TPO, but not the full 
scope of the TPO consent. We decline to adopt this suggestion in its 
entirety because the HIPAA authorization applies to a narrower set of 
uses and disclosures than part 2 and does not have all the required 
elements of a part 2 consent. For example, the consent, as finalized 
here, requires a statement about the potential for records to be 
redisclosed by the recipient when they are disclosed under a TPO 
consent, and it contains special requirements for disclosures through 
an intermediary. Covered entities that are also part 2 programs will 
have more flexibility under the final rule consent requirements, so 
that they may be able to use a single form that meets the applicable 
requirements of a part 2 consent and a HIPAA authorization. Covered 
entities that are recipients of part 2 records but are not operating a 
part 2 program do not need to create or use a part 2 consent. Instead, 
covered entities that are not part 2 programs may use a HIPAA 
authorization to disclose part 2 records they receive provided that the 
authorization is not for the release of medical or other information 
generally. The authorization form must be specific to part 2 records or 
records of SUD treatment rather than ``my medical records,'' so that it 
identifies the information in a specific and meaningful fashion 
according to Sec.  2.31.
Comment
    In addition to supporting the proposal to allow a single consent 
for all future uses and disclosures for TPO, a county government 
recommended that programs be allowed to rely on verbal consent when 
making patient referrals, particularly at the initial stages of patient 
access to and engagement in treatment and requested regulatory guidance 
on how to do so. The commenter explained the importance of verbal 
consent for referral or intake purposes before a treatment relationship 
has been established in many instances. In the alternative, the 
commenter suggested creating a safe harbor from part 2 violations ``for 
providers who share information based on a verbal consent to refer a 
patient for treatment (which may first take place through a call 
center) and then later request written consent at the first appointment 
with the patient to share for TPO purposes.''
Response
    We decline to adopt an express permission to accept a verbal 
consent to disclose part 2 records for purposes of intake and referral 
because prior written consent is a statutory requirement in 42 U.S.C. 
290dd-2(b)(1)(A); however, some options for handling referrals verbally 
may be available depending on the circumstances. One approach would be 
to provide de-identified information about the patient to a potential 
treatment provider to determine if a placement is suitable and 
available and then either provide referral information to the potential 
patient so that they can contact the new provider independently or 
include the patient in a three-way call with the second provider and 
allow the patient to provide identifying information directly to that 
provider. In a medical emergency, involving an attempted overdose, or 
similar crisis, a program could disclose part 2 records to a hotline 
call center as needed to provide treatment. Similarly, in 2020 the 
Department amended part 2 to permit disclosures of patient information 
to another part 2 program or other SUD treatment provider during State 
or federally-declared natural and major disasters when a part 2 program 
is closed or unable to provide services or obtain patient informed 
consent.\255\
---------------------------------------------------------------------------

    \255\ 85 FR 42986, 43018.
---------------------------------------------------------------------------

Comment
    A commenter recommended that, after obtaining the original written 
consent, programs should be required to notify patients before each 
use, disclosure, and redisclosure of their part 2 records and give them 
the opportunity to rescind consent.
Response
    This recommendation runs counter to the CARES Act requirement to 
allow a single consent for all future uses and disclosures for TPO. 
Further, we do not believe it would be practical to require that 
patients be notified and given the opportunity to rescind consent 
before each use, disclosure, and redisclosure of their part 2 records, 
and it would likely create a large increase in burdens for programs and 
other entities subject to part 2 requirements. That said, nothing in 
the rule prohibits programs from notifying a patient before a 
particular use or disclosure of their part 2 records.
Designation of Recipients and Purpose
Comment
    Several commenters recommended complete removal of the consent 
requirement for TPO, stating that the new disclosure permission does 
not go far enough to align with HIPAA.
Response
    This recommendation exceeds the scope of the changes authorized 
under the CARES Act amendments to 42 U.S.C. 290dd-2. The CARES Act did 
not eliminate the statutorily mandated consent requirement for TPO uses 
and disclosures.
Comment
    A few organizations requested clarification of whether the phrase, 
``people helping to operate this program,'' in the general designation 
for a TPO consent includes case management and care coordination 
providers and suggested that it should.
Response
    We agree with the commenters that within the part 2 context, 
``people helping to operate this program'' could include case 
management and care coordination providers who are QSOs. Disclosures to 
case management and care coordination providers who are not QSOs would 
also be permitted under a TPO consent as disclosures for treatment. 
Regarding the TPO consent, the phrase ``people helping to operate this 
program'' is intended to cover those who are not part 2 program 
personnel and who would be QSOs (or business associates for part 2 
programs that are covered entities).
Comment
    Some commenters generally opposed the proposed change to permit a 
single consent for all future uses and disclosures for TPO in part 
because it would not require designating specific recipients.
Response
    The CARES Act amended 42 U.S.C. 290dd-2 to restructure the 
statutory permission to disclose part 2 records with consent for TPO. 
Thus, the Department is required to implement

[[Page 12544]]

the consent requirements for the new disclosure and redisclosure 
permissions. The CARES Act amendments preserved the requirement to 
obtain initial consent and the prohibition against use of records in 
proceedings against a patient--both core elements of the part 2 
confidentiality protections for SUD records. We further discuss the 
single TPO consent in Sec.  2.33.
Uses and Disclosures With Written Consent
Comment
    Commenters opposing use of a single TPO consent recommended that 
the consent provide clear options for the types of consent a patient 
may sign, which would include a consent for a specific, one-time use or 
disclosure. The commenters believed that this approach would allow 
patients to understand their options and to avoid being pressured into 
signing a TPO consent because they mistakenly believe it is their only 
option.
Response
    We agree that part 2 programs should ensure that patients 
understand their consent options--which include signing a consent for a 
specific, one-time use or disclosure--and we encourage programs to 
draft their consent in a manner that is clear and easy to understand. 
Congress urged the Department to provide incentives to programs for 
explaining to patients the benefits of sharing their records.\256\ 
Accordingly, the manner in which programs offer information about 
different consent options should not undermine efforts to explain to 
patients the benefits of TPO consent. Sections 2.22 and 2.31(a) of this 
final rule require that part 2 programs notify patients of their rights 
and obtain consent before using and disclosing records for TPO.
---------------------------------------------------------------------------

    \256\ See sec. 3221(k)(5) of the CARES Act.
---------------------------------------------------------------------------

Comment
    Approximately half of commenters on intermediaries opposed the 
Department's proposal to retain consent requirements for disclosures to 
intermediaries that differ from consent requirements for disclosures to 
business associates generally. Of the HIEs and health IT vendors that 
commented on this set of proposals, most expressed opposition. Opposing 
commenters believed that the special provisions for intermediaries were 
a holdover from before the CARES Act and were inconsistent with 
aligning part 2 with the HIPAA regulations, especially with regard to 
the new provision to allow a single TPO consent.
    The board of supervisors for a large county explained the county's 
view that the combination of consent proposals (allowing TPO consent 
and retaining the consent provision for intermediaries) would result in 
a system where health plans, third-party payers, and business 
associates may be generally described in a consent as recipients, but 
these same recipient entities must be specifically named if the 
disclosure is made through an HIE. According to the commenter, ``[t]his 
imposes a burden on the use of HIEs for enhancing patient care while 
providing no discernable privacy benefit.''
    A state-wide e-health collaborative that administers a network of 
HINs similarly remarked that if a patient signed a consent form 
designating ``my health plan'' as the recipient, the part 2 program 
would be permitted to disclose such information directly to the health 
plan, but the program would be prohibited from disclosing that 
information to the very same health plan if the disclosure was made via 
an intermediary without specifically naming the intermediary and the 
health plan. A large health IT vendor also voiced these concerns, 
describing the potential result as a ``two-tiered'' system that 
perpetuates discrimination because patients with SUD cannot reap the 
benefits of integrated care that is facilitated by shared electronic 
records.
Response
    We appreciate the comments and information about how intermediaries 
operate and acknowledge that the CARES Act changes to consent for uses 
and disclosures for TPO and redisclosures by business associates have 
significantly reduced the need for a regulatory provision for 
intermediaries. In response to public comments the final rule excludes 
covered entities and business associates from the definition of 
``intermediary'' in Sec.  2.11. Thus, an HIE, for example, that meets 
the definition of ``business associate'' is excluded from the 
definition of ``intermediary'' and would not need to be specifically 
named in the consent--it would fall under the provision for a general 
designation under a TPO consent in Sec.  2.31(a)(4). Other issues 
regarding intermediaries are discussed in Sec. Sec.  2.11, 2.13, and 
2.24.
Comment
    A commenter recommended changes to Sec.  2.31 that would modify the 
wording of a consent to specifically permit disclosures to the Food and 
Drug Administration (FDA) even after revocation of consent.
Response
    We appreciate the comment, but believe expressly permitting 
additional disclosures after revocation of consent, where consent is 
required, is inconsistent with respecting patient choice. However, 
there may be circumstances where consent is not required for 
disclosures to the FDA, for example, if they fall within the provision 
for program audits and financial evaluations in Sec.  2.53 or public 
health disclosures of de-identified records under Sec.  2.54.
Comment
    One commenter recommended that disclosures to public health 
authorities be included in the general TPO consent.
Response
    The CARES Act mandated that disclosures to public health 
authorities are permitted without consent, but this permission applies 
only to records that have been de-identified. Further, the general 
consent authorized by the CARES Act applies only to uses and 
disclosures for TPO. Under the HIPAA Privacy Rule, disclosures to 
public health authorities are not considered disclosures for TPO and we 
apply this same interpretation to part 2. To the extent that a patient 
elects to consent to the disclosure of identifiable records to a public 
health authority, the consent must include a specific designation of 
the recipient.
Consent for Fundraising and De-Identification Activities
Comment
    A commenter suggested that consent for fundraising be offered as an 
opt-out rather than an opt-in process. Other commenters requested that 
fundraising not be allowed or that consent for use or disclosure of 
part 2 information for fundraising be obtained using a separate consent 
form (i.e., not combined with any other consent). A few commenters 
stated that part 2 programs did not need to use part 2 records for 
fundraising purposes.
Response
    Under the HIPAA Privacy Rule, fundraising falls within the 
definition of health care operations.\257\ The CARES Act required us to 
incorporate the definition of health care operations wholesale into 
this regulation. However, the CARES Act also included a Sense of

[[Page 12545]]

Congress that health care operations do not include fundraising for 
purposes of part 2.\258\ Thus, taking into account the Sense of 
Congress, a general TPO consent, without more, is not sufficient to 
allow the use and disclosure of records for fundraising purposes by a 
part 2 program that obtains a TPO consent. We considered whether to 
require a separate consent for an entity's fundraising activities, but 
determined that offering an opt-out for fundraising on the same form as 
consent for TPO would place appropriate guardrails on fundraising uses 
and disclosures consistent with the Sense of Congress without 
increasing burdens for part 2 programs. Part 2 programs, covered 
entities, and business associates that receive part 2 records under a 
TPO consent would be permitted to use and redisclose the records 
according to the HIPAA requirements. We are implementing the 
requirement at 42 U.S.C. 290dd-2(k)(4) to add the definition of 
``health care operations'' to this regulation as it is defined in 
HIPAA, and operationalizing the Sense of Congress for fundraising 
purposes.
---------------------------------------------------------------------------

    \257\ 45 CFR 164.501 (definition of ``Health care operations,'' 
paragraph (6)(v)).
    \258\ See section 3221(k)(4) stating that paragraph (6)(v) of 
``health care operations'' in 45 CFR 164.501 shall not apply.
---------------------------------------------------------------------------

Comment
    In the NPRM, we requested comment on whether the Department should 
require entities subject to part 2 requirements to obtain consent to 
use records for de-identification purposes and whether such consent 
should be structured to provide patients with the ability to opt-in or 
opt-out of having their records used in this manner. One commenter, an 
HIE, opined that the Department should not mandate either option 
because when de-identification is done appropriately through expert 
determination method or safe harbor method under 45 CFR 164.514(b), 
there is no possibility that information will be reidentified.
Response
    As we explained in the NPRM, although we believe that an opt-in 
requirement would offer more patients more control over their records 
and best fulfill privacy expectations, we also believe that requiring 
patient consent for de-identification activities would be inconsistent 
with--and potentially hinder--the new permission to disclose de-
identified information for public health purposes under 42 U.S.C. 
290dd-2(b)(2)(D), as amended by section 3221(c) of the CARES Act. Such 
a requirement also would create a barrier to de-identification in a 
manner that negatively affects patient privacy by increasing 
permissible but unnecessary uses and disclosures of identifiable part 2 
records in circumstances when de-identified records would serve the 
intended purpose.
Implementation Concerns
Comment
    One commenter recommended that the Department work with ONC and 
provide guidance, technical assistance, and model forms to assist 
regulated entities to comply with the proposed changes to consent.
Response
    We will continue to work with our Federal partners, including ONC, 
as needed to provide guidance, technical assistance, and model forms 
for regulated entities.
Comment
    Another commenter requested clarification of whether consent could 
be broadly obtained and apply to a patient's entire historical record 
maintained by a part 2 program.
Response
    Yes, a consent may apply broadly to all future uses and disclosures 
for TPO and may apply to a patient's entire treatment record.
Expiration of Consent
Comment
    A managed care organization requested clarification that an 
expiration date is not required, consistent with the HIPAA Privacy 
Rule.
Response
    The commenter is correct in observing that an expiration date is 
not required under the modified consent requirements if the consent is 
for all future uses and disclosures for TPO. As noted in the NPRM, the 
Department does not intend to create substantive change by replacing 
``expiration date, event, or condition'' with ``expiration date or an 
expiration event that relates to the individual patient or the purpose 
of the use or disclosure.'' However, the example proposed in Sec.  
2.31(a)(7) that allows ``none'' to be entered if the consent is for a 
use or disclosure for TPO represents a change from the current part 2 
consent. Although the HIPAA Privacy Rule allows an authorization to 
have ``none'' as an expiration date or event only in limited 
circumstances,\259\ the ability to enter ``none'' for TPO consent under 
part 2 creates greater consistency with the HIPAA Privacy Rule because 
the HIPAA Privacy Rule neither requires consent nor authorization for 
TPO uses or disclosures.\260\ Under Sec.  2.31(a)(7) a blank expiration 
date or event is insufficient, but an actual date is not always 
required. Other expiration language for a TPO consent that is 
consistent with 42 U.S.C. 290dd-2(b)(1)(C) is a phrase such as ``until 
revoked by the patient.''
---------------------------------------------------------------------------

    \259\ 45 CFR 164.508(c)(1)(v).
    \260\ U.S. Dep't of Health and Human Servs., ``Guidance: 
Treatment, Payment, and Health Care Operations'' (July 26, 2013), 
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html.
---------------------------------------------------------------------------

Comment
    One commenter stated that the consent should not be indefinite and 
suggested that, at a minimum, the written consent should be renewed 
annually.
Response
    Annual renewal of consent is not required under HIPAA, and we are 
not finalizing a requirement to do so under part 2. This would run 
counter to the permission to provide consent for all future uses and 
disclosures for TPO. However, we recognize that it may be valuable to 
periodically ensure that all patient documentation is up to date and 
that it may be a good practice to invite patients to review their 
consent choices and any documents designating surrogate decision 
makers, such as medical powers of attorney. We view this as a matter of 
good practice, rather than a legal requirement.
Conditioning Treatment on Consent
Overview of Comments
    A professional association for SUD providers and 10 state 
affiliates as well as a major health plan/health insurer (who otherwise 
supported the TPO consent) opposed allowing part 2 programs to 
condition treatment on the signing of a single consent for all future 
uses and disclosures for TPO.
Comment
    An SUD provider requested clarification about conditioning 
treatment on signing consent to disclose records and whether the 
Department intended the required statement about the consequences of 
not signing the consent to mean that part 2 programs will not have to 
comply with the HIPAA Privacy Rule (which generally prohibits 
conditioning treatment on signing an authorization).

[[Page 12546]]

Response
    A part 2 program is not subject to the HIPAA Privacy Rule unless it 
is also a covered entity. The substantive differences between the HIPAA 
Privacy Rule and part 2 regarding conditioning treatment on signing a 
consent or authorization arise from the fact that the HIPAA Privacy 
Rule does not require any type of consent or authorization for TPO. 
Thus, the need to condition treatment, for example, on an authorization 
for payment disclosures, does not arise under HIPAA. However, part 2 
expressly allows conditioning treatment on a consent for disclosures 
for payment, for example, in Sec.  2.14 (Minor patients). And we stated 
in the NPRM preamble that a ``Part 2 program may condition the 
provision of treatment on the patient's consent to disclose information 
as needed, for example, to make referrals to other providers, obtain 
payment from a health plan (unless the patient has paid in full), or 
conduct quality review of services provided.'' Because the prohibition 
on conditioning treatment on a signed authorization under HIPAA does 
not track closely to part 2,\261\ we are adopting, as proposed, only 
language from paragraph (c)(2)(ii)(B) of 45 CFR 164.508, and only a 
modified version of the first part of that paragraph. Thus, with 
respect to conditioning treatment on consent, Sec.  2.31 requires a 
statement of ``the consequences to the patient of a refusal to sign the 
consent.''
---------------------------------------------------------------------------

    \261\ U.S. Dep't of Health and Human Servs., ``What is the 
difference between `consent' and `authorization' under the HIPAA 
Privacy Rule? '' (Dec. 28, 2022), https://www.hhs.gov/hipaa/for-professionals/faq/264/what-is-the-difference-between-consent-and-authorization/index.html.
---------------------------------------------------------------------------

Comment
    Several commenters asserted that part 2 programs should not be 
permitted to condition treatment on a requirement that the patient sign 
the general TPO consent. They asserted that could create a barrier to 
treatment or harm patients' privacy interests. A few of these 
commenters recommended that if conditioned consent was allowed the 
minimum necessary requirement should apply to any such disclosures.
Response
    The availability of a single consent for all future uses and 
disclosures for TPO raises new considerations for patient 
confidentiality and ethical practice if access to treatment is 
conditioned on signing such a consent. Congress did not directly 
address whether a program may condition treatment on a TPO consent, but 
emphasized guardrails to ease privacy concerns in section 3221 of the 
CARES Act. We believe that a program should not condition treatment on 
a TPO consent unless it has taken reasonable steps to establish a 
workable process to address patients' requests for restrictions on uses 
and disclosures for TPO. We are finalizing as proposed in Sec.  2.22 
the rule of construction that a patient has the right to request 
restrictions on disclosures for TPO and in Sec.  2.26 a patient's right 
to request restrictions. Additionally, the existing rule provides that 
all disclosures of part 2 records should include only the information 
necessary for the purpose of the disclosure.
Comment
    Several other commenters requested clarification of what is needed 
to give patients notice that treatment may be conditioned on signing 
consent for TPO.
Response
    The regulation does not require specific language; however, consent 
for TPO use and disclosure should include a statement that patient 
consent is needed (or required) to allow the program to use and 
disclose the patient's records for TPO (or ``to help the program 
operate its health care business'') or something similar. The final 
rule also requires a statement or statements explaining the 
consequences of failing to sign, based on the program's consent 
policies. For example, a program may decide not to provide ongoing 
treatment although it allows for an initial evaluation, or it may 
require payment before services are provided, or it may offer a more 
narrow or specific consent option. The program is not required to do 
so, but may find it helpful to point to the patient's right to request 
restrictions on TPO disclosures and the program's commitment to 
accommodate such requests. We assume that programs will carefully 
consider their goals, treatment population, and professional standards 
in deciding how to fashion a statement about conditioning treatment on 
signing a TPO consent. New patients are likely to be more hesitant 
about signing broad disclosure permissions than existing patients who 
have an established rapport with staff.
Final Rule
    The final rule adopts all proposed modifications to Sec.  2.31(a), 
but refers to ``HIPAA regulations'' in place of the references to 45 
CFR 164.502 and 164.506. This modification aligns with the addition of 
the new defined term, ``HIPAA regulations.''
Section 2.31(b) Consent Required: SUD Counseling Notes
    In the NPRM, we requested comments on a potential definition of 
``SUD counseling notes'' and specific consent provisions regarding 
these notes. We offered for consideration that a separate consent 
requirement, if adopted, would not apply to SUD counseling notes in 
certain specific situations such as when such information was required 
for the reporting of child abuse or neglect, needed for the program to 
defend itself in a legal action or other proceeding brought by the 
patient, or required for oversight of the originator of the SUD 
counseling notes.\262\
---------------------------------------------------------------------------

    \262\ See full discussion at 87 FR 74216, 74231.
---------------------------------------------------------------------------

Overview of Comments
    We received comments in support of the proposal, asking for 
modification, and expressing concern about consent provisions related 
to SUD counseling notes. We also received comments on such issues as 
whether a separate consent should be required for SUD counseling notes, 
the similarity or distinctions between psychotherapy notes under HIPAA 
and SUD counseling notes, and patient rights to access such notes. We 
respond to these comments below. Comments primarily relating to the 
proposed definition of ``SUD counseling notes'' are discussed in Sec.  
2.11.
Comment
    We received support for the proposals in the NPRM concerning SUD 
counseling notes from commenters such as HIE/HINs, state and local 
agencies, and recovery organizations for treating SUD counseling notes 
under Sec.  2.31 similar to psychotherapy notes in the HIPAA Privacy 
Rule by requiring a separate written consent for their disclosure. 
These commenters believed a separate consent would serve as an added 
layer of protection to patients receiving service under Sec.  2.31. A 
medical professionals association believed that parties are already 
familiar with how to comply with psychotherapy notes under HIPAA. If 
such a category is created, the association urged the Department to 
issue clear guidance to make the segregation of these counseling notes 
as easy as possible so that part 2 programs do not have to take 
repetitive actions that would add to their administrative burden.
Response
    We appreciate these comments and are finalizing provisions in this 
section that require a program to obtain separate

[[Page 12547]]

consent for any use or disclosure of SUD counseling notes subject to 
certain specific listed exceptions. We will consider what additional 
guidance may be helpful on these issues after the rule is finalized.
Comment
    According to several SUD and recovery associations, notes often 
contain highly sensitive information that supports therapy. Limiting 
access to these notes is critical to protect the therapeutic alliance 
due to the unique risks that patients face due to the risks of 
inappropriate sharing of highly sensitive information in these notes. A 
health care provider believed the SUD counseling note provision would 
allow a SUD provider the ability to more accurately capture critical 
impressions of his or her patient without running the risk that it 
could adversely impact the patient or the provider-patient 
relationship.
    A few HIE associations commented that providers rarely use the 
option to keep psychotherapy notes as defined in the HIPAA regulations; 
instead, the type of information previously envisioned to be included 
in the psychotherapy note is now included in ``progress notes'' or the 
information is not captured and documented in an EHR. If organizations 
move towards utilizing a separate category for SUD counseling notes, it 
could lead to information either not being documented, or to important 
information not being captured at all, which is against the principles 
of interoperability supported by these associations and the Federal 
Government, these commenters asserted. A hospital said that in its 
experience clinicians, both internal and external to its organization, 
usually refer to these types of notes as ``process notes'' which are 
not part of the designated record set and are not documented in the 
EHR. This commenter also has heard from clinicians that these types of 
notes are rarely used.
    A medical professionals association believed that SUD counseling 
notes should be separated from the rest of the patient's health record, 
to allow a firewall between notes used by the individual therapist or 
treating professional and the rest of the patient's health record (such 
as diagnosis, functional status, treatment plan, symptoms, prognosis, 
start and stop times, modalities and frequencies of treatment, 
medication prescription and monitoring, and results of clinical tests) 
that is designed to be shared, as appropriate, with other health care 
entities. According to this association, psychotherapy notes provide a 
vital tool for psychologists to protect sensitive therapy details from 
third parties. These notes are a way for psychologists to protect 
patient privacy as to sensitive details that are important for the 
psychologist to remember, but that do not need to be shared with other 
health care entities.
Response
    We discuss our changes to the definition of ``SUD counseling 
notes'' in Sec.  2.11 above. We intend for SUD counseling note 
provisions in 42 CFR part 2 to parallel the HIPAA psychotherapy note 
provisions.\263\
---------------------------------------------------------------------------

    \263\ As discussed elsewhere in this rule, psychotherapy notes 
are part of the designated record set. See ``Individuals' Right 
under HIPAA to Access their Health Information 45 CFR 164.524,'' 
supra note 159.
---------------------------------------------------------------------------

    Providers may vary in their use of SUD counseling or psychotherapy 
notes. Moreover, some providers in behavioral health or other medical 
practices also may use ``open notes'' intended to permit patient access 
to EHRs, including provider notes.\264\ The preamble to the 2000 HIPAA 
Privacy Rule explained that ``process notes capture the therapist's 
impressions about the patient, contain details of the psychotherapy 
conversation considered to be inappropriate for the medical record, and 
are used by the provider for future sessions.'' The preamble further 
noted that ``[w]e were told that process notes are often kept separate 
to limit access, even in an electronic record system, because they 
contain sensitive information relevant to no one other than the 
treating provider. These separate `process note' are what we are 
calling `psychotherapy notes.' '' \265\ By contrast, progress notes 
(referred to as ``progress to date'' in our definition of ``SUD 
counseling notes'') would be included in the patient's medical record 
or part 2 record.
---------------------------------------------------------------------------

    \264\ See Steve O'Neill, Charlotte Blease, Tom Delbanco, ``Open 
Notes Become Law: A Challenge for Mental Health Practice,'' 
Psychiatric Services (2021), https://pubmed.ncbi.nlm.nih.gov/33971748/ 33971748/.
    \265\ 65 FR 82461, 82623.
---------------------------------------------------------------------------

    We also believe that licensed part 2 program providers that are 
especially trained in the handling of these types of records (i.e., 
familiar with and qualified to maintain separate session notes) will 
likely be able to understand and apply special requirements to protect 
these types of notes. We also reiterate from the NPRM that ``[i]f SUD 
treatment is provided by a mental health professional that is a Part 2 
program and a covered entity, and the provider creates notes of 
counseling sessions that are kept separate from the individual's 
medical record, those notes would be [considered] psychotherapy notes 
as well as Part 2 records.'' \266\
---------------------------------------------------------------------------

    \266\ 87 FR 74216, 74230.
---------------------------------------------------------------------------

Comment
    A health IT vendor was not opposed to the proposal to create 
special protections for SUD counseling notes but urged the Department 
to develop guidance for effective implementation. Also, although it 
seems reasonable to this commenter to align the SUD counseling note 
consent requirements to the HIPAA psychotherapy note consent 
requirements, any requirement for ``a separate written consent that is 
not combined with a consent to disclose any other type of health 
information'' could be burdensome for providers who provide services to 
dually diagnosed (mental health and SUD) consumers.
Response
    We are finalizing a modification to permit consent for use and 
disclosure of SUD counseling notes to be combined with another consent 
for use and disclosure of SUD counseling notes. Combining a consent for 
disclosure of SUD counseling notes with an authorization for the use 
and disclosure of psychotherapy notes is not permitted under the HIPAA 
Privacy Rule. Further, we are not aware that psychotherapy notes or SUD 
counseling notes are disclosed with such frequency as to create a 
burden for providers.
Comment
    A medical professional association interpreted the NPRM to suggest 
that SUD counseling notes, like psychotherapy notes, would generally 
not be accessible to patients. The association said that in most 
states, patients have full or only slightly limited access to these 
notes. The reason is that HIPAA's preemption requirement gives priority 
to state laws that give patients greater access to their records. Since 
most state laws on access to mental health records do not contain an 
exemption for psychotherapy notes, those laws are not preempted by the 
HIPAA provision denying patients access to psychotherapy notes. The 
association believed that the main exception to this effect is in the 
minority of states that have changed their patient access laws to align 
with HIPAA, including the exclusion of psychotherapy notes from the 
patient's right to access their mental health records. The association 
anticipated that the creation of SUD counseling notes would have a 
similar effect on patient access except to the extent that state

[[Page 12548]]

laws on patient access to records exclude, or are otherwise different 
for, SUD records.
Response
    Under the HIPAA Privacy Rule, patients do not have a right of 
access to psychotherapy notes.\267\ We have noted that while there is 
no right of access to psychotherapy notes, ``HIPAA generally gives 
providers discretion to disclose the individual's own protected health 
information (including psychotherapy notes) directly to the individual 
or the individual's personal representative.'' \268\ Under HIPAA, 
psychotherapy notes must be maintained separately from the rest of the 
individual's medical record. We establish a similar expectation with 
respect to SUD counseling notes in this final rule.
---------------------------------------------------------------------------

    \267\ See 65 FR 82461, 82554; 45 CFR 164.524(a)(1)(i).
    \268\ See U.S. Dep't of Health and Human Servs., ``Information 
Related to Mental and Behavioral Health, including Opioid Overdose'' 
(Dec. 23, 2022), https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html.
---------------------------------------------------------------------------

    Under the existing (and final) rule, part 2 programs are vested 
with discretion about providing patients with access to their records. 
Section 2.23 neither prohibits giving patients access nor requires it 
and a part 2 program is not required to obtain a patient's written 
consent or other authorization to provide such access to the patient. 
We confirm here that SUD counseling notes fall within the scope of part 
2 records although they are separated from the rest of the patient's 
SUD and medical record under Sec.  2.11 (SUD counseling notes). The 
final rule therefore does not require under Sec.  2.23 that SUD 
counseling notes be disclosed to the patient, but a clinician may 
choose to do so voluntarily.
    We assume that SUD treating professionals are aware of the 
statutory and regulatory requirements in their state pertaining to 
patient access to records, including access to separately maintained 
notes of counseling sessions, and considered state requirements when 
making decisions about whether to adopt the use of the SUD counseling 
notes provision in this final rule.
Comment
    A medical professional association commented that since SUDs are 
frequently a dual diagnosis with mental health disorders, it is 
appropriate for SUD counseling notes to be like psychotherapy notes. 
This approach would lessen the provider's burden when treating dual 
diagnoses by requiring the same type of notes.
    The association described its concerns, however, that a separate 
consent requirement, if adopted, not apply to training programs in 
which students, trainees, or practitioners use to improve their skills 
in a SUD treatment environment. The commenter requested that we 
consider patient consent for educational training using audio or video 
recordings. Another professional association echoed support for 
allowing use or disclose of SUD counseling notes for a program's 
supervised student training activities.
Response
    The final rule expressly provides an exception from requirements 
for consent to disclose SUD counseling notes when such use or 
disclosure is made ``by the part 2 program for its own training 
programs in which students, trainees, or practitioners in SUD treatment 
or mental health learn under supervision to practice or improve their 
skills in group, joint, family, or individual SUD counseling.'' This 
parallels the exception for psychotherapy notes in the HIPAA Privacy 
Rule for training of mental health professionals. With respect to audio 
or video recording, the definition of ``SUD counseling notes,'' like 
the definition of ``psychotherapy notes'' under HIPAA, does not include 
such recordings.
Comment
    We received many comments on segregation or separation of SUD 
counseling notes from other parts of a patient's medical record. A 
medical professionals association recommended that SUD counseling notes 
be handled in the same manner that psychotherapy notes are treated 
under HIPAA. This category would provide greater protection for SUD 
counseling notes and limit the notes from being shared under a TPO 
consent. Providers are already familiar with how to comply with 
psychotherapy notes under HIPAA. If such a category is created, the 
association encouraged the Department to issue clear guidance to make 
the segregation of these counseling notes as easy as possible so that 
part 2 programs do not have to take repetitive actions that will add 
administrative burden.
    A medical school trade association echoed these comments stating 
that it supports not disclosing SUD counseling session notes without a 
separate written authorization or consent. These notes, which are 
maintained primarily for use by the originator of the notes, should 
have heightened protections and accountability. This policy would be 
consistent with the approach that limits the individual's right of 
access to psychotherapy notes under HIPAA. The association requested 
HHS explore, in partnership with stakeholders, how these SUD counseling 
session notes would be best protected while minimizing data 
segmentation challenges. The association also asked that the Department 
issue guidance on how these counseling notes could be segregated.
    A health IT vendor indicated that it understands the importance of 
maintaining the confidentiality of counseling sessions and supports 
maintaining strict protections for counseling session notes. Its 
platform enables providers to maintain these notes as strictly 
confidential.
    A few professional associations and an individual commenter 
asserted that segregation of client notes under this section creates an 
extra burden, which is harder for publicly funded without money for the 
systems.
    According to a medical professionals' association, the creation of 
a distinct class of psychotherapy notes in HIPAA provides an 
illustrative example of the challenge of implementing specific data 
protections within a medical record: options for segregating SUD 
records from other records that require manual or duplicative action by 
the clinician are likely not viable at scale. Further, the personnel 
time and infrastructure costs of configuring such an option in the EHR 
is not negligible.
    A county department believed that SUD counseling notes are 
appropriate to share with the patient upon request. The agency asserted 
that it would be inadvisable to segregate these notes from the 
remainder of the medical record, and that it would add undue burden to 
subject them to a separate patient consent requirement.
    An academic medical center stated that even if SUD counseling notes 
were included in the final rule, it did not anticipate using them. 
Segregating a progress note would be administratively burdensome to do. 
Additionally, segregation of information impacts the overall care of 
the patient by not providing quality continuity of care to patients 
being treated in SUD programs, according to this commenter. The 
commenter added, allowing all SUD progress notes related to a patient's 
care to be accessible and integrated in the EHR would allow the medical 
team to view and use notes from the patient's SUD course of treatment 
to care for the patient.
    A health insurer asserted that segregation of SUD notes could 
impede the sharing of information that should

[[Page 12549]]

be part of the patient's overall part 2 record and information that is 
critical to support necessary treatment and care coordination. In 
addition, the commenter stated that such segregation and the attendant 
requirements attached to these notes (e.g., separate consent required 
for release) would unduly burden patients, providers, and other 
stakeholders with no demonstrated justification or value. The commenter 
requested that, if the Department created a separate category of record 
information for ``SUD counseling notes,'' the final rule clarify that 
this narrow category is limited to contemporaneous notes from an in-
person counseling session and not, as was noted in the proposed rule, 
summary information from the overall part 2 record and information such 
as diagnosis, treatment plan, progress notes, etc.
Response
    We appreciate comments concerning the potential challenges of 
maintaining SUD counseling notes apart from the medical or part 2 
record. ``SUD counseling notes'' as defined in this rule ``are 
separated from the rest of the patient's SUD and medical record.'' 
Although the definition is neutral regarding the format in which SUD 
counseling notes are maintained, a key aspect is that they are not 
generally available to anyone other than the treating clinician. Thus, 
session notes of an SUD provider that are maintained in an EHR 
environment where they are accessible by multiple members of the 
treatment team would not qualify as SUD counseling notes nor receive 
the additional protection from disclosure.
    The final rule's approach to SUD counseling notes and requiring 
that such notes be separate from other portions of the record is 
entirely consistent with the long-standing approach regarding 
psychotherapy notes within HIPAA which dates back to 2000. In the 2000 
HIPAA Privacy Rule, we explained that ``any notes that are routinely 
shared with others, whether as part of the medical record or otherwise, 
are, by definition, not psychotherapy notes, as we have defined them. 
To qualify for the definition and the increased protection, the notes 
must be created and maintained for the use of the provider who created 
them . . . [.]'' \269\
---------------------------------------------------------------------------

    \269\ 65 FR 82461, 82623.
---------------------------------------------------------------------------

    We further elaborated that ``[t]he final rule retains the policy 
that psychotherapy notes be separated from the remainder of the medical 
record to receive additional protection.'' We noted that mental health 
providers told the Department that ``information that is critical to 
the treatment of individuals is normally maintained in the medical 
record and that psychotherapy notes are used by the provider who 
created them and rarely for other purposes.'' Similarly, SUD counseling 
notes support provider recollections of sessions with the patient but 
are not intended to supplant other information, such as the patient's 
test results and diagnosis, within the part 2 record or medical record.
Comment
    Several commenters raised concerns about SUD counseling notes being 
distinct from psychotherapy notes under HIPAA. One commenter did not 
believe these SUD counseling notes with additional protections promote 
access and exchange of valuable information and prefers an approach 
that destigmatizes SUD treatment and promotes access to clinically 
relevant information which is valuable and informative for all TPO 
purposes.
    A state agency believed that SUD counseling notes are qualitatively 
different than psychotherapy notes and are most frequently maintained 
by unlicensed providers. The agency is concerned that this change would 
create additional administrative complexity and compliance challenges 
for part 2 programs and may have unintended consequences by restricting 
patient access to, or disclosure of, a significant segment of their SUD 
treatment records. This change seems unlikely to facilitate information 
exchange for care coordination purposes, and as such would seem to be 
inconsistent with many of the other proposed amendments, according to 
this commenter.
    One county health department asserted that the utility of this 
category of records is likely minimal, and another said that requiring 
separate consent for SUD counseling notes would counteract the aim of 
facilitating greater information exchange, with unclear benefits. HHS' 
proposed consent framework for part 2 records provides patients with 
sufficient control to limit what substance use treatment information is 
shared and does not require creation of a category of ``SUD counseling 
notes'' with different protections.
    A health care provider recommended a different approach whereby all 
part 2 data is used in a similar manner to psychotherapy notes. This 
policy would reduce the need for new part 2 workflows and 
interoperability frameworks. Additionally, by deeming part 2 
information identical to a psychotherapy note, that data could also be 
carved out of the definition of ``electronic health information'' and 
would not be subject to the 21st Century Cures Act, but still maintain 
critical clinical information. For example, results of clinical tests, 
summaries of diagnosis, functionality status, treatment plan, symptoms, 
prognosis and progress to date are all excluded from a psychotherapy 
note. By treating part 2 data or SUD data similar to psychotherapy 
notes, the most sensitive information made available in a part 2 
encounter would continue to be restricted but critical information for 
treatment and continuity of care would remain available.
    A health care provider commented that it did not recommend 
including special protection for SUD counseling notes by requiring a 
separate written consent for their disclosure because they are 
concerned that it would impede care coordination. SUD counseling notes 
may contain clinically relevant information and be useful to inform 
coordinated treatment plans. Also, given the variety of part 2 program 
structures, as well as differences in state licensing laws, the 
categorization of personnel who could create or view counseling notes 
would be confusing to implement and would require significant 
administrative burden to designate records within the SUD counseling 
notes category. As a result, the commenter believed that some programs 
may have difficulty implementing the requirement and be deterred from 
sharing vital information within the record for TPO purposes.
Response
    Use of the SUD counseling notes provision by an SUD professional is 
voluntary and optional, although a program may adopt a facility-wide 
policy that either supports or disallows the creation and maintenance 
of such notes. Also, SUD counseling notes are a subset of a part 2 
record and the separate consent requirement would only apply to such 
notes when they are maintained separately from the rest of the part 2 
record. Additionally, the CARES Act, while supporting alignment of 
HIPAA and part 2, continues to recognize the importance of applying 
additional protections to SUD information. Accordingly, the Department 
cannot treat psychotherapy notes and SUD counseling notes as synonymous 
as this would be contrary to the CARES Act and 42 U.S.C. 290dd-2 as 
amended. Regarding requests for additional guidance, we may provide

[[Page 12550]]

additional guidance on these issues after the rule is finalized.
Comment
    An academic health center said that as proposed, an SUD counseling 
note, created by and used by the creating provider, segments patient 
care and could introduce patient safety risks. Information known to 
only one member of the treatment team is antithetical to an integrated 
care approach. The commenter believed that once the patient has 
provided consent to be treated in our SUD program those records should 
be visible to the rest of the care team across the covered entity, not 
just the SUD treatment counselor who created the note or the SUD team.
Response
    ``SUD counseling notes'' as defined in this rule ``excludes 
medication prescription and monitoring, counseling session start and 
stop times, the modalities and frequencies of treatment furnished, 
results of clinical tests, and any summary of the following items: 
diagnosis, functional status, the treatment plan, symptoms, prognosis, 
and progress to date.'' SUD counseling notes are intended, like 
psychotherapy notes, to support an individual provider and are not 
routinely shared with others. Information critical to patient diagnosis 
and treatment such as prognosis and test results, should be within the 
patient's medical record or part 2 record. We do not believe the use of 
separate SUD counseling notes will impede either integrated care or 
patient safety; however, a program may adopt its own policy with 
respect to the use by its clinicians of such notes.
Comment
    According to a health IT vendor, the treatment of SUD counseling 
notes under part 2 raises complexities similar to HIPAA with respect to 
limits on patient access and for the need for a distinct specific 
consent from the patient. Addressing such matters depends on whether 
the notes are included in a specific medical record document or record 
type or comingled with other documentation. The health IT vendor stated 
that many part 2 providers have not been in a habit of maintaining 
distinct forms of documents or records that would allow for these 
provisions to be so simply applied. The commenter urged the Department 
develop guidance for their effective implementation. The commenter 
suggested a single consent option to cover both psychotherapy and SUD 
counseling notes, not combined with any consent to disclose any other 
type of health information, to facilitate the release of notes for 
dually diagnosed consumers being treated by the same provider/provider 
group. For this and other reasons, it would seem beneficial to this 
commenter to align these consent requirements as closely as possible to 
avoid confusion, and variations in data exchange rules.
Response
    As noted, the Department, including ONC, is working to support 
implementation of EHRs and health IT within the behavioral health 
sector. We believe that separate consent for release of SUD counseling 
notes is important because these notes will be maintained distinctly 
from other parts of the patient's medical record. This approach is 
consistent with our approach to psychotherapy notes under HIPAA.\270\ 
According to SAMHSA's National Survey on Drug Use and Health, we know 
that many patients will have both mental health and SUDs as well as 
other comorbidities or co-occurring conditions. We believe the 
definition of ``SUD counseling notes'' in this final rule and the 
consent provisions will support integration of care and care 
coordination for dually diagnosed SUD and mental health patients.\271\
---------------------------------------------------------------------------

    \270\ See ``Does HIPAA provide extra protections for mental 
health information compared with other health information? '' supra 
note 157.
    \271\ See Substance Abuse and Mental Health Servs. Admin., 
``SAMHSA Announces National Survey on Drug Use and Health (NSDUH) 
Results Detailing Mental Illness and Substance Use Levels in 2021'' 
(Jan. 4, 2023), https://www.samhsa.gov/newsroom/press-announcements/20230104/samhsa-announces-nsduh-results-detailing-mental-illness-substance-use-levels-2021.
---------------------------------------------------------------------------

Comment
    An insurer suggested that the final rule make clear that this 
narrow category of SUD counseling notes is limited to contemporaneous 
notes from an in-person counseling session and not, as is noted in the 
proposed rule, summary information from the overall part 2 record and 
information such as diagnosis, treatment plan, and progress notes. The 
commenter asserted that in practice the HIPAA Privacy Rule's provision 
on ``psychotherapy notes'' has been used by some parties as a 
justification for information blocking and refusal to provide 
information for TPO in some cases. The commenter believed that similar 
behavior could occur with this provision if boundaries and limitations 
are not clearly articulated both in the definition and related 
provisions of the final rule.
Response
    The Department is collaborating to ensure successful implementation 
of information blocking requirements and acknowledges this commenter's 
concerns.\272\ That said, we believe the final definition of ``SUD 
counseling notes'' makes clear that for the purposes of part 2 SUD 
counseling notes do not include medication prescription and monitoring, 
counseling session start and stop times, the modalities and frequencies 
of treatment furnished, results of clinical tests, and any summary of 
the following items: diagnosis, functional status, the treatment plan, 
symptoms, prognosis, and progress to date.
---------------------------------------------------------------------------

    \272\ See ``Information Blocking,'' supra note 160.
---------------------------------------------------------------------------

Comment
    An HIE/HIN stated its view that adding an additional level of 
complexity in the consent process is likely to cause confusion and have 
the practical result of eliminating data sharing in circumstances where 
Congress intended to facilitate the sharing of data. Should the 
Department decide to add such a definition, the commenter asked that 
HHS not prohibit a consent permitting the release of such notes from 
being combined with a general consent to release part 2 records. The 
commenter believed that any heightened security requirements could be 
met by requiring that a consent for release of SUD counseling notes to 
explicitly reference such notes in conspicuous language separate and 
apart from any other permissions to disclose data.
Response
    As noted, consistent with the Department's approach to 
psychotherapy notes in HIPAA, we are requiring a separate consent for 
disclosure of SUD counseling notes and specifically prohibiting 
combining a consent for disclosure of SUD counseling notes with a 
consent for disclosure of any other type of health information other 
than for release of psychotherapy notes. A part 2 consent form may have 
a combination of options, including a check box for SUD counseling 
notes. However, when a patient is consenting for SUD counseling notes 
that is the only type of information that can be indicated on the 
consent (other than psychotherapy notes). For instance, if a patient 
checks both ``billing information'' and ``SUD counseling notes'' this 
consent is not valid to release the SUD notes.

[[Page 12551]]

Comment
    With respect to the proposed exception for disclosure of SUD 
counseling notes to lessen a serious and imminent threat to the health 
or safety of a person or the public, an individual commenter said that 
this proposed language reflecting this otherwise known as Tarasoff 
\273\ exception is too broad.\274\
---------------------------------------------------------------------------

    \273\ Tarasoff v. Regents of the Univ. of Cal., 17 Cal. 3d 425 
(Cal. 1976).
    \274\ For an analysis of how this applies under HIPAA, see U.S. 
Dep't of Health and Human Servs., ``If a doctor believes that a 
patient might hurt himself or herself or someone else, is it the 
duty of the provider to notify the family or law enforcement 
authorities? '' (Sept. 12, 2017), https://www.hhs.gov/hipaa/for-professionals/faq/2098/if-doctor-believes-patient-might-hurt-himself-or-herself-or-someone-else-it-duty-provider.html.
---------------------------------------------------------------------------

    The commenter stated the objective in this exception is to 
``lessen'' a serious and imminent threat to the health or safety of a 
person or the public. The commenter believed that this approach was 
discriminatory because it equated being in treatment for SUD with being 
an imminent threat from a physical or health perspective. Specifically, 
the commenter said inclusion of the term ``health'' was too vague and 
suggested that if a person in SUD treatment has HIV, hepatitis B or C, 
or any other communicable disease, that it is the responsibility of the 
SUD counselor to determine whether to report that information if the 
patient is in a conjugal relationship or might expose another person. 
The commenter argued that it is sufficient to characterize the nature 
of the imminent physical threat, assert that the reporter has reason to 
believe that the imminent physical threat is serious, and any personal 
information that would allow a person to avoid the instigator of the 
threat or to allow a person(s) reasonably able to prevent or lessen the 
threat.
Response
    We acknowledge the commenter's concerns about the suggested 
exception, which we decline to include in the final rule. HIPAA and 
part 2 provisions on serious and imminent threats and disclosure 
differ. With respect to preventing harm, the final rule permits use or 
disclosure of SUD counseling notes under Sec.  2.63(a)(1) and (2) based 
on a court order to disclose ``confidential communications'' made by a 
patient to a part 2 program when necessary to protect against an 
existing threat to life or of serious bodily injury, or in connection 
with the investigation or prosecution of an extremely serious crime, 
such as one which directly threatens loss of life or serious bodily 
injury, including homicide, rape, kidnapping, armed robbery, assault 
with a deadly weapon, or child abuse and neglect. When such a use or 
disclosure is made, Sec.  2.13 provides that ``[a]ny use or disclosure 
made under the regulations in this part must be limited to that 
information which is necessary to carry out the purpose of the use or 
disclosure.'' Thus, the information shared under these circumstances or 
with respect to any disclosure without consent should be the minimum 
necessary to carry out the purposes of the disclosure.\275\
---------------------------------------------------------------------------

    \275\ See 83 FR 239, 244; 85 FR 42986, 43003.
---------------------------------------------------------------------------

Final Rule
    As noted, we have finalized a definition of ``SUD counseling 
notes'' discussed above in section Sec.  2.11. With respect to consent 
for use and disclosure of SUD counseling notes we are finalizing the 
provision as Sec.  2.31(b). The consent requirement does not apply to 
SUD counseling notes in certain specific situations such as the: (1) 
use by the originator of the SUD counseling notes for treatment; (2) 
use or disclosure by the program for its own training programs; or (3) 
use or disclosure by the program to defend itself in a legal action or 
other proceeding brought by the patient.
Section 2.31(c) Expired, Deficient, or False Consent
Proposed Rule
    The NPRM proposed in paragraph (c)(4) of this section to replace 
the phrase ``individual or entity'' with the term ``person'' to comport 
with the meaning of person in the HIPAA regulations and as consistent 
with similar changes proposed throughout this part. The revised 
language would read, ``[a] disclosure may not be made on the basis of a 
consent which . . . [i]s known, or through reasonable diligence could 
be known, by the person holding the records to be materially false.'' 
Additionally, the Department solicited comments on whether the final 
rule should require part 2 programs to inform an HIE when a patient 
revokes consent for TPO so that additional uses and disclosures by the 
HIE would not be imputed to the programs that have disclosed part 2 
records to the HIE.
False or ``Uninformed'' Consent
Comment
    Several commenters said that the rule should require that programs 
engage in an ``informed consent'' process where they explain the nature 
of the consent and potential consequences to the patient. These 
commenters urged the Department to adopt an informed consent process.
Response
    ``Informed consent'' generally refers to consent to receive 
treatment or consent to participate in research.\276\ As such, the 
obligation to ensure that patient consent is informed is outside of the 
scope of part 2, but is addressed in other law and is part of the 
professional and ethical requirements for licensed SUD professionals. 
However, we expect programs to ensure that consent is knowing and 
voluntary in the sense that the patient understands the consequences of 
signing or not signing the consent or authorization or that a personal 
representative provides consent when needed. We believe that consent 
that has been coerced or unknowing would be invalid and that, in the 
context of an application for a part 2 court order, the court would 
decide such matters. In addition, we believe that a consent that is 
based on false information or a lack of material information about the 
nature of the disclosure would be considered an invalid consent, as 
would any consent if the part 2 program knows or has reason to know 
that the signature was forged.
---------------------------------------------------------------------------

    \276\ See Off. of Human Research Protections, ``Informed Consent 
FAQs'' (Sept. 24, 2003), https://www.hhs.gov/ohrp/regulations-and-policy/guidance/faq/informed-consent/index.html (discussing the HHS 
Common Rule and other requirements); Food and Drug Admin., 
``Informed Consent Guidance for IRBs, Clinical Investigators, and 
Sponsors,'' (August 2023) https://www.fda.gov/regulatory-information/search-fda-guidance-documents/informed-consent; American 
Medical Ass'n, Code of Medical Ethics. Chapter 2, Informed Consent, 
Opinion 2.1.1, https://code-medical-ethics.ama-assn.org/ethics-opinions/informed-consent; R. Walker, TK Logan, JJ Clark et. al. 
Informed consent to undergo treatment for substance abuse: a 
recommended approach. 29 J Subst Abuse Treat. 241-51 (2005); Johns 
Hopkins Medicine, Off. of Human Subjects Research, ``Relevant State 
Law Requirements'' (August 2020), https://www.hopkinsmedicine.org/institutional-review-board/guidelines-policies/guidelines/marylandlaw. See also, e.g., 42 CFR 482.24(c)(4)(v)).
---------------------------------------------------------------------------

Revocation of Consent
Comment
    Some commenters addressed revocation of consent for use and 
disclosure of part 2 records, including several member organizations of 
an HIE/HIN that co-signed a comment letter. Some of these commenters 
urged that the final rule expressly state that disclosed part 2 records 
cannot be pulled back from the recipient once released, following a 
patient's revocation of the original signed consent as stated in the 
NPRM preamble discussion.

[[Page 12552]]

Response
    We appreciate the comments and information provided about the 
consent revocation process, particularly when it occurs in an HIE 
environment. We reaffirm the statement in the NPRM preamble that 
revocation does not require pulling back records that have been 
disclosed and do not believe it is necessary to so state in regulatory 
text.
Comment
    Several commenters recommended that HIEs be informed when a patient 
revokes consent, including an HIE association, health IT vendors, and a 
state government agency. One health IT vendor explained that consent 
revocation mechanisms may be implemented through the Trusted Exchange 
Framework when made by HIEs and HINs. The vendor asserted that most 
HIEs already receive notice of revocation when they use a model of 
exchange in which a potential recipient seeks medical records from 
another exchange participant and the current status of a patient's 
consent permission to have their records exchanged is known, including 
whether a patient has revoked consent. A health plan requested that 
recipients should be notified so they can stop redisclosing information 
they already received based on consent.
    One commenter asserted that the existing pathways for complying 
with a more granular consent (e.g., that is specific to a certain 
recipient or purpose) should remain available and that HIEs should be 
informed about changes to consent for disclosures made through the HIE. 
This commenter recommended that the Department explore further how HIEs 
learn of the consent status, whether it means that the HIE must 
directly record the status of a revocation or if the HIE relies on some 
kind of electronic ``polling'' of the part 2 program to ascertain if a 
valid consent remains or has been revoked.
    In contrast, a behavioral health network/HIE opposed requiring 
notice of revocation to an HIE, opining that it is not necessary 
because--under the CARES Act--once part 2 records are disclosed to a 
covered entity or business associate they are no longer part 2 records. 
As such, the commenter stated, the records can be redisclosed without 
limitation under part 2 even after a part 2 consent to disclose has 
been revoked.
Response
    We appreciate these comments, which provided perspectives on how 
consent and revocation are communicated through an electronic health 
exchange. We disagree with the view that once records are disclosed 
they are no longer part 2 records. Once received by a covered entity or 
business associate, the part 2 records are also PHI but, under this 
final rule, do not have to be segregated or segmented from other PHI. 
However, the records remain subject to the part 2 prohibitions against 
uses and disclosures for certain proceedings against a patient without 
written consent or a court order under this part. We agree that 
programs should convey to recipients when a consent is provided and, 
where feasible, when it has been revoked. This effort should include 
using whatever tools are at the disposal of the program to ensure that 
only consented information is exchanged.
    While we appreciate the comments stating that HIEs are able to 
operationalize a requirement to provide notice of revocation, we are 
concerned about the burdens that would apply to all programs if we 
imposed a requirement that programs ``must'' notify recipients upon 
consent revocation. Thus, while we are finalizing additional 
requirements for a copy of consent to travel with each disclosure of 
records for which consent is required, we decline to adopt a 
requirement for programs to notify recipients of records of each 
revocation. The new requirement to attach a copy of consent is 
discussed under Sec.  2.32 (Notice and copy of consent to accompany 
disclosure). Regarding revocation, we intend for programs to convey to 
recipients when a patient has provided written revocation where 
feasible. When the records have been disclosed through an HIE, the 
mechanism for informing recipients of a revocation would likely depend 
on the consent model used by the HIE. But our expectation is that all 
programs make efforts to initiate actions needed to accomplish the 
notification and to give full effect to the patient right to revoke 
consent as stated in the Patient Notice.
    Consistent with the recommendation of one commenter to explore 
further how HIEs learn of the consent status, we intend to monitor how 
provision of notice of revocation could work across all types of 
entities, including in a fully electronic environment such as an HIE, 
but also for stand-alone systems and paper-based exchanges.
Comment
    A health information association recommended requiring programs to 
inform HIEs, and HIEs to follow, a patient's request to revoke consent 
for distribution of their information for TPO. If patients are not able 
to stop the exchange of their information once it is released to an 
HIE, they may hesitate to consent to information being released to an 
HIE or HIN. If a patient's data is out of date at one provider and the 
patient cannot revoke consent for that information to be exchanged by 
an HIE, then they will continue to fight a losing battle to ensure 
every subsequent record is correct as the HIE may still be exchanging 
the incorrect information.
Response
    The language in the final rule for Sec.  2.31(a)(6) regarding 
``[t]he patient's right to revoke the consent in writing, except to the 
extent that the part 2 program, or other lawful holder of patient 
identifying information that is permitted to make the disclosure, has 
already acted in reliance on it [. . .]'' is broadly applicable and 
therefore would include HIEs/HINs. As a result, when an HIE/HIN learns 
of a patient's revocation of consent they would need to cease using or 
redisclosing the patient's part 2 record to other entities.
Comment
    An academic medical center compared the proposed part 2 TPO consent 
to a HIPAA authorization for TPO disclosures and explained that during 
the entire period that the HIPAA Privacy Rule has been effective they 
were not aware of any patient that sought to revoke a HIPAA 
authorization for use of their PHI for purposes of TPO.
Response
    We acknowledge the similarities and differences between part 2 
consent and HIPAA authorization. Under HIPAA, neither consent nor 
authorization is required for TPO, so the opportunity to revoke such an 
authorization is unlikely to exist. Revocation of consent is further 
discussed under Sec.  2.31.
Comment
    Some commenters addressed the question of whether a revocation 
should halt all future uses and disclosures by a recipient or whether a 
revocation should only prevent any further disclosures to that 
recipient. Commenters did not show a strong consensus on one approach, 
although more comments than not supported allowing additional 
redisclosures following revocation when the information is limited to 
records already in possession of the initial recipient. HIE-related 
comments uniformly affirmed the Department's statement in the NPRM 
preamble that information did not need to be ``clawed back'' following 
a revocation and several further asserted that an HIE needs to cease 
making redisclosures of health

[[Page 12553]]

information it retains once it learns of a revocation of consent or 
HIPAA authorization. These commenters also urged express clarification 
that revocation of consent only applies going forward. Commenters that 
supported the ability to continue making redisclosures of information 
retained by the recipient requested clarification to reduce concerns by 
part 2 programs that they could be liable for redisclosures made by 
recipients after consent has been revoked. As described in the 
discussion of Sec.  2.13 above, a few HIE/HINs proposed addressing 
revocation in Sec.  2.13 and limiting it to new information received 
after the revocation and to allow continued use and disclosure of part 
2 records the recipient has receiving prior to the revocation.
Response
    As stated in the NPRM, the Department does not expect a part 2 
program to ``pull back'' records that it has disclosed under a valid 
consent based on a patient's revocation of consent. At a minimum we 
intend that a written revocation serves to prohibit a part 2 program 
from making further uses and disclosures of a patient's record 
according to the scope of the revocation. Based on the public comments 
received, we also intend that when records have been transmitted 
through an HIE, the HIE should cease making further disclosures of the 
patient's record to other member participants. As stated in the NPRM, 
to fully accomplish the aims of the right to revoke consent, we expect 
that part 2 programs will work to ensure that any ongoing or automatic 
disclosure mechanisms are halted upon receipt of a request for 
revocation.
    Certain recipients under a consent for TPO (part 2 programs, 
covered entities, and business associates) are permitted to redisclose 
records according to the HIPAA regulations. Under 45 CFR 164.508(b)(5) 
a covered entity or business associate is required to cease making 
further uses and disclosures of PHI received once they are informed of 
an authorization revocation, except to the extent they have already 
taken action in reliance on the authorization or if it was obtained as 
a condition of obtaining insurance coverage and other law provides the 
insurer with the right to contest a claim. We believe this requirement 
applies equally to revocation of a part 2 consent. This interpretation 
is revised from the NPRM preamble discussion that proposed a revocation 
would only be effective to prohibit further disclosures by a program 
and would not prevent a recipient part 2 program, covered entity, or 
business associate from using the record for TPO, or redisclosing the 
record as permitted by the HIPAA Privacy Rule.
    Taking into account covered entities' obligations under HIPAA once 
they are informed of a revocation, we believe they are also obligated 
to comply with a revoked consent about which they are aware. We do not 
see a reason for a recipient covered entity to treat a patient's 
revocation of part 2 consent differently that a revoked HIPAA 
authorization. For example, if a part 2 program disclosed part 2 
records under a TPO consent to a health plan and the patient later 
revoked said consent, the health plan that is processing a claim may 
complete the transaction but may not process new part 2 claims for that 
patient/plan member. In another example, a covered entity health care 
provider who is currently treating a patient and has received a 
patient's part 2 records will necessarily need to continue relying on 
the records it received to continue treating the patient (e.g., the 
provider cannot ``unlearn'' the patient's history); however, it is 
prohibited from redisclosing the records once the patient revokes 
consent in writing. Handling revoked authorizations is not a new 
process for covered entities and they should therefore be capable of 
handling revoked consents in the same manner.
Comment
    An academic medical center expressed concern about scenarios in 
which the part 2 program relied on the original consent for a specific 
use or disclosure, but such use or disclosure may need to occur after 
such revocation has occurred. Examples include when a patient signs a 
consent to permit the part 2 program to disclose records for payment 
purposes, to ensure the program receives appropriate reimbursement for 
its services but then revokes his or her consent prior to the part 2 
program submitting the bill to the patient's payor. According to this 
commenter, the NPRM seems to suggest that the part 2 program would no 
longer be permitted to make such a disclosure, despite the fact that 
the part 2 program agreed to treat the patient on the condition of 
receiving reimbursement from the patient's payor.
Response
    If a disclosure cannot practically or feasibly be stopped after 
revocation because it is already in process or due to technological 
limitations, this would constitute such reliance. For example, such 
reliance could occur in research or if the patient is being treated for 
co-occurring disorders for which close consultation among specialists 
is paramount. Revocation of consent raises some of the same issues as 
withholding consent and conditioning treatment on consent for necessary 
disclosures. Thus, a program would need to explain to the patient when 
it is not feasible to stop or prevent a disclosure from occurring and 
discuss with a patient the consequences of revoking their consent in 
some circumstances. It is reasonable that a patient who seeks to revoke 
consent for disclosure to their health plan would be expected to make 
another arrangement to ensure payment which may include paying out of 
pocket for services.
Comment
    Some commenters specifically addressed whether oral revocation of 
consent should be permitted and were nearly even in opposition and 
support. The several organizations favoring oral revocation expressed 
very strong support for recognizing this as a valid expression of 
patient choice. The rationales offered by commenters that did not 
support the proposed changes were the following:
     HIPAA requires written revocation.
     The CARES Act requires written revocation.
     Equating oral revocation with oral consent because part 2 
programs are most likely to document oral consent in the part 2 record.
     Concern about how oral revocation would be documented and 
communicated to all entities that receive part 2 records.
Response
    The statute, 42 U.S.C. 290dd-2(b)(C), states that revocation of a 
TPO consent must be in writing. At the same time, consideration should 
be given to other civil rights implicated in this interaction and the 
entity's obligation under the relevant civil rights laws to provide 
assistance as needed to ensure meaningful access by enabling patients 
to effectuate a revocation.
Final Rule
    The final rule adopts the proposed changes to the consent 
requirements in paragraph (a) with further modifications to paragraph 
(a)(4)(iii) to replace ``HIPAA Privacy Rule'' with ``HIPAA 
regulations'' and remove part 2 program from the statement about 
redisclosure according to the HIPAA regulations and to paragraph 
(a)(5)(iii) to require an opportunity to opt out of fundraising 
communications rather than requiring patient consent. The final rule 
adopts the proposed changes to the existing paragraph (b) of Sec.  2.31 
(Expired, deficient, or false consent) and

[[Page 12554]]

redesignates the content of paragraph (b) as a new paragraph (c). 
Additionally, the final rule adds a new paragraph (b) to require 
separate consent for the use and disclosure of SUD counseling notes, 
and a new paragraph (d) to require a separate consent for use and 
disclosure of records in civil, criminal, administrative, or 
legislative proceedings.
Section 2.32--Notice and Copy of Consent To Accompany Disclosure
Heading of Section
Proposed Rule
    The Department proposed to change the heading of this section from 
``Prohibition on re-disclosure'' to ``Notice to accompany disclosure'' 
because Sec.  2.32 is wholly a notice requirement, while other 
provisions (Sec.  2.12(d)) prohibit recipients of part 2 records from 
redisclosing the records without obtaining a separate written patient 
consent. To ensure that recipients of part 2 records comply with the 
prohibition at Sec.  2.12(d), Sec.  2.32(a) requires that part 2 
programs attach a notice whenever part 2 records are disclosed with 
patient consent, notifying the recipient of the prohibition on 
redisclosure and of the prohibition on use of the records in civil, 
criminal, administrative, and legislative proceedings against the 
patient.
Comments
    We received no comments on the proposed change to the heading of 
this section.
Final Rule
    The final rule is adopting the language of the proposed heading 
with a further modification to take into account the new paragraph (b) 
that we are adding, as discussed below. The new heading reads, ``Notice 
and copy of consent to accompany disclosure.''
Expanded Notice of Prohibited Uses and Disclosures
Proposed Rule
    The Department proposed to modify paragraph (a)(1) of Sec.  2.32 to 
reflect the expanded prohibition on use and disclosure of part 2 
records in certain proceedings against the patient, which includes 
testimony that relays information in a part 2 record and the use or 
disclosure of such records or testimony in civil, criminal, 
administrative, and legislative proceedings, absent consent or a court 
order.
    In addition, the proposed language of the notice listed exceptions 
to the general rule prohibiting further use or disclosure of the part 2 
records by recipients of such records, which would allow covered 
entities, business associates, and part 2 programs who receive part 2 
records for TPO based on a patient's consent to redisclose the records 
as permitted by the HIPAA Privacy Rule. This exception also would apply 
to entities that received part 2 records from a covered entity or 
business associate under the HIPAA Privacy Rule disclosure permissions, 
although the legal proceedings prohibition would still apply to covered 
entities and business associates that receive these part 2 records. The 
Department stated that these changes are necessary to conform Sec.  
2.32 with 42 U.S.C. 290dd-2(b)(1)(B), as amended by section 3221(b) of 
the CARES Act, and proposed a statement in paragraph (a)(1) as follows:

    This record which has been disclosed to you is protected by 
Federal confidentiality rules (42 CFR part 2). These rules prohibit 
you from using or disclosing this record, or testimony that 
describes the information contained in this record, in any civil, 
criminal, administrative, or legislative proceedings by any Federal, 
State, or local authority, against the patient, unless authorized by 
the consent of the patient, except as provided at 42 CFR 2.12(c)(5) 
or as authorized by a court in accordance with 42 CFR 2.64 or 2.65. 
In addition, the Federal rules prohibit you from making any other 
use or disclosure of this record unless at least one of the 
following applies:
     Further use or disclosure is expressly permitted by the 
written consent of the individual whose information is being 
disclosed in this record or is otherwise permitted by 42 CFR part 2;
     You are a covered entity or business associate and have 
received the record for treatment, payment, or health care 
operations as defined in this part; or
     You have received the record from a covered entity or 
business associate as permitted by 45 CFR part 164, subparts A and 
E.
Comment
    An individual commenter asserted that disclosures made by a part 2 
program to a covered entity or a business associate for TPO and 
redisclosures made by a covered entity or business associate in 
accordance with the HIPAA regulations should not require a notice 
accompanying the disclosure as set out in Sec.  2.32 of the proposed 
revisions.
    The commenter stated that under the CARES Act, with the prior 
written consent of the patient, the contents of a part 2 program record 
may be used or disclosed by a covered entity, business associate, or 
program for TPO as permitted by the HIPAA regulations. Further, once 
disclosed to a covered entity or business associate, the CARES Act 
provides that the information so disclosed may be redisclosed in 
accordance with the HIPAA regulations. The requirement of an 
accompanying written notice for each disclosure imposes a hurdle to the 
electronic exchange of information though a HIE and is not required 
under 42 U.S.C. 290dd-2. The commenter suggested that the provisions of 
42 U.S.C. 290dd-2(c) operate independently and refer to uses and 
disclosures in proceedings rather than uses and disclosures by covered 
entities or business associates. Thus, the prohibition can be enforced 
independently by the patient in the course of any such proceeding. To 
the extent that an accompanying notice is determined to be necessary, 
it should be permissible to reference the provisions of 42 U.S.C. 
290dd-2(c) in contractual agreements between the program, covered 
entities, and business associates rather than requiring that a notice 
accompany each disclosure.
    An HIE described its reliance on contractual requirements in its 
agreements with data providers to ensure that it is notified of any 
limitations on its ability to share data prior to receiving that data. 
That practice will continue in response to the proposed changes 
contained in the NPRM. The commenter said that if the final rule 
includes a requirement for part 2 programs to notify data recipients, 
that requirement should be that they notify recipients when data is not 
received pursuant to a global consent for TPO, and that the operating 
assumption of parties receiving all forms of health data should be that 
it can be used consistently with the requirements of HIPAA and any 
relevant state laws or express contractual limitations.
Response
    The notice does not establish a limitation on redisclosure but 
rather is intended to align the content of Sec.  2.32 (Notice to 
accompany disclosure) with the requirements of 42 U.S.C. 290dd-2(b), as 
amended by the CARES Act.
    As the Department noted in its 2010 HIE guidance and regulations, 
this notice was intended to inform downstream record recipients of part 
2 and restrictions on redisclosure.\277\ The notice as we have 
finalized it in this rule, like the existing notice, continues to 
inform record recipients that the information they receive may not be

[[Page 12555]]

used in legal proceedings absent patient consent or a court order. We 
believe that the notice remains applicable to redisclosures by part 2 
programs, covered entities, and business associates to operationalize 
the continuing prohibition on use and disclosure of part 2 records in 
proceedings against the patient, which applies to redisclosures by 
recipients under Sec.  2.12(d).
---------------------------------------------------------------------------

    \277\ 83 FR 239, 241; See ``Frequently Asked Questions: Applying 
the Substance Abuse Confidentiality Regulations to Health 
Information Exchange (HIE),'' supra note 150.
---------------------------------------------------------------------------

    Also, consistent with 42 U.S.C. 290dd-2 and previous part 2 final 
rules, this final rule states in Sec.  2.33 that ``[w]hen disclosed for 
treatment, payment, and health care operations activities [. . .] to a 
covered entity or business associate, the recipient may further use or 
disclose those records as permitted by 45 CFR part 164, except for uses 
and disclosures for civil, criminal, administrative, and legislative 
proceedings against the patient.''
    Simply citing 42 U.S.C. 290dd-2(c) in contractual agreements 
between the program, covered entities, and business associates rather 
than providing a notice to accompany each disclosure also is 
insufficient because this approach would fail to convey to the 
recipient of part 2 records essential information provided in the 
Notice to Accompany Disclosure under Sec.  2.32 as finalized in this 
rule. However, business associate or other contractual agreements may 
refer to these provisions. Additionally, part 2 programs do not 
necessarily have contractual agreements with every recipient of records 
for uses and disclosures for TPO.
    The text of 42 U.S.C. 290dd-2, as amended by the CARES Act, 
continues to emphasize limitations on use of part 2 records in civil, 
criminal, administrative, and legislative proceedings absent patient 
consent or a court order. Consistent with the statute and congressional 
intent reflected in the CARES Act, limitations on sharing information 
in proceedings within part 2 as finalized also remain distinct and more 
restrictive than analogous provisions within the HIPAA Privacy 
Rule.\278\
---------------------------------------------------------------------------

    \278\ See U.S. Dep't of Health and Human Servs., ``Court Orders 
and Subpoenas'' (Nov. 2, 2020), https://www.hhs.gov/hipaa/for-individuals/court-orders-subpoenas/index.html.
---------------------------------------------------------------------------

Comment
    A commenter opined that the notice prohibiting redisclosure, which 
accompanies records disclosed with patient consent, should clearly 
identify whether the records are subject to the new redisclosure 
permissions or still protected by part 2.
Response
    We believe this comment assumes a false dichotomy--that records are 
either subject to redisclosure or protected by part 2. Records that may 
be redisclosed according to the HIPAA standards--those for which a TPO 
consent was obtained--are still protected by the part 2 prohibition on 
use and disclosure in proceedings against the patient, absent consent 
or a court order under this part. However, assuming that the commenter 
is questioning how the recipient would identify records that are 
disclosed under a single consent for all TPO versus those that are 
disclosed under a more limited consent, we are finalizing an additional 
modification in Sec.  2.32(b) to require that ``[e]ach disclosure made 
with the patient's written consent must be accompanied by a copy of the 
consent or a clear explanation of the scope of the consent provided.'' 
We believe this will provide the information recipients of records need 
to understand the redisclosure permissions that may be available.
Comment
    A few medical professionals' associations and other commenters said 
that retaining the Notice to Accompany Disclosure requirement means 
that the need to identify, segment, and segregate the data will persist 
to append the notice with each disclosure. One association requested 
that the Department exclude covered entities from this requirement.
Response
    We do not believe that the notice requirement in Sec.  2.32 is what 
may prompt segmentation of records or segregation of part 2 data. The 
continuing prohibition in Sec.  2.12(d) on a recipient's use or 
disclosure of records in legal proceedings must be effectively 
operationalized, and it is unclear how that can be accomplished unless 
the recipient is aware that the records are subject to the prohibition. 
We believe this can be accomplished within an electronic health 
exchange environment, and we are finalizing additional modifications to 
Sec.  2.12(d)(2)(i)(C) to expressly state that ``[a] part 2 program, 
covered entity, or business associate that receives records based on a 
single consent for all treatment, payment, and health care operations 
is not required to segregate or segment such records.'' We believe 
health IT vendors are capable of updating or creating systems that 
manage consent, revocation, and other limitations on disclosure and 
redisclosure so long as the users of the system have current knowledge 
of the type of data and the limitations on its use and disclosure. The 
final rule neither requires nor prohibits segregation of records or 
segmentation of data to accomplish these tasks. The short form of the 
notice has not changed and was created for use in an electronic health 
information exchange environment. We further recognize that the notice 
is required only for disclosures made with consent, and thus the notice 
would not be required for redisclosures as permitted by HIPAA for TPO 
or other permitted purposes when the initial disclosure was based on a 
TPO consent.
Comment
    Some commenters supported proposed changes in whole or part and 
other commenters opposed or expressed mixed views of proposed changes.
    A health care provider supported the proposed heading 
clarification, and further clarification of redisclosure rights for TPO 
by covered entities, business associates and part 2 programs as allowed 
by the HIPAA Privacy Rule. A health insurer supported aligning notices 
to accompany disclosures with the HIPAA Privacy Rule, particularly 
adding exceptions for the prohibition on use or disclosure of part 2 
records for TPO. A few health information associations supported the 
Department's proposal to include a Notice to Accompany Disclosure of 
records to instruct an organization of their ability to redisclose this 
information at the direction of the patient. A health system commenter 
said that it includes a disclosure statement on all records it 
releases. Therefore, it supported a Notice to Accompany Disclosure of 
part 2 records. However, the commenter recommended that the disclosure 
statement apply to all disclosures, including for TPO, stating that 
this would minimize time and operational burden of determining which 
records would require the disclosure statement.
Response
    We appreciate the comments.
Comment
    A health plan and at least a few associations recommended that the 
Notice to Accompany Disclosures be eliminated. A couple of commenters 
stated that retaining the notice to accompany the disclosure 
requirement will ensure that certain protections for part 2 records 
continue to ``follow the record,'' as compared to HIPAA, whereby 
protections are limited to PHI held by a covered entity or business 
associate. A few commenters stated that

[[Page 12556]]

this Notice means that the need to identify, segment, and segregate the 
data will persist to append the notice with each disclosure. And a few 
commenters requested that the Department eliminate this notice to align 
with HIPAA. At a minimum, the Department should excuse covered entity 
and business associate recipients of the part 2 records from the notice 
requirement, according to one commenter.
    A few HIEs suggested that the Sec.  2.32 notice requirement has 
been difficult to implement in electronic systems and across electronic 
networks in part because it requires the part 2 data to be treated and 
maintained differently than the rest of the clinical record. The 
commenters also suggested that it may also be legally impermissible 
under the CARES Act amendments, which mandate that once a patient's TPO 
consent is obtained, the disclosed part 2 record may be redisclosed in 
accordance with HIPAA and HIPAA does not require use of a prohibition 
on redisclosure notice.
    Continuing to require the notice, according to these commenters, 
may effectively require the continued downstream identification, 
segmentation, and segregation of part 2 records, because segmentation/
segregation will be necessary to properly apply, transmit, and display 
the notice in an electronic environment. Even though the Department 
emphasizes that the Notice to Accompany Disclosure is not a consent 
requirement (that is, it is not necessary for there to be a valid 
disclosure), these commenters believed that it was still a legal 
requirement that would carry stringent penalties under the HIPAA 
enforcement structure. Thus, requiring the notice would perpetuate the 
same barriers to SUD data sharing that the CARES Act amendment's 
changes were intended to eliminate.
Response
    We appreciate input from these commenters, including concerns about 
continued segmentation of part 2 records that may result from providing 
the required notice. The introductory sentence of paragraph (a) of 
Sec.  2.32 applies to each disclosure made with the patient's written 
consent, which includes the TPO consent finalized in this rule. We do 
not intend for this requirement to impede the integration of part 2 
records with other PHI and have expressly removed any requirement to 
segregate or segment such records in this final rule at Sec.  
2.12(d)(2)(i)(C). Additionally, we believe the notice remains necessary 
to operationalize the continuing prohibition on redisclosures for use 
in civil, criminal, administrative, and legislative proceedings against 
the patient, absent written consent or a court order under this part. 
We also believe that Congress attempted to balance permitting multiple 
redisclosures under a TPO consent for programs, covered entities, and 
business associates who are recipients of part 2 records and retaining 
the core patient protection against use of the records in proceedings 
against the patient. Congress could have amended part 2 to strike 
entirely the regulatory Notice to Accompany Disclosure or removed the 
consent requirement for disclosures to programs, covered entities, and 
business associates, but it did not do so; instead, Congress mandated a 
modified version of consent. Therefore, we interpret the existing 
requirement of a notice that accompanies each disclosure to apply to 
disclosures under a TPO consent in the same manner as for other 
disclosures with consent.
Comment
    A commenter asserted that the proposed Notice to Accompany 
Disclosure language might confuse both patients and part 2 program 
recipients because it uses legalese and confusingly requires provision 
of the notice while simultaneously notifying covered entity and 
business associate recipients (and their downstream recipients) that 
they are not subject to part 2's use and disclosure restrictions. The 
commenter stated that proposed Sec.  2.32 was silent regarding 
``intermediaries,'' which also seemingly conflicted with the part 2 
consent form elements that restrict redisclosures by covered entities 
and business associate that function as ``intermediaries'' to only 
named member participants or participants that have a ``treating 
provider relationship'' with the patient. For these reasons, the 
commenter encouraged the Department to remove the notice requirement 
under this section or, at the least, not to require it for 
redisclosures made by covered entities and business associates 
(including those that operate as ``intermediaries'') and their 
downstream recipients pursuant to a patient's TPO consent.
Response
    We appreciate input from these commenters and agree that the 
language of paragraph (a)(1) is more detailed and involved than 
paragraph (a)(2) but provide it as an option for programs that would 
find a complete explanation more useful and that are providing a paper 
copy of the notice. Providing the short form of the notice in paragraph 
(a)(2) is permitted. Thus, any program that prefers to do so may 
continue to use the language of the abbreviated notice in paragraph 
(a)(2) rather than paragraph (a)(1). The shorter notice in paragraph 
(a)(2) states simply that ``42 CFR part 2 prohibits unauthorized use or 
disclosure of these records,'' and should be readily understandable to 
recipients. The longer notice in paragraph (a)(1) further aligns with 
HIPAA. Both notices are consistent with a 2017 NPRM \279\ discussion 
and requirements that have been in place since 2018 \280\ (for the 
abbreviated notice). The requirement added in paragraph (b) of this 
section that ``[e]ach disclosure made with the patient's written 
consent must be accompanied by a copy of the consent or a clear 
explanation of the scope of the consent provided'' also should help 
clarify to recipients when records are subject to part 2 because it 
would indicate that SUD treatment records are being disclosed.
---------------------------------------------------------------------------

    \279\ 82 FR 5485, 5487.
    \280\ 83 FR 239, 240.
---------------------------------------------------------------------------

    We disagree with the commenter's interpretation that paragraph 
(a)(1) notifies ``covered entity and business associate recipients (and 
their downstream recipients) that they are not subject to part 2's use 
and disclosure restrictions'' because the paragraph (a)(1) explicitly 
prohibits the recipient from using or disclosing the record in any 
civil, criminal, administrative, or legislative proceedings against the 
patient, absent consent or a court order.
    With respect to the role of intermediaries, addressed in Sec. Sec.  
2.11 and 2.24, we have excluded programs, covered entities, and 
business associates from the definition of intermediary in this final 
rule. This relieves HIEs that are business associates from the 
requirements for intermediaries; however, all HIEs that receive part 2 
records with consent (whether they are intermediaries or business 
associates) would need to provide the notice to accompany disclosure 
when redisclosing such records with consent.
Comment
    Commenters urged OCR and SAMHSA to engage technology companies and 
intermediaries most likely involved in these types of disclosures and 
the accompanying notices to understand the feasibilities and technical 
capacities in current technology. As the health system moves away from 
paper and the transmission of paper through processes like fax 
machines, having the technical capabilities in place for providers to 
move this information with the record is crucial, the commenter 
believed.

[[Page 12557]]

Engaging the organizations that govern this work will give OCR and 
SAMHSA a clearer picture of understanding related to the ability for an 
accompanying notice of disclosure to be included with a part 2 record 
and consent form.
Response
    We acknowledge the commenter's concerns about EHRs and the need to 
ensure they have the capabilities necessary to transmit information 
about prohibited uses and disclosures and the scope of consent on which 
a disclosure is based. ONC, OCR, SAMHSA, and other Federal partners are 
collaborating to support EHRs and health IT within the behavioral 
health sector.\281\ We also may provide additional guidance on this 
section after the rule is finalized.
---------------------------------------------------------------------------

    \281\ See ``Behavioral Health,'' supra note 133.
---------------------------------------------------------------------------

Comment
    A commenter said that one concern they had with including a Notice 
to Accompany Disclosure on every patient record that is being 
redisclosed is the ability of EHR systems to ingest that information. 
The commenter explained that a v2x HL7 ADT message (or for that matter 
a lab message) does not include this type of language.\282\
---------------------------------------------------------------------------

    \282\ Note Health Level 7 is discussed in ONC guidance at 
https://www.healthit.gov/topic/standards-technology/standards/fhir-fact-sheets. ADT is a reference to admit, discharge, transfer.
---------------------------------------------------------------------------

    The commenter suggested that even if an HL7 message could be 
created with the information, it is unclear that receiving systems are 
currently able to populate the field in the ADT message or will be able 
to consume the message. The commenter is not aware of any designated 
spot for that type of language on any interstate event notification 
specification. Therefore, if a hospital wanted to share an admission or 
discharge notice for a patient admitted to a substance use unit, they 
couldn't easily include the language in the notification. Even if the 
sending part 2 program could transmit the message, the downstream 
receiver may not be able to receive it.
    The commenter suggested that it would be possible to put a 
confidentiality/protection flag on an ADT message--but not general 
language like the notice to accompany disclosure language.
Response
    We have previously noted that EHR systems are beyond the scope of 
this rulemaking. However, the abbreviated notice in Sec.  2.32(a)(2) is 
intended to support use of EHRs, and the abbreviated notice remains a 
valid option. ONC, SAMHSA, and OCR continue to work to support EHR 
implementation and may provide guidance on these issues after this rule 
is finalized.
Comment
    An academic medical center said that it saw no value in adding the 
language regarding redisclosure to part 2 records and believed that 
recipients of these notices were not familiar with part 2 restrictions. 
The commenter stated that it is able to affix stamps on records that 
are being disclosed but from a practical perspective does not believe 
the stamp is value added. Recipients may not know what a part 2 program 
is. The commenter has other patients throughout the medical center that 
are not being discharged from part 2 program that also have been or are 
being treated for SUD conditions and receive medications specific to 
SUDs.
Response
    We appreciate the commenter's perspective on patients' and 
recipients' lack of understanding about part 2 protections. We hope 
that the revised Patient Notice will improve part 2 patients' 
understanding of their confidentiality rights under part 2 which should 
also enhance their appreciation for the prohibition on redisclosure in 
proceedings against patients. As explained in this rule, we continue to 
believe that the Notice to Accompany Disclosures under Sec.  2.32 
provides important protections to part 2 patients, and the lack of 
these protections for other patients is not a justification for 
reducing or removing protections for part 2 patients. As stated in the 
2017 final rule, part 2 does not apply to health information unrelated 
to SUDs, such as patient treatment for unrelated medical 
conditions.\283\
---------------------------------------------------------------------------

    \283\ 82 FR 6052, 6089.
---------------------------------------------------------------------------

Comment
    A SUD provider and a health plan requested clarification about the 
applicability of the notice requirement to recipients who redisclose 
records, including whether the requirement for the Notice to Accompany 
Disclosure applies only to part 2 programs, or whether it also applies 
to covered entities, business associates, and intermediaries that might 
receive and redisclose the patient's PHI. The commenters asked, 
collectively, whether an HIE, covered entity, and business associate 
must attach the notice on part 2 records being redisclosed in 
accordance with the HIPAA privacy regulations, such as in paragraph 
(a)(2): ``42 CFR part 2 prohibits unauthorized use or disclosure of 
these records.''
Response
    The existing introductory language of paragraph (a) applies the 
notice requirement to ``[e]ach disclosure made with the patient's 
written consent.'' \284\ The abbreviated notice under paragraph (a)(2) 
was primarily intended to support EHR systems. As the Department 
explained in 2018, ``SAMHSA has adopted an abbreviated notice that is 
80 characters long to fit in standard free-text space within health 
care electronic systems.'' \285\ Though the notice under paragraph 
(a)(2) has been modified in this final rule to include the word 
``use,'' it remains largely as adopted in 2018. At that time the 
Department also said that it ``encourages part 2 programs and other 
lawful holders using the abbreviated notice to discuss the requirements 
with those to whom they disclose patient identifying information.'' 
\286\ An HIE may elect to use the abbreviated notice under paragraph 
(a)(2) or can choose to use one of the notices permitted under 
paragraph (a)(1). Covered entities and business associates are 
referenced in Sec.  2.32(a)(1).
---------------------------------------------------------------------------

    \284\ 52 FR 21796, 21810.
    \285\ 83 FR 239, 240.
    \286\ 83 FR 239, 240.
---------------------------------------------------------------------------

Comment
    An HIE urged the Department to include language that will resonate 
with the patient as opposed to those in the health care space. The 
commenter stated that in the NPRM, the Department proposed to require 
the consent form to notify the patient about how covered entities and 
business associate recipients may use and redisclose information as 
permitted by HIPAA. The commenter expressed concern that this was 
problematic for two reasons. First, this is not an existing requirement 
under HIPAA and the objective of the rule is to align part 2 with 
HIPAA. Second, the terms covered entity and business associate are not 
terms some patients may be aware of. To include this requirement, 
according to the commenter, could introduce legalese in the patient-
facing workflow and be contrary to calls to improve the rule's utility 
for patients. The commenter asked the Department to use standard 
language required under HIPAA that notifies individuals that not all 
recipients are subject to the same laws.

[[Page 12558]]

Response
    We appreciate input from these commenters and acknowledge the 
concerns they express. But we disagree that the Notice to Accompany 
Disclosure will confuse patients. First, we anticipate that most 
recipients of these notices will be health professionals or staff such 
as those working for part 2 programs, covered entities, and business 
associates rather than patients themselves. Second, the provisions of 
this rule, including Sec. Sec.  2.22, 2.31, and 2.32 are consistent 
with the provisions of the HIPAA Privacy Rule as explained above. 
However, even with this rule and additional alignment with HIPAA 
fostered by the CARES Act some part 2 provisions remain distinct from 
requirements in HIPAA. Likewise, while part 2 consent forms under Sec.  
2.31 must include specified required elements for written consent there 
is no requirement these forms use such terms as ``covered entity'' or 
``business associate.'' As noted above, we may provide additional 
guidance or template notices or model forms to help clarify 
requirements of this final rule. Finally, the abbreviated notice in 
Sec.  2.32(a)(2) is especially brief and easy to understand, although 
we believe the lengthier notice in paragraph (a)(1) is fairly easy to 
understand as well.
Comment
    A health plan recommended that the Department clarify that these 
redisclosures do not need to be included in an accounting of 
disclosures under Sec.  2.25. Requiring a notice to accompany 
redisclosures would run counter to the general exemption of TPO 
disclosures under HIPAA's accounting provisions.
Response
    With respect to the right to an accounting of redisclosures, the 
applicability of Sec.  2.25 would depend on the status of the 
recipient. For example, a covered entity or business associate would be 
subject to 45 CFR 164.528 for redisclosures. A part 2 program that 
rediscloses records received from another part 2 program would be 
subject to Sec.  2.25 for such redisclosures that fall within the scope 
of Sec.  2.25 in the same manner as for disclosures. The accounting of 
disclosures requirements under Sec.  2.25 do not distinguish between 
disclosures and redisclosures, but focus on whether a disclosure is 
made with consent and the purpose of the disclosure or redisclosure. 
The Sec.  2.25 requirements are distinct from the required notices to 
accompany disclosures under Sec.  2.32. Therefore, the accounting of 
disclosures under Sec.  2.25 would not need to include a separate and 
distinct list of redisclosures accompanied by a notice under Sec.  
2.32.
Comment
    A commenter recommended that HHS move proposed item (iv) of the 
statement in Sec.  2.32(a)(1) to the main text of the statement, so 
that it does not appear to be one of the exceptions following items 
(i), (ii), and (iii) of the statement. The commenter also suggested 
revised language for these provisions.
Response
    We retain in the statement in Sec.  2.32(a)(1) the following 
notification: ``[a] general authorization for the release of medical or 
other information is NOT sufficient to meet the required elements of 
written consent to further use or redisclose the record (see 42 CFR 
2.31).'' We have moved this information to the main text which is 
consistent with the commenter's suggestion.
Comment
    An advocacy group opined that proposed changes to this section will 
cause confusion. The commenter said that at this time all recipients of 
records are subject to the same redisclosure prohibition: they may only 
use or disclose the records with patient consent, pursuant to a court 
order, or subject to one of the other limited exceptions in part 2 that 
apply to lawful holders. However, according to this commenter, this 
rulemaking introduces a new standard for some recipients who receive 
records pursuant to a TPO consent: these recipients may redisclose 
records pursuant to the HIPAA Privacy Rule, except if the records will 
be used against the patient in a legal proceeding. A recipient of part 
2 records, however, will have no way of knowing which redisclosure 
standard applies to the records they receive: the standard part 2 
redisclosure prohibition, described in proposed item (i) in the 
statement in Sec.  2.32(a)(1), or redisclosures as permitted by the 
HIPAA Privacy Rule except for legal proceedings against the patient, 
described in proposed item (ii) in the statement in Sec.  2.32(a)(1).
Response
    We appreciate the comment and agree that with the additional 
changes to consent in Sec. Sec.  2.31 and 2.33, the Notice to Accompany 
Disclosure is insufficient to provide needed information to the 
recipient about the scope of consent that pertains to the disclosed 
records. To address this issue, we are also finalizing a new provision 
in paragraph (b) of this section to require each disclosure made with 
the patient's written consent to be accompanied by a copy of the 
consent or a clear explanation of the scope of the consent provided, as 
discussed below.
Comment
    A medical professionals association said that we should require 
part 2 programs to give health care providers adequate written notice 
well in advance of sharing any part 2 record, clearly explaining that 
such records are subject to additional Federal confidentiality 
regulations and include clear guidance for non-part 2 providers to 
understand their obligations and options concerning such records once 
received.
Response
    We believe that Sec.  2.32(a) as finalized clearly notifies the 
recipient of redisclosed records whether the records are subject to 
part 2. The new requirement in paragraph (b) of this section, discussed 
below, will provide additional information to recipients about the 
scope of the consent that applies.
Final Rule
    The final rule adopts the proposed language of Sec.  2.32(a) 
without further substantive modification, and finalizes proposed item 
(i) of the statement in Sec.  2.32(a)(1) as part of the statement in 
Sec.  2.32(a)(1).
Copy of Consent To Accompany Disclosure
Request for Comment
    Although we did not propose requirements for consent management, we 
requested comment throughout the NPRM on how proposed changes to 
consent, revocation, and requests for restrictions could be 
implemented, the experience of entities that have already 
operationalized aspects of the proposed changes, potential unforeseen 
negative consequences from new or changed requirements, and data 
relating to any of these.
Overview of Comments
    We received many comments addressing cross-cutting issues involving 
data segmentation and segregation of records, use of HIEs for exchange 
of ePHI and part 2 records, how to track consent and consent 
revocation, and how to operationalize patients' requests for 
restrictions on disclosures for TPO. We have responded to these 
comments throughout the preamble to the final rule in relation to 
applicable regulatory provisions, and here we respond to comments that 
pertain to tracking consent (which is

[[Page 12559]]

required in Sec. Sec.  2.31 and 2.33), both global (i.e., TPO consent) 
and granular (for a specific use and disclosure). Of the commenters 
that addressed whether the rule should require a copy of consent to be 
attached with each disclosure of records, a majority opposed such a 
requirement, several supported it, and a few responded with other 
viewpoints. A mix of professional associations, SUD providers, and 
advocacy organizations provided views on both sides of the question; 
however, all health plans, health IT vendors, and HIE/HIN organizations 
that weighed in opposed the idea and all government entities that 
voiced an opinion supported providing a copy of the consent.
Comment
    A medical professionals association urged the Department to ensure 
that, going forward, patient information will be tagged and limited to 
the purpose of TPO. The agencies can incentivize compliance with these 
goals through enforcement actions and penalties for noncompliance. The 
commenter believes that technology can assist physicians with 
increasing the flow of information while maintaining privacy and a 
patient's consent. To do so, information should be tagged to identify 
where the information originated, for what purposes it can be 
disclosed, and to whom. Another medical professionals' association 
asked the Department to facilitate collaboration with ONC and health IT 
vendors to develop technical standards and feasible certification 
criteria to identify, tag, segregate, and remove specific data based on 
type of care, provider, and patient consent. The commenter also stated 
that HHS should provide incentives and support to clinicians, 
practices, and EHR vendors--particularly those designed for specialty 
settings or small practices--in designing and adopting health IT that 
meets these objectives. A provider health system believed that even if 
HIPAA and part 2 records are treated as PHI for most of the situations, 
there will still be the need to identify part 2 records due to any 
directed restrictions and the legal proceedings prohibition. This could 
become further complicated as part 2 records and PHI are intermingled. 
While the provider health system supported alignment of HIPAA and part 
2, it requested the Department provide guidance about how records will 
be denoted and differentiated to ensure compliance.
Response
    We appreciate input from these commenters, including suggestions to 
tag or segregate part 2 records. We acknowledge concerns about data 
segmentation and address it further in the discussion of Sec.  2.12. 
The continuing prohibition in Sec.  2.12(d) on a recipient's use or 
disclosure of records in legal proceedings must be effectively 
operationalized, and it is unclear how that can be accomplished unless 
the recipient is aware that the records are subject to the prohibition. 
Although the Department may provide further guidance in relation to 
data segmentation, tagging, or tracking, we are not requiring specific 
technology or software solutions.
Comment
    A trade association suggested that HHS is maintaining separate 
underlying regulatory structures for SUD patient records and all other 
patient data, meaning EHR vendors will need to distinguish between the 
two types of records. Some SUD patients may not provide consent or 
revoke their consent throughout the course of their treatment, meaning 
their record will need to be flagged differently. This is a significant 
health IT challenge that is not addressed in the NPRM. The commenter 
stated that HHS should ensure that there is ample time and resources 
for health IT vendors to update their capabilities and adapt to the 
evolving operational needs of health care providers.
    An academic medical center suggested that information about the 
scope of consent be included in the notice that is required to 
accompany disclosures of part 2 records and that this would be the 
simplest way to communicate the patient's intent and have that intent 
stay with the actual records downstream.
    A health IT vendor recommended that the Department explore further 
how revocation becomes known, and if it means that the HIE must 
directly record the status of a revocation (and how this is done) or if 
the HIE relies on some kind of ``polling'' of the part 2 program to 
ascertain if a valid consent remains effective by interrogating the 
part 2 program electronically for whether a valid consent exists or if 
an applicable consent has been revoked. In the end, a revocation needs 
to not only limit future disclosures but also limit disclosures of any 
part 2 records an HIE already may possess should they store patient 
records.
    Among others, a health IT vendor, a health care provider, and a 
health insurer believed that part 2 programs should not be required to 
provide a copy of the written patient consent when disclosing records. 
They believe the notice to accompany disclosures already required under 
the Sec.  2.32 is sufficient to alert the recipient of potential 
restrictions regarding redisclosure and the requirement would not align 
with disclosures for TPO under HIPAA. A health insurer suggested that 
allowing a part 2 program to retain the consent for future auditing and 
use or disclosure needs is sufficient and also helps to share only the 
minimum necessary PHI. If the Department were to also require provision 
of the written consent authorizing the disclosure, it would place an 
unnecessary administrative burden on both the part 2 program and the 
recipient of records. Even more problematic, such a requirement would 
create a corresponding duty for the recipient of records to evaluate 
the legal sufficiency of the consent related to the part 2 program's 
disclosure. The recipient of records should not be placed in the 
position of identifying and correcting errors in a part 2 program's 
disclosure, or assuming any potential downstream liabilities that may 
result.
    An insurance association supported the use of electronic processes 
whenever feasible. In addition, to reduce the burden on part 2 programs 
and to ensure that HIPAA entities can act promptly on part 2 data, the 
association asked that the Department clarify in final regulations that 
HIPAA entities that receive part 2 data may accept that the data was 
disclosed pursuant to a TPO consent unless otherwise notified in 
writing. This is particularly important in industries such as pharmacy 
benefits management, where data is transmitted in huge volumes in real 
time, and there is no consistent mechanism currently available to 
``flag'' certain records as containing part 2 data, nor explain the 
legal basis on which the data were disclosed.
Response
    We acknowledge commenter concerns about how to manage consent and 
any limitations on consent within EHRs and through HIEs and the 
disadvantages of segmenting data and segregating records. Although we 
are finalizing a modification to Sec.  2.12 to expressly state that 
``[a] program, covered entity, or business associate that receives 
records based on a single consent for all treatment, payment, and 
health care operations is not required to segregate or segment such 
records[,]'' some means to ensure that records are used and disclosed 
according to the scope of the

[[Page 12560]]

consent will be needed. Thus, we look to the consent provided by the 
patient and the existing requirement to attach a Notice to Accompany 
Disclosure as solutions and are adding a new requirement in Sec.  
2.32(b) to require that a copy of the consent be attached to each 
disclosure for which consent is required. The attached consent may be 
combined with the required Notice to Accompany Disclosure in Sec.  
2.32(a). This will significantly reduce any administrative burdens 
associated with the new requirement.
    We are finalizing a new requirement in this section to require that 
each disclosure made with the patient's written consent must be 
accompanied by a copy of the consent or a clear explanation of the 
scope of the consent provided. We believe that by putting in regulatory 
text that the consent must accompany the disclosure or provide a clear 
description of the scope of the consent, the recipient will be able to 
accurately use and disclose the part 2 records as the patient intended. 
Additionally, where feasible, part 2 programs should convey to 
recipients when a consent has been revoked to ensure that only 
consented information is exchanged. Combining a copy of the consent 
with the required Notice to Accompany Disclosures in Sec.  2.32 is one 
way this requirement may be implemented, though it is not the only 
potential approach to tracking consent, redisclosure and revocation of 
consent. Both paragraphs (a) and (b) of this section address concerns 
about ensuring recipients of records understand whether or not the 
records are subject to part 2.
    We acknowledge that there are technical challenges associated with 
complying concurrently with HIPAA and part 2 and that time and 
resources are needed to update technical and procedural capabilities. 
The recommendation for recipients to assume TPO consent has been 
provided unless otherwise notified in writing does not address how 
recipients other than programs, covered entities, and business 
associates would learn about this assumption. Nor does this 
recommendation address how a program (i.e., a discloser) would know in 
advance whether a recipient is a program, covered entity, or business 
associate to whom the TPO consent assumption applies. We evaluated this 
recommendation, but are concerned that the negative requirement (e.g., 
not to provide consent unless it is other than for TPO) places undue 
burden on the disclosing program to decide when and when not to attach 
a copy of the consent.
    We believe the concern that receipt of notice may transfer 
liability for improper disclosures from the part 2 program to the 
recipient is misplaced. However, the recipient incurs an obligation for 
complying with part 2 requirements that apply to them, namely, the 
prohibition on use or disclosure of the records for use in proceedings 
against the patient, absent consent or a court order under this part.
Comment
    Regarding intermediaries and tracking consent, an HIE association 
suggested that part 2 providers may need to include in the consent form 
a place for patients to indicate whether they provide consent for 
disclosure to the intermediary. For additional information on how an 
intermediary would accept or track patient consent for data 
redisclosure, the commenter recommended OCR and SAMHSA consult 
nationwide HINs, as well as ONC, to understand how current state HINs 
and the TEFCA could impact this landscape.
Response
    We appreciate the comment and the reference to TEFCA. As discussed 
above in relation to Sec.  2.31 (Consent requirements), a consent to 
disclose records via an intermediary must contain a general designation 
as well as additional information about the recipient(s). Thus, we 
believe the final rule provides for the consent form to have space for 
an intermediary to be named as the commenter suggests. We note, 
however, that we are excluding business associates from the final rule 
definition of ``intermediary,'' thus HIE business associates will not 
be subject to the intermediary consent requirements. Instead, HIEs that 
are business associates will fall within the requirements for a general 
designation for the TPO consent which does not require specifically 
consenting to use of an HIE. We received many informative public 
comments from HIEs/HINs with respect to consent (and revocation) 
management and will continue to consult with our partner agencies 
within the Department. OCR, SAMHSA, and others are collaborating to 
support participation by behavioral health entities in health IT and 
EHRs, including TEFCA.
Final Rule
    This final rule adopts further modifications in Sec.  2.32 by 
adding a new paragraph (b) providing that each disclosure made with the 
patient's written consent must be accompanied by a copy of the consent 
or a clear explanation of the scope of the consent provided.
Section 2.33--Uses and Disclosures Permitted With Written Consent
Proposed Rule
    Section 2.33 currently permits part 2 programs to disclose records 
in accordance with written patient consent in paragraph (a) and permits 
lawful holders, upon receipt of the records based on consent for 
payment or health care operations purposes, to redisclose such records 
to contractors and subcontractors for certain activities, such as those 
provided as examples in paragraph (b). The Department proposed 
substantial changes to paragraph (b) to apply the new consent structure 
in Sec.  2.31 for a single consent for all TPO by: applying HIPAA 
standards for uses and initial disclosures for TPO, creating two new 
categories of redisclosure permissions, and revising the existing 
redisclosure permission. This would align Sec.  2.33 with the statutory 
authority in 42 U.S.C. 290dd-2(b)(1), as amended by section 3221(b) of 
the CARES Act. The first change would permit part 2 programs, covered 
entities, and business associates that have obtained a TPO consent to 
use and disclose a part 2 record for TPO as allowed by HIPAA. With 
respect to redisclosures, proposed (b)(1) would permit part 2 programs, 
covered entities, and business associates that have received a part 2 
record with consent for TPO to redisclose the records as permitted by 
the HIPAA Privacy Rule, except for proceedings against a patient which 
require written consent or a court order. The second category, in 
proposed paragraph (b)(2), would permit part 2 programs that are not 
covered entities or business associates that have received a part 2 
record with consent for TPO to further use or disclose the records as 
permitted by the consent. The third category, in proposed paragraph 
(b)(3), would apply to lawful holders that are not business associates, 
covered entities, or part 2 programs and have received part 2 records 
with written consent for payment and health care operations purposes. 
This provision would permit the recipient to redisclose the records for 
uses and disclosures to its contractors, subcontractors, and legal 
representatives to carry out the intended purpose, also subject to the 
limitations of proposed subpart E of part 2 pertaining to legal 
proceedings. A lawful holder under this provision would not be 
permitted to redisclose part 2 records it receives for treatment 
purposes before obtaining an additional written consent from the 
patient.

[[Page 12561]]

    Paragraph (c) proposed to require lawful holders that are not 
covered entities or business associates and that receive records based 
on written consent to have contracts in place if they wish to 
redisclose the records to contractors and subcontractors. The 
Department proposed to exclude covered entities and business associates 
from the requirements of paragraph (c) because they are already subject 
to the HIPAA Privacy Rule requirements for business associate 
agreements.
Overview of Comments
    Most commenters on the single consent for all future TPO supported 
the proposal, and all but one of the supportive commenters represented 
organizations. Supportive organizations included several professional 
associations, health systems, and state or local governments. A few SUD 
providers also supported the proposal. The views expressed by these 
commenters in support of the proposal included the following:
    (a) reducing stigma of persons with SUD by integrating SUD 
treatment and SUD treatment records, respectively, with general health 
care and PHI;
    (b) reducing burdens on the health care system by aligning part 2 
requirements more closely with the HIPAA regulations; and
    (c) improving care coordination, continuity of care, and patient 
safety as a result of greater access to complete information to treat 
patients comprehensively and obtain services to support their recovery.
    As an example, a commenter asserted that the proposal may make it 
easier for the state Medicaid agency to gain input about barriers for 
patients receiving SUD services such as co-occurring medical or 
behavioral conditions, or to address social determinants of health that 
impede treatment or recovery. An association of state hospitals and 
health systems illustrated what it views as the need for an aligned 
consent process, citing what it regards as differing regulatory 
requirements that may ``cause confusion, and even fear, among treating 
providers, at times leading them to withhold information that may be 
shared.''
Response
    We appreciate the comments about the proposed changes to implement 
the statutory requirements for uses and disclosures with a single 
consent for all future TPO and permitted redisclosures by certain 
recipients. The rationales offered in support--reducing stigma, 
integrating and coordinating behavioral health care, and reducing 
health care entities' burdens--are key aims of this final rule.
Comment
    Commenters favoring the proposal also appreciated the reduction in 
the number of consents needed for uses and disclosures of part 2 
records as well as the reduction in consents required for redisclosures 
of records. A health plan remarked that ``requiring multiple consents . 
. . adds confusion and distrust to an already underserved population,'' 
and further stated that ``[a] single consent will give stakeholders a 
single reference point to review the patient's permissions and any 
relevant requested restrictions.''
Response
    We agree that the changes to allow a single consent for all future 
TPO will reduce the number of consents that part 2 programs will need 
to obtain from patients as well as the number of consents that 
recipients will need to obtain for redisclosures of part 2 records. We 
have estimated the amount of that reduction and describe it more fully 
in the costs-benefits analysis in the RIA for this final rule.
Comment
    A health system pointed out that people suffering from untreated 
SUD are among the highest utilizers of health care services and 
asserted the importance of reducing barriers to integrated care. The 
commenter stated its belief that the existing part 2 regulation was 
written before the current models of care and related best practices 
were established and that it now is a barrier to coordinated care for 
patients with SUD.
Response
    We appreciate this feedback and recognize the importance of 
integrated health records for providing integrated and coordinated 
health care, including for treatment of SUD in a whole person context. 
This perspective underpins one of the key purposes of section 3221 of 
the CARES Act that is being implemented in this final rule.
Comment
    Several commenters who supported the TPO consent and redisclosure 
proposal thought that it did not go far enough to align with the HIPAA 
Privacy Rule and urged the Department to allow for Patient Notice to 
replace consent for TPO disclosures of part 2 records.
Response
    The CARES Act amendments to 42 U.S.C. 290dd-2 did not remove the 
written consent requirement for disclosure of part 2 records. Thus, the 
Department lacks authority to replace a patient's written consent with 
Patient Notice. We anticipate that patient consent will remain as a 
foundation for protection of part 2 records.
Comment
    The commenters that opposed the proposals for a single TPO consent 
and redisclosure as allowed by HIPAA presented a largely unified set of 
views developed by a core group of organizations representing addiction 
treatment professionals, advocacy and policy organizations, and SUD 
providers. These commenters strongly believed that the current 
requirement of consent for each disclosure and segregation of part 2 
records offers patients the needed confidence to enter and remain in 
treatment and develop the necessary therapeutic trust to share details 
of their lives and struggles with SUD. The commenters acknowledged that 
discrimination is often perpetuated by those outside of the health care 
system as a result of the criminalization of the use of certain 
substances and they oppose finalizing the loosened consent provisions 
until the Department issues the statutorily required antidiscrimination 
protections. These commenters strongly supported regulatory 
requirements to ensure patients' trust in the SUD treatment and the 
health care system. Several other commenters agreed with this set of 
core comments.
Response
    We appreciate these comments and the concerns expressed for access 
to SUD treatment, patient trust in the relationship with treatment 
providers, patients' privacy expectations, the societal harms of 
discrimination against patients with SUD, and the Department's 
obligations to fully implement section 3221 of the CARES Act. We 
believe that the changes finalized to Sec.  2.33 herein are necessary 
and reasonable as a means to implement to 42 U.S.C. 290dd-2(b), as 
amended by the CARES Act.
Comment
    Several commenters addressed whether recipients of records based on 
a TPO consent (part 2 programs, covered entities, and business 
associates) should be able redisclose the part 2 information for any 
purposes permitted by HIPAA or only for TPO purposes. And some of these 
asserted or recommended that the rule should permit redisclosures as 
permitted by the HIPAA Privacy Rule (not limited to TPO). A few medical

[[Page 12562]]

professional associations recommended that redisclosures by recipients 
under a TPO consent should only be permitted for TPO purposes. This 
would maintain patient privacy and be consistent with the consent 
provided. One association suggested this could be accomplished by 
tagging data associated with the TPO consent. Another suggested that 
limiting redisclosure to TPO would permit PHI to be integrated into 
part 2 records systems, thus partially furthering the goal of 
integrating health information.
Response
    The changes to consent finalized in this rule are based on 42 
U.S.C. 290dd-2, as amended by the CARES Act. With respect to 
redisclosures by recipients under a TPO consent, paragraph (b)(1)(B) of 
the statute states that once records are used and disclosed for TPO 
they may be further disclosed in accordance with the HIPAA regulations. 
The clear terms of the statute apply the initial use and disclosure 
permission to a part 2 program, covered entity, or business associate 
for TPO as permitted by the HIPAA regulations, and then allow disclosed 
records to be more broadly redisclosed provided that it is according to 
the HIPAA regulations. We interpret the broader HIPAA redisclosure 
permission to apply only to the recipient. Thus, a part 2 program that 
obtains a TPO consent is limited to using or disclosing the record for 
TPO purposes--it cannot obtain a TPO consent and ``disclose'' the 
records to itself to trigger the permission to redisclose according to 
the HIPAA regulations and avoid overall compliance with part 2. We 
believe that a disclosure implies a recipient other than the entity 
making the disclosure and the only recipients authorized by the statute 
to redisclose records according to the HIPAA regulations are those that 
are otherwise subject to HIPAA, which are covered entities (including 
those that are also part 2 programs), and business associates. The 
redisclosure permission refers to ``in accordance with HIPAA,'' and we 
believe that part 2 programs that are not subject to HIPAA would not be 
qualified to make such redisclosures in that manner. Such part 2 
programs are not subject to the same obligations as covered entities, 
such as adopting written policies and procedures for handling PHI, 
training members of the workforce on their policies and procedures, and 
adhering to the HIPAA Security Rule requirements for safeguarding 
electronic PHI.
    The prohibition on using and disclosing records in civil, criminal, 
administrative, and legislative proceedings against a patient remains 
effective once records are disclosed and this raises the issue for 
recipients of potentially tracking, tagging, or otherwise identifying 
the part 2 data that must be protected from such uses and disclosures 
absent written consent or a court order under subpart E of part 2.
    The last sentence of paragraph (b)(1)(B) of the statute provides 
that the patient's right to request restrictions on uses and 
disclosures for TPO applies to all disclosures under paragraph (b)(1), 
which includes redisclosures by recipients of records. Thus, a 
recipient entity that complies with a patient's request for 
restrictions on disclosures for TPO is acting in accordance with the 
HIPAA regulations. We believe that Congress intended to emphasize the 
availability of patient-requested restrictions by the placement of this 
right in the part 2 statute with the redisclosure permission and 
including it in both the Rules of Construction and the Sense of 
Congress in section 3221 of the CARES Act.
Final Rule
    The final rule adopts the proposed changes to the header and to 
paragraph (c) of Sec.  2.33 without modification. For clarity, the 
final rule further modifies paragraph (a) by adding ``use and'' before 
``disclosure'' and by redesignating the content of the paragraph as 
paragraph (a)(1) and adding a new paragraph (a)(2) that provides, 
``[w]hen the consent provided is a single consent for all future uses 
and disclosures for treatment, payment, and health care operations, a 
part 2 program, covered entity, or business associate may use and 
disclose those records for treatment, payment, and health care 
operations as permitted by the HIPAA regulations, until such time as 
the patient revokes such consent in writing.'' This new provision 
clarifies the regulatory permission for use and disclosure for TPO that 
previously was only implied by a general reference to the consent 
requirements in Sec.  2.31, and it more explicitly states what the 
statute provides relating to reliance on the HIPAA standards. As a 
result of this change, part 2 programs will be able to rely on the 
HIPAA regulations when using or disclosing part 2 records for TPO in 
many instances, and covered entities and business associates will not 
need to silo part 2 records once a TPO consent has been obtained.
    This rule also finalizes proposed paragraph (b)(1) with 
modifications to more closely align with the statutory language by 
changing ``further use and disclose'' to ``further disclose'' and 
replacing ``as permitted by 45 CFR part 164'' with ``in accordance with 
the HIPAA regulations.'' For clarity, the final rule also removes ``a 
program'' from paragraph (b)(1) because part 2 programs that are not 
covered entities or business associates are separately addressed in 
paragraph (b)(2). The rule finalizes proposed paragraph (b)(2) with the 
further modification of changing ``further use and disclose'' to 
``further disclose'' as in paragraph (b)(1). The rule finalizes 
proposed paragraph (b)(3) with the further modification of removing the 
exclusion of ``part 2 program.'' This has the effect of applying the 
existing requirements of paragraph (b)(3) to a part 2 program when it 
is a lawful holder (i.e., a recipient of part 2 records) and ensures 
that redisclosure in accordance with HIPAA is limited to covered 
entities and business associates. We clarify here that paragraph (b)(3) 
applies in situations where the written consent is only for payment 
and/or health care operations and does not include treatment.
Section 2.34--Uses and Disclosures To Prevent Multiple Enrollments
Comment
    While not proposed in the NPRM, an individual stated that central 
registries have not been classified as a QSO or a business associate 
and therefore, there are no safeguards protecting the information 
exchanged between central registries and non-member treating providers 
under Sec.  2.34(d). The commenter further stated that the patient 
consents to the use or disclosure of their SUD information to the 
central registry but not to a non-member treating prescriber.
Response
    We appreciate the suggestion to classify central registries as a 
QSO or a business associate; however, that suggestion is outside the 
scope of the current rulemaking.
Final Rule
    The final rule adopts the proposed addition of the language in 
Sec.  2.34(b) of ``use of information in records'' instead of just 
``use of information'' in this section to make clear that this 
provision relates to part 2 records. The final rule also adopts the 
proposed replacement of the phrase ``re-disclose or use'' to ``use or 
redisclose'' as it relates to preventing a registry from using or 
redisclosing part 2 records, to align the language of this provision 
with the HIPAA Privacy Rule. A provider health system supported the 
alignment of ``use or redisclose'' and there were no other comments on 
these proposals.

[[Page 12563]]

Section 2.35--Disclosures to Elements of the Criminal Justice System 
Which Have Referred Patients
Proposed Rule
    Section 2.35 outlines conditions for disclosures back to persons 
within the criminal justice system who have referred patients to a part 
2 program for SUD diagnosis or treatment as a condition of the 
patients' confinement or parole. The Department proposed to clarify 
that the permitted disclosures would be of information from the part 2 
record and to replace the term ``individual'' within the criminal 
justice system with ``persons'' consistent with similar changes 
throughout this rule. The Department also proposed to add the phrase 
``from a record'' after the term ``information'' to make clear that 
this section regulates ``records.'' In addition to requesting comment 
on the proposed wording changes, the Department invited comments on 
whether the alternative term ``personnel'' would more accurately cover 
the circumstances under which referrals under Sec.  2.35 are made.
Comment
    One individual commenter asserted that the alternative term 
``personnel'' was too broad in this context and would create 
circumstances that could compromise patient confidentiality. This 
individual also commented that replacing the term ``individual'' with 
the term ``person'' would be more acceptable. Another commenter, a 
provider health system, expressed support for the term change from 
``individual'' to ``person'' and stated that the term ``person'' is 
preferable to ``personnel'' since the term ``personnel'' may 
inadvertently imply employment status while the term ``persons'' would 
accurately reflect referrals from the criminal justice system 
regardless of status as an employee, independent contractor or other 
individual on behalf of the criminal justice system.
Response
    We agree with these commenters for the reasons discussed in the 
NPRM.
Comment
    Several advocacy organizations and a health IT vendor commented 
that the Department's proposed changes unnecessarily limit diversion to 
court based programs. These commenters recommended certain changes to 
the proposal that, in their opinion, would include pre-arrest diversion 
as well as other types of law enforcement deflection to avoid the court 
system and direct the patient into treatment and services. In Sec.  
2.35(a), these commenters recommended changing ``A part 2 program may 
disclose information from a record about a patient to those persons 
within the criminal justice system who have made participation in the 
part 2 program a condition of the disposition of any criminal 
proceedings against the patient or of the patient's parole or other 
release from custody if . . .'' to ``A part 2 program may disclose 
information from a record about a patient to those persons within the 
criminal justice system who have made participation in the part 2 
program a condition of the filing, prosecution, or disposition of any 
criminal proceedings against the patient or of the patient's parole or 
other release from custody if . . .'' (emphasis added).
    For Sec.  2.35(a)(1), these commenters recommended changing 
``(e.g., a prosecuting attorney who is withholding charges against the 
patient, a court granting pretrial or post-trial release, probation or 
parole officers responsible for supervision of the patient)'' to 
``(e.g., a police officer or a prosecuting attorney who is withholding 
charges against the patient, a court granting pretrial or post-trial 
release, probation or parole officers responsible for supervision of 
the patient)'' (emphasis added).
Response
    We appreciate the detailed recommendations for regulatory text in 
these comments. We also acknowledge the important social policy raised, 
to promote treatment over referral to courts. However, we believe the 
consent process is sufficient for the operation of diversion and 
deflection initiatives, without a need for the Department to loosen 
confidentiality restrictions, because it allows patients to consent to 
the release of part 2 records for such initiatives if they wish to do 
so.
Final Rule
    The Department adopts the proposed changes without modification.
Subpart D--Uses and Disclosures Without Patient Consent \287\
---------------------------------------------------------------------------

    \287\ As described below, the Department adopts the proposal to 
add ``Uses and'' to this heading to more accurately reflect the 
scope of activities regulated in this subpart.
---------------------------------------------------------------------------

Section 2.51--Medical Emergencies
Proposed Rule
    In Sec.  2.51(c)(2) the Department proposed for clarity replacing 
the term ``individual'' with ``person'' such that this now requires a 
part 2 program to document the name of the person making the disclosure 
in response to a medical emergency.
Comment
    An advocacy group recommended that the proposed change to Sec.  
2.51 (Medical emergencies), be withdrawn. The commenter suggested that 
as part of its efforts throughout the rulemaking to standardize 
regulatory language, HHS proposed to replace the word ``individual'' 
with the word ``person'' in the documentation requirements. HHS 
proposed to define ``person'' by reference to the HIPAA Privacy Rule as 
a ``natural person, trust or estate, partnership, corporation, 
professional association or corporation, or other entity, public or 
private.'' The commenter said that in its view even though the 
Department states this change will promote clarity it will actually 
result in less clarity for patients, who may no longer be able to tell 
who disclosed their part 2-protected information to 911 and medical 
personnel. The patient already knows that the part 2 program was the 
``person'' making a disclosure of part 2 records during a medical 
emergency. For this reason, it is the identity of the individual making 
the disclosure that is important to document. In general, the 
organization supported the efforts throughout the rulemaking to 
streamline language by replacing the phrase ``individual or entity'' 
with the word ``person,'' but in this instance the change will diminish 
patients' rights and transparency with no clear benefit to impacted 
patients.
Response
    We discuss our changes to definitions, including the term 
``person'' in Sec.  2.11. Commenters generally supported this proposed 
change as providing clarity and helping to align with HIPAA. However, 
we acknowledge that in this instance replacing the term ``individual'' 
with the term ``person'' could result in less transparency about who 
disclosed the patient's record during an emergency; however, under the 
wording change a part 2 program is not prevented from identifying the 
individual who disclosed the part 2 information. Further, there may be 
instances or treatment settings where documenting only the name of the 
disclosing entity, rather than the individual, is needed to protect the 
safety of program staff.
Comment
    A few health information associations supported the ability for 
providers, under certain circumstances such as medical emergencies, to 
access, use, and disclose patient part 2 data when necessary. It is 
important for providers

[[Page 12564]]

to have access to all points of decision-making in a medical emergency 
to ensure patients are protected physically both in the short and the 
long term. A health care provider and medical professionals' 
association also supported the proposed changes in this section.
Response
    We appreciate the comments on our changes in this section of the 
rule.
Comment
    Another commenter asserted that a workflow obstacle occurs when 
patients previously treated in their part 2 program present to the 
emergency department for care. The emergency department personnel are 
blinded from accessing care notes which can be relevant to the 
emergency event. In addition, the current part 2 requirements 
complicate this commenter's ability to meet interoperability 
requirements included in the CARES Act. Under current regulations, the 
commenter has not released part 2 patient records, as they view the EHR 
is an all or nothing proposition; and consenting is unique to the 
patient.
Response
    We acknowledge the commenter's concerns about lack of access to 
needed information by treating providers. As the Department stated in 
the 2020 final rule ``[a]lthough not a defined term under part 2, a 
`bona fide medical emergency' most often refers to the situation in 
which an individual requires urgent clinical care to treat an 
immediately life-threatening condition (including, but not limited to, 
heart attack, stroke, overdose), and in which it is infeasible to seek 
the individual's consent to release of relevant, sensitive SUD records 
prior to administering potentially life-saving care.'' \288\ In the 
2017 final rule, the Department stated that ``[w]ith regard to the 
request that a `medical emergency' be determined by the treating 
provider, SAMHSA clarifies that any health care provider who is 
treating the patient for a medical emergency can make that 
determination.'' \289\ While workflow barriers may exist in particular 
institutions or situations during medical emergencies, patient 
identifying information may be disclosed to medical personnel to meet 
the bona fide medical emergency and support patient treatment.\290\
---------------------------------------------------------------------------

    \288\ 85 FR 42986, 43018.
    \289\ 82 FR 6052, 6095.
    \290\ 85 FR 42986, 43018; 82 FR 6052.
---------------------------------------------------------------------------

Comment
    A medical professionals association opined that the proposed rule 
does not make any changes to the current part 2 exemption for medical 
emergencies, which states that SUD treatment records can be disclosed 
without patient consent in a ``bona fide medical emergency.'' However, 
the commenter stated that there are both real and perceived barriers to 
providing emergency care and coordinating appropriate transitions of 
care for patients with SUD. For example, patients with SUD can have 
separate charts that are not visible to physical health clinicians in 
the EHR that could influence the acute care provided or in some 
instances even the existence of those behavioral health charts. When 
information is requested related to emergency treatment, there is often 
confusion about what type of information can be shared without 
violating part 2 requirements. Thus, in practice, when there is any 
amount of uncertainty, part 2 providers and physical health providers 
trying to provide and coordinate care that falls under part 2 revert to 
the most restrictive access possible even if not indicated at that 
time. The commenter provided another potential concern related to 
methadone dosing. Unless patients disclose that they are taking 
methadone or it is indicated in prior notes in the physical health EHR, 
a treating emergency physician would have no way of knowing that the 
patient is even taking methadone, let alone their dosage.
    The commenter believed that aligning the rules governing physical 
health and behavioral health, as this proposed rule attempts to do, 
will hopefully reduce stigma and better enable emergency physicians to 
care for the whole individual, working in parallel with other 
clinicians.
Response
    We acknowledge the commenter's concerns and appreciate that the 
aims of the changes throughout this regulation are to reduce stigma for 
patients with SUD and improve integrated care. Additionally, this final 
rule provides in Sec.  2.12(d) that a part 2 program, covered entity, 
or business associate that receives records based on a single consent 
for all TPO is not required to segregate or segment such records, 
therefore more integrated care may be available for patients who sign a 
TPO consent.
Final Rule
    The final rule adopts the proposed changes to Sec.  2.51(c)(2) 
without further modification.
Section 2.52--Scientific Research
Proposed Rule
    Section 2.52 permits part 2 programs to disclose patient 
identifying information for research, without patient consent, under 
limited circumstances. Paragraph (a) sets forth the circumstances for 
when patient identifying information may be disclosed to recipients 
conducting scientific research. Paragraph (b) governs how recipients 
conducting the research may use patient identifying information. In 
Sec.  2.52(b)(3), any individual or entity conducting scientific 
research using patient identifying information may include part 2 data 
in research reports only in non-identifiable aggregate form. Paragraph 
(c) governs how researchers may use patient identifying information to 
form data linkages to data repositories, including requirements for how 
researchers must seek Institutional Review Board approval to ensure 
patient privacy concerns are addressed.
    The Department proposed to change the title of this section from 
``Research'' to ``Scientific Research'' for consistency with 42 U.S.C. 
290dd-2(b)(2)(B) that permits programs to disclose to ``qualified 
personnel for the purpose of conducting scientific research . . . .''
    The Department also proposed to change the de-identification 
standard in Sec.  2.52(b)(3) to more closely align with the HIPAA 
Privacy Rule de-identification standard. Specifically, the current text 
for Sec.  2.52(b)(3) permits a person conducting scientific research 
using patient identifying information that has been disclosed for 
research to ``include part 2 data in research reports only in aggregate 
form in which patient identifying information has been rendered non-
identifiable such that the information cannot be re-identified and 
serve as an unauthorized means to identify a patient, directly or 
indirectly, as having or having had a substance use disorder.''
    Consistent with proposed changes to Sec.  2.16(a)(1)(v) and 
(a)(2)(vi) (Security for records and notification of breaches), 
discussed above, the Department proposed to modify the language in this 
section related to rendering information non-identifiable so that it 
also refers to the HIPAA Privacy Rule de-identification standard. Under 
our proposal, a person conducting scientific research using patient 
identifying information disclosed for research

[[Page 12565]]

would have been permitted to ``include part 2 data in research reports 
only in aggregate form in which patient identifying information has 
been de-identified in accordance with the requirements of the HIPAA 
Privacy Rule at 45 CFR 164.514(b) such that there is no reasonable 
basis to believe that the information can be used to identify a patient 
as having or having had a substance use disorder.''
    As explained above in section Sec.  2.16, section 3221(c) of the 
CARES Act required the Department to apply the HIPAA Privacy Rule de-
identification standard for PHI codified in 45 CFR 164.514(b) to part 2 
for the purpose of disclosing part 2 records for public health 
purposes. The change here (and in Sec.  2.16 above) was proposed to 
further advance alignment with HIPAA and reduce burden on disclosing 
entities that would otherwise have to apply differing de-identification 
standards.
    The Department also proposed for clarity and consistency to replace 
several instances of the phrase ``individual or entity'' with the term 
``person,'' which would encompass both individuals and entities, and to 
replace the term ``individual'' with the term ``person.''
Comment
    As discussed above in connection to Sec.  2.16, commenters that 
addressed de-identification largely voiced support for adopting a 
uniform standard in this regulation that aligns with HIPAA, including 
adopting a de-identification standard applicable to research data. Many 
of these commenters believed that doing so could facilitate alignment 
and understanding among covered entities and part 2 programs.
Response
    The Department appreciates these comments.
Comment
    One commenter questioned whether the Department should define the 
terms ``research'' and ``researcher'' because it is not clear how the 
terms apply outside a traditional academic or medical research setting. 
This commenter also urged the Department to clarify whether the 
definitions of these terms in the HIPAA Privacy Rule at 45 CFR 164.501 
be used as the standard in Sec.  2.52.
Response
    We appreciate the comment and have not applied the HIPAA 
definitions of ``research'' and ``researcher'' with the final rule 
because those were not adopted by the CARES Act amendments to 42 U.S.C. 
290dd-2. We acknowledge that the HIPAA Privacy Rule definition of 
``research'' is useful and could be applied to research using part 2 
records; however, we decline in this rule to require that. Within the 
Privacy Rule, ``research'' is defined as ``a systematic investigation, 
including research development, testing, and evaluation, designed to 
develop or contribute to generalizable knowledge.'' \291\ The HIPAA 
Privacy Rule does not define the term ``researcher'' but in guidance 
the Department has explained when a researcher is considered a covered 
entity (``[f]or example, a researcher who conducts a clinical trial 
that involves the delivery of routine health care such as an MRI or 
liver function test, and transmits health information in electronic 
form to a third party payer for payment, would be a covered health care 
provider'').\292\ We continue to believe that the purpose behind each 
term is sufficiently clear without having to incorporate regulatory 
terms in this part.
---------------------------------------------------------------------------

    \291\ 45 CFR 164.501 (definition of ``Research''). The 
definition is based on the Common Rule definition of the same term, 
45 CFR 46.102 (July 19, 2018).
    \292\ See U.S. Dep't of Health and Human Servs., ``When is a 
researcher considered to be a covered health care provider under 
HIPAA'' (Jan. 9, 2023), https://www.hhs.gov/hipaa/for-professionals/faq/314/when-is-a-researcher-considered-a-covered-health-care-provider-under-hipaa/index.html.
---------------------------------------------------------------------------

Comment
    More than half of all commenters that expressed support for the 
Department's research proposal urged the Department to expressly permit 
disclosure of part 2 records in limited data sets protected by data use 
agreements as allowed in the HIPAA Privacy Rule. These commenters 
asserted that doing so may greatly facilitate the exchange of public 
health information and research about SUDs. One commenter, a research 
company that expressed support for the de-identification proposal, 
believed that it failed to address the creation of limited data sets as 
defined by HIPAA, including that patient consent should not be required 
to create limited data sets. The commenter urged recognition in Sec.  
2.52(a) of what the commenter referred to as the ``right'' of part 2 
programs or responsible parties conducting scientific research to use 
identifiable part 2 data for making de-identified data or limited data 
sets without the need for obtaining individual consent in the same 
manner as is permitted under 45 CFR 164.514.
Response
    We decline to finalize a provision that would incorporate limited 
data sets into this regulation. We understand that commenters have 
questions and suggestions regarding the interaction of the HIPAA 
limited data set requirements and the part 2 research requirements. We 
did not propose any changes to this regulation to expressly address 
limited data sets and are not finalizing any such changes in this rule; 
however, we will take these comments into consideration for potential 
future rulemaking or guidance.
Comment
    One commenter, a research association, perceived a discrepancy in 
how part 2 and HIPAA would treat de-identified information under the 
proposal. This commenter argued that under proposed Sec.  2.52(b)(3), 
part 2 programs must limit the use of de-identified part 2 data in 
``research reports'' to data presented in aggregate form instead of 
treating it as non-PHI as in the HIPAA Privacy Rule. The commenter 
asserted that this unnecessarily restricts research without benefiting 
patients and defeats the CARES Act objective to align part 2 with 
HIPAA. The commenter recommended that the Department consider alternate 
language in Sec.  2.52(b)(3) such as: ``[m]ay use Part 2 data in 
research if the patient identifying information (a) has been de-
identified in accordance with any of the standards of the HIPAA Privacy 
Rule at 45 CFR 164.514(b); or (b) is in the format of a limited data 
set as defined in 45 CFR 164.514(e), which limited data set is used in 
accordance with all requirements of Sec.  164.514(e), including the 
requirement for a data use agreement.''
Response
    As stated previously, the Department did not propose to incorporate 
limited data sets into this regulation and is not finalizing such a 
change in this final rule. Additionally, the statute limits the 
disclosure of records in reports, not the use of records in conducting 
research. Section 290dd-2(b)(2)(B) of title 42 provides that records 
may be disclosed without consent ``[t]o qualified personnel for the 
purpose of conducting scientific research . . . but such personnel may 
not identify, directly or indirectly, any individual patient in any 
report [emphasis added] of such research . . .[.]''
Comment
    A few individual commenters claimed that researchers consistently 
demonstrate the ability to re-identify data so de-identification of SUD 
records offers no protection to this sensitive information and exposes 
patients to stigmatization.

[[Page 12566]]

Response
    As noted above in connection to a similar comment regarding the de-
identification proposal in Sec.  2.16, the Department is aware of the 
concerns related to the potential to re-identify data. The Department, 
however, also recognizes that the HIPAA standard for de-identification 
incorporated here is largely viewed as workable and understandable. We 
believe this sentiment is borne out in the much larger set of 
supportive comments.
Final Rule
    Similar to the approach adopted in Sec.  2.16 (Security for records 
and notification of breaches), above, the final rule incorporates the 
HIPAA Privacy Rule de-identification standard at 45 CFR 164.514(b) into 
Sec.  2.52 as proposed, and further modifies this section to more fully 
align with the complete HIPAA de-identification standard that adopts 
and includes language from 45 CFR 164.514(a). The final rule deletes 
the phrase in Sec.  2.52(b)(3), ``as having or having had a substance 
use disorder,'' and modifies this language to: ``such that there is no 
reasonable basis to believe that the information can be used to 
identify a patient.'' In so doing, we are aligning with the HIPAA 
standard in paragraph (a) of 45 CFR 164.514 which refers to ``no 
reasonable basis to believe that the information can be to identify an 
individual,'' and is not limited to removing information about a 
particular diagnoses or subset of health conditions. In this way, the 
final standard incorporated here is more privacy protective than the 
proposed standard. Moreover, as we also stated in connection with the 
final de-identification standard incorporated in Sec.  2.16 above, our 
adoption of the same de-identification standard for public health 
disclosures (new Sec.  2.54) into this provision provides a uniform 
method for de-identifying part 2 records for all purposes. Finally, we 
removed the language ``the HIPAA Privacy Rule'' from regulatory 
references to 45 CFR 164.514(b) because we believe it to be 
unnecessary.
Section 2.53--Management Audits, Financial Audits, and Program 
Evaluation
Proposed Rule
    The Department proposed to change the heading of Sec.  2.53 to 
specifically refer to management audits, financial audits, and program 
evaluation to more clearly describe the disclosures permitted without 
consent under 42 U.S.C. 290dd-2(b)(2)(B). The Department also proposed 
to replace several instances of the phrase ``individual or entity'' 
with the term ``person'', which would encompass both individuals and 
entities. The Department also proposed to modify the audit and 
evaluation provisions at Sec.  2.53 by adding the term ``use'' where 
the current language of Sec.  2.53 refers only to disclosure and by 
adding paragraph (h) (Disclosures for health care operations).
    Section 2.53 permits a part 2 program or lawful holder to disclose 
patient identifying information to an individual or entity in the 
course of certain Federal, State, or local audit and program evaluation 
activities. Section 2.53 also permits a part 2 program to disclose 
patient identifying information to Federal, State, or local government 
agencies and their contractors, subcontractors, and legal 
representatives when mandated by law if the audit or evaluation cannot 
be carried out using de-identified information.
    The Department explained in the NPRM that there is significant 
overlap between activities described as ``audit and evaluation'' in 
Sec.  2.53 and health care operations as defined in the HIPAA Privacy 
Rule at 45 CFR 164.501. For example, the following audit and evaluation 
activities under part 2 align with the health care operations defined 
in the HIPAA Privacy Rule, as cited below:
     Section 2.53(c)(1) (government agency or third-party payer 
activities to identify actions, such as changes to its policies or 
procedures, to improve care and outcomes for patients with SUDs who are 
treated by part 2 programs; ensure that resources are managed 
effectively to care for patients; or determine the need for adjustments 
to payment policies to enhance care or coverage for patients with SUD); 
\293\
---------------------------------------------------------------------------

    \293\ See, e.g., 45 CFR 164.501 (definition of ``Health care 
operations,'' paragraph (5)).
---------------------------------------------------------------------------

     Section 2.53(c)(2) (reviews of appropriateness of medical 
care, medical necessity, and utilization of services); \294\ and
---------------------------------------------------------------------------

    \294\ See, e.g., 45 CFR 164.501 (definition of ``Health care 
operations,'' paragraph (1)).
---------------------------------------------------------------------------

     Section 2.53(d) (accreditation).\295\
---------------------------------------------------------------------------

    \295\ See, e.g., 45 CFR 164.501 (definition of ``Health care 
operations,'' paragraph (2)).
---------------------------------------------------------------------------

    In addition, activities by individuals and entities (``persons'' 
under the final rule) conducting Medicare, Medicaid, and CHIP audits or 
evaluations described at Sec.  2.53(e) parallel those defined as health 
oversight activities in the HIPAA Privacy Rule at 45 CFR 164.512(d)(1). 
Part 2 programs and lawful holders making disclosures to these persons 
must agree to comply with all applicable provisions of 42 U.S.C. 290dd-
2, ensure that the activities involving patient identifying information 
occur in a confidential and controlled setting, ensure that any 
communications or reports or other documents resulting from an audit or 
evaluation under this section do not allow for the direct or indirect 
identification (e.g., through the use of codes) of a patient as having 
or having had an SUD, and must establish policies and procedures to 
protect the confidentiality of the patient identifying information 
consistent with this part. Patient identifying information disclosed 
pursuant to Sec.  2.53(e) may be further redisclosed to contractor(s), 
subcontractor(s), or legal representative(s), to carry out the audit or 
evaluation, but are restricted to only that which is necessary to 
complete the audit or evaluation as specified in paragraph (e).\296\
---------------------------------------------------------------------------

    \296\ See 42 CFR 2.53(e)(6).
---------------------------------------------------------------------------

    We confirm here that nothing in the proposed or final rule is 
intended to alter the existing use and disclosure permissions for the 
conduct of audits and evaluations, including for investigative agencies 
that conduct audits. Thus, an investigative agency that is performing 
an oversight function may continue to review records under the Sec.  
2.53 requirements as they did under the previous rule. At such time 
within a review that an audit needs to be referred for a criminal 
investigation or prosecution, that investigative agency would be 
expected to follow the requirements under subpart E for seeking a court 
order. In the event an investigative agency fails to seek a court order 
because it is unaware that it has obtained part 2 records, it may rely 
on the newly established safe harbor within Sec.  2.3, provided that it 
first exercised reasonable diligence in trying to ascertain if the 
provider was providing SUD treatment. In making use of the safe harbor, 
an investigative agency would then be obligated to follow the new 
requirements in Sec.  2.66 or Sec.  2.67, as applicable.
    Section 3221(b) of the CARES Act amended the PHSA to permit part 2 
programs, covered entities, and business associates to use or disclose 
the contents of part 2 records for TPO after obtaining the written 
consent of a patient.\297\ Covered entities, including those that are 
also part 2 programs, and business associates are further permitted to 
redisclose the same information in accordance with the HIPAA Privacy 
Rule. As the Department noted throughout the NPRM, these new

[[Page 12567]]

disclosure pathways are permissive, not required.
---------------------------------------------------------------------------

    \297\ Codified at 42 U.S.C. 290dd-2(b)(1)(B).
---------------------------------------------------------------------------

    To implement the new TPO permission that includes the ability of 
the entities above to use or disclose part 2 records for health care 
operations with a general consent, the Department proposed to modify 
the audit and evaluation provisions at Sec.  2.53 by adding the term 
``use'' where the current language of Sec.  2.53 refers only to 
disclosure and by adding paragraph (h) (Disclosures for health care 
operations). This new paragraph as proposed would clarify that part 2 
programs, covered entities, and business associates are permitted to 
disclose part 2 records pursuant to a single consent for all future 
uses and disclosures for TPO when a requesting entity is seeking 
records for activities described in paragraph (c) or (d) of Sec.  2.53. 
Such activities are health care operations, but do not include 
treatment and payment. To the extent that a requesting entity is itself 
a part 2 program, covered entity, or business associate that has 
received part 2 records pursuant to a consent that includes disclosures 
for health care operations, it would then be permitted to redisclose 
the records for other purposes as permitted by the HIPAA Privacy Rule. 
Thus, if an auditing entity is a part 2 program, covered entity, or 
business associate that has obtained TPO consent and is not performing 
health oversight, it would not be subject to all the requirements of 
Sec.  2.53 (e.g., the requirement to only disclose the records back to 
the program that provided them). Requesting entities that are not part 
2 programs, covered entities, or business associates would not have 
this flexibility but would still use existing permissions in Sec.  2.53 
to obtain access to records for audit and evaluation purposes, and they 
would remain subject to the redisclosure limitations and written 
agreement requirement therein.
    The Department proposed paragraph (h) which would leave intact 
existing disclosure permissions and requirements for audit and 
evaluation activities without consent, including health care oversight 
activities, such as described in paragraph (e). At the same time, the 
proposal would provide a new mechanism for programs and covered 
entities to obtain patient consents for all future TPO uses and 
disclosures (including redisclosures), which in some instances may 
include audit and evaluation activities.
Comment
    We received several comments about audit and evaluation provisions. 
Most commenters expressed support for our proposed changes to this 
section. A major health plan expressed support without further comment. 
Others expressed support and offered additional recommendations or 
suggestions for further alignment or clarity. A state data center 
requested clarity on whether there could be other permissible 
disclosures for licensing proceedings and hearings before an 
administrative tribunal brought by an agency that provides financial 
assistance to the part 2 program or is authorized by law to regulate 
the part 2 program and administratively enforce remedies authorized by 
law to be imposed as a result of the findings of the administrative 
tribunal. The commenter suggested adding a new subsection Sec.  
2.53(c)(3) to address these issues and add appropriate restrictions.
    One state regulatory agency expressed concerns about Sec.  2.53 
describing its recent experience with licensed health care facilities 
significantly disrupting the department's regulatory responsibilities 
by using 42 CFR part 2 as justification. Specifically, it expressed 
concern that licensed health care facilities may rely on the proposed 
public health authority exception to prevent the state from accessing 
SUD records without patient consent or a court order. This same agency 
further commented that the final rule should clarify the scope of the 
``public health authority'' exception and affirm the ability of state 
licensing authorities to access identifiable patient records pursuant 
to Sec.  2.53 for surveys and investigations.
Response
    We appreciate the comments on our proposed changes. We discuss 
redisclosure provisions in Sec.  2.33. We clarify here that although 
the new disclosure permission for public health in Sec.  2.54 is 
limited to records that are de-identified, the existing permission for 
access to identifiable patient information in Sec.  2.53 remains a 
valid and viable means for government agencies with audit and 
evaluation responsibilities to review records without obtaining a court 
order. We believe that Congress enacted the public health disclosure 
permission to enhance the ability of part 2 programs and other lawful 
holders of part 2 records to report to public health authorities. This 
is distinct from the regulatory and oversight authority over programs 
and lawful holders that permits them to review records that are not de-
identified, providing the conditions of Sec.  2.53 are met. We decline 
to add a new subsection to Sec.  2.53(c) to clarify other disclosure 
provisions for use by regulatory agencies with enforcement authority 
over part 2 programs and lawful holders, but Sec. Sec.  2.62, 2.63, 
2.64, and 2.66 may govern use of audit and evaluation records in 
criminal and non-criminal proceedings against a program. These 
provisions also are clear that a court order will not be granted unless 
other means of obtaining the records are unavailable or would be 
ineffective. Therefore, use of the disclosure permission under Sec.  
2.53 is encouraged as courts are unlikely to grant these orders given 
the provisions of this rule.
Comment
    Several commenters addressed APCDs or MPCDs. One non-profit agency 
which administrates a state-based APCD commented that the rule should 
expressly include a permission to disclose to state-mandated APCDs for 
audit and evaluation purposes required by statute or regulation. It 
also recommended that the Department clarify that a state mandated APCD 
housed in a non-state nonprofit entity does not need to be providing 
oversight and management of a part 2 program as a prerequisite for 
relying on Sec.  2.53 to conduct an audit or evaluation on behalf of a 
state agency. It asserted that in many states the APCD is the most 
comprehensive source of cross-payer data and analytics, and the lack of 
clarity around APCD authority to hold SUD data is actively hampering 
the ability to use APCDs to provide information about the current 
opioid epidemic, to evaluate what and where progress is being made, and 
to determine if there are populations with inequitable access to the 
programs and mitigation strategies used across the country. Another 
non-government agency and a state agency made similar comments and a 
recommendation for guidance or an express permission to disclose SUD 
records to a state agency for APCDs.
    One commenter remarked that there continues to be confusion within 
the data submitter community about the ability of health insurance 
carriers to legally submit data to state health database organizations 
without patient consent. According to the commenter, there is an 
opportunity for the Department to expressly identify this use as an 
authorized release of data to state agencies. Alternatively, the 
Department could provide guidance for the existing rules with this 
necessary clarification rather than use the rule-making process. The 
commenter also suggested that HHS provide clarification to understand 
better if the limitations in Sec.  2.53(f) apply to audits/evaluations

[[Page 12568]]

conducted under all of Sec.  2.53 or only those preceding Sec.  
2.53(f).
    A state agency recommended that restrictions against law 
enforcement accessing the database and against information in the 
databases being used for legal proceedings against the patient should 
accompany the permission to disclose to state APCDs. It further 
requested clarity on whether it has authority to request SUD data from 
downstream HIPAA covered entities (such as health plans and non-part 2 
providers) and business associates if those entities received part 2 
records for TPO purposes with patient consent. The commenter also 
opined that although, by law, it receives data to determine what 
actions are needed at a health plan level to improve care and outcomes 
for patients in part 2 programs, it was not clear if the limitations in 
Sec.  2.53(f) prohibited another state agency also conducting mandated 
audit or evaluations under Sec.  2.53(g) from providing or sharing that 
data. If not, the state agency noted government agencies may not be 
able to ``directly use'' its databases, even if they are conducting 
proper but separate audit or evaluations under Sec.  2.53. Such a 
result, according to the commenter, could result in lost efficiencies 
and added burdens on part 2 programs or lawful holders because they 
would need to provide the data to the requesting government agencies, 
instead of the government agencies utilizing existing state databases. 
The commenter also asserted that per Sec.  2.53(g), this data release 
would only occur in cases where the work could not be carried out using 
de-identified information (and subject to the government agency 
recipient accepting privacy and security responsibilities consistent 
with applicable law).
Response
    We appreciate the comments on APCDs or MPCDs and other provisions 
under this section and may provide additional guidance after this rule 
is finalized. In preamble to the 2017 Part 2 Final Rule, the Department 
stated ``that MPCDs [. . .] are permitted to obtain part 2 data under 
the research exception provided in Sec.  2.52, provided that the 
conditions of the research exception are met. Furthermore, an MPCD [ . 
. .] that obtains part 2 data in this fashion would be considered a 
`lawful holder' under these final regulations and would therefore be 
permitted to redisclose part 2 data for research purposes, subject to 
the other conditions imposed under Sec.  2.52.'' \298\
---------------------------------------------------------------------------

    \298\ 82 FR 6052, 6102.
---------------------------------------------------------------------------

    In the preamble to the 2020 Part 2 Final Rule, the Department 
explained that under Sec.  2.53, government agencies and third-party 
payer entities would be permitted to obtain part 2 records without 
written patient consent to periodically conduct audits or evaluations 
for purposes such as identifying agency or health plan actions or 
policy changes aimed at improving care and outcomes for part 2 
patients.\299\ Such purposes could include, e.g., provider education 
and recommending or requiring improved health care approaches.\300\ The 
Department also noted that government agencies and private not-for-
profit entities granted authority under applicable statutes or 
regulations may be charged with conducting such reviews for licensing 
or certification purposes or to ensure compliance with Federal or state 
laws. The 2019 Part 2 NPRM explained ``that the concept of audit or 
evaluation is not restricted to reviews that examine individual part 2 
program performance.'' \301\
---------------------------------------------------------------------------

    \299\ 85 FR 42986, 43023.
    \300\ Id.
    \301\ 85 FR 42986, 43023; 84 FR 44568, 44579.
---------------------------------------------------------------------------

    In this final rule we also provide in this section that a part 2 
program, covered entity, or business associate may disclose records in 
accordance with a consent that includes health care operations to the 
extent that the audit or evaluation constitutes a health care operation 
activity, and the recipient may redisclose such records as permitted 
under the HIPAA Privacy Rule if the recipient is a covered entity or 
business associate. Health care operations include a broad range of 
quality improvement and related activities, some of which overlap with 
the audit and evaluations under Sec.  2.53.\302\
---------------------------------------------------------------------------

    \302\ See ``Uses and Disclosures for Treatment, Payment, and 
Health Care Operations,'' supra note 248.
---------------------------------------------------------------------------

    As worded, Sec.  2.53(f) applies to the entirety of Sec.  2.53 and 
states that ``[e]xcept as provided in paragraph (e) of this section, 
patient identifying information disclosed under this section may be 
disclosed only back to the part 2 program or other lawful holder from 
which it was obtained and may be used only to carry out an audit or 
evaluation purpose or to investigate or prosecute criminal or other 
activities, as authorized by a court order entered under Sec.  2.66.''
Comment
    One managed care entity asserted that the proposed rule should 
fully align the part 2 audit and evaluation provisions with the HIPAA 
Privacy Rule to avoid distinctions between disclosures that would be 
permitted as part of health care operations but might not fit within 
the scope of audits and evaluations. It further commented that such 
misalignment could be administratively challenging and inadvertently 
impact the results of audits and evaluations due to incomplete or 
inaccurate data sets.
    A large pharmacy provider commented that it strongly supported 
alignment of HIPAA and 42 CFR part 2, and to achieve full alignment, 
the Department should clarify that HIPAA governs all part 2 records 
that are PHI when in the hands of covered entities and business 
associates for any TPO purposes, including not applying the audit and 
evaluation provisions of Sec.  2.53 to covered entities when the 
subject activities fall within TPO for HIPAA purposes. A major health 
system commented that the redisclosure permission granted to part 2 
providers, covered entities, and business associates for records 
received under a TPO consent (including for the clarified health care 
operations provision at Sec.  2.53) may lead to better SUD treatment 
and payment for such treatment, and a reduction of operational issues 
between and among providers and their business associates.
Response
    The changes to Sec.  2.53 as finalized more closely align with the 
HIPAA Privacy Rule because this section now expressly addresses 
disclosures for health care operations that are permitted with a single 
consent for all future uses and disclosures for TPO under Sec. Sec.  
2.31 and 2.33. However, full alignment of Sec.  2.53 with the HIPAA 
Privacy Rule is not authorized by the CARES Act because most of this 
section includes additional protections for part 2 records when used or 
disclosed for oversight, such as vesting the part 2 program director 
with discretion to determine whether a requester is qualified, 
prohibiting redisclosure of the records by the recipient, and requiring 
the return or destruction of records after completion of the audit and 
evaluation. We address redisclosures in more depth in the discussion of 
Sec.  2.32 and TPO disclosures in Sec.  2.33 above.
Comment
    Although the CARES Act does not expressly address Sec.  2.53, one 
commenter believed that leaving out health oversight activities while 
including the CARES Act provisions for TPO purposes makes SUD patients 
more vulnerable. This individual commenter further suggested that the 
general regulatory authority given to the

[[Page 12569]]

Department by the CARES Act would permit incorporating health oversight 
into this provision, which the commenter views as an acceptable 
tradeoff for diminished patient autonomy in terms of consent.
Response
    Even though section 3221(e) of the CARES Act does not expressly 
address audits and evaluations, 42 U.S.C. 290dd-2 continues to 
reference audits and evaluations. The CARES Act emphasized use and 
disclosure of records for TPO and restrictions on use and disclosure in 
civil, criminal, administrative, or legislative proceedings. We note 
and have discussed in the 2018 and 2020 final rules \303\ and 2022 NPRM 
that Sec.  2.53 is comprised of many activities that many would view as 
constituting health care oversight, including audits and quality 
improvement activities. Paragraph (e) specifically concerns Medicare, 
Medicaid, CHIP, or related audit or evaluation. In addition, Sec.  2.62 
expressly precludes records that are obtained under this section from 
being used and disclosed in proceedings against the patient.
---------------------------------------------------------------------------

    \303\ See 83 FR 239, 247 and 85 FR 42986, 43025, respectively.
---------------------------------------------------------------------------

Final Rule
    The final rule adopts the proposed changes to Sec.  2.53, with two 
modifications to paragraph (h). The first is to limit redisclosure to 
recipients that are covered entities and business associates and the 
second is to refer to ``HIPAA regulations'' instead of 45 CFR 164.502 
and 164.506. We believe this is consistent with the changes to Sec.  
2.33(b) and the addition of the defined term ``HIPAA regulations.''
Section 2.54--Disclosures for Public Health
Proposed Rule
    The existing part 2 regulations do not permit the disclosure of 
part 2 records for public health purposes. Section 3221(c) of the CARES 
Act added paragraph (b)(2)(D) to 42 U.S.C. 290dd-2 to permit part 2 
programs to disclose de-identified health information to public health 
authorities and required the content of such de-identified information 
to meet the HIPAA Privacy Rule de-identification standard for PHI 
codified in 45 CFR 164.514(b). Accordingly, the Department proposed to 
add a new Sec.  2.54 to permit part 2 programs to disclose part 2 
records without patient consent to public health authorities provided 
that the information is de-identified in accordance with the standards 
in 45 CFR 164.514(b).
    We proposed this change in conjunction with 42 U.S.C. 290dd-
2(b)(2)(D), as added by CARES Act section 3221(d), which directed the 
Department to add a new definition of ``public health authority'' to 
this part. We also proposed the new definition in Sec.  2.11, as 
discussed above.
Comment
    Most commenters voiced support for the proposal to permit 
disclosures of de-identified records to public health authorities. 
Comments included assertions that the proposal may: promote awareness 
of SUDs; align goals between providers and public health authorities 
regarding SUD treatment; better help address the drug overdose crisis 
by ensuring information was available to develop useful tools while not 
impinging on individuals' privacy; assist with addressing population 
health matters; improve population health; and assist vulnerable 
populations by ensuring SUD records are available (e.g., addressing the 
COVID-19 pandemic).
Response
    The Department appreciates the comments and takes the opportunity 
to reiterate here that the proposal is consistent with the new 
authority enacted in the CARES Act.
Comment
    Some commenters asserted that while the regulation should allow the 
disclosure of SUD records for public health purposes, it should permit 
the disclosure of identifiable information rather than limit it to de-
identified data. A few of these commenters acknowledged that the CARES 
Act modified title 42 to permit disclosure only of health information 
de-identified to the HIPAA standard in 45 CFR 164.512(b). Despite 
awareness of the CARES Act, these commenters gave multiple reasons why 
they thought the Department should promulgate a rule that permits the 
disclosure of identifiable data to a public health authority. For 
example, several of these commenters, including an academic medical 
center, a private SUD recovery center, and a state-affiliated HIE, 
asserted that state laws often require public health reporting for 
communicable/infectious disease surveillance. A Tribal consulting firm 
asserted that part 2 rules for disclosing data to public health 
authorities contradict state, Tribal, local, and territorial public 
health laws when other health care providers are required to submit 
individually identifiable information. A SUD treatment provider cited 
the potential vulnerability of this patient population to sexually 
transmitted diseases and the need for individual level data (e.g., age, 
address) to accomplish effective disease surveillance and resource 
allocation. A managed care organization, a health system, and a few 
state/local health departments commented that the limitation of 
disclosing only de-identified information could hinder public health 
efforts. A few HIE/HINs commented that in their role as Health Data 
Utilities, they regularly share critical health data with public health 
authorities. They gave examples such as overdose death information, 
which facilitates public health authorities' provision of appropriate 
follow-up services and resources to those affected by SUD. The HIE/HINs 
also have a role in producing public and population health information 
such as data maps or other rendering showing utilization of SUD 
facilities and open bed counts for the purpose of referrals. These 
organizations commented that the differences between HIPAA and the 
proposed part 2 public health disclosure permission may complicate the 
IT landscape.
Response
    We acknowledge the many good explanations of how identifiable 
information could be useful for public health purposes that would not 
involve public reporting of patient identifying information. However, 
we lack authority to permit disclosures of identifiable information for 
public health purposes absent patient consent. This limitation is 
reflected in the amended statute at 42 U.S.C. 290dd-2(b)(2)(D).
Comment
    Several other commenters supported the proposal but suggested other 
modifications or accompanying guidance. For example, one commenter, a 
regional HIN, asserted that part 2 and HIPAA already permit the 
disclosure of de-identified data without patient consent, and therefore 
the revision is a clarification rather than a substantive change. It 
urged the Department to clarify that the use of a general designation 
on an authorization form could allow disclosures to public health 
authorities operating in their state of residence. It also requested 
the Department to clarify--either in regulation or in guidance--when 
disclosures to public health authorities may fall into the research or 
audit and evaluation consent exceptions. A major health plan commented 
that conducting public health activities using a limited

[[Page 12570]]

data set would be more useful and could advance important public health 
goals, as de-identified data lacks dates of service and ages which are 
often important variables for both research and public health 
activities. A state commented that the Department should specify what 
constitutes ``public health purposes.'' A large health care provider 
commented that the Department could help clarify the general right to 
de-identify part 2 records and disclose such de-identified part 2 
records by including an explicit right to do so in the regulations as a 
permitted use, including an express right to use part 2 records for 
health care operations and to create a de-identified data set without 
patient consent.
Response
    We appreciate these comments but have proposed this provision 
consistent with statutory authority. With respect to limited data sets, 
we address this topic in the discussion of Sec.  2.52 above. We decline 
at this time to issue guidance related to distinctions between public 
health activities, research activities, and audit and evaluation. We 
have not received a large number of comments or requests to do so but 
will monitor for the need to address once this rule is finalized.
Comment
    A health information management organization opposed the proposal 
and commented that the Department should fully understand the realities 
of de-identified data and should engage patient advocacy focused 
organizations to understand if transmitting de-identified data to 
public health entities would jeopardize patient trust in part 2 
programs. It further commented that the de-identification standard for 
data within health care continues to evolve and change overtime as 
technology and artificial intelligence is better able to reidentify 
patients.
Response
    The CARES Act now requires the Department to finalize a standard 
that permits disclosure of information that is de-identified according 
to the HIPAA standard. Although we are obligated to implement the 
standard, we will monitor developments in accepted de-identification 
practices and how emerging technology developments may reduce the 
effectiveness of current standards.
Comment
    One commenter, a health system, recommended that the Department 
ensure the de-identification standard for records conforms with various 
state reporting requirements and patient expectations. It cited the 
example of the state being required to track and report certain 
statistical information. The commenter also believed that adopting the 
HIPAA standard should be done in a way to allow for continued 
compliance with these state regulations. Another commenter, a medical 
professionals association, urged the Department to facilitate 
coordination between physicians and health IT entities to improve de-
identification technology and make it more widely accessible for 
physician practices. A few other commenters, another medical 
professional association and a trade association representing health 
plans, commented that it was important for best practices for de-
identification to be adhered to and reflected in regulations, and that 
regulated entities should specify which de-identification methods are 
being used for each data set.
Response
    We have found that in most cases, state reporting requirements 
contemplate the disclosure of aggregate data, which may include de-
identified records. Similarly, our authority to override state public 
health report requirements is statutorily limited. We express support 
for and encourage physicians to work with their respective technology 
vendors to assure the availability of compliant technology in physician 
practices.
Final Rule
    The final rule adopts the proposed addition of a new Sec.  2.54 
into this regulation, and the accompanying definition of ``public 
health authority'' discussed in Sec.  2.11. The proposal is adopted 
with further modification, but we believe it remains within our 
authority as enacted by the CARES Act. Consistent with the approach 
adopted above in Sec. Sec.  2.16 (Security for records and notification 
of breaches) and 2.52 (Scientific research), we are further modifying 
the language proposed to align with the full HIPAA de-identification 
standard, which includes 45 CFR 164.514(a). As such, the final standard 
here permits a part 2 program to disclose records for public health 
purposes if made to a ``public health authority'' and the content has 
been de-identified in accordance with the requirements of the HIPAA 
Privacy Rule standard at 45 CFR 164.514(b), ``such that there is no 
reasonable basis to believe that the information can be used to 
identify a patient.'' This final language strikes from the proposal the 
limiting phrase after this language that is in the existing rule: ``as 
having or having had a substance use disorder.'' In addition, we 
removed the language ``the HIPAA Privacy Rule'' from the regulatory 
reference to 45 CFR 164.514(b) because we believe it unnecessary.
    We reiterate here that the proposed change should not be construed 
as extending the protections of part 2 to de-identified information, as 
such information is outside the scope of Sec.  2.12(a). Thus, once part 
2 records are de-identified for disclosure to public health 
authorities, part 2 no longer applies to the de-identified records.
Subpart E--Court Orders Authorizing Use and Disclosure
    The CARES Act enacted significant statutory changes governing how 
records could be used in legal proceedings. Section 290dd-2(c) (Use of 
Records in Criminal, Civil, or Administrative Contexts), as amended by 
section 3221(e) of the Act, newly emphasizes the allowance of written 
consent as a basis for disclosing records for proceedings. Revised 
paragraph (c) of 42 U.S.C. 290dd-2, as amended, now provides ``[e]xcept 
as otherwise authorized by a court order under subsection (b)(2)(c) or 
by the consent of the patient, a record referred to in subsection (a), 
or testimony relaying the information contained therein, may not be 
disclosed or used in any civil, criminal, administrative, or 
legislative proceedings [. . .] against a patient [. . .].'' Thus, 
paragraph (c) of the amended statute also applies restrictions beyond 
records to ``testimony relaying the information contained therein.'' In 
the NPRM, the Department proposed to implement this amended statutory 
provision across every subpart E section as applicable, and in 
addition, proposed changes to Sec. Sec.  2.12(d) and 2.31, discussed 
above, to more generally address how restrictions on use and disclosure 
of records apply in legal proceedings, and requirements for the 
structure of written consents for uses and disclosures of record and 
information in testimony in legal proceedings.\304\
---------------------------------------------------------------------------

    \304\ As discussed above, the Department is finalizing changes 
to Sec.  2.12, Applicability. Paragraph (d) of Sec.  2.12, as 
finalized, provides that restrictions on the use and disclosure of 
any record to initiate or substantiate criminal charges against a 
patient or to conduct any criminal investigation of a patient, or to 
use in any civil, criminal, administrative, or legislative 
proceeding against a patient, applies to any person who obtains the 
record from a part 2 program, covered entity, business associate, 
intermediary, or lawful holder regardless of the status of the 
person obtaining the record or whether the record was obtained in 
accordance with part 2.

---------------------------------------------------------------------------

[[Page 12571]]

    To properly reflect that subpart E regulates uses and disclosures 
of records, information, and testimony therein, the Department is 
finalizing the proposed heading so that it now refers to ``Court Orders 
Authorizing Use and Disclosure.'' We received no comments addressing 
the proposed change in heading. We also note with respect to proposed 
modifications throughout this subpart, many public comments were 
intermingled across sections or intended to provide comment related to 
multiple regulatory sections. To the best of our ability, we responded 
to such comments in the regulatory section where we believe them most 
applicable.
Section 2.61--Legal Effect of Order
    Section 2.61 includes the requirement that in addition to a court 
order that authorizes disclosure, a subpoena is required to compel 
disclosure of part 2 records. The final rule adopts the proposed 
addition to add the word ``use'' to paragraphs (a) and (b)(1) and (2) 
to clarify that the legal effect of a court order with respect to part 
2 records would include authorizing the use of part 2 records, in 
addition to the disclosure of part 2 records. The Department did not 
propose substantive changes to this section although in relation to 
other provisions of this rulemaking, a few commenters expressed concern 
that the rule contemplates the added expense of a subpoena. Those 
comments are addressed below.
Section 2.62--Order Not Applicable to Records Disclosed Without Consent 
to Researchers, Auditors, and Evaluators
Proposed Rule
    Section 2.62 provides that a court order issued pursuant to part 2 
may not authorize ``qualified personnel'' who have received patient 
identifying information without consent for conducting research, audit, 
or evaluation, to disclose that information or use it to conduct any 
criminal investigation or prosecution of a patient. As we explained in 
the NPRM, the term ``qualified personnel'' has a precise meaning but 
does not have a regulatory definition within 42 CFR part 2 and is used 
only once within the regulation. For greater clarity, the Department 
proposed to refer instead to ``persons who meet the criteria specified 
in Sec.  2.52(a)(1)(i) through (iii),'' and later in the paragraph to 
``such persons.'' The individual paragraphs of Sec.  2.52(a)(1)(i) 
through (iii) describe the circumstances by which the person designated 
as director, managing director, or authoritative representative of a 
part 2 program or other lawful holder may disclose patient identifying 
information to a recipient conducting scientific research.
Comment
    The Department did not receive comments specific to this section.
Final Rule
    The Department adopts the proposed change and additionally inserts 
``and Sec.  2.53'' as a technical correction given that the regulatory 
text references audit and evaluation but not Sec.  2.53. The final text 
provides that the court ``may not authorize persons who meet the 
criteria specified in Sec. Sec.  2.52(a)(1)(i) through (iii) and 2.53, 
who have received patient identifying information without consent for 
the purpose of conducting research, audit, or evaluation, to disclose 
that information or use it to conduct any criminal investigation or 
prosecution of a patient.''
Section 2.63--Confidential Communications
Proposed Rule
    Section 2.63 contains provisions that protect the confidential 
communications made by a patient to a part 2 program. Paragraph (a) of 
Sec.  2.63 provides that a court order may authorize disclosure of 
confidential communications made by a patient to a part 2 program 
during diagnosis, treatment, or referral only if necessary: (1) to 
protect against an existing threat to life or of serious bodily injury; 
(2) to investigate or prosecute an extremely serious crime, such as one 
that directly threatens loss of life or serious bodily injury, 
including homicide, rape, kidnapping, armed robbery, assault with a 
deadly weapon, or child abuse and neglect; or (3) in connection with 
litigation or an administrative proceeding in which the patient 
introduces their own part 2 records. Paragraph (b) of current Sec.  
2.63 is reserved.
    To implement changes to 42 U.S.C. 290dd-2 that could properly be 
applied to this section, the Department proposed to specify in Sec.  
2.63(a)(3) that civil, as well as criminal, administrative, and 
legislative proceedings are circumstances under which a court may 
authorize disclosures of confidential communications made by a patient 
to a part 2 program. Specifically, the Department proposed in Sec.  
2.63(a)(3) to expand the permission's application from ``litigation or 
administrative proceeding'' to ``civil, criminal, administrative, or 
legislative proceeding'' in which the patient offers testimony or other 
evidence pertaining to the content of the confidential communications.
Comment
    One commenter expressed support for the proposal with the caveat 
that the part 2 program or covered entity be permitted to use the 
records, without a requirement that the patient first introduce the 
records into a legal proceeding, if the purpose of the use is for 
defense against professional liability claims brought by the patient.
    One health plan also expressed unconditional support for this 
proposal.
Response
    We appreciate the comments. We reaffirm here that this regulation 
is intended to protect those communications that are narrow in scope 
and limited to those statements made by a patient to a part 2 program 
in the course of diagnosis, treatment, or referral for treatment. We 
believe continuing to permit disclosure only under circumstances of 
serious harm coupled with a patient's own ``opening the door'' in legal 
proceedings strikes the right balance against an obvious disincentive 
to seeking care when such communications are not kept confidential. On 
the other hand, should an applicant believe it necessary to seek a 
court order and subpoena authorizing and compelling disclosure, 
respectively, there is nothing in this section that would restrict the 
ability of the applicant to attempt to convince a court that the 
information sought is broader than that governed by Sec.  2.63, such as 
information contained in records subject to disclosure under Sec.  2.64 
and evaluation by a competent court with jurisdiction.
Final Rule
    The final rule adopts the proposed changes to this section without 
further modification.
Section 2.64--Procedures and Criteria for Orders Authorizing Uses and 
Disclosures for Noncriminal Purposes
Proposed Rule
    Section 2.64 describes the procedures and criteria that permit any 
person having a legally recognized interest in the disclosure of 
patient records for purposes ``other than criminal investigation or 
prosecution'' to apply for a court order authorizing the disclosure of 
the records.
    The current language of Sec.  2.64 refers only to ``purposes other 
than criminal investigation or prosecution'' and ``noncriminal 
purposes'' in the heading. To implement the changes to 42 U.S.C. 290dd-
2(c), the Department proposed to

[[Page 12572]]

modify paragraph (a) of Sec.  2.64 to expand the forums for which a 
court order must be obtained, absent written patient consent, to permit 
use and disclosure of records in civil, administrative, or legislative 
proceedings. The Department also proposed, consistent with the language 
of the amended statute, to apply the requirement for the court order to 
not only records, but ``testimony'' relaying information within the 
records.
Comment
    One commenter, a state Medicaid Office, sought guidance from the 
Department on determining the appropriateness of applying redisclosure 
procedures under HIPAA or part 2 when the underlying disclosure relates 
to a judicial or administrative proceeding. Specifically, this 
commenter noted that following a receipt of records pursuant to a TPO 
consent, proposed Sec.  2.33(b) authorizes subsequent redisclosures 
under HIPAA regulations. As an example, it described a covered entity 
that receives an order for part 2 records of a Medicaid recipient as 
part of a civil, administrative, legislative, or criminal proceeding or 
criminal investigation. The proceeding in this situation is not against 
the Medicaid recipient who is instead, a witness, an alternate suspect, 
or other third-party individual. In these cases, this commenter asked 
if it should review and respond to the order under 45 CFR 164.512(e) 
\305\ pursuant to the proposed Sec.  2.33(b) or under the procedures 
required by Sec.  2.64.
---------------------------------------------------------------------------

    \305\ 45 CFR 164.512(e) grants permissions to covered entities 
to disclose PHI for judicial and administrative proceedings.
---------------------------------------------------------------------------

Response
    As we understand the commenter's example and question, the 
underlying proceedings are not against the subject of the records or 
``patient,'' and therefore the covered entity would be permitted to 
redisclose the records in accordance the HIPAA Privacy Rule permission 
at 45 CFR 164.512(e). This response is consistent with the part 2 
statute and with revised Sec.  2.33(b) which provides that ``[i]f a 
patient consents to a use or disclosure of their records consistent 
with Sec.  2.31, the recipient may further use or disclose such records 
as provided in subpart E of this part, and as follows . . . [w]hen 
disclosed for treatment, payment, and health care operations activities 
[. . .] the recipient may further use or disclose those records in 
accordance with the HIPAA regulations, except for uses and disclosures 
for civil, criminal, administrative, and legislative proceedings 
against the patient [emphasis added].''
    Although revisions to Sec.  2.33 permit a covered entity or 
business associate to redisclose records obtained pursuant to a TPO 
consent ``in accordance with the HIPAA regulations,'' any person 
seeking to redisclose such records or information in a proceeding 
against the patient is required to comply with the procedures in Sec.  
2.64 or Sec.  2.65 to obtain the part 2 court order or a separate 
consent of the patient that meets the requirements of new Sec.  
2.31(d).
Comment
    One supportive commenter, a health system, asserted that a 
reasonable and necessary exception to the rule requiring patient 
consent or court order is in the case of a health care entity and 
provider needing access to records to vigorously defend their positions 
in legal proceedings against a patient, such as with a professional 
liability claim. This commenter further asserted that redacted records 
would be inadequate for preparation or case presentation.
Response
    We do not believe that a professional liability claim brought by a 
patient against a provider is a proceeding ``against a patient.'' If a 
provider believes that a part 2 record or information is required to 
mount a defense against a professional liability claim brought by a 
patient, there is nothing in this regulation which would prevent the 
provider from seeking relief from a court.
Comment
    One commenter did not object to the Department's proposal extending 
the current provision to apply to administrative and legislative 
proceedings, but objected to the requirement that a part 2 program or 
covered entity may incur legal expenses to obtain an instrument that 
would compel compliance (i.e., a subpoena, in addition to a court 
order).
Response
    We appreciate the comment but even before this rulemaking, Sec.  
2.61 made clear that the sole purpose of a court order issued pursuant 
to subpart E was to authorize use or disclosure of patient information 
but not to compel the same. Additionally, under the current Sec.  2.61, 
a subpoena or a similar legal mandate must be issued in order to compel 
disclosure. There is nothing in the CARES Act amendments that suggests 
we should modify these requirements.
Comment
    Several commenters expressed support for this proposal, including a 
county department of public health and several individuals. One 
individual expressed strong support for restricting disclosures for 
civil and non-criminal procedures to promote racial equity. Another 
individual commenter thanked the Department for protecting patients 
from having records used against them, including the content of records 
in testimony.
Response
    We appreciate the comments, but historically part 2 has always 
placed some restriction on disclosure of records in both civil and 
criminal types of proceedings.
Final Rule
    The final rule adopts Sec.  2.64 as proposed in the NPRM without 
further modification.
Section 2.65--Procedures and Criteria for Orders Authorizing Use and 
Disclosure of Records To Criminally Investigate or Prosecute Patients
Proposed Rule
    Section 2.65 establishes procedures and criteria for court orders 
authorizing the use and disclosure of patient records in criminal 
investigations or prosecutions of the patient. Under Sec.  2.65(a), the 
custodian of the patient's records or a law enforcement or 
prosecutorial official responsible for conducting criminal 
investigative or prosecutorial activities, may apply for a court order 
authorizing the disclosure of part 2 records to investigate or 
prosecute a patient. Paragraph (b) describes the operation of notice to 
the holder of the records about the application for a court order under 
this section and opportunity to be heard and present evidence on 
whether the criteria in paragraph (d) for a court order have been met. 
Paragraph (d) sets forth criteria for the issuance of a court order 
under this section, including paragraph (d)(2), which requires a 
reasonable likelihood that the records would disclose information of 
substantial value in the investigation or prosecution. Paragraph (e) 
sets forth requirements for the content of a court order authorizing 
the disclosure or use of patient records for the criminal investigation 
or prosecution of the patient. Paragraph (e)(1) requires that such 
order must limit disclosure and use to those parts of the patient's 
record as are essential to fulfill the objective of the order, and 
paragraph (e)(2) requires that the order limit the disclosure to those 
law enforcement and

[[Page 12573]]

prosecutorial officials who are responsible for, or are conducting, the 
investigation or prosecution, and limit their use of the records to 
investigating and prosecuting extremely serious crimes or suspected 
crimes specified in the application.\306\ Paragraph (e)(3) requires 
that the order include other measures as are necessary to limit use and 
disclosure to the fulfillment of only that public interest and need 
found by the court.
---------------------------------------------------------------------------

    \306\ Section 2.63(a)(1) and (2) of the current rule specifies 
that the type of crime for which an order to disclose confidential 
communications could be granted would be one ``which directly 
threatens loss of life or serious bodily injury, including homicide, 
rape, kidnapping, armed robbery, assault with a deadly weapon, or 
child abuse and neglect.'' Thus, the use of an illegal substance 
does not in itself constitute an extremely serious crime.
---------------------------------------------------------------------------

    The Department proposed to modify Sec.  2.65 (a) to expand the 
types of criminal proceedings related to the enforcement of criminal 
laws to include administrative and legislative criminal proceedings for 
which a court order is required for uses and disclosures of records, 
and in paragraphs (a), (d) introductory text, (d)(2), (e) introductory 
text, and (e)(1) and (2), to include testimony relaying information 
within the records. The Department also proposed a non-substantive 
change to move the term ``use'' before ``disclosure'' in paragraphs (e) 
introductory text and (e)(1) and (3). As noted in the NPRM, criminal 
investigations may be carried out by executive agencies and legislative 
bodies as well as in criminal prosecutions through the judicial 
process. These changes implement 42 U.S.C. 290dd-2(c), as amended by 
section 3221(e) of the CARES Act by widening the scope of 
confidentiality protections for patients in all of these forums where 
an investigation or action may be brought against them.
    Notably, the statute, as amended by the CARES Act, also expressly 
permits disclosures and uses of records and testimony in legal 
proceedings against the patient if a patient consents. To address 
concerns about consent for use and disclosure of records in proceedings 
against the patient, the Department is adding a separate consent 
requirement in Sec.  2.31(d), as discussed above.
Comment
    Nearly half of all commenters that addressed subpart E proposals 
opposed the proposal to allow patients to consent to the use and 
disclosure of their part 2 records in proceedings against the patient. 
Many of these commenters contended that permitting disclosures of 
records and testimony in proceedings against the patient, based on the 
patient's consent, only makes patients vulnerable to coercion from law 
enforcement who condition certain outcomes in the matter underlying the 
dispute on obtaining consent.
    While several commenters acknowledged the statutory language that 
expressly allows consent for court proceedings, most nonetheless urged 
the Department not to implement the statutory change and instead 
finalize a regulatory provision that will protect patients from law 
enforcement seeking to condition outcome in criminal and civil 
proceedings on signed consent forms. Other commenters expressed alarm 
that the consent provision would further disincentivize historically 
vulnerable populations experiencing SUD, including pregnant 
individuals, from seeking SUD treatment. One commenter asserted that 
recipients of records released with consent for criminal, civil, 
administrative, and legislative proceedings are lawful holders under 
the regulations and recommended they be expressly barred from using 
these records or patient information in ways that discriminate against 
the patient.
Response
    We appreciate the sentiments expressed by many of these commenters 
regarding the risks of a consent option. However, the language of the 
statute, as amended by the CARES Act, is clear and unambiguous and 
emphasizes the existing ability of patients to consent to the use or 
disclosure of their records or testimony within such records in legal 
proceedings against them. We also view patient consent as one of the 
cornerstones of privacy protection. Consistent with the statute and 
principle of empowering the patient to control the flow of their own 
information, the existing rule at Sec.  2.33(a) clearly allows patient 
consent for disclosure of records for any purpose, which may include 
investigations and proceedings against the patient. The final rule 
expands this to encompass consent for use of records as well as 
disclosures. Additionally, in Sec. Sec.  2.12 and 2.31 above, we 
discuss the specific regulatory modifications that refer to consent for 
legal proceedings and newly require separate consent for use and 
disclosure of records in civil, criminal, administrative, and 
legislative proceedings. We reiterate here that we intend for 
references to such proceedings to also encompass investigations, as 
stated in 42 U.S.C. 290dd-2.
Comment
    One commenter, a mental health advocacy organization, commented 
that the Department should establish a safe harbor that would protect 
health plans from civil and criminal penalties when violations arise 
from good faith redisclosures that comply with the HIPAA Privacy Rule 
but not part 2. According to this commenter this provision could 
support sharing information on claims databases since there are 
disparate state approaches to protecting and administering these 
records.
Response
    We are sympathetic to concerns related to disparate state laws that 
conflict with or overlap with this Part, and understand the issues 
faced by plans that consistently interact with or disclose information 
to state claims databases. However, we believe the extent of our 
statutory authority is clear in how this regulation only permits use 
and disclosures of records and information therein, in legal 
proceedings against patients, when consent or the requisite court order 
is obtained. Having said that, under the newly promulgated enforcement 
structure required by statute, criminal liability inures only when a 
willful or knowing violation occurs. Moreover, the crux of this 
requirement remains as it did prior to this rulemaking and the CARES 
Act did nothing to modify the added protection afforded to records that 
would otherwise be used to prosecute a patient. Given the continuity of 
this requirement, we anticipate that plans and state claims databases 
should have already built-in mechanisms to accommodate this regulation.
Comment
    Approximately one-third of commenters on this topic supported 
requiring patient consent or a court order for use and disclosure of 
part 2 records against a patient or a part 2 program. Some of these 
commenters expressed appreciation for the expanded protection from use 
and disclosure in legislative and administrative investigations and 
proceedings, and express protection of testimony that conveys 
information from part 2 records within the consent or court order 
requirements. Some commenters expressed the sentiment that these 
express and expanded protections would serve as a counterweight to 
easing the flow of part 2 records for health care-related purposes.

[[Page 12574]]

Response
    We appreciate these comments. As we've stated above, the revised 
language of this section, and our revision to Sec.  2.12(d), discussed 
above, implement key CARES Act statutory modifications. We agree that 
the expanded protections for testimony arising from information 
contained in records, and the extension of protection to additional 
types of legal proceedings could counterbalance, in some respects, the 
expanded permission to use and disclose of part 2 records under a 
single consent for all future TPO.
Comment
    One commenter, a health system, expressed support for this proposal 
but suggested that a covered entity should be able to rely and act upon 
a court order issued by a court of competent jurisdiction without 
potentially incurring additional legal expenses for an instrument 
compelling compliance.
Response
    Consistent with our response above, the requirement for a subpoena 
has been firmly enshrined in part 2 and was not proposed for revision 
in this rulemaking.
Comment
    An individual appreciated the emphasis in the Sec.  2.65 NPRM 
discussion that ``the use of an illegal substance does not in itself 
constitute an extremely serious crime'' and recommended reiterating 
that neither substance use nor engagement in SUD treatment services 
should in and of themselves be considered evidence of child abuse or 
neglect, including for people who are pregnant.
Response
    We agree and state that the regulation continues to place emphasis 
on crimes that pose threats to loss of life or serious bodily injury, 
such as homicide, rape, kidnapping, armed robbery, assault with a 
deadly weapon, and child abuse and neglect.\307\
---------------------------------------------------------------------------

    \307\ See Sec. Sec.  2.65(d)(1) (criteria for court issuance of 
an order authorizing use and disclosure of records in a criminal 
proceeding against a patient) and 2.63(a)(2) (limiting disclosure of 
confidential communications to investigations or prosecution of 
serious crimes).
---------------------------------------------------------------------------

Final Rule
    The final rule adopts Sec.  2.65 as proposed without further 
modification.
Section 2.66--Procedures and Criteria for Orders Authorizing Use and 
Disclosure of Records To Investigate or Prosecute a Part 2 Program or 
the Person Holding the Records
Proposed Rule
    The Department proposed to add a new paragraph (a)(3) that details 
procedures for investigative agencies to follow in the event they 
unknowingly obtain part 2 records during an investigation or 
prosecution of a part 2 program or person holding part 2 records 
without obtaining a court order as required under subpart E. Section 
2.66 specifies the persons who may apply for an order authorizing the 
disclosure of patient records for the purpose of investigating or 
prosecuting a part 2 program or ``person holding the records (or 
employees or agents of that part 2 program or person holding the 
records)'' in connection with legal proceedings, how such persons may 
file the application, and provides that, at the court's discretion, 
such orders may be granted without notice to the part 2 program or 
patient.
    In conjunction with a new definition of ``investigative agency'' 
that the Department proposed and is finalizing in Sec.  2.11 above, the 
Department modified paragraph (a) to refer only to ``investigative 
agency'' as the type of organization that may apply for an order under 
this section. The new term includes, by definition, the other types of 
organizations referenced in the current provision (i.e., state or 
Federal administrative, regulatory, supervisory, investigative, law 
enforcement, or prosecutorial agency having jurisdiction over the 
activities of part 2 programs or other person holding part 2 records) 
as well as local, Tribal, and territorial agencies. The Department also 
proposed a new paragraph (a)(3). The Department's proposed change would 
require an investigative agency (other than one relying on another 
disclosure provision, such as Sec.  2.53(e)) \308\ that discovers in 
good faith that it has obtained part 2 records to secure the records 
consistent with Sec.  2.16 and immediately cease using or disclosing 
them until it obtains a court order authorizing the use and disclosure 
of the records and any records later obtained. A court order must be 
requested within a reasonable period of time, but not more than 120 
days after discovering it received the records. As proposed, if the 
agency does not seek a court order, it must return the records to the 
part 2 program or person holding the records if it is legally 
permissible to do so, within a reasonable period of time, but not more 
than 120 days from discovery; or, if the agency does not seek a court 
order or return the records, it must destroy the records in a manner 
that renders the patient identifying information non-retrievable, 
within a reasonable period of time, but not more than 120 days from 
discovery. Finally, if the agency's application for a court order is 
rejected by the court and no longer subject to appeal, the agency must 
return the records to the part 2 program or person holding the records, 
if it is legally permissible to do so, or destroy the records 
immediately after notice of rejection from the court.
---------------------------------------------------------------------------

    \308\ Section 2.53 also permits a person to disclose patient 
identifying information for the purpose of conducting a Medicare, 
Medicaid, or CHIP audit or evaluation. However, subpart E 
proceedings are distinguished from those under Sec.  2.53 in that 
Sec.  2.53 audits and evaluation are limited to that conducted by a 
governmental agency providing financial assistance to a part 2 
program or other lawful holder or an entity with direct 
administrative control over the part 2 program or lawful holder, and 
is determined by the part 2 program or other lawful holder to be 
qualified to conduct an audit or evaluation. See Sec.  2.53 for the 
provision in its entirety.
---------------------------------------------------------------------------

    The Department proposed in paragraph (b) to provide an option for 
substitute notice by publication when it is impracticable under the 
circumstances to provide individual notification of the opportunity to 
seek revocation or amendment of a court order issued under Sec.  2.66. 
Additionally, the Department proposed to reorganize paragraph (c) by 
expressly incorporating the provisions from Sec.  2.64(d) \309\ that 
would require an applicant to obtain a good cause determination from a 
court and adding the proposed Sec.  2.3(b) requirements as elements of 
good cause for investigative agencies that apply for a court order 
under proposed Sec.  2.66(a)(3)(ii).
---------------------------------------------------------------------------

    \309\ In addition to incorporating the provisions in Sec.  
2.64(d), the Department proposed a slight modification to Sec.  
2.66(c)(1) to add that other ways of obtaining the information would 
yield incomplete information.
---------------------------------------------------------------------------

    We note at the outset of the discussion of comments for this 
section and Sec.  2.67 that some comments were intertwined with 
comments in response to Sec.  2.3(b), limitation of liability for 
investigative agency personnel. Those comments are addressed above in 
the discussion of comments related to Sec.  2.3(b).
Comment
    A large health system expressed support for providing a remedy when 
an investigative agency discovers in good faith that it has received 
part 2 records, that allows the agency to either seek a court order or 
return records in lieu of an order.

[[Page 12575]]

Response
    We appreciate the comments.
Comment
    Several commenters, including a Medicaid fraud unit and a large 
health system, expressed support for the proposal to allow for 
substitute notice under Sec.  2.66 when individual notice is infeasible 
or impractical. One commenter, a state-based regional Medicaid fraud 
unit, asked the Department to consider applying the ``substitute notice 
by publication'' requirement retroactively.
Response
    We appreciate the comments regarding substitute notice. In 
consideration of the burden that would inure to part 2 programs and 
holders of records, we decline to make this requirement retroactive.
Comment
    A state Medicaid fraud unit recommended that it not be considered 
an ``investigative agency'' as defined in Sec.  2.11 and used in this 
section and Sec.  2.67, and that it be permitted to access records 
without a court order. In the alternative, it expressed support for the 
proposed safe harbor and related procedures proposed in Sec. Sec.  2.66 
and 2.67.
Response
    We believe that a state Medicaid fraud unit meets the definition of 
``investigative agency'' in Sec.  2.11. The definition that we are 
finalizing provides that ``[i]nvestigative agency means a Federal, 
state, Tribal, territorial, or local administrative, regulatory, 
supervisory, investigative, law enforcement, or prosecutorial agency 
having jurisdiction over the activities of a part 2 program or other 
person holding part 2 records.'' We are aware that in some states, 
Medicaid fraud units are created within state attorney general offices 
under Federal authority.\310\
---------------------------------------------------------------------------

    \310\ See, e.g., Maryland Office of the Att'y Gen., ``Medicaid 
Fraud Control Unit,'' https://www.marylandattorneygeneral.gov/Pages/MFCU/default.aspx.
---------------------------------------------------------------------------

Comment
    A commenter, a state-based data center requested that language be 
added to Sec.  2.66(a)(2), (b), and (c) to clarify that an 
administrative tribunal can issue orders under this section, and that a 
separate court proceeding is not required.
Response
    As we have noted previously, we lack authority to circumvent the 
statutory requirement in 42 U.S.C. 290dd-2(c) for a court order to 
authorize use and disclosure of records for civil, criminal, 
administrative, and legislative proceedings, including administrative 
tribunals.
Comment
    One commenter, a managed care organization, requested that the 
Department require investigative agencies to notify the program when it 
unknowingly is in receipt of part 2 records but lacks the required 
court order and whether it intends to seek a court order, return, or 
destroy the records. The organization also requested clarification that 
the rule does not authorize an investigative agency to destroy records 
unless it has confirmed that they are not originals.
Response
    We believe the proposed rule adequately protects the records from 
misuse by requiring the person holding the records to either return the 
records in a timely manner or destroy the records in a manner that 
renders the patient identifying information non-retrievable in a timely 
manner. We do not believe additional notice to the part 2 program or 
other holder of the record, as described by this commenter, is 
necessary and believe such a notice would go beyond the current rule in 
Sec.  2.66 which does not require notice to be made until such time as 
a court order is granted. We agree that it is a best practice to 
confirm with the part 2 program that produced the records whether they 
are originals before an investigative agency destroys them.
Comment
    One commenter, a state Medicaid agency recommended that the 
Department include language outlining what ``good faith'' means and 
what will happen if the standard is not met.
Response
    We believe it unnecessary to define in regulation the phrase ``good 
faith,'' which is required to support a finding that an investigative 
agency unknowingly acquired part 2 records in the course of an 
investigation in Sec.  2.66, Sec.  2.67, or a finding that the safe 
harbor applies to shield from liability investigators who are holding 
such records.\311\ We believe the phrase is generally understood to 
mean without malice or without bad intent. We also believe that the 
operation of this provision is clear, in the event a finding of good 
faith is not met. First, if investigators are found to have acted in 
bad faith in obtaining the part 2 records, penalties could result. 
Second, in Sec. Sec.  2.66 and 2.67, a finding of good faith is 
necessary to trigger the ability of the agency to apply for a court 
order to use records that were previously obtained.
---------------------------------------------------------------------------

    \311\ See our NPRM discussion at 87 FR 74216, 74227 where we 
stated, ``The proposed safe harbor could promote public safety by 
permitting government agencies to investigate or prosecute Part 2 
programs and persons holding Part 2 records for suspected criminal 
activity, in good faith without risk of HIPAA/HITECH Act 
penalties.''
---------------------------------------------------------------------------

Comment
    One commenter, an advocacy organization, requested that additional 
protections be added to Sec.  2.66 (as well as Sec.  2.3) for cloud 
service providers (CSPs). Such protections, the commenter believed, 
would apply to a ``person holding the record'' who coordinates with the 
SUD data owner (to the extent permitted by the legal request) and, 
despite such coordination unknowingly makes a record available in 
response to an investigatory court order or subpoena. This same 
commenter further requested that the Department allow CSPs to, at their 
discretion: (1) require requestors of records to certify or attest 
that, to the best of the requestor's knowledge, part 2 records are not 
part of the request or that information sought will not be used as part 
of proceedings against a patient of a part 2 program; and (2) rely on 
such certifications or attestations of requestors when making 
disclosures in response to an investigatory court order or subpoena.
Response
    We understand the challenges faced by CSPs and agree that under 
some circumstances they may be treated as the ``person holding the 
record'' under this regulation. However, under many service agreements 
the person that stores data in a CSP system is the one with the legal 
capability to disclose the data. We decline to adopt additional rules 
for CSPs that are different than the rules for other lawful holders of 
a part 2 record. The rule does not prevent a person holding the record 
to inquire of the requestor whether they have knowledge as to the 
nature of the records within the scope of the request. However, we 
believe that a holder of the record, as a baseline, has some 
responsibility to know whether they are maintaining records that are 
PHI or subject to part 2. We also believe that in most cases, a CSP 
should be acting under the purview of a valid business associate 
agreement or other contract that specifies the particular protections

[[Page 12576]]

needed with respect to the type of data being held and disclosed.\312\
---------------------------------------------------------------------------

    \312\ See U.S. Dep't of Health and Human Servs., ``Guidance on 
HIPAA & Cloud Computing'' (Dec. 23, 2022), https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/index.html (``The BAA also contractually 
requires the business associate to appropriately safeguard the ePHI, 
including implementing the requirements of the Security Rule.'' From 
an enforcement standpoint, we would apply this same principle to any 
agreement between a CSP and originator of part 2 data under part 2 
obligations.).
---------------------------------------------------------------------------

Comment
    One commenter, a medical professionals association, expressed 
concern that the patient notification process is insufficient 
(including under existing policies). In particular, according to this 
commenter the notification process may be problematic for those 
patients who lack mailing addresses, and it is not clear that the 
allowance for substitute notice by publication would increase its 
effectiveness. Instead, this commenter recommended instituting further 
notice requirements such as more detailed information provided to part 
2 patients regarding the potential for court-ordered disclosure of 
records, the absence of an initial notice requirement, and the 
potential for substitute notice by publication. This same commenter 
recommended such information be included in the HIPAA NPP and included 
on the part 2 program's website; further, if a part 2 program comes 
under investigation and receives a court order authorizing disclosure, 
the part 2 program be required to post information on its website 
regarding the investigation and court order.
Response
    We assume the crux of this comment is that the proposal does not 
account for an initial notice to a patient upon an application for a 
court order by a person seeking to use or disclose the patient's 
record. We disagree that the regulation does not provide for adequate 
notice to patients and part 2 programs about the entry of court orders. 
With respect to patients, we have proposed and are finalizing in a 
revised Patient Notice required by Sec.  2.22 a requirement that part 2 
programs include in the Patient Notice a statement such as ``[r]ecords 
shall only be used or disclosed based on a court order after notice and 
an opportunity to be heard is provided to the patient or the holder of 
the record, where required by 42 U.S.C. 290dd-2 and this part''. We 
believe this statement provides adequate notice to the patient such 
that the patient is made aware that he or she will be provided with 
some type of notice in the event a court order authorizes a use or 
disclosure of the patient's records. As we have stated above, the HIPAA 
Privacy Rule proposed modifications and public comments will be 
considered in a separate rulemaking.
    While we agree with the sentiment that website notice of a court 
ruling permitting use or disclose of a patient's records is generally 
reasonable, we decline to adopt this as a regulatory requirement. Given 
the court involvement in these proceedings, we believe it best left to 
the discretion of the court to determine the means of substitute notice 
that is reasonable under the specific circumstances that exist at the 
time.
Comment
    One individual expressed negative views about this section and 
opined that the Department's proposed new paragraph Sec.  2.66(a)(3) is 
not related to any requirement in the CARES Act. It is instead, 
according to this commenter, a means to excuse efforts by investigative 
agencies that fail to presume, as they should, that an investigation of 
a part 2 program would result in obtaining part 2 records. This 
commenter further recommended that the investigative agency be required 
to seek court authorization prior to any investigation and that the 
good faith standard is ``disingenuous.'' Finally, this commenter opined 
that the proposed option in Sec.  2.66(b) for a substitute notice by 
publication when it is deemed ``impracticable'' under the circumstances 
to provide individual notification of the opportunity to seek 
revocation or amendment of a court order runs counter to the protection 
of patients in that an ability to locate a patient should not diminish 
their right to confidentiality.
Response
    We understand the underlying concerns expressed in this comment and 
in response, are making some additional modifications to the proposed 
rule as discussed below. Also, in response, we point to the robust 
requirements that relate to obtaining the court order under paragraph 
(c) of this section, including that other ways of obtaining the 
information are not available (or would not be effective or would yield 
incomplete results), there is a public interest that outweighs 
potential injury to the patient, and the required diligence that must 
be exercised on the part of the investigative agency related to 
determining the application of this part. Additionally, with respect to 
substitute notice, it is only permitted once it is determined that 
individual notice is not available. Further, we assume that agencies 
obtaining a court order under Sec.  2.66 have already complied with the 
requirement to use a pseudonym for the patient in the application for 
the court order (or to ensure the court seals the record of the 
proceedings) and expect them to comply with the requirement not to 
disclose any patient identifying information in any public mention of 
the court order, which would include any public form of substitute 
notice.
Final Rule
    We are appreciative of the many comments in response to this 
section, but as we note above, the requirement of a court order or 
consent to make uses and disclosures regulated under this section has 
not changed, despite the widening of application to types of 
proceedings and testimony contained in records. In addition, as 
proposed, this change is consistent with the revised statute. The final 
rule therefore adopts Sec.  2.66 as proposed with one additional 
modification. We are modifying paragraph (c)(3) to clarify that with 
respect to an application pursuant to Sec.  2.66(a)(3)(ii), it is not 
permissible to use information from records obtained in violation of 
part 2 to support an application for a court order under 42 U.S.C. 
290dd-2(b)(2)(C). We adopted this modification in response to 
commenters' concerns about the potential misuse of the safe harbor 
established in Sec.  2.3(b) by investigative agencies. We are adding 
this express prohibition on the use of records obtained in violation of 
part 2 to counterbalance the latitude provided to investigative 
agencies and to disincentivize improper uses of information to support 
applications for court orders.
Section 2.67--Orders Authorizing the Use of Undercover Agents and 
Informants To Investigate Employees or Agents of a Part 2 Program in 
Connection With a Criminal Matter
Proposed Rule
    Section 2.67 authorizes the placement of an undercover agent in a 
part 2 program as an employee or patient by law enforcement or a 
prosecutorial agency pursuant to court order when the law enforcement 
organization has reason to believe the employees of the part 2 program 
are engaged in criminal misconduct. Paragraph (a) authorizes the 
application of an order by law enforcement or prosecutorial agencies 
for placement of undercover agents or informants in part 2 program 
based on

[[Page 12577]]

reason to believe criminal activity is taking place. Paragraph (c) 
includes the ``good cause'' criteria by which an order under this 
section may be entered.
    The Department proposed to replace the phrase ``law enforcement or 
prosecutorial'' with ``investigative'' in paragraph (a), and clarify 
that the good cause criteria for a court order in paragraph (c)(2) 
includes circumstances when obtaining the evidence another way would 
``yield incomplete evidence.'' The Department also proposed to create a 
new paragraph (c)(4) addressing investigative agencies' retroactive 
applications for a court order authorizing placement of an undercover 
informant or agent to investigate a part 2 program or its employees 
when utilizing the safe harbor under Sec.  2.3. This provision would 
require the investigative agency to satisfy the conditions at proposed 
Sec.  2.3(b) before applying for a court order for part 2 records after 
discovering that it unknowingly had received such records.
Comment
    Several commenters, including a large health system and managed 
care organization, expressed support for the requirement that an 
investigative agency placing an undercover agent or informant must seek 
a court order and promote strict adherence to the requirements, 
including limitations and restrictions on uses and disclosures of part 
2 information, of the court order. One of the commenters asserted that, 
if finalized, the proposal may ensure appropriate conduct by local and 
state agencies.
Response
    We appreciate the comments.
Comment
    One commenter, a regional state-based Medicaid fraud unit, 
recommended that the Department define or issue guidance about the 
meaning of ``yield incomplete evidence.''
Response
    Paragraph (c)(3) addresses one of the criteria under which a court 
must make a good cause determination for the entry of an order 
permitting placement of an undercover agent by an investigative agency, 
and requires a finding that other ways of obtaining information are not 
available or would ``yield incomplete evidence.'' We believe the court 
evaluating the application of this criteria is best situated to 
determine the facts and whether said facts support this finding.
Comment
    An individual commenter expressed strong concern that proposed 
Sec.  2.67 represents an unnecessary concession to law enforcement. 
Citing what this individual believes to be a prior concession in the 
2020 rulemaking related to an extension of time from six to twelve 
months in which an undercover agent could be placed in a part 2 
program,\313\ this commenter expressed the belief that this proposal 
relies on a second concession, grounded in ``convenience'' for law 
enforcement that uses the ``good cause'' criteria for a court order in 
paragraph (c)(2) as a justification circumstance when obtaining the 
evidence another way would ``yield incomplete evidence.'' This 
commenter specifically objected to modifying the current in paragraph 
(c)(2) by adding ``or would yield incomplete evidence'' after ``other 
ways of obtaining evidence of the suspected criminal activity are not 
available or would not be effective.''
---------------------------------------------------------------------------

    \313\ 85 FR 42986, 43039.
---------------------------------------------------------------------------

Response
    We appreciate the sentiment expressed in this comment, but believe 
that the newly imposed statutory civil penalties require us to 
consider, and finalize, a more workable standard for law enforcement. 
We also believe that the commenter fails to appreciate the difficulty 
in determining at times whether a health care entity has records that 
are subject to part 2. The need for a means for law enforcement to 
investigate crimes related to activity by part 2 programs or their 
employees remains a reality, as does the need to keep sensitive records 
confidential. Overall, we believe that because the standard applied 
will be adjudicated by a court of competent jurisdiction from which 
appeals may be taken, the modified criteria is appropriate.
Final Rule
    The final rule adopts Sec.  2.67 as proposed with one additional 
modification to paragraph (c)(4) to clarify that with respect to an 
application submitted after the placement of an undercover agent or 
informant has already occurred, the applicant is prohibited from using 
information from records obtained in violation of part 2 by that 
undercover agent or informant. We adopt this modification in response 
to those public comments expressing concern about the potential for 
misuse of the limitation on liability established in Sec.  2.3(b) to 
persons who under the purview of investigative agencies, are granted 
safe harbor for unknowingly and in good faith obtaining part 2 records. 
Similar to our consideration of comment in response to Sec.  2.66, we 
believe the express prohibition on the use of records obtained in 
violation of part 2 will disincentivize improper uses of information to 
support applications for court orders.
Section 2.68--Report to the Secretary
Proposed Rule
    The Department proposed to create a new Sec.  2.68 to require 
investigative agencies to file an annual report with the Secretary of 
the applications for court orders filed after obtaining records in an 
investigation or prosecution of a part 2 program or holder of records 
under Sec.  2.66(a)(3)(ii) and after placement of an undercover agent 
or informant under Sec.  2.67(c)(4). The report as proposed would also 
include the number of instances in which such applications were denied 
due to findings by the court of violations of this part during the 
calendar year, and the number of instances in which the investigative 
agency returned or destroyed part 2 records following unknowing receipt 
without a court order, in compliance with Sec.  2.66(a)(3)(iii), (iv), 
or (v), respectively during the calendar year. The Department proposed 
that such reports would be due within 60 days following the end of the 
calendar year. The comments and the Department's responses regarding 
Sec.  2.68 are set forth below.
Comment
    A state government asserted that requiring investigative agencies 
to file an annual report of the number of applications for court 
orders, the number of requests for court orders denied, and the number 
of instances of records returned following unknowing receipt without a 
court order could be extremely time consuming and unduly burdensome. 
Further, according to this commenter, calendar year reporting of this 
data does not align with Federal and state fiscal year reporting 
causing additional burden on investigative agencies.
Response
    We appreciate the comment. An investigative agency should file a 
court order in advance of receiving part 2 records or placing an 
undercover agent or informant in a part 2 program in accordance with 
Sec. Sec.  2.66 and 2.67, respectively. A report is only required for 
investigative agencies that discover in good faith that they received 
part 2 records that required a court order in

[[Page 12578]]

advance and a court order was not initially sought. Additionally, we 
did not receive data in public comments from investigative agencies 
about how frequently this occurs, and we will monitor this requirement 
after the final rule to gain an understanding of how widespread these 
retroactive discoveries are. To limit the burden, the Department has 
made this an annual report, rather than per incident reporting, with 60 
days to compile the data after the end of the calendar year. And the 
calendar year reporting aligns with the HIPAA breach reporting 
requirements for breaches of unsecured PHI affecting fewer than 500 
individuals. Also, the Federal, state, and local fiscal year reporting 
dates may differ across jurisdictions, and it is not feasible for the 
Department to align all reporting dates.
Comment
    The Department received a few supportive comments about the 
benefits to the annual reporting requirement which may include: 
assuring appropriate conduct by local and state investigative agencies; 
assuring ongoing compliance; auditing the use of the limitation on 
liability within this regulation; and promoting the privacy and 
security of part 2 information.
Response
    We appreciate the comments.
Comment
    One commenter asked: (1) how the Department will advise Federal, 
state, and local law enforcement about the requirement to submit annual 
reports; (2) what the consequences of failing to submit an annual 
report will be; (3) what the purpose is and what criteria the 
Department will apply; and (4) how the Department will use the 
information in the annual reports to safeguard patient privacy rights 
and improve law enforcement's understanding of the rule.
Response
    We appreciate the comment. A report is only required for 
investigative agencies that discover in good faith that they have 
received part 2 records for which a court order was required in advance 
and that a court order was not initially sought. We do not have data on 
how frequently this occurs and one purpose of the requirement is to 
gain an understanding of how widespread these retroactive discoveries 
are. The consequences of failing to meet the reporting requirement are 
the same as for other violations of the part 2 rule under the newly 
established penalties which utilize the four culpability tiers that are 
applied to HIPAA violations; however, part 2 programs, covered 
entities, and business associates that create or maintain part 2 
records are the primary focus of this regulation. In determining 
compliance with the safe harbor reporting requirement, the Department 
would focus on an investigative agency rather than an employee of that 
agency. The Department will provide guidance or instructions on how to 
submit the reports to the Secretary on its website and through press 
releases and OCR listserv announcements.\314\ The reporting obligation 
is not intended to be a public reporting requirement, but for the 
Department's internal use in evaluating the utility and effectiveness 
of the safe harbor provision in Sec.  2.3. The Department will review 
the annual reports and consider what guidance or other resources are 
needed by investigative agencies that are lawful holders of part 2 
records.
---------------------------------------------------------------------------

    \314\ OCR has established two listservs to inform the public 
about health information privacy and security FAQs, guidance, and 
technical assistance materials. To sign up for the OCR Privacy & 
Security Listserv, visit: https://www.hhs.gov/hipaa/for-professionals/list-serve/index.html.
---------------------------------------------------------------------------

Final Rule
    The final rule adopts the proposed language of new Sec.  2.68, 
without modification.
Re-Ordering ``Disclosure and Use'' to ``Use and Disclosure''
Proposal
    The Department proposed throughout the NPRM to re-order the terms 
``disclosure and use'' in the part 2 regulation to ``use and 
disclosure.'' \315\ The new order of these terms is consistent with 
their usage in the HIPAA Privacy Rule which generally regulates the 
``use and disclosure'' of PHI and relies on the phrase as a term of 
art.\316\
---------------------------------------------------------------------------

    \315\ See 87 FR 74216, 74225, fn 109.
    \316\ Consistently, the Department refers to ``uses and 
disclosures'' or ``use and disclosure'' in the HIPAA Privacy Rule. 
See, e.g., 45 CFR 164.502 Uses and disclosures of protected health 
information: General rules.
---------------------------------------------------------------------------

Comment
    The Department received no substantive comments other than a few 
commenters that expressed general support for re-ordering terms to 
align with the HIPAA Privacy Rule.
Final Rule
    The final rule adopts each proposal to re-order these terms,\317\ 
although not discussed in detail here. As stated in the NPRM, we 
believe these changes fall within the scope of our regulatory authority 
and further the intent and implementation of the CARES Act by improving 
the ability of regulated entities to use and disclose records subject 
to protection by part 2 and HIPAA.
---------------------------------------------------------------------------

    \317\ See final regulatory text for Sec.  2.2(a)(2) and (3) and 
(b)(1); Sec.  2.12(c)(5) and (6); Sec.  2.13(a) and (b); Sec.  
2.21(b); Sec.  2.34(b); Sec.  2.35(d); Sec.  2.53(a), (b)(1)(iii), 
(e)(1)(iii), (e)(6), (f); subpart E heading; Sec.  2.61(a); Sec.  
2.62; Sec.  2.65 heading, (a), (d), (e) introductory text, and 
(e)(1) and (3); Sec.  2.66 heading, (a)(1), and (d).
---------------------------------------------------------------------------

Inserting ``Use'' or ``Disclose'' To Reflect the Scope of Activity
Proposal
    The Department also proposed to add the term (or related forms of 
the term) ``use'' where only the term ``disclose'' was present in the 
part 2 regulation or in some cases the term ``disclose'' (or related 
forms) where only the term ``use'' was present.\318\ This proposed 
change was intended to more accurately describe the scope of the 
activity that is the subject of the regulatory provision. In the NPRM, 
the Department described these changes as non-substantive, but we did 
receive comments opining in some instances that adding the term ``use'' 
in particular, changes the scope of part 2. We also explained in the 
NPRM that we believe these changes are necessary to align with changes 
made to 42 U.S.C. 290dd-2(b)(1)(A), as amended by section 3221(b) of 
the CARES Act (providing that part 2 records may be used or disclosed 
in accordance with prior written consent); to 42 U.S.C. 290dd-
2(b)(1)(B) and (b)(1)(C), as amended by section 3221(b) of the CARES 
Act (providing that the contents of part 2 records may be used or 
disclosed by covered entities, business associates, or part 2 programs 
as permitted by the HIPAA regulations for TPO purposes); and to 42 
U.S.C. 290dd-2(c), as amended by section 3221(e) of the CARES Act 
(prohibiting disclosure and use of part 2 records in proceedings 
against the patient).
---------------------------------------------------------------------------

    \318\ See 87 FR 74216, 74225, fn 111.
---------------------------------------------------------------------------

Overview of General Comments
    The Department requested comment on these proposed modifications 
and received generally supportive or positive comments in response. 
Several commenters suggested the Department go further than the 
proposed changes and the proposed definition of ``use'' by adopting the 
HIPAA definitions of ``use'' and ``disclosure'' to further align part 2 
with the HIPAA regulations. A few HIE associations indicated that they 
did not believe that the addition of ``use'' or ``uses'' to existing 
regulatory text would substantively expand the

[[Page 12579]]

scope of requirements and prohibitions where previously the text stated 
only ``disclosure.'' One commenter stated the addition of ``use'' or 
``uses'' may actually narrow the scope for which part 2 data can be 
obtained, as disclosure does not require the implication that the data 
is being used for TPO and could just be held by an entity. A state 
agency said that it would not anticipate adverse consequences to part 2 
programs or to its own operations from the revisions throughout the 
rule that add the terms ``use'' or ``uses'' to references to 
``disclose'' or ``disclosure.''
    A health plan said that these changes may limit confusion around 
obligations with respect to ``use'' and ``disclose.'' The plan said 
that these words are often considered terms of art in contracts and 
other privacy-related policies and documents. As such, clarifying when 
requirements apply to either or both terms by re-ordering or adding 
such terms to provisions may help covered entities and their business 
associates better understand their regulatory requirements under a 
final rule.
    Another health plan supported these changes asserting that with 
this understanding, a part 2 record could be both used and disclosed 
for purposes related to the provision of care, but also for purposes 
such as the initiation of a legal proceeding. This change, the 
commenter said, can be supported by revising the definition within the 
HIPAA regulations.
    An advocacy organization agreed with the Department that these 
changes are not substantive in nature, given that under part 2 and 
HIPAA, ``use'' and ``disclosure'' can be mutually exclusive, 
independent actions, and that the proposed definition of ``use'' is 
inclusive of the historical definition of ``use'' related to legal 
proceedings under part 2. A provider said this change adds clarity and 
better aligns the proposed rule with HIPAA terminology.
    A health IT vendor had no concerns with expanding the focus of the 
part 2 regulations to make reference to uses in addition to disclosures 
in the regulatory text in a manner consistent with the HIPAA Privacy 
Rule construction for how uses and disclosures are defined and used 
throughout the HIPAA Privacy Rule. The commenter opined that part 2 
regulations have not addressed the uses of SUD records for purposes 
within part 2 programs as they have focused on how disclosure and 
redisclosure of part 2 records must be handled. However, the proposed 
changes seem appropriate to this commenter for purpose of parallel 
structure and regulatory consistency between part 2 and the HIPAA 
Privacy Rule.
    A provider contended that this change is necessary and within the 
Department's regulatory authority, even if not expressly included in 
the CARES Act. A health system characterized this proposal as a good 
basic change that sets the stage for several other proposed changes 
toward meeting the goal of aligning with HIPAA. This change also may 
help reduce the existing differences in describing how we manage and 
protect our patient's health information, across service locations.
Comment on Specific Sections
     A few commenters expressed support for proposed changes to 
replace the phrase ``disclosure and use'' by re-ordering the phrase to 
``use or disclosure'' at Sec.  2.2(a) introductory text, (a)(4), and 
(b)(1), to align the language with that used in the HIPAA Privacy Rule.
     A health plan expressed support for proposed changes to 
Sec.  2.13 for adding the term ``use'' to clarify that confidentiality 
restrictions and safeguards apply to both uses and disclosures.
     A few commenters expressed support for adding the term 
``disclosure'' to Sec.  2.23.
Response
    We appreciate the comments about these changes. We decline to adopt 
the HIPAA formal definitions for the terms ``use'' or ``disclosure'' or 
change the definitions of the terms in the HIPAA Privacy Rule as we 
believe their application is understood as applied to part 2 records 
and PHI, respectively. The overall sentiment of the comments is that 
these modifications bring clarity and the understanding about how the 
terms are used across the two regulations. The Department disagrees 
with the suggestion that adding the term ``use'' in some cases may 
narrow the scope of activity under part 2. In no regulatory provision 
are we changing the term ``disclose'' to ``use'' and we remind 
stakeholders that many TPO activities contemplate ``uses.''
Overview of Final Rule
    The final rule adopts all proposed modifications to add the term 
``use'' or some form of it or ``disclose'' or some form of it to the 
scope of certain covered activities under part 2. The Department also 
defines the term ``use'' in regulation (discussed above in Sec.  
2.11).\319\ As discussed in the NPRM, historically, the part 2 
regulation associated ``use'' with the initiation of legal proceedings 
against a patient and associated ``disclosure'' with sharing records to 
an external entity. In contrast, the HIPAA Privacy Rule applies the 
term ``use'' to refer to internal use of health information within an 
entity, such as access by staff members.\320\ The part 2 and HIPAA 
definitions for the term ``disclose'' are fairly consistent \321\ and 
therefore a part 2 record can be both used and disclosed for purposes 
related to the provision of health care and for purposes such as the 
initiation of a legal proceeding. Where made, these changes are also 
consistent with section 3221(b) of the CARES Act that addresses 
permissions and restrictions for both uses and disclosures of records 
for TPO purposes by part 2 programs and covered entities, and 
proscribes the rules related to certain legal proceedings.
---------------------------------------------------------------------------

    \319\ See final regulatory text of: Sec.  2.2(a)(2) and (3) and 
(b)(1); Sec.  2.12(a)(1) and (2), (c)(3) and (4), (d)(2) and (3), 
(e)(3); Sec.  2.13(a); Sec.  2.14(a) and (b); Sec.  2.15(a)(2) and 
(b); Sec.  2.17(b); Sec.  2.20; Sec.  2.23 heading and (b); subpart 
C heading; Sec.  2.31(a) introductory text and (a)(4)(ii)(B); Sec.  
2.32(a)(2); Sec.  2.33 heading, (a), and (b); Sec.  2.34 heading; 
subpart D heading; Sec.  2.52(a); Sec.  2.53(a)(5); Sec.  2.61(a) 
and (b)(1) and (2); Sec.  2.64 heading, (a), (d)(2), and (e); Sec.  
2.65(a), (d) introductory text, (d)(2), (e) introductory text, 
(e)(1) and (2); Sec.  2.66(d)(2); Sec.  2.67(d)(3) and (e).
    \320\ 87 FR 74232.
    \321\ 42 CFR 2.11, definition of ``Disclose.'' 45 CFR 160.103, 
definition of ``Disclosure.''
---------------------------------------------------------------------------

Antidiscrimination Protections, Stigma and Discrimination
Overview
    As noted in the NPRM and above, paragraph (g) of section 3221 of 
the CARES Act, Antidiscrimination, adds a new provision (i)(1) to 42 
U.S.C. 290dd-2 to prohibit discrimination against an individual based 
on their part 2 records. We stated in the NPRM and reiterate that the 
Department intends to develop a separate rulemaking to implement the 
CARES Act antidiscrimination prohibitions. Nonetheless, we received 
several comments on antidiscrimination requirements as well as more 
general concerns about stigma and discrimination. While these comments 
are outside the scope of this rulemaking, we briefly summarize and 
respond to these comments below.
Comments and Response
    Comments we received on antidiscrimination issues addressed such 
topics as:

 Antidiscrimination rulemaking
 Harmful consequences to patients
 Increased reluctance to enter SUD treatment
 Stigma and discrimination in the context of criminalization 
and racial disparities
 Statistics on stigma and discrimination

[[Page 12580]]

 Unwillingness to disclose SUD treatment
 Timing of SUD treatment regulatory framework
 Considering stigma in regulatory updates

    Most commenters also addressed issues other than antidiscrimination 
topics and their comments on other provisions of part 2 were fully 
considered along with other comments received to the NPRM docket.
    Some commenters, including medical professionals associations, 
advocacy organizations, a trade association, a government agency, a 
provider-other, a health system, SUD providers, a consultant, a 
researcher, a law enforcement organization, and individuals urged the 
Department to expedite the rulemaking implementing the CARES Act 
antidiscrimination protections, or to put this rulemaking on hold until 
the antidiscrimination protections are in place. Some commenters such 
as SUD providers, recovery organizations, individuals, and advocacy 
organizations also expressed concern about significant stigma 
associated with SUD and SUD treatment. Several commenters, including 
advocacy organizations, a professional association, a government 
agency, and a health plan, cited reports, survey results, and 
statistics they believed reflect the stigma associated with addiction 
that continues to influence the perceptions and behaviors of health 
care professionals and continues to influence patients to avoid SUD 
treatment.
    Commenters described the many potential adverse outcomes that they 
say privacy protections help prevent, including discrimination in child 
custody, denial of life insurance, loss of employment, discrimination 
in health care decision making, and criminal charges, among many 
others. Some commenters also asserted that under the current 
regulations there are patients that are unwilling to disclose SUD 
treatment to caregivers or unwilling to enter treatment due to the 
concern surrounding stigma and discrimination.
    Several commenters, including a mental health provider, medical 
professionals' associations, and a few individuals, suggested that the 
proposed rule may increase the reluctance of patients to seek help for 
SUD. Commenters pointed to such potential issues as patients being 
unsure of how information will be used or having SUD information used 
against them. Additionally, several commenters, including an advocacy 
organization, and individual commenters addressed the effects of stigma 
and discrimination related to SUD and SUD treatment in the context of 
criminalization and racial disparities.
Response
    We acknowledge and appreciate comments asking us to expedite 
promulgation of the required antidiscrimination provisions and raising 
concerns about the continued impacts of discrimination and stigma 
within health care and other settings. As noted, we intend to issue a 
separate proposed regulation for part 2 antidiscrimination provisions 
after this rule is finalized. For that reason, as detailed in the NPRM, 
we also decline to hold publication of this rule until the 
antidiscrimination provisions also are proposed and finalized. As 
explained, comments on the NPRM concerning antidiscrimination 
requirements are beyond the scope of this rulemaking. However, we will 
take all comments received into account as we issue the forthcoming 
antidiscrimination provisions of part 2. We further encourage these 
commenters and others to provide input on the forthcoming proposed rule 
containing the antidiscrimination provisions.

V. Regulatory Impact Analysis

A. Executive Orders 12866 and 13563 and Related Executive Orders on 
Regulatory Review

    The Department has examined the impact of the final rule as 
required by Executive Order (E.O.) 12866 on Regulatory Planning and 
Review as amended by E.O. 14094, 58 FR 51735 (October 4, 1993); E.O. 
13563 on Improving Regulation and Regulatory Review, 76 FR 3821 
(January 21, 2011); E.O. 13132 on Federalism, 64 FR 43255 (August 10, 
1999); E.O. 13175 on Consultation and Coordination with Indian Tribal 
Governments, 65 FR 67249 (November 9, 2000); the Congressional Review 
Act, Public Law 104-121, sec. 251, 110 Stat. 847 (March 29, 1996); the 
Unfunded Mandates Reform Act of 1995, Public Law 104-4, 109 Stat. 48 
(March 22, 1995); the Regulatory Flexibility Act, Public Law 96-354, 94 
Stat. 1164 (September 19, 1980); E.O. 13272 on Proper Consideration of 
Small Entities in Agency Rulemaking, 67 FR 53461 (August 16, 2002); the 
Assessment of Federal Regulations and Policies on Families, Public Law 
105-277, sec. 654, 112 Stat. 2681 (October 21, 1998); and the Paperwork 
Reduction Act (PRA) of 1995, Public Law 104-13, 109 Stat. 163 (May 22, 
1995).
    E.O.s 12866 and 13563 direct us to assess all costs and benefits of 
available regulatory alternatives and, when regulation is necessary, to 
select regulatory approaches that maximize net benefits (including 
potential economic, environmental, public health and safety, and other 
advantages; distributive impacts; and equity). Section 3(f) of E.O. 
12866 (as amended by E.O. 14094) defines a ``significant regulatory 
action'' as any regulatory action that is likely to result in a rule 
that may: (1) have an annual effect on the economy of $200 million or 
more (adjusted every 3 years by the Administrator of the Office of 
Information and Regulatory Affairs (OIRA) for changes in gross domestic 
product); or adversely affect in a material way the economy, a sector 
of the economy, productivity, competition, jobs, the environment, 
public health or safety, or State, local, territorial, or Tribal 
governments or communities; (2) create a serious inconsistency or 
otherwise interfere with an action taken or planned by another agency; 
(3) materially alter the budgetary impact of entitlements, grants, user 
fees, or loan programs or the rights and obligations of recipients 
thereof; or (4) raise legal or policy issues for which centralized 
review would meaningfully further the President's priorities or the 
principles set forth in this E.O., as specifically authorized in a 
timely manner by the Administrator of OIRA in each case.
    This final rule is partially regulatory and partially deregulatory. 
The Department estimates that the effects of the final rule for part 2 
programs would result in new costs of $26,141,649 within 12 months of 
implementing the final rule. The Department estimates these first-year 
costs would be partially offset by $13,421,556 of first year cost 
savings, attributable to reductions in the need for part 2 programs to 
obtain written patient consent for disclosures for treatment, payment, 
or health care operations (TPO) ($10.3 million); reductions in the need 
for covered entities, business associates, and part 2 programs to 
obtain written patient consent for redisclosures ($2.6 million); and 
reductions in capital expenses for printing consent forms ($0.5 
million). This results in an estimated net cost of $12,720,093 in the 
first year of the rule. This is followed by net savings of 
approximately $5.2 to $5.4 million annually in years two through five, 
resulting from a continuation of first-year cost saving of $13.4 
million per year, minus varying Federal costs at approximately $2.3 to 
$2.6 million in years 1 to 5 and the estimated annual

[[Page 12581]]

costs of $5.7 million primarily attributable to compliance with 
attaching consent forms with every disclosure and breach notification 
requirements. This results in overall net cost savings of $8,445,536 
over 5 years for changes to 42 CFR part 2.
    The Department estimates that the private sector would bear 
approximately 60 percent of the costs, with state and Federal health 
plans bearing the remaining 40 percent of the costs. All of the cost 
savings experienced from the first year through subsequent years would 
benefit part 2 programs and covered entities. This final rule is a 
significant regulatory action, under sec. 3(f) of E.O. 12866 (as 
amended by E.O. 14094). Accordingly, the Office of Management and 
Budget (OMB) has reviewed this final rule.
    The Department presents a detailed analysis below.
Summary of the Final Rule
    This final rule modifies 42 CFR part 2 (``part 2'') to implement 
changes required by section 3221 of the Coronavirus Aid, Relief, and 
Economic Security (CARES) Act, to further align part 2 with the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA) Rules, and 
for clarity and consistency. Major changes are summarized in the 
preamble.
    The Department estimates that the first-year costs for part 2 
programs will total approximately $26.1 million in 2022 dollars. These 
first-year costs are attributable to part 2 programs training workforce 
members on the revised requirements ($13.3 million); capital expenses 
($0.9 million); compliance with breach notification requirements ($1.6 
million); updating Patient Notices ($2.6 million); attaching consent 
forms for disclosures (2.9 million); updating consent forms ($1.7 
million); updating the notice to accompany disclosures ($0.7 million); 
and costs to the Department for part 2 enforcement and compliance ($2.3 
million). It also includes nominal costs for responding to requests for 
privacy protection, providing accounting of disclosures, $32,238 for 
receiving complaints, and $61,726 for investigative agencies to file 
reports to the Secretary. For years 2 through 5, the estimated annual 
costs of $5.7 million are primarily attributable to compliance with 
attaching consent forms and breach notification requirements and 
related capital expenses, on top of variable Federal costs amounting to 
roughly $2.3 to $2.5 million from years 1 to 5.
    The Department estimates annual cost savings of $13.4 million per 
year, over 5 years, attributable to reductions in the need for part 2 
programs to obtain written patient consent for disclosures for TPO 
($10.3 million), reductions in the need for covered entities and 
business associates to obtain written patient consent for redisclosures 
($2.6 million), and reductions in capital expenses for printing consent 
forms ($0.5 million).\322\
---------------------------------------------------------------------------

    \322\ Totals in this Regulatory Impact Analysis may not add up 
due to showing rounded numbers in the tables.
---------------------------------------------------------------------------

    The Department estimates net costs for part 2 programs totaling 
approximately $12.7 million in the first year followed by net savings 
of approximately $5.4 to $5.2 million in years 2 to 5, resulting in 
overall net cost savings of approximately $8.4 million over 5 years. 
The yearly costs, cost-savings and net for part 2 are displayed in 
Table 1 below.
[GRAPHIC] [TIFF OMITTED] TR16FE24.011

Need for the Final Rule
    On March 27, 2020, Congress enacted the CARES Act as Public Law 
116-136. Section 3221 of the CARES Act amended 42 U.S.C. 290dd-2, the 
statute that establishes requirements regarding the confidentiality and 
disclosure of certain records relating to SUD, and section 3221(i) of 
the CARES Act requires the Secretary to promulgate regulations 
implementing those amendments.\323\ With this final rule, the 
Department changes part 2 to implement section 3221 of the CARES Act, 
increase clarity, and decrease compliance burdens for regulated 
entities. The Department believes the changes will reduce the need for 
data segmentation within entities subject to the regulatory 
requirements promulgated under part 2.
---------------------------------------------------------------------------

    \323\ Section 3221(i) of the CARES Act requires implementation 
on or after the date that is 12 months after the enactment of the 
CARES Act, i.e., March 27, 2021.
---------------------------------------------------------------------------

    Significant differences in the permitted uses and disclosures of 
part 2 records and protected health information (PHI) as defined under 
the

[[Page 12582]]

HIPAA Privacy Rule contribute to ongoing operational compliance 
challenges. For example, under the previous rule, entities subject to 
part 2 must obtain prior written consent for most uses and disclosures 
of part 2 records, including for TPO, while the HIPAA Privacy Rule 
permits many uses and disclosures of PHI without authorization. 
Therefore, to comply with both sets of regulations, HIPAA covered 
entities subject to part 2 must track and segregate part 2 records from 
other health records (e.g., records that are protected under the HIPAA 
regulations but not part 2).\324\
---------------------------------------------------------------------------

    \324\ For example, a clinic that provides general medical 
services, and has a unit specializing in SUD treatment that is a 
part 2 program, would need to segregate its SUD records from other 
medical records, even for the same patient, to ensure that the SUD 
records are used and disclosed only as permitted by part 2.
---------------------------------------------------------------------------

    In addition, once PHI is disclosed to an entity not covered by 
HIPAA, it is no longer protected by the HIPAA regulations. In contrast, 
part 2 strictly limits redisclosures of part 2 records by individuals 
or entities that receive a record directly from a part 2 program or 
other ``lawful holder'' of patient identifying information, absent 
written patient consent.325 326 Therefore, any part 2 
records received from a part 2 program or other lawful holder must be 
segregated or segmented from non-part 2 records.\327\ The need to 
segment part 2 records from other health records created data ``silos'' 
that hamper the integration of SUD treatment records into entities' 
electronic record systems and billing processes, which in turn may 
impact the ability to integrate treatment for behavioral health 
conditions and other health conditions.\328\ Many stakeholders, 
including public commenters on the NPRM, have urged the Department to 
take action to eliminate the need for such data segmentation,\329\ and 
the Department believes this final rule will reduce the need for data 
segmentation or tracking. Where segmentation may be necessary, we 
encourage the use of data standards adopted by ONC on behalf of HHS in 
45 CFR part 170, subpart B, and referenced in the ONC Health IT 
Certification Program certification criteria for security labels and 
segmentation of sensitive health data.
---------------------------------------------------------------------------

    \325\ See 42 CFR 2.12(d)(2)(i)(C).
    \326\ See definition of ``Patient identifying information'' in 
42 CFR 2.11. See also definition of ``Disclose'' in 42 CFR 2.11.
    \327\ See 42 CFR 2.12(d)(2)(ii).
    \328\ Dennis McCarty, Traci Rieckmann, Robin L. Baker, et al., 
``The Perceived Impact of 42 CFR part 2 on Coordination and 
Integration of Care: A Qualitative Analysis,'' Psychiatric Services 
(Nov. 2016), https://doi.org/10.1176/appi.ps.201600138.
    \329\ For example, the Ohio Behavioral Health Providers Network 
(Network) in an August 21, 2020, letter to SAMHSA, and the 
Partnership to Amend Part 2 in a similar January 8, 2021, letter to 
the U.S. Department of Health and Human Services (HHS), both urge 
that there should be no requirement for data segmentation or 
segregation after written consent is obtained and part 2 records are 
transmitted to a health information exchange or care management 
entity that is a business associate of a covered entity covered by 
the new CARES Act consent language. In the letter, the Network 
states that such requirements are difficult to implement in health 
centers and other integrated settings in which SUD treatment may be 
provided. See also public comments expressed and summarized in 85 FR 
42986 (July 15, 2020); and see Letter from The Partnership to Amend 
42 CFR part 2 to HHS Secretary Becerra (Jan. 8, 2021), https://aahd.us/wp-content/uploads/2021/01/PartnershipRecommendationsforNextPart2-uleLtrtoNomineeBecerra_01082021.pdf.
---------------------------------------------------------------------------

Response to Public Comment
    The Department requested public comment on all aspects of the 
proposed amendments to the regulations at 42 CFR part 2, 
Confidentiality of Substance Use Disorder Patient Records. Seventy-two 
commenters, both individuals and organizations, offered views on 
various aspects related to the Regulatory Impact Analysis (RIA).
    Comments from organizations who expressed support for specific 
issues in the NPRM pointed to a decrease in the administrative burden 
and cost on providers, an increase in access to care, a decrease in 
costs for patients, and a general improvement in communication within 
the industry. One organization suggested that the changes in the rule 
will allow for streamlining care by decreasing the number of times the 
provider must ask for consent from the patient. Another organization 
asserted that the proposed rule changes could help minimize the stigma 
surrounding SUD treatment and help decrease the technical burdens that 
the previous rules have caused.
    Organizations and government entities who expressed opposition to 
specific issues in the NPRM asserted that the changes would increase 
costs and legal liability for both patients and providers, decrease the 
quality of care, create additional administrative and technical 
burdens, and be overly time consuming to follow. A government 
organization asserted that most current electronic health care record 
systems do not have the ability to give accountings of TPO disclosures, 
which would force the entities using these systems to manually process 
the information. This is a burdensome and time-consuming task, 
according to the organization, as the entities may have to account for 
disclosures for the previous six years. An organization argued that due 
to differences in Patient Notice requirements for part 2 and HIPAA, 
there may be different language for each privacy notice. Multiple 
organizations asserted that changing the language of the privacy 
notices is expensive, especially for larger organizations. One 
organization suggested that the expanded requirement to provide TPO 
accounting will lead to changes in the health care system and increased 
costs for patients. Another organization argued that the separation of 
part 2 data will lead to delays in care and threats to patient health 
as providers may not be able to see a patient's full medical history, 
which is necessary to give adequate care. One commenter argued that the 
proposed change could weaken patient privacy and lead to the 
information being misused in criminal investigations and court 
proceedings. This change also may put an additional burden on providers 
to counsel patients on the ethical and constitutional considerations 
that will go into signing the form.
    Organizations and government entities who expressed mixed views on 
the issues discussed in the excerpts change agreed with the need for 
the rule change and the general change itself but provided additional 
comments on concerns related to specific topics such as TPO disclosures 
and notices of privacy protections. One organization argued that HHS 
should take into consideration the time and costs associated with 
updating changes to the accounting of disclosures requirement and the 
timeframe to implement these changes. Another organization requested 
that accounting for TPO disclosures be delayed until regulations 
pursuant to the HITECH Act are enacted. This commenter asserted that 
applying the accounting requirement only to TPO disclosures made 
through an electronic health care record creates a disincentive to 
adopt electronic health care records, especially for small and rural 
providers and those serving patients of color and other historically 
underserved communities. Multiple organizations argued that if 
discrepancies exist between part 2 and HIPAA, there may be 
administrative burdens surrounding data segregation. Due to this part 2 
and HIPAA need to be aligned as much as possible to minimize 
impediments to critical care. One organization believed that it is 
unnecessary for part 2 to include providing a copy of a patient's 
consent and imposing retention periods on maintaining those consents 
since other laws, such as HIPAA, CMS regulations, and state licensing 
requirements already cover these requirements.

[[Page 12583]]

    After reviewing the comment submissions, the Department is making 
the following changes to this RIA, some of which result in changes to 
the RIA analysis presented in the proposed rule.\330\ Changes to the 
RIA also include updating wage rates and other cost factors to 2022 
dollars to reflect more recent data, adding small quantitative burdens, 
and qualitatively discussing changes from the proposed to the final 
rule when unquantifiable.
---------------------------------------------------------------------------

    \330\ Specific changes to the proposed rule RIA are discussed in 
each of the RIA sections where applicable.
---------------------------------------------------------------------------

     Adding a new quantitative recurring cost for receiving a 
complaint;
     Adding reference to the changes to the investigative 
agency definition;
     Adding a qualitative discussion of reasonable diligence 
steps for the limitation on liability for investigative agencies and 
their potential impacts on costs;
     Increasing the time required and the number of responses 
in the quantitative costs for the right to request restrictions;
     Adding a qualitative discussion of requirements for 
intermediaries;
     Adding a qualitative discussion of the benefit associated 
with the removal of data segmentation requirements;
     Adding qualitative discussion of SUD counseling notes 
which the Department does not expect to impose a quantifiable burden;
     Adding a new quantitative recurring cost for the 
requirement to attach consent with each disclosure or provide clear 
description of scope of consent;
     Including a clarification that qualified service 
organizations (QSOs) are also subject to breach notification 
requirements in the quantification of these costs;
     Qualitatively discussing the impacts of part 2 programs 
being required to notify recipients of a revocation of consent.
Cost-Benefit Analysis
a. Overview and Methodology
    This RIA relies on the same data source used by SAMHSA for the 
estimated number of part 2 programs in SAMHSA's 2020 Information 
Collection Request (ICR) (``part 2 ICR'') \331\ and uses an updated 
statistic from that source. The final rule also adopts the estimated 
number of covered entities used in the Department's 2021 ICR for the 
HIPAA Privacy Rule NPRM (``2021 HIPAA ICR''),\332\ as well as its cost 
assumptions for many requirements of the HIPAA regulations, including 
breach notification activities.
---------------------------------------------------------------------------

    \331\ 85 FR 42986.
    \332\ While the number of covered entities used in this final 
rule was adopted from the 2021 ICR for the HIPAA Privacy Rule, these 
numbers are also reflected in the more recent 2023 ICR for the HIPAA 
Privacy Rule NPRM and are the most up to date numbers the Department 
has. These ICRs may be found under OMB control # 0945-0003.
---------------------------------------------------------------------------

    Although HIPAA was a component of the proposed rule and is not for 
the final rule, the HIPAA number of covered entities (774,331) are 
still used in some calculations of costs from part 2 such as for breach 
notifications. When applying HIPAA cost assumptions to part 2 programs, 
the Department multiplies the figures by 2 percent (.02), representing 
the number of part 2 programs in proportion to the total number of 
covered entities. In some instances, the estimates historically used by 
the Department for similar regulatory requirements were developed based 
on different methodologies, resulting in significantly different fiscal 
projections for some required activities. This RIA adopts the approach 
used for HIPAA's projected costs and cost savings.
    In addition to the quantitative analyses of the effects of the 
regulatory modifications, the Department analyzes some benefits and 
burdens qualitatively; relatedly, there is uncertainty inherent in 
predicting the actions that a diverse scope of regulated entities might 
take in response to this final rule.
    For reasons explained more fully below, the changes to the consent 
requirements for part 2 programs and redisclosure permissions for 
covered entities and business associates would result in economic cost 
savings of approximately $67,107,778 over 5 years based on the final 
rule changes. Table 2 presents the undiscounted and discounted costs 
and cost savings figures over 5 years. All estimates are presented in 
millions of year-2022 dollars, using 2024 as the base year for 
discounting.

[[Page 12584]]

[GRAPHIC] [TIFF OMITTED] TR16FE24.012

b. Baseline Assumptions
    In developing its estimates of the potential costs and cost savings 
of the final rule the Department relied substantially on recent prior 
estimates for modifications to this regulation \333\ and the HIPAA 
Privacy Rule \334\ and associated ICRs. Specifically, the part 2 ICR 
data previously approved under OMB control #0930-0092 informs the 
Department's estimates with respect to final rule modifications to part 
2 provisions.\335\ However, for final rule part 2 provisions that are 
based on provisions of the HIPAA regulations, the Department relies on 
the HIPAA regulatory ICRs previously approved under OMB control # 0945-
0003 and updated consistent with the 2021 HIPAA Privacy Rule NPRM.\336\
---------------------------------------------------------------------------

    \333\ See 83 FR 239 (Jan. 3, 2018) and 85 FR 42986.
    \334\ 86 FR 6446 (Jan. 21, 2021).
    \335\ 85 FR 42986.
    \336\ 84 FR 51604 (Sept. 30, 2019). See also 86 FR 6446.
---------------------------------------------------------------------------

    Because the Department lacks data to determine the percentage of 
part 2 programs that are also subject to the HIPAA regulations, the 
Department assumes for purposes of this analysis that the final rule 
changes to part 2 would affect all part 2 programs equally--including 
those programs that are also HIPAA covered entities, and thus already 
are subject to requirements under the HIPAA regulations (e.g., breach 
notification) that the Department incorporates into part 2. Thus, this 
RIA likely overestimates the overall compliance burden on part 2 
programs posed by the final rule. In contrast, this RIA likely 
underestimates the cost savings of the final rule. The estimated cost 
savings are primarily attributed to the reduction in the number of 
written patient consents that would be needed to use or disclose 
records for TPO and to redisclose them for other purposes permitted by 
the HIPAA Privacy Rule. Because the Department lacks data to estimate 
the annual numbers of written patient consents and disclosures to 
covered entities, this RIA adopts an assumption that only three 
consents per patient are currently obtained per year (one each for 
treatment, payment, and health care operations) and only one half of 
such consents result in a disclosure of records to a HIPAA covered 
entity or business associate, for which consent would be no longer 
required to use or redisclose the record under the final rule.
c. Part 2 Programs, Covered Entities, and Patient Population
    The Department relies on the same source as the approved part 2 ICR 
\337\ as the basis for its estimates of the total number of part 2 
programs and total annual part 2 patient admissions. part 2 programs 
are publicly (Federal, State, or local) funded, assisted, or regulated 
SUD treatment programs. The part 2 ICR's estimate of the number of such 
programs (respondents) is based on the results of the 2020 National 
Survey of Substance Abuse Treatment Services (N-SSATS), and the average 
number of annual total responses is based on the results of the average 
number of SUD treatment admissions from SAMHSA's 2019 Treatment Episode 
Data Set (TEDS) as the number of patients treated annually by part 2 
programs, both approved under OMB Control No. 0930-0335.\338\ In the 
2020 data from N-SSATS, the number of part 2 respondents was 
16,066.\339\ The TEDS data for SUD treatment admissions has been 
updated, so the Department relies on the 2019 statistic, as shown in 
Table 3 below.
---------------------------------------------------------------------------

    \337\ 85 FR 42986.
    \338\ 84 FR 787 (Jan. 31, 2019).
    \339\ See Substance Abuse and Mental Health Servs. Admin., 
``National Survey of Substance Abuse Treatment Services (N-SSATS): 
2020. Data on Substance Abuse Treatment Facilities'' (2021), https://www.samhsa.gov/data/sites/default/files/reports/rpt35313/2020_NSSATS_FINAL.pdf.

---------------------------------------------------------------------------

[[Page 12585]]

[GRAPHIC] [TIFF OMITTED] TR16FE24.013

    For purposes of calculating estimated costs and benefits the 
Department relies on mean hourly wage rates for occupations involved in 
providing treatment and operating health care facilities, as noted in 
Table 4 below. This final rule updates the proposed rule RIA wages to 
the most recent year of available data.
---------------------------------------------------------------------------

    \340\ Substance Abuse and Mental Health Servs. Admin., Ctr. for 
Behavioral Health Statistics and Quality, ``Treatment Episode Data 
Set (TEDS): 2019. Admissions to and Discharges From Publicly Funded 
Substance Use Treatment'' (2021), https://www.samhsa.gov/data/sites/default/files/reports/rpt35314/2019_TEDS_Proof.pdf.
    \341\ 86 FR 6446, 6497.
    \342\ Id. at 6515.
    [GRAPHIC] [TIFF OMITTED] TR16FE24.014
    

[[Page 12586]]


d. Qualitative Analysis of Non-Quantified Benefits and Burdens
    The Department's analysis focuses on primary areas of changes 
imposed by the final rule that are likely to have an impact on 
regulated entities or patients. These are changes to establish or 
modify requirements with respect to: enforcement and penalties, 
notification of breaches, consent for uses and disclosures, Patient 
Notice, notice accompanying disclosure, copy of consent accompanying 
disclosure, requests for privacy protection, accounting of disclosures, 
audit and evaluation, disclosures for public health, and use and 
disclosure of records by investigative agencies. In addition to these 
changes, the Department believes the modifications to part 2 for 
clarification, readability, or consistency with HIPAA terminology, 
would have the unquantified benefits of providing clarity and 
regulatory certainty. The provisions that fall into this category and 
for which anticipated benefits are not discussed in-depth, are:
Sections 2.1, 2.2, 2.4, 2.11 Through 2.15, 2.17, 2.19 Through 2.21, 
2.23, 2.24, 2.34, 2.35, 2.52, and 2.61 Through 2.65
    The Department provides its analysis of non-quantified benefits and 
burdens for the primary areas of final rule regulatory change below, 
followed by estimates and analysis of quantified benefits and costs in 
section (e).
Section 2.3--Civil and Criminal Penalties for Violations
    The Department creates limitations on civil and criminal liability 
for investigative agencies in the event they unknowingly receive part 2 
records in the course of investigating or prosecuting a part 2 program 
or other person holding part 2 records prior to obtaining the required 
court order under subpart E. This safe harbor promotes public safety by 
permitting agencies to investigate part 2 programs and persons holding 
part 2 records in good faith with a reduced risk of HIPAA/HITECH Act 
penalties. The liability limitations would be available only to 
agencies that could demonstrate reasonable diligence in attempting to 
determine whether a provider was subject to part 2 before making a 
legal demand for records or placement of an undercover agent or 
informant. The changes benefit SUD providers, part 2 programs, 
investigative agencies, and the courts by encouraging agencies to seek 
information about a provider's part 2 status in advance and potentially 
reduce the number of instances where applications for good cause court 
orders are denied. Incentivizing investigative agencies to check 
whether part 2 applies in advance of investigating a provider would 
benefit the court system, programs public safety, patients, and 
agencies by enhancing efficiencies within the legal system, promoting 
the rule of law, and ensuring the part 2 protections for records are 
utilized when applicable.
    The limitations on liability for investigative agencies may result 
in more disclosures of patient records to such agencies by facilitating 
investigations and prosecutions of part 2 programs and lawful holders. 
The Department believes that limiting the application of Sec.  2.3(b) 
to investigations and prosecutions of programs and holders of records, 
requiring non-identifying information in the application for the 
requisite court orders,\343\ and keeping patient identifying 
information under seal \344\ will provide strong and continuing 
protections for patient privacy while promoting public safety.
---------------------------------------------------------------------------

    \343\ See Sec.  2.66 (requiring use of ``John Doe'').
    \344\ See Sec. Sec.  2.66 and 2.67.
---------------------------------------------------------------------------

Section 2.12--Applicability
    The final rule removes data segmentation requirements and instead 
expressly states that segregation of records is not required upon 
receipt. This results in the final rule neither requiring nor 
prohibiting data segmentation, leading to a benefit to covered 
entities, according to public comments on this issue. The Department 
acknowledges that there is likely a burden reduction from the express 
statement that segmentation of data or records is not required; 
however, the Department lacks data on the number of records benefitting 
from the removal of the data segmentation requirement to quantify this 
impact.
Section 2.16--Security for Records and Notification of Breaches
    The Department adds notification of breaches to Sec.  2.16 so that 
the requirements of 45 CFR 164.400 through 164.414, apply to breaches 
of part 2 records programs in the same manner as those requirements 
apply to breaches of PHI. Notification of breaches is a cornerstone 
element of good information practices because it permits affected 
individuals or patients to take steps to remediate harm, such as 
putting fraud alerts on their credit cards, checking their credit 
reports, notifying financial institutions, and informing personal 
contacts of potential scams involving the patient's identity. It is 
difficult to quantify the value of receiving notification in comparison 
to the costs incurred in restoring one's credit, correcting financial 
records, or the cost of lost opportunities due to loss of income or 
reduced credit ratings.\345\
---------------------------------------------------------------------------

    \345\ See 74 FR 42739, 42765-66 (Aug. 24, 2009).
---------------------------------------------------------------------------

    The benefit to the patient of learning about a breach of personally 
identifying information includes the opportunity for the patient to 
take timely action to regain control over their information and 
identity. The Department does not have data to predict how many 
patients will sign up for credit monitoring or other identity 
protections after receiving a notification of breach of their part 2 
records; however, the Department believes that the costs to patients of 
taking these actions \346\ will be far outweighed by the savings of 
avoiding identity theft.\347\ Requiring part 2 programs to provide 
breach notification ensures that patients of such programs are provided 
the same awareness of breaches as patients that receive other types of 
health care services from HIPAA covered entities.
---------------------------------------------------------------------------

    \346\ See Alexandria White, ``How much does credit monitoring 
cost? '' CNBC (Nov. 16, 2021), https://www.cnbc.com/select/how-much-does-credit-monitoring-cost/.
    \347\ See Kenneth Terrell, ``Identity Fraud Hit 42 Million 
People in 2021,'' AARP (Apr. 7, 2022) (``[T]he average per-victim 
loss from traditional identity fraud [is] $1,551.''), https://www.aarp.org/money/scams-fraud/info-2022/javelin-report.html.
---------------------------------------------------------------------------

Section 2.22 Patient Notice
    Patients, part 2 programs, and covered entities are all likely to 
benefit from final rule changes to more closely align the Patient 
Notice and HIPAA NPP regulatory requirements, which simplify their 
compliance with the two regulations. The Department establishes for 
patients the right to discuss the Patient Notice with a person 
designated by the program as the contact person and to include 
information about this right in the header of the Patient Notice as 
proposed in the HIPAA Coordinated Care and Individual Engagement 
NPRM.\348\ These changes help improve a patient's understanding of the 
program's privacy practices and the patient's rights with respect to 
their records. Even for patients who do not request a discussion under 
this final rule, knowledge of the right may promote trust and 
confidence in how their records are handled.
---------------------------------------------------------------------------

    \348\ See 86 FR 6446, 6485.
---------------------------------------------------------------------------

Section 2.24 Requirements for Intermediaries
    The final rule adopts a definition of ``intermediary'' that 
excludes part 2 programs, covered entities, and business associates. 
Business associates that are HIEs will particularly benefit from being 
excluded from the definition of

[[Page 12587]]

``intermediary'' because HIEs were the most representative example of 
an intermediary; therefore, had the most to benefit from burden 
reduction. They will not be subject to the requirement in Sec.  2.24 to 
provide a list of disclosures upon request of a patient; they will not 
be subject to the special consent requirements for intermediaries that 
many HIEs have found to be a barrier to accepting part 2 records in 
their systems; and they will be generally included when a patient signs 
a TPO consent. This will also benefit covered entities that are part 2 
programs because they will be able to use an HIE business associate to 
exchange part 2 data as well as PHI, furthering the integration of 
behavioral health information with other health information. We believe 
this will also benefit patients because it will enhance their ability 
to receive comprehensive care.
Section 2.25 Accounting of Disclosures
    Adding a requirement to account for disclosures for TPO through an 
electronic health record (EHR) benefits patients by increasing 
transparency about how their records are used and disclosed for those 
purposes. This requirement could counterbalance concerns about loss of 
control that patients may experience as a result of the changes to the 
consent process that would permit all future TPO uses and disclosures 
based on a single general consent. The data logs that part 2 programs 
need to maintain to create an accurate and complete accounting of TPO 
disclosures could also be beneficial for such programs in the event of 
an impermissible access by enabling programs to identify the 
responsible workforce member or other wrongful actor.
Section 2.26 Right To Request Privacy Protection for Records
    Adding a new right for patients to request restrictions on uses and 
disclosures of their records for TPO is likely to benefit patients by 
giving them a new opportunity to assert their privacy interests to part 
2 program staff, to address patients' concerns about who may see their 
records, and to understand what may be done with the information their 
records contain.
    With respect to the right for patients to restrict disclosures to 
their health plan when patients have self-paid in full for services, 
patients will benefit by being shielded from potential harmful effects 
of some health plans' restrictive coverage policies or other potential 
negative effects, such as employers learning of patients' SUD 
diagnoses.\349\ This right may also improve rates of access to SUD 
treatment because of patients' increased trust that they have the 
opportunity to ensure that their records will remain within the part 2 
program. A limitation on the benefits of this right is that it is only 
available to patients with the means to pay privately for SUD 
treatment.
---------------------------------------------------------------------------

    \349\ Nat'l Academies of Sciences, Engineering, and Medicine, 
The Nat'l Acads. Press, ``Ending Discrimination Against People with 
Mental and Substance Use Disorders: The Evidence for Stigma Change'' 
(2016), http://www.nap.edu/23442; U.S. Dep't of Health and Human 
Servs., Office of the Surgeon General, ``Facing Addiction in 
America: The Surgeon General's Report on Alcohol, Drugs, and 
Health'' (Nov. 2016), https://store.samhsa.gov/sites/default/files/d7/priv/surgeon-generals-report.pdf.
---------------------------------------------------------------------------

    Part 2 programs may benefit from increased frequency of patients 
paying in full out of pocket, which could decrease the time spent by 
staff in billing and claims activities. Part 2 programs also may 
benefit from increased patient trust in the programs' protection of 
records.
Section 2.31 Consent Requirements and Sec.  2.33 Uses and Disclosures 
Permitted With Written Consent
    The changes to consent for part 2 records are two-fold: changes to 
the required elements on the written consent form and a reduction in 
the instances where a separate written consent is needed (the process 
of obtaining consent). Changes to the consent form for alignment with 
the HIPAA authorization form would likely benefit part 2 programs 
because they would employ more uniform language and concepts related to 
information use and disclosure. Such changes may particularly benefit 
part 2 programs that are also subject to the HIPAA regulations, so 
staff do not have to compare and interpret different terms on forms 
that request the use or disclosure of similar types of information.
    Permitting patients to sign a single general consent for all uses 
and disclosures of their record for TPO, may carry both burdens and 
benefits to patients. Patients may benefit from a reduction in the 
amount of paperwork they must sign to give permission for routine 
purposes related to the treatment and payment and associated reductions 
in time spent waiting for referrals, transfer of records among 
providers, and payment of health insurance claims. At the same time, 
patients may experience a sense of loss of control over their records 
and the information they contain when they lose the opportunity to make 
specific decisions about which uses and disclosures they would permit. 
In some instances, the reduced ability to make specific use and 
disclosure decisions could result in a greater likelihood of harm to 
reputation, relationships, and livelihood.
    Part 2 programs would likely benefit from the efficiencies 
resulting from permitting a general consent for all TPO uses and 
disclosures by freeing staff from burdensome paperwork. In contrast, 
clinicians in part 2 programs may find it harder to gain the 
therapeutic trust needed for patients to divulge sensitive information 
during treatment if patients become less confident about where their 
information may be shared and their ability to control those uses and 
disclosures. Some potential patients may avoid initiating treatment 
altogether, which would harm both patients and programs.
    Covered entities and business associates would benefit markedly 
from the ability to follow only one set of Federal regulations when 
making decisions about using and disclosing part 2 records by 
streamlining processes and simplifying decision making procedures. 
Additionally, covered entities and business associates would no longer 
need to segregate SUD treatment data and could improve care 
coordination and integration of behavioral health with general medical 
treatment, resulting in comprehensive holistic treatment of the entire 
patient.
    In contrast, this final rule could also create a burden because 
covered entities and business associates subject to part 2 may need to 
sort and filter part 2 records for certain uses and disclosures, such 
as audit and evaluation activities that are health care operations, 
according to whether or not a patient consent for TPO has been 
obtained.
Section 2.32 Notice and Copy of Consent To Accompany Disclosure
    The revisions to the notice accompanying each disclosure of part 2 
records made with written consent benefit patients by ensuring that 
recipients of part 2 records are notified of the expanded prohibition 
on use of such records against patients in legal proceedings even 
though uses and redisclosures for other purposes would be more readily 
permissible. Due to the final rule changes in redisclosure permissions 
for recipients of part 2 records that are covered entities and business 
associates, the importance of the Notice to Accompany Disclosure would 
increase.
    Part 2 programs will benefit from having notice language that 
accurately

[[Page 12588]]

reflects statutory changes in the privacy protections for records. 
Retaining the notice to accompany disclosure requirement would also 
ensure that certain protections for part 2 records continue to ``follow 
the record,'' compared to the HIPAA Privacy Rule whereby protections 
are limited to PHI held by a covered entity or business associate.
Section 2.53 Management Audits, Financial Audits, and Program 
Evaluation
    Part 2 programs that are also covered entities would benefit from 
the final rule changes that would clarify that the limits on use and 
disclosure for audit and evaluation purposes do not apply to covered 
entities and business associates to the extent these activities fall 
within the HIPAA Privacy Rule disclosure permissions for health care 
operations. This benefit provides regulatory flexibility for covered 
entities when part 2 records are subject to audit or evaluation.
    In some instances, a third-party auditor or evaluator may also be a 
part 2 program or a covered entity or business associate. As recipients 
of part 2 records, such third parties would be permitted to redisclose 
the records as permitted by the HIPAA Privacy Rule, with patient 
consent for TPO. This flexibility would not extend to government 
oversight audits and evaluations.
Section 2.54 Disclosures for Public Health
    The Department creates a new permission to disclose de-identified 
records without patient consent for public health activities, 
consistent with statutory changes. This benefits public health by 
permitting records to be disclosed that would address the opioid 
overdose crisis and other public health issues related to SUDs, and it 
protects patient confidentiality because the permission is limited to 
disclosure of de-identified records.
Section 2.66 Procedures and Criteria for Orders Authorizing Use and 
Disclosure of Records To Investigate or Prosecute a Part 2 Program or 
the Person Holding the Records
    The Department specifies the actions investigative agencies should 
take when they discover in good faith that they have received part 2 
records without obtaining the required court order, such as securing 
the records, ceasing to use or disclose the records, applying for a 
court order, and returning or destroying the records, as applicable to 
the situation. This final rule would provide the benefit of enabling 
agencies to move forward with investigations when they have unknowingly 
sought records from a part 2 program. The final rule limits the 
liability of investigative agencies that unknowingly obtain records 
without the necessary court order and increase agencies' effectiveness 
in prosecuting programs. The minimal burden for exercising reasonable 
diligence before an unknowing receipt of part 2 records is outweighed 
by the reduction in risk of a penalty for noncompliance. This analysis 
applies as well to Sec.  2.67 below.
Section 2.67 Orders Authorizing the Use of Undercover Agents and 
Informants To Investigate Employees or Agents of a Part 2 Program in 
Connection With a Criminal Matter
    The Department's final rule adds a requirement for investigative 
agencies that seek a good cause court order after placement of an 
undercover agent or information in a part 2 program to first meet the 
reasonable diligence criteria in Sec.  2.3(b). This requirement ensures 
that agencies take basic actions to determine whether a SUD treatment 
provider is subject to part 2 before seeking to place an undercover 
agent or informant with the provider. As discussed above in reference 
to Sec.  2.66, this final rule also has the benefit of aiding courts to 
streamline the application process for court orders for the use and 
disclosure of records.
Section 2.68 Report to the Secretary
    The Department created a requirement for annual reports by 
investigative agencies concerning applications for court orders made 
after receipt of part 2 records. This new requirement benefits 
programs, patients, and investigative agencies by making data available 
about the frequency of investigative requests made ``after the fact.'' 
This requirement benefits agencies and programs by highlighting the 
potential need for increased awareness about part 2's applicability. A 
program that makes its part 2 status publicly known benefits from the 
procedural protections afforded within the court order requirements of 
Sec. Sec.  2.66 and 2.67 in the event it becomes the target of an 
investigation. The final rule's reporting requirement could also 
potentially serve as a deterrent to agencies from overly relying on the 
ability to obtain belated court orders instead of doing a reasonable 
amount of research to determine before making an investigative demand 
whether part 2 applies. Any resulting reduction in unauthorized uses 
and disclosures of records could be viewed as a benefit by patients and 
privacy advocates. In contrast, investigative agencies could view the 
reporting requirement as an administrative burden requiring resources 
that otherwise could be used to pursue investigations.
e. Estimated Quantified Cost Savings and Costs From the Final Rule
    The Department has estimated quantified costs and cost savings 
likely to result from the final rule modifying three core expense 
categories (capital expenses, attaching consent forms, and workforce 
training) and seven substantive regulatory requirements. The remaining 
regulatory changes are unlikely to result in quantifiable costs or cost 
savings, as explained following the discussion of projected costs and 
savings.
i. Capital Expenses
    Capital expenses related to compliance with the final rule fall 
into two categories: notification of breaches and printing forms and 
notices. The Department's estimates for capital costs related to 
providing breach notification are based on estimates from the HIPAA ICR 
multiplied by a factor of 0.02, representing the proportion of part 2 
programs compared to covered entities (774,331 x 16,066 = .02). For 
example, for an estimated 58,482 annual breaches of PHI the Department 
calculates that there are 1,170 breaches of part 2 records (58,482 x 
.02 = 1,170), and associated costs. Those costs are estimated on an 
ongoing annual basis because part 2 programs could experience a breach 
at any time that would require notification. Capital costs for breach 
notifications are presented in Table 5 below.

[[Page 12589]]

[GRAPHIC] [TIFF OMITTED] TR16FE24.015

    The Department's estimate of the costs for printing revised consent 
forms is based on SAMHSA's part 2 ICR estimates for total annual 
patient admissions to part 2 programs \350\ at a rate of $0.11 per 
copy. Programs are already required to print forms and notices on an 
ongoing basis and no change to the number of such forms and notices is 
projected, so the Department has not added any new capital costs for 
printing the revised Patient Notice and Notice to Accompany 
Disclosures. However, the Department estimates that as a result of 
changes to the requirement to obtain consent for disclosures related to 
TPO, part 2 programs and covered entities and business associates would 
experience cost savings from a significant reduction in the number of 
needed consent forms. The Department assumes that, on average, each 
patient's treatment results in a minimum of three written consents 
obtained by part 2 programs, one each for treatment, payment, and 
health care operations purposes. The final rule is estimated to result 
in a decrease in the total number of consents by two-thirds because 
only one patient consent would be required to cover all TPO uses and 
disclosures. At an estimated cost of $0.11 per consent, for a total of 
1,864,367 annual patient admissions, this would result in an annual 
cost savings to part 2 programs of 3,728,734 fewer written consents, or 
$396,222.
---------------------------------------------------------------------------

    \350\ Substance Use Disorder Patient Records Supporting 
Statement A_06102020--OMB 0930-0092, https://omb.report/omb/0930-0092.
---------------------------------------------------------------------------

    Additionally, covered entities and business associates that receive 
part 2 records will also experience a reduced need to obtain written 
patient consent or a HIPAA authorization because redisclosure under the 
HIPAA Privacy Rule does not require patient consent or authorization 
for TPO and many other purposes. The Department lacks data to make a 
precise estimate of projected cost savings, but each patient record 
disclosed to a covered entity or business associate would potentially 
generate a savings based on eliminating the need for the recipient to 
obtain additional consent for redisclosure. The Department has adopted 
a low-cost savings estimate that one-half of part 2 annual admissions 
would result in receipt of part 2 records by a covered entity or 
business associate that would no longer be required to obtain specific 
written patient consent to redisclose such record, representing an 
annual capital expense savings from printing 932,184 fewer consent 
forms. At a per-consent cost of $0.11,\351\ this would result in annual 
savings of $99,056. The capital expense savings for printing consent 
forms are presented in Table 6 below. The savings related to the cost 
of staff time to obtain the patient consent are estimated and discussed 
separately in the section on consent below.
---------------------------------------------------------------------------

    \351\ The Department relies on its estimated capital expenses 
for printing HIPAA breach notification letters adjusted to 2022 
dollars. See 2021 HIPAA ICR, https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=202011-0945-001.

---------------------------------------------------------------------------

[[Page 12590]]

[GRAPHIC] [TIFF OMITTED] TR16FE24.016

ii. Training Costs
    Although part 2 does not expressly require training and the final 
rule does not require retraining, the Department anticipates that all 
part 2 programs will choose to train their workforce members on the 
modified part 2 requirements to ensure compliance. The Department 
estimates costs that all part 2 programs would incur to train staff on 
the changes to the confidentiality requirements. As indicated in the 
chart below, only certain staff would need to be trained on specific 
topics and each program would rely on a training specialist whose 
preparation time would also be accounted for. Compared to the proposed 
HIPAA Privacy Rule right to discuss privacy practices, the costs for 
training part 2 counselors include a higher number of staff per program 
because part 2 programs have no required Privacy Officer who is already 
assigned similar duties and are more likely to incur costs for 
developing a new training regimen. The Department of Labor, BLS last 
reported statistics for substance use and behavioral disorder 
counselors separate from mental health counselors in 2016, and 
substance use and behavioral disorder counselors represented 65 percent 
of the combined total. The Department thus calculates its estimate for 
the number of substance use and behavioral disorder counselors as 65 
percent of the workers in the BLS occupational category for ``substance 
abuse, behavioral disorder, and mental health counselors'' and uses 
that as a proxy for the number of part 2 program counselors that would 
require training on the new Patient Notice.\352\ The Department 
estimates that a total of $13.3 million in one-time new training costs 
would be incurred in the first year of the final rule's implementation, 
as presented in Table 7 below.
---------------------------------------------------------------------------

    \352\ This final rule RIA updates the number of counselors based 
on more recent data from the May 2022 National Occupational 
Employment and Wage Estimates. In 2022, the number of part 2 
counselors is estimated to be 224,231 (344,970 substance abuse and 
behavioral disorder counselors separate from mental health 
counselors. SOC code 21-1018) x .65).
---------------------------------------------------------------------------

BILLING CODE 4153-01-P

[[Page 12591]]

[GRAPHIC] [TIFF OMITTED] TR16FE24.017

iii. Receiving a Complaint
    The Department estimates a new burden in this final rule, for 
covered entities to receive complaints filed by patients against a 
program, covered entity, business associate, qualified service 
organization, or other lawful holder in violation of this part would 
amount to a total annual labor cost of $38,328. This estimate is 
derived under the assumption that one in every thousand patients would 
file a complaint, leading to 1,864 complaints annually.\353\ The 
complaint is also assumed to be received by a manager and take 10 
minutes to address. The cost of receiving complaints poses both a 
recurring annual cost as well as a one-time cost to establish 
procedures for handling complaints. It is assumed that
---------------------------------------------------------------------------

    \353\ The assumption that one out of every 1,000 patients would 
file a complaint was adopted from the 2000 HIPAA Final Rule RIA's 
calculation of costs of internal complaints under 45 CFR part 160.

---------------------------------------------------------------------------

[[Page 12592]]

the cost for setting up complaint procedures is captured under the 
training requirement as well as the Patient Notice requirements, laid 
out in Tables 7 and 10 respectively. Table 8 presents the costs for 
receiving a complaint.
[GRAPHIC] [TIFF OMITTED] TR16FE24.018

iv. Notification of Breaches
    The Department estimates annual labor costs of $1.6 million to part 
2 programs for providing notification of breaches of unsecured records, 
including notification to the Secretary, affected patients, and the 
media, consistent with the requirements of the HIPAA Breach 
Notification Rule. This estimate is derived from calculating two 
percent of the total estimated breach notification activities for 
covered entities, business associates, and qualified service 
organizations under the HIPAA Breach Notification Rule.\354\ Costs for 
the labor spent to provide breach notifications are estimated in Table 
9 below. Capital costs for providing breach notification are discussed 
separately in Table 5 above.
---------------------------------------------------------------------------

    \354\ See 2021 HIPAA ICR, https://omb.report/icr/202011-0945-001. Wage rates are updated to 2022 figures.

---------------------------------------------------------------------------

[[Page 12593]]

[GRAPHIC] [TIFF OMITTED] TR16FE24.019

BILLING CODE 4153-01-C

[[Page 12594]]

v. Patient Notice
    The Department estimates a first-year total of $2.6 million in 
costs to part 2 programs for updating the Patient Notice, as 
applicable, and providing patients a right to discuss the program's 
Patient Notice. Under the final rule's modifications to Sec.  2.22, as 
under the existing rules, a part 2 program that is also a covered 
entity only needs to have one notice that meets the requirements of 
both rules, so the Department's estimates are based on an unduplicated 
count of part 2 programs, each one needing to update its Patient 
Notice. The Department's estimate is based on the number of total 
entities and one hour of a lawyer's time to update the notice(s), as 
detailed in Table 10. There would be no new costs for providers 
associated with distribution of the revised notice other than posting 
it on the entity's website (where available), as providers have an 
ongoing obligation to provide the notice to first-time patients. The 
Department bases the estimate on its previous estimates from the 2013 
Omnibus Final Rule, in which the Department estimated approximately 613 
million first time visits with health care providers annually.\355\
---------------------------------------------------------------------------

    \355\ 78 FR 5565, 5675 (Jan. 25, 2013).
---------------------------------------------------------------------------

    In addition to the costs of updating the Patient Notice, the 
Department estimates that part 2 programs incur ongoing costs to 
implement the right to discuss a program's Patient Notice calculated as 
1 percent of all patients, or 18,644 requests, at the hourly wage of a 
substance abuse, behavioral disorder, and mental health counselor, as 
defined by BLS, for an average of 7 minutes per request or $117,586 
total per year. The number of discussions is based on the same 
percentage of new patients as the parallel proposal in the HIPAA 
Coordinated Care and Individual Engagement NPRM, which reflects the 
anticipated number of patients who would ask to speak with the 
identified contact person or office about the Patient Notice. It does 
not include the discussion that each counselor may have with a new 
patient about confidentiality in the clinical context which the 
Department views as part of treatment. Total costs for the Patient 
Notice are presented in Table 10 below.
[GRAPHIC] [TIFF OMITTED] TR16FE24.020

vi. Accounting of Disclosures
    The Department's estimate of minimal annual costs to part 2 
programs for providing patients an accounting of disclosures is based 
on the Department's estimates for covered entities to comply with the 
requirements in 45 CFR 164.528 multiplied by a factor of .02. This 
represents two percent of the total estimated requests for an 
accounting of disclosures under the HIPAA Privacy Rule. The Department 
included this estimate in its calculations (detailed in Table 11), 
although it is negligible, due to the CARES Act mandate to include the 
requirement in part 2. In addition, these costs will not constitute an 
immediate burden since they are contingent on the promulgation of 
HITECH Act modifications to the accounting of disclosures standard in 
the HIPAA Privacy Rule at 45 CFR 164.528, which the Department has not 
yet finalized.
    The responses to the Department's 2018 Request for Information on 
Modifying HIPAA Rules to Improve Coordinated Care \356\ indicated that 
covered entities and their business associates receive very few 
requests for an accounting of disclosures annually (a high of 
.00006).\357\ Comments received on the part 2 NPRM were consistent with 
these and suggested that covered entities still receive very few 
requests; however, one commenter asserted that a request can take 
approximately 40 hours of labor to address.\358\ We believe this figure 
is an outlier and that most requests cover a narrow time period related 
to a specific disclosure concern. The Department is unable to estimate 
the additional burdens, if any, of offering these accountings in a 
machine readable or other electronic format. Further, the Department 
lacks specific information about the costs to revise EHR systems to 
generate a report of disclosures for TPO, other than they could be 
substantial.\359\ We note too that the compliance date for the 
accounting of disclosures requirement is tolled until modifications to 
the accounting requirement are finalized in 45 CFR 164.528 of the HIPAA 
Privacy Rule. Table 11 presents the estimated costs for accounting of 
disclosures.
---------------------------------------------------------------------------

    \356\ 83 FR 64302 (Dec. 14, 2018).
    \357\ See generally, public comments posted in response to 
Docket ID# HHS-OCR-2018-0028, https://www.regulations.gov/document/HHS-OCR-2018-0028-0001/comment.
    \358\ See public comments posted in response to Docket ID# HHS-
OCR-2022-0018-0001, https://www.regulations.gov/document/HHS-OCR-2022-0018-0001.
    \359\ Id.

---------------------------------------------------------------------------

[[Page 12595]]

[GRAPHIC] [TIFF OMITTED] TR16FE24.021

vii. Requests for Privacy Protection for Records
    The Department estimates that part 2 programs would incur a total 
of $5,019 in annual costs arising from the right to request 
restrictions on disclosures. OCR's HIPAA ICR estimate of costs for 
covered entities to comply with the parallel requirement under 45 CFR 
164.522 represents a doubling of previous estimated responses from 
20,000 to 40,000.\360\ However, costs remain low for compliance with 
this regulatory requirement, in part because the requirement to accept 
a patient's request for restrictions is mandatory only for services for 
which the patient has paid in full; the cost of complying with a 
request not to disclose records or PHI to a patient's health plan 
occurs in a context in which providers are saved the labor that would 
be needed to submit claims to health insurers.
---------------------------------------------------------------------------

    \360\ 86 FR 6446, 6498. See also 84 FR 51604.
---------------------------------------------------------------------------

    The Department acknowledges that in addition to the handling of 
restriction requests, providers will likely also incur costs related to 
the adjustment of their technological capabilities. Comments received 
on the part 2 NPRM outlined some of the existing shortcomings and 
potential improvements to the EHR systems. Some of the issues discussed 
included perceptions regarding the inability of current EHR systems to 
automatically flag and separate part 2 records, and challenges of 
granular data segmentation functionality, inability of systems to 
handle multiple types of information workflows, and difficulties in 
ensuring that the current systems protect part 2 data adequately from 
access and redistribution in large patient settings where data is 
received and redistributed electronically. Commenters suggested, among 
others, the development of broader interoperability frameworks, and the 
development of consistent standards as potential remedies for those 
technical issues, but there was no specific actionable data provided 
that could inform the cost analysis of such efforts. The Department 
therefore lacks a basis to formally quantify these costs and does 
include them in this RIA.
    The estimated costs for requests for privacy protection for records 
is presented in Table 12 below. The estimated number of responses is 
increased from the proposed rule to 1,200 and the average burden 
doubled to 6 minutes (0.1 hours) to account for the final rule adding 
the requirement that covered entities use reasonable effort to 
accommodate patient's request for restrictions resulting in a slight 
increase in estimated burden.
[GRAPHIC] [TIFF OMITTED] TR16FE24.022

viii. Updated Consent Form
    The Department estimates that each part 2 program would incur the 
costs for 40 minutes of a lawyer's time to update its patient consent 
form for use and disclosure of records. This would result in an 
estimated total nonrecurring cost of approximately $1.7 million, to be 
incurred in the first year after publication of a final rule, as 
detailed in Table 13 below.

[[Page 12596]]

[GRAPHIC] [TIFF OMITTED] TR16FE24.040

ix. Attaching Consent Form
    The Department estimates a new cost in this final rule (compared to 
the proposed rule RIA) for the requirement associated with Sec.  2.32 
that each part 2 program would need to attach consent forms with each 
disclosure. The Department assumes an average of three (3) annual 
disclosures per patient. The Department assumes consent forms would 
need to be attached to paper disclosures as well as electronic 
disclosures and assumes ninety percent (90%) of disclosures are 
received electronically while the remaining ten percent (10%) would be 
received in paper format. This would result in a total recurring cost 
of $2.9 million per year. The estimated costs for attaching consent 
form are presented in Table 14 below.
[GRAPHIC] [TIFF OMITTED] TR16FE24.023

x. Updated Notice To Accompany Disclosures
    The Department estimates that each part 2 program would incur the 
costs for 20 minutes of a health care managers' time to update the 
regulatory notice that is to accompany each disclosure of records with 
written patient consent. The Department believes that in most cases a 
manager can accomplish this task, rather than a lawyer, because 
specific text for the Notice to Accompany Disclosure is required and is 
included in the final rule. For a total of 16,066 programs this would 
result in estimated total nonrecurring costs in the first year of the 
rule's implementation of approximately $0.7 million as detailed in 
Table 15 below.

[[Page 12597]]

[GRAPHIC] [TIFF OMITTED] TR16FE24.024

xi. New Reporting to the Secretary
    The final rule's reporting requirements in Sec.  2.68 are directed 
to those agencies that investigate and prosecute programs and holders 
of part 2 records. Part 2 programs are subject, for example, to 
investigations for Medicare and Medicaid fraud and diversion of opioids 
used in medications for opioid use disorder (MOUD). Medicaid and 
Medicare fraud investigations may involve several agencies, such as the 
Department of Justice (DOJ), HHS Office of the Inspector General (OIG), 
and state agencies. Investigations involving the use and disclosure of 
part 2 records include those where SUD providers are the targeted 
entities as well as where other health care providers are the target 
and have received records from a part 2 program. The Department has 
revised its estimates of the number of investigations that involve part 
2 records, resulting in an increase of more than 100 percent from the 
225 estimated investigations in the NPRM. The Department estimates that 
approximately 506 investigations, prosecutions, or sanctions involve 
part 2 programs or records annually, based on FY 2021 statistics. The 
reported data does not separately track part 2 programs so we based our 
estimate on the proportion of part 2 programs as compared to covered 
entities, which is 2 percent, as we have done for other estimates 
within the analysis for this rule.\361\ We acknowledge that this may 
not capture all the entities subject to investigations that include 
part 2 records. At the same time, we have added a more extensive list 
of investigations and actions against health care entities, many of 
which represent duplicate actions, such as the removal of entities from 
Medicare participation based on a fraud conviction against the same 
entity that is also counted within the same year and counting both new 
fraud investigations and pending cases at the year's end. We included 
data from FY 2021 \362\ for the following actions:
---------------------------------------------------------------------------

    \361\ 16,066 part 2 programs/774,331 covered entities = .02
    \362\ Annual Report of the Departments of Health and Human 
Services and Justice, FY 2021 Health Care Fraud and Abuse Control 
Report (July 2022). We include data reflecting OIG investigations as 
one representative data point in an effort to estimate the volume of 
relevant records obtained through investigations throughout the 
country. Annual reporting will be conducted consistent with 
applicable Federal laws.
---------------------------------------------------------------------------

     831 new criminal health care fraud investigations (DOJ).
     462 cases of criminal charges filed by Federal 
prosecutors.
     805 new civil health care fraud investigations (DOJ).
     1,432 civil health care fraud matters pending at the end 
of the fiscal year (DOJ).
     107 health care fraud criminal enterprises dismantled 
(FBI).
     504 criminal actions for Medicare and Medicaid crimes 
(HHS-OIG).
     669 civil actions (HHS-OIG).
     1,689 individuals and entities excluded from participation 
in Medicare, Medicaid, and other Federal health care programs (HHS-
OIG).
     18,815 open investigations by state Medicaid Fraud Control 
Units in FY 2021.\363\
---------------------------------------------------------------------------

    \363\ https://oig.hhs.gov/fraud/medicaid-fraud-control-units-mfcu/expenditures_statistics/fy2021-statistical-chart.pdf. https://oig.hhs.gov/fraud/medicaid-fraud-control-units-mfcu/expenditures_statistics/fy2021-statistical-chart.pdf.
---------------------------------------------------------------------------

    This results in a count of 25,314 actions taken by investigative 
agencies and 506 as the estimated proportion involving use and 
disclosure of part 2 records. The Department assumes, as an over-
estimate, that all 506 cases involve use of the safe harbor under Sec.  
2.3 and result in a required report under Sec.  2.68.
    The burden on investigative agencies for annual reporting about 
unknowing receipt of part 2 records prior to a court order includes the 
labor of gathering data and submitting it to the Secretary. As a proxy 
for this burden, the Department estimates that the labor would be equal 
to reporting large breaches of PHI under HIPAA which has been 
calculated at 1.5 hours per response at an hourly wage rate of $81.28 
\364\ for a total estimated cost of $121.92 per response. For an 
estimated 506 annual investigations this would result in a total cost 
of $61,726. This figure represents an overestimate because it assumes 
100 percent of investigations would involve unknowing receipt of part 2 
records prior to seeking a court order. The Department assumes that the 
actual proportion of investigations falling within the reporting 
requirement would be less than 25 percent of cases, although it lacks 
data to substantiate this assumption. The final rule also adds to the 
definition of investigative agencies to include local, territorial, and 
Tribal agencies. The Department acknowledges the potential for 
expanding the definition to increase the affected population for 
investigative agencies; however, the Department lacks sufficient data 
to quantify the number of additional agencies impacted by the rule. The 
estimated costs for new reporting to the Secretary are presented in 
Table 16 below.
---------------------------------------------------------------------------

    \364\ This is a composite wage rate used in burden estimates for 
the Department's breach notification Information Collection Request.

---------------------------------------------------------------------------

[[Page 12598]]

[GRAPHIC] [TIFF OMITTED] TR16FE24.025

f. Summary of First Year Costs
    Table 17 presents the total first year part 2 quantified costs 
presented in the above sections, totaling $23.9 million.
BILLING CODE 4153-01-P

[[Page 12599]]

[GRAPHIC] [TIFF OMITTED] TR16FE24.026

BILLING CODE 4153-01-C
g. Final Rule Changes Resulting in Negligible Fiscal Impact
Sections 2.1 and 2.2 Statutory Authority and Enforcement
    While civil enforcement of part 2 by the Department may increase 
costs for part 2 programs or lawful holders that experience a breach or 
become the subject of a part 2 complaint or compliance review, the 
costs of responding to a potential violation are not calculated 
separately from the costs of complying with new or changed regulatory 
requirements. Thus, the Department's analysis does not estimate any 
program costs for the changes to Sec. Sec.  2.1 and 2.2 of 42 CFR part 
2.
Section 2.3 Civil and Criminal Penalties for Violations
    The final rule adds local, territorial, and Tribal agencies to the 
investigative agency definition. In Sec.  2.3(b)(1), investigative 
agencies that do not use reasonable diligence would be precluded from 
seeking a court order to use or disclose part 2 records that they later 
discover in their possession. The Department acknowledges there may be 
an overall increase in the affected population associated with 
including local, territorial, and Tribal agencies to investigative 
agency definition; however, the Department lacks sufficient data on the 
extent these agencies are involved in investigating part 2 programs to 
quantify these potential impacts.
    Section 2.3 also creates a limitation on civil or criminal 
liability for persons acting on behalf of investigative agencies when 
they may unknowingly receive part 2 records without first

[[Page 12600]]

obtaining the requisite court order. The final rule mandates reasonable 
diligence steps that mean taking all of the following actions:
    Searching for the practice or provider among the SUD treatment 
facilities in SAMHSA's online treatment locator; searching in a similar 
state database of treatment facilities where available; checking a 
practice or program's website, where available, or physical location; 
viewing the entity's Patient Notice or HIPAA NPP if it is available; 
and taking all these steps within no more than 60 days before 
requesting records or placing an undercover agent or informant. The 
regulatory change encourages investigative agencies to take 
preventative measures, reducing the need for after-the-fact court 
orders. The Department acknowledges that the reasonable diligence steps 
may result in additional burdens for investigative agencies to check 
websites and visit physical locations; however, the Department lacks 
sufficient data to quantify the additional burden and expects that it 
is negligible.
Section 2.11 Definitions
    Changes to the regulatory definitions are not likely to create 
significant increases or decreases in burdens for part 2 programs or 
covered entities and business associates. These entities, collectively, 
would benefit from the regulatory certainty resulting from 
clarification of terms; however, the definitions are generally intended 
to codify current usage and understanding of the defined terms. One 
change that has the potential to result in additional burden to part 2 
programs but potentially represents a benefit of increased privacy 
protection for patients would be the inclusion of a new definition of 
``SUD counseling notes.'' The Department has discussed the potential 
impact to the inclusion of SUD counseling notes in Sec.  2.31. The 
Department also changes the definition of ``investigative agency'' to 
include local, territorial, and Tribal agencies. This change in the 
definition has the potential to increase the population of 
investigative agencies. Additional discussion on the potential impact 
of adding local, territorial, and Tribal agencies is discussed in Sec.  
2.3. The final rule adds a new definition on ``lawful holder'' used in 
several provisions. The final rule also adds a new definition of 
``personal representative,'' replacing language in Sec.  2.15 
describing individuals authorized to act on a patient's behalf, as 
mentioned under the discussion on Sec.  2.15 below. Another change to 
the definition of ``intermediary'' excludes part 2 programs, covered 
entities, and business associates and may result in burden decreases to 
these entities, as mentioned under the discussion on Sec.  2.24 below. 
The Department estimates that these three changes will have a 
negligible impact.
Section 2.12 Applicability
    The final rule change from ``Armed Forces'' to ``Uniformed 
Services'' in paragraphs (b)(1) and (c)(2) of Sec.  2.12 is likely to 
result in only a negligible change in burden because this terminology 
is already in use in 42 U.S.C. 290dd-2. Adding ``uses'' and 
``disclosures'' in several places provides clarity and consistency, but 
is unlikely to create quantifiable costs or cost savings. Adding the 
four express statutory restrictions on use and disclosure of records 
for court proceedings \365\ in paragraph (d)(1) of this section will 
likely result in no significant burden change, as the restrictions on 
use and disclosure of records for criminal investigations and 
prosecutions of patients are already stringent and the ability to 
obtain a court order remains. Excluding covered entities from the 
restrictions applied to other ``third-party payers'' in paragraph 
(d)(2) of this section would reduce burden on covered entities that are 
health plans because they will be permitted to disclose records for a 
wider range of health care operations than under the current 
regulation. However, this burden reduction is similar to that for all 
covered entities under the final rule, so the Department has not 
estimated the costs or benefits separately from the effects of Sec.  
2.33 (Uses and disclosures permitted with written consent).
---------------------------------------------------------------------------

    \365\ See 42 U.S.C. 290dd-2(c).
---------------------------------------------------------------------------

Section 2.13 Confidentiality Restrictions and Safeguards
    The primary change to this section is to remove paragraph (d) and 
redesignate it as Sec.  2.24. Additionally, adding the term ``use'' to 
the circumstances when disclosures are permitted or prohibited provides 
clarification, but is unlikely to generate a change in burden 
associated with this provision.
Section 2.14 Minor Patients
    The final rule changes to this section would clarify that a part 2 
program director may clinically evaluate whether a minor has decision 
making capacity, but not issue a legal judgment to that effect. The 
changes also add ``uses'' to ``disclosures'' as the types of activities 
regulated under this section. None of the changes would be likely to 
result in quantifiable burdens to part 2 programs.
Section 2.15 Patients Who Lack Capacity and Deceased Patients
    The final rule replaces the terms for ``guardian or other 
individual authorized under state law to act on the patient's behalf'' 
with the term ``personal representative'' under Sec.  2.11, as 
described above. The Department does not anticipate this to result in 
any significant burdens or benefits. The Department's final rule will 
also replace outdated references to incompetence and instead refer to a 
lack of capacity to make health care decisions and will add ``uses'' to 
``disclosures'' to describe the activities permitted when certain 
conditions are met. These clarifications and additions are unlikely to 
generate a change in burden that can be quantified, and thus they are 
not included in the Department's calculation of estimated costs and 
cost savings.
Section 2.17 Undercover Agents or Informants
    The final rule adds the phrase ``and disclosure'' in the heading of 
paragraph (b) of this section and ``or disclosed'' after ``used'' in 
paragraph (b) for consistency with changes throughout the rule to align 
with HIPAA language. We do not expect any change in burden as a result 
of this change.
Section 2.20 Relationship to State Laws
    The final rule adds the term ``use'' to describe activities 
regulated by this section. Similar to 42 CFR part 2, state laws impose 
restrictions on uses and disclosures related to SUD and the Department 
assumes programs subject to regulation by this part would be able to 
comply with part 2 and the state law. The Department does not 
anticipate these changes would result in a quantifiable increase or 
decrease in burden.
Section 2.21 Relationship to Federal Statutes Protecting Research 
Subjects Against Compulsory Disclosure of Their Identity
    The Department replaced ``disclosure and use'' with ``use and 
disclosure'' to align the language of this section with the HIPAA 
Privacy Rule. The edit does not require any changes to existing part 2 
requirements. The Department does not anticipate this change would 
result in a quantifiable increase or decrease in burden.

[[Page 12601]]

Section 2.24 Requirements for Intermediaries
    The final rule changes the definition of ``intermediary'' to 
exclude part 2 programs, covered entities, and business associates, as 
noted above. The Department acknowledges that this poses a burden 
reduction to covered entities and business associates as they are no 
longer subject to these requirements; however, the Department does not 
anticipate these changes to have a significant impact.
Section 2.31 Consent Requirements
    The final rule adds a new consent requirement at Sec.  2.31(b), 
requiring separate consent for the use and disclosure of SUD counseling 
notes. The final rule limits use and disclosure of SUD counseling notes 
without patient consent in a manner that aligns with the HIPAA Privacy 
Rule authorization requirements for psychotherapy notes. The Department 
believes there is a qualitative benefit to patients and clinicians who 
keep separate SUD counseling notes. Requiring a separate consent for 
SUD counseling notes offers a means for patients to selectively 
disclose sensitive information and reduces barriers to clinicians 
recording treatment information for patients concerned about their 
confidentiality being protected. The Department acknowledges that there 
is a potential increase in the administrative burden to part 2 programs 
for segmenting SUD counseling notes as well as obtaining an additional 
patient consent; however, a separate consent requirement strikes a 
balance between heightened protection and an appropriately tailored 
permission for uses and disclosures that are low risk for abuse or 
related to requirements in law. The Department lacks sufficient data on 
the number of SUD counseling notes requiring additional consent and 
does not expect there to be a large number; and therefore, does not 
anticipate these changes would result in a quantifiable increase or 
decrease in burden.
Section 2.34 Uses and Disclosures To Prevent Multiple Enrollments
    The final rule adds the term ``uses'' to the heading and 
incorporate minor word changes and style edits for clarity. The edits 
do not require any changes to existing part 2 requirements. The 
Department does not anticipate these changes would result in a 
quantifiable increase or decrease in burden.
Section 2.35 Disclosures to Elements of the Criminal Justice System 
Which Have Referred Patients
    The final rule replaces the term ``individuals'' with ``persons,'' 
clarify that permitted redisclosures of information are from part 2 
records, and make minor word and style edits for clarity. The edits do 
not require any changes to existing part 2 requirements. The Department 
does not anticipate these changes would result in a quantifiable 
increase or decrease in burden.
Section 2.52 Scientific Research
    The Department considered whether the requirement to align the de-
identification standard in Sec.  2.52 (and throughout part 2) with the 
HIPAA Privacy Rule de-identification standard in 45 CFR 164.514 would 
significantly increase burden for part 2 programs or result in any 
unintended negative consequences. The Department concluded that the 
final rule change would not significantly increase burden because a 
part 2 program would need to follow detailed protocols to ensure that 
the current standard is met that are similar to the level of work 
needed to adhere to the HIPAA Privacy Rule standard. Additionally, the 
final rule ensures that all part 2 programs are following similar 
standards for de-identification, which would benefit researchers when 
creating data sets from different part 2 programs, by enabling them to 
populate the data sets with similar content elements.
Section 2.53 Management Audits, Financial Audits, and Program 
Evaluation
    The final rule clarifies that some audit and evaluation activities 
may be considered health care operations could be used by part 2 
programs, covered entities, and business associates to obtain records 
based on consent for health care operations and then such entities 
could redisclose them as permitted by the HIPAA Privacy Rule. The HIPAA 
Privacy Rule may allow these entities greater flexibility to use or 
redisclose the part 2 records for permitted purposes compared to the 
limitations contained in Sec.  2.53 of part 2. For part 2 programs that 
are covered entities, this change could result in burden reduction 
because they would not have to track the records used for audit and 
evaluation purposes as closely; however, the Department is without data 
to quantify the potential cost reduction. For business associates, 
there would likely be no change in burden because they are already 
obligated by contract to only use or disclose PHI (which may be part 2 
records) as allowed by the agreement with the covered entity.
    As discussed in preamble, the disclosure permission under Sec.  
2.53 would continue to apply to audits and evaluations conducted by a 
health oversight agency without patient consent. The Department does 
not believe that the text of section 3221(e) of the CARES Act indicates 
congressional intent to alter the established oversight mechanisms for 
part 2 programs, including those that provide services reimbursed by 
Medicare, Medicaid, and Children's Health Insurance Program (CHIP). The 
Department also intends that a government agency conducting activities 
that could fall within either Sec.  2.53 or Sec.  2.33 for health care 
operations would have the flexibility to choose which permission to 
rely on and would not have to meet the conditions of both sections. In 
the event that the agency is a covered entity that has received the 
records based on a consent for TPO, it could further redisclose the 
records as permitted by the HIPAA Privacy Rule. Further, the Department 
intends that the availability of the safe harbor under Sec.  2.3 does 
not affect the ability of government agencies conducting health 
oversight to continue relying on Sec.  2.53 to access records without a 
court order.
Section 2.54 Disclosures for Public Health
    The Department does not believe that an express permission to 
disclose records to public health authorities without patient consent 
will impact burdens to a significant degree. While part 2 programs will 
likely experience a burden reduction from the lifting of a consent 
requirement, the permission may cause an increase in disclosures to 
public health authorities, resulting in a net impact of no change to 
burdens. Additionally, to the extent these disclosures are required by 
other law, the compliance burden is not calculated as a change caused 
by part 2.
Sections 2.61 Through 2.65 Procedures for Court Orders
    The Department lacks sufficient data to estimate the number of 
instances where the expanded scope of protection from use or disclosure 
of records against the patient in legal proceedings (including in 
administrative and legislative forums) would result in increased 
applications for court orders authorizing the disclosure of part 2 
records or testimony.

[[Page 12602]]

Section 2.66 Procedures and Criteria for Orders Authorizing Use and 
Disclosure of Records To Investigate or Prosecute a Part 2 Program or 
the Person Holding the Records
    Section 2.66(a)(3) provides specific procedures for investigative 
agencies to follow upon discovering after the fact that they are 
holders of part 2 records, such as securing, returning, or destroying 
the records and optionally seeking a court order under subpart E. 
Although the existing regulation does not expressly require law 
enforcement agencies to return or destroy records that it cannot use in 
investigations or prosecutions against a part 2 program when it does 
not obtain the required court order, it requires lawful holders to 
comply with Sec.  2.16 (Security for records). The Department developed 
the requirements in Sec.  2.66(a)(3) (to return or destroy records that 
an investigative agency is unable to use or disclose in an 
investigation or prosecution) to parallel the existing requirements in 
Sec.  2.16 for programs and lawful holders to establish policies for 
securing paper and electronic records, removing them, and destroying 
them. Section 2.66(c) requirements to obtain a court order, obtain 
information in violation if this part, or to return or destroy the 
records within a reasonable time (no more than 120 days from 
discovering it has received part 2 records), would not significantly 
increase the existing burden for investigative agencies to comply with 
Sec.  2.16.
Section 2.67 Orders Authorizing the Use of Undercover Agents and 
Informants To Investigate Employees or Agents of a Part 2 Program in 
Connection With a Criminal Matter
    Section 2.67(c)(4) restricts an investigative agency from seeking a 
court order authorizing placement of an undercover agent or informant 
unless it has first exercised reasonable diligence as described by 
Sec.  2.3(b). This provision serves as a prerequisite that would allow 
an investigative agency to continue placement of the undercover agent 
or informant in a part 2 program by correcting an error of oversight if 
the investigative agency learns after the fact that the undercover 
agent or informant is in a part 2 program and avoiding the risk of 
penalties for the violation. The Department anticipates that the added 
burden for searching SAMHSA's online treatment locator 
(FindTreatment.gov) and a similar state database, and a program's 
website or physical location, including its Patient Notice or HIPAA NPP 
to ascertain whether the program provides SUD treatment, would be 
minimal, as these activities would normally be included in the course 
of investigating and prosecuting a part 2 program. The requirement 
would merely shift the timing of these actions in some cases so that 
investigative agencies ensure they are completed prior to requesting 
court approval of an undercover agent or use of an informant. The 
primary burden on investigative agencies would be to include a 
statement in an application for a court order after learning of the 
program's part 2 status after the fact, that the investigator or 
prosecutor first exercised reasonable diligence to determine whether 
the program provided SUD treatment. The burden for including this 
statement within an application for a court order is minimal and could 
consist of standard language used in each application. Thus, the 
Department has not calculated specific quantitative costs for 
compliance.
h. Costs Borne by the Department
    This rule has cost impact on HHS. HHS has the primary 
responsibility to assess the regulatory compliance of covered entities 
and business associates and part 2 programs. This final rule would 
extend those responsibilities to part 2 programs. In addition to 
promulgating the current regulation, HHS would be responsible for 
developing guidance and conducting outreach to educate the regulated 
community and the public. The final rule also requires HHS to 
investigate and resolve complaints and compliance reviews as part of 
its expanded responsibility for part 2 compliance and enforcements. The 
Department estimates that implementing the new part 2 enforcement 
requirements would require two full-time policy employees (or 
contractors) at the Office of Personnel Management (OPM) General 
Schedule (GS) GS-14 or equivalent level who will develop regulation, 
guidance, and national-level outreach. Additionally, the Department 
estimates needing eight full-time employees (or contractors) for 
enforcement at a GS-13 or equivalent level to investigate, train 
investigators, and provide local outreach to regulated entities.\366\ 
The cost of labor for enforcement of part 2 programs across the ten 
employees described above amounts to $2,214,100 in the first year and 
$11,808,508 over all five years from 2024 to 2028, including 
appropriate step increases expected across years. The Department also 
estimates costs for hiring a contractor to create a breach portal or a 
part 2 module for the existing HIPAA breach portal. The Department 
assumes that the costs of hiring each contractor to maintain the breach 
portal amounts to 5 percent of the annual operation and management 
funding for the breach portal.\367\ The initial posting of such 
breaches is automated, and HHS currently pays a contractor 
approximately $13,814 annually to maintain the database to receive 
reports of breaches from HIPAA covered entities. Under the same 
assumptions, the Department estimates approximately $13,814 to hire a 
second contractor to maintain the database to exclusively receive 
reports of breaches from part 2 programs. Additionally, HHS drafts and 
posts summaries of each large breach on the website, using a 
combination of GS-12, GS-13, GS-14, and GS-15 workers.\368\ In total, 
the Department assumes it will take workers 1.5 hours to summarize each 
breach and that there will be 267 breaches requiring summaries per 
year, equaling a labor cost of approximately $32,107 per year. To 
implement the enforcement requirements, breach portal maintenance, and 
breach summary reporting, the Department estimates that first year 
Federal costs will be approximately $2,260,021 million. The Department 
estimates that based on the GS within grade step increases for each of 
the GS-13 and GS-14 employees working to enforce part 2 the Federal 
costs will be approximately $12,038,112 million over 5 years. These 
costs are presented in Table 18 below. The NPRM had not originally 
included the cost to the Department in the total cost estimate. 
However, as these costs to the Department are new to establish an

[[Page 12603]]

enforcement program for part 2, they have been incorporated into the 
final costs, presented below.\369\
---------------------------------------------------------------------------

    \366\ To determine the salary rate of the employees at the GS-13 
and GS-14 pay scale, the Department used the U.S. OPM's GS 
classification and pay system and used the Department's General 
Schedule (Base) annual rates. The Department used the available 2022 
data for the estimated costs. In 2022, the salary table for schedule 
GS-13, step 1 annual rate is $213,646, including $106,832 plus 100% 
for fringe benefits and overhead, and the GS-14, step 1 annual rate 
is $252,466, including $126,233 plus 100% for fringe benefits and 
overhead. The Department estimated the costs over 5 years based on 
within-grade step increases based on an acceptable level of 
performance and longevity (waiting periods of 1 year at steps 1-3 
and 2 years at steps 4-6).
    \367\ The Department estimates that the O&M costs of maintaining 
the portal are $276,281 in 2022.
    \368\ The Department uses hourly rates for Federal employees 
from the OPM's GS Base hourly rates for 2022. All workers are 
assumed to be at step 1. In 2022, GS-12 workers' hourly rate is 
$65.46, including $32.73 plus 100% for fringe benefits and overhead; 
GS-13 workers' hourly rate is $77.84, including $38.92 plus 100% for 
fringe benefits and overhead; an average rate between GS-14 and GS-
15 workers is used, equaling $100.08, including $50.04 plus fringe 
benefits and overhead; and lastly HHS headquarters staff is 
calculated at the GS-12 step 1 level with Washington, DC locality 
pay, equaling $86.06, including $43.04 plus 100% for fringe benefits 
and overhead.
    \369\ Note, an FY 2024 budget request to support additional 
enforcement activity is pending. See U.S. Dep't of Health and Human 
Servs., ``Department of Health and Human Services, Fiscal Year 
2024,'' FY 2024 Budget Justification, General Department Management, 
Office for Civil Rights, at 255, https://www.hhs.gov/sites/default/files/fy-2024-gdm-cj.pdf.
---------------------------------------------------------------------------

BILLING CODE 4153-01-P
[GRAPHIC] [TIFF OMITTED] TR16FE24.027

i. Comparison of Benefits and Costs
    The final rule results in costs, cost savings, and benefits as 
described in the preceding sections. Table 19 presents the 5-year costs 
and cost savings associated with part 2. Finally, Table 20 provides a 
narrative description of the non-quantified final rule changes and 
costs and benefits.
[GRAPHIC] [TIFF OMITTED] TR16FE24.028


[[Page 12604]]


[GRAPHIC] [TIFF OMITTED] TR16FE24.029


[[Page 12605]]


[GRAPHIC] [TIFF OMITTED] TR16FE24.030

BILLING CODE 4153-01-C
Consideration of Regulatory Alternatives
    Upon review of public comments on the NPRM, the Department 
considered alternatives to several proposals and the provisions that 
are finalized in this rule as explained below.
Section 2.11 Definitions
Lawful Holder
    Although not required by the CARES Act, the Department is 
finalizing a regulatory definition of the term ``lawful holder.'' We 
considered expressly excluding family, friends, and informal caregivers 
from the definition because we understand that these types of informal 
caregivers are overwhelmingly not professional entities and would not 
have the means or other resources necessary to meet obligations that 
part 2 places upon them. For example, Sec.  2.16 requires part 2 
programs or other lawful holders to have in place formal policies and 
procedures to protect against unauthorized disclosures and a patient's 
family member who receives a record based on consent could not be 
reasonably expected to comply.
    The description of ``lawful holder'' as a person who has received a 
part 2 record based on consent means that any person who receives 
records pursuant to a valid consent could be considered a lawful 
holder. We believe maintaining the parameters of the definition so it 
is confined to those who receive records as specified, is clear and 
unambiguous. To maintain this clarity, the Department believes it more 
appropriate to carve out an exception in Sec.  2.16 for certain types 
of lawful holders (i.e., family, friends, and informal caregivers) from 
those obligations to which they should not reasonably be expected to 
adhere. As we discuss in preamble, we do expect that these informal 
caregivers will still exercise some level of caution and care when 
handling these records.
Section 2.12 Exception for Reporting Suspected Abuse and Neglect
    The Department considered for a second time expanding the exception 
under Sec.  2.12(c)(6) for reporting suspected child abuse and neglect 
to include reporting suspected abuse and neglect of adults. Such an 
expansion would be consistent with the HIPAA Privacy Rule permission to 
report abuse, neglect, or domestic violence at 45 CFR 164.512(c), and 
could be beneficial for vulnerable adults, such as persons who are 
incapacitated or otherwise are unable to make health care decisions on 
their own behalf. However, Sec.  2.12(c)(6), under the authority of 42 
U.S.C. 290dd-2, limits the reporting of abuse and neglect to reporting 
child abuse and neglect as required by State or local law. Further, 
section (c) of the authorizing statute also restricts uses of records 
in criminal, civil, or administrative contexts, which could include 
investigations by a protective services agency, for example, unless 
pursuant to a court order or with the patient's consent. Therefore, the 
Department determined that expanding the exception under Sec.  
2.12(c)(6) to include reporting abuse and neglect of adults would 
exceed the statutory authority although we believe such reporting is 
needed.
Section 2.16 Security of Records and Notification of Breaches
    The Department considered further harmonizing part 2 and the HIPAA 
regulations by applying the HIPAA Security Rule, or components of it, 
to

[[Page 12606]]

part 2 programs and other lawful holders with respect to electronic 
part 2 records. A majority of commenters who addressed this issue 
recommended applying the HIPAA Security Rule to part 2 programs; 
however, few of these comments were from part 2 programs. Further, the 
CARES Act did not make the HIPAA Security Rule applicable to part 2 
programs. The Department is not finalizing any additional modifications 
to align the HIPAA Security Rule and part 2 at this time, but will take 
these comments into consideration in potential future rulemaking.
Breach Notification Obligation for QSOs
    The Department considered expressly applying breach notification 
provisions finalized in paragraph (b) of Sec.  2.16 to qualified 
service organizations ``in the same manner as those provisions apply to 
a business associate [. . .]''. To the extent that QSOs handle 
unsecured part 2 records on behalf of part 2 programs, the same policy 
objectives for requiring breach notification would equally apply. 
Further, to align with the structure of HIPAA, which imposes breach 
notification obligations on both covered entities and business 
associates, the Department considered that finalizing a parallel 
provision would further align the regulations. However, in analyzing 
title 42, as amended by the CARES Act, Congress was silent on this 
issue. In comparison, in section 13402(b) of the HITECH Act, Congress 
expressly extended the obligation of a business associate to notify 
covered entity in the event of a breach of PHI. This difference leads 
us to conclude that the requirement for QSOs to report was not 
intended. However, we expect that part 2 programs are likely to 
consider adding such requirements to QSO agreements to enable the 
programs to meet their breach notification obligations.
Section 2.26 Right To Request Restrictions Based on Ability To Pay
    Section 290dd-2 of title 42 of U.S.C., as amended by the CARES Act, 
applied section 13405(c) of the HITECH Act, including the right of a 
patient to obtain restrictions on disclosures to health plans for 
services paid in full similar to how the right is structured in the 
HIPAA Privacy Rule at 45 CFR 164.522 with respect PHI. In response to 
public comments, the Department considered a more equitable provision 
that would require part 2 programs to agree to a requested restriction 
in the case of those who cannot afford to pay for care in full. The 
Department determined that the amended statute did not grant such 
authority. The Sense of Congress in the CARES Act, section 3221(k)(3), 
provides that: ``[c]overed entities should make every reasonable effort 
to the extent feasible to comply with a patient's request for a 
restriction regarding a particular use or disclosure.'' Although the 
Sense of Congress did not include part 2 programs in its urging, we 
encourage these programs to also make every reasonable effort to 
fulfill requested restrictions on disclosures for TPO.
Sections 2.31 and 2.32 Tracking Consent and Revocation of Consent
    The Department considered alternatives to facilitate the new TPO 
consent and redisclosure permission for recipients of part 2 records 
and ensure such records are protected from use and disclosure in 
proceedings against the patient, absent consent or a court order. The 
Department further considered how other changes to the scope of a 
patient's consent would be tracked or communicated to recipients, such 
as patient-requested restrictions on disclosures and revocation of 
consent. We received many comments offering information about current 
practices, technology capabilities, and different approaches to 
tracking consent, revocation, and restrictions, as discussed in the 
preamble, and considered not imposing any new requirements. However, 
comments that sought no requirement to track the scope of consent 
provided were from organizations that did not believe that the 
prohibition on use of records in proceedings against patients should 
continue to apply to records received by a covered entity or business 
associate under a TPO consent. We disagree with this view and further, 
recognize that patients may still provide a consent for disclosures 
that is not a TPO consent. We considered requiring a copy of consent to 
be attached to each disclosure without any other option; however, in 
consideration of the amount of the burden and the available HIE models 
used to exchange electronic records, we offer an option in new 
paragraph (b) of Sec.  2.32 for disclosers to provide a clear 
explanation of the scope of the consent provided. We believe this 
offers the flexibility needed for health IT systems to exchange needed 
information about the consent status of an electronic record.
    The Department also analyzed how part 2 programs and recipients of 
records would effectively implement a patient's revocation of consent 
and considered adding a requirement for programs to notify recipients 
when a consent is revoked. Upon consideration of the complexities and 
burden this would impose we decided not to create a regulatory 
requirement, but to explain our expectation in preamble that programs 
would ensure patients' revocation rights are respected.
Section 2.52 Adding a Permission To Disclose Records in Limited Data 
Sets
    The Department considered adding a permission to allow part 2 
programs to disclose records in the form of a limited data set. The 
part 2 requirements for a limited data set would have matched those for 
limited data sets under the HIPAA Privacy Rule (45 CFR 164.504(e)) and 
would have responded to public comments requesting such a permission 
for research and public health disclosures of records. However, title 
42 refers only to the disclosure of records de-identified to the HIPAA 
standard at 45 CFR 164.514(b) for public health purposes and this 
differs from de-identification allowed for a limited data set under 45 
CFR 164.514(e). Although the Department is finalizing new standards for 
public health and research purposes that align with the 45 CFR 
164.514(a) and (b), we are not promulgating a standard for limited data 
sets at this time.
Subpart E Evidentiary Suppression Remedy for Records Obtained in 
Violation of Part 2
    In response to commenters' concerns about the potential for law 
enforcement to obtain records through coerced patient consent, we 
considered creating an express right for patients to request 
suppression of records obtained in violation of this part for use as 
evidence in proceedings against them. However, we determined that was 
unnecessary for two reasons. First, the provision for patients to 
consent to use and disclosure of records in investigations and 
proceedings against them is not new--it is covered in Sec.  2.33(a)--
thus, newly heightened concern about consent based on changes in this 
final rule is unwarranted. Second, the prohibition on disclosures based 
on false consent in Sec.  2.31(c) offers some protection to patients 
from coerced consent.
Sections 2.66 and 2.67 Preventing Misuse of Records by Investigative 
Agencies
    In response to public comments expressing concern about misuse of 
records by investigative agencies shielded from liability under the 
proposed safe harbor, the Department considered describing, in 
preamble, the expectation that information from records obtained in 
violation of part 2 cannot be used to apply for a court order for such 
records. Instead, the

[[Page 12607]]

Department added language to Sec. Sec.  2.66(c)(3) and 2.67(c)(4) to 
expressly prohibit the use of such information, in regulatory text. The 
Department believes codifying the prohibition in regulatory text 
creates an enforceable legal prohibition and more strongly deters 
investigative agencies from misusing records or information obtained in 
violation of part 2.
HIPAA NPP
    The Department considered finalizing modifications to 45 CFR 
164.520 in this final rule and decided not to do so, in part, because 
of limitations on how often modifications may be made to the HIPAA 
Privacy Rule.\370\ Thus, it is necessary to combine changes to the 
HIPAA NPP with other changes to the HIPAA NPP that are anticipated in 
the future. Finalizing changes to the HIPAA NPP in this final rule 
would prevent us from making any further modifications to the HIPAA NPP 
for one year. We realize this creates a possible gap when covered 
entities may have changes in policies and procedures that are not 
reflected in their HIPAA NPP; however, potentially needing to make 
multiple changes to the HIPAA NPP over a short time span would be 
equally problematic and confusing to individuals. Additionally, each 
set of revisions to the HIPAA NPP would add a burden to covered 
entities for making updates and distributing the HIPAA NPP totaling 
approximately $45 million as described in the NPRM.\371\ As explained 
in preamble, we intend to align compliance dates for any required 
changes to the HIPAA NPP and part 2 Patient Notice to enable covered 
entities to make such changes at the same time.
---------------------------------------------------------------------------

    \370\ See 45 CFR 160.104 (limiting changes by the Secretary to 
HIPAA standards or implementation specifications to once every 12 
months).
    \371\ See 87 FR 74216 (Dec. 2, 2022), Table 9b. Privacy Rule 
Costs and Savings Over 5-year Time Horizon.
---------------------------------------------------------------------------

B. Regulatory Flexibility Act

    The Department has examined the economic implications of this final 
rule as required by the Regulatory Flexibility Act (5 U.S.C. 601-612). 
If a rule has a significant economic impact on a substantial number of 
small entities, the Regulatory Flexibility Act (RFA) requires agencies 
to analyze regulatory options that would lessen the economic effect of 
the rule on small entities. For purposes of the RFA, small entities 
include small businesses, nonprofit organizations, and small 
governmental jurisdictions. The Act defines ``small entities'' as (1) a 
proprietary firm meeting the size standards of the Small Business 
Administration (SBA), (2) a nonprofit organization that is not dominant 
in its field, and (3) a small government jurisdiction of less than 
50,000 population. The Department did not receive any public comments 
on the NPRM small business analysis assumptions and is therefore making 
no changes to them for this final rule; however, we have updated this 
analysis of small entities for consistency with revisions to the 
regulatory impact analysis relating to the costs and cost savings to 
part 2 programs and covered entities. The Department has determined 
that roughly 90 percent or more of all health care providers meet the 
SBA size standard for a small business or are nonprofit organization. 
The Department assumes the part 2 program entities have the same size 
distribution as health care providers. Therefore, the Department 
estimates there are 14,459 small entities affected by this rule.\372\ 
The SBA size standard for health care providers ranges between a 
maximum of $9 million and $47 million in annual receipts, depending 
upon the type of entity.\373\
---------------------------------------------------------------------------

    \372\ 14,459 = 16,066 (the number of part 2 program) x 0.9 (90% 
of all health care providers are small entities).
    \373\ This range of size standards covers the full list of 6-
digit codes in Sector 62--Health Care and Social Assistance. The 
analysis uses SBA size standards effective as of March 17, 2023. 
U.S. Small Business Admin., ``Table of Small Business Size 
Standards,'' https://www.sba.gov/sites/sbagov/files/2023-06/Table%20of%20Size%20Standards_Effective%20March%2017%2C%202023%20%282%29.pdf.
---------------------------------------------------------------------------

    The projected costs and savings are discussed in detail in the RIA 
(section 4.e.). This final rule would create cost savings for regulated 
entities (part 2 programs and covered entities), many of which are 
small entities. The Department considers a threshold for the size of 
the impact of 3 to 5 percent of entity annual revenue as a measure of 
significant economic impact. The Department estimates the annualized 3 
percent discounted net savings, excluding Federal Government costs 
since they do not apply to covered or small entities, of this rule to 
be $4,921,888. Spread across 14,459 small entities, the average savings 
per small entity are equal to $340.39. Since even the smallest entities 
in Sector 62 average over $55,000 in annual receipts, the projected 
impact for most of them is well below the 3 to 5 percent 
threshold.\374\ Therefore, the Secretary certifies that this final rule 
would not result in a significant negative impact on a substantial 
number of small entities.
---------------------------------------------------------------------------

    \374\ The entities in the smallest recorded receipt size 
category (<$100,000) average $56,500 in annual receipts (in 2022 
dollars). See U.S. Census. ``2017 SUSB Annual Data Tables by 
Establishment Industry''. https://www.census.gov/data/tables/2017/econ/susb/2017-susb-annual.html.
---------------------------------------------------------------------------

C. Unfunded Mandates Reform Act

    Section 202(a) of The Unfunded Mandates Reform Act of 1995 requires 
that agencies assess anticipated costs and benefits before issuing any 
rule whose mandates require spending that may result in expenditures in 
any one year of $100 million in 1995 dollars, updated annually for 
inflation. The current threshold after adjustment for inflation is $177 
million, using the most current (2022) Implicit Price Deflator for the 
Gross Domestic Product. The Department does not anticipate that this 
final rule would result in the expenditure by state, local, and Tribal 
governments, taken together, or by the private sector, of $177 million 
or more in any one year. The final rule, however, present novel legal 
and policy issues, for which the Department is required to provide an 
explanation of the need for this final rule and an assessment of any 
potential costs and benefits associated with this rulemaking in 
accordance with E.O.s 12866 and 13563. The Department presents this 
analysis in the preceding sections.

D. Executive Order 13132--Federalism

    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a proposed rule (and subsequent 
final rule) that imposes substantial direct requirement costs on state 
and local governments, preempts state law, or otherwise has federalism 
implications. The Department does not believe that this rulemaking 
would have any federalism implications.
    The federalism implications of the HIPAA Privacy, Security, Breach 
Notification, and Enforcement Rules were assessed as required by E.O. 
13132 and published as part of the preambles to the final rules on 
December 28, 2000,\375\ February 20, 2003,\376\ and January 25, 
2013.\377\ Regarding preemption, the preamble to the final HIPAA 
Privacy Rule explains that the HIPAA statute dictates the relationship 
between state law and HIPAA Privacy Rule requirements, and the Privacy 
Rule's preemption provisions do not raise federalism issues. The HITECH 
Act, at section 13421(a), provides that the HIPAA preemption provisions 
shall apply to the HITECH Act provisions and requirements.
---------------------------------------------------------------------------

    \375\ 65 FR 82462, 82797.
    \376\ 68 FR 8334, 8373.
    \377\ 78 FR 5566, 5686.
---------------------------------------------------------------------------

    The federalism implications of part 2 were assessed and published 
as part of

[[Page 12608]]

the preamble to proposed rules on February 9, 2016.\378\
---------------------------------------------------------------------------

    \378\ 81 FR 6987, 7012 (Feb. 9, 2016).
---------------------------------------------------------------------------

    The Department anticipates that the most significant direct costs 
on state and local governments would be the cost for state and local 
government-operated covered entities to revise consent forms, policies 
and procedures, providing notification in the event of a breach of part 
2 records and drafting, printing, and distributing Patient Notices for 
individuals with first-time health encounters. The RIA above addresses 
these costs in detail.
    In considering the principles in and requirements of E.O. 13132, 
the Department has determined that the final rule would not 
significantly affect the rights, roles, and responsibilities of the 
States.

E. Assessment of Federal Regulation and Policies on Families

    Section 654 of the Treasury and General Government Appropriations 
Act of 1999 \379\ requires Federal departments and agencies to 
determine whether a proposed or final policy or regulation could affect 
family well-being. If the determination is affirmative, then the 
Department or agency must prepare an impact assessment to address 
criteria specified in the law. The Department believes that these 
regulations would positively impact the ability of patients and 
families to coordinate treatment and payment for health care, 
particularly for families to participate in the care and recovery of 
their family members experiencing SUD treatment, by aligning the 
permission for covered entities and business associates to use and 
disclose records disclosed to them for TPO purposes with the 
permissions available in the HIPAA Privacy Rule. The Department does 
not anticipate negative impacts on family well-being as a result of 
this regulation or the separate rulemaking as described.
---------------------------------------------------------------------------

    \379\ Public Law 105-277, 112 Stat. 2681 (Oct. 21, 1998).
---------------------------------------------------------------------------

F. Paperwork Reduction Act of 1995

    Under the Paperwork Reduction Act of 1995 (PRA) (Pub. L. 104-13), 
agencies are required to submit to the OMB for review and approval any 
reporting or recordkeeping requirements inherent in a proposed or final 
rule, and are required to publish such proposed requirements for public 
comment. The PRA requires agencies to provide a 60-day notice in the 
Federal Register and solicit public comment on a proposed collection of 
information before it is submitted to OMB for review and approval. To 
fairly evaluate whether an information collection should be approved by 
OMB, section 3506(c)(2)(A) of the PRA requires that the Department 
solicit comment on the following issues:
    1. Whether the information collection is necessary and useful to 
carry out the proper functions of the agency;
    2. The accuracy of the agency's estimate of the information 
collection burden;
    3. The quality, utility, and clarity of the information to be 
collected; and
    4. Recommendations to minimize the information collection burden on 
the affected public, including automated collection techniques.
    The PRA requires consideration of the time, effort, and financial 
resources necessary to meet the information collection requirements 
referenced in this section. The Department did not receive comments 
related to the previous notice but has adjusted the estimated 
respondent burden in this request to reflect revised assumptions based 
on updated information available at the time of the final rule's 
publication. This revision resulted in adjusted cost estimates that are 
consistent with the RIA presented in this final rule. The estimates 
covered the employees' time for reviewing and completing the 
collections required.
    As discussed below, the Department estimates a total part 2 program 
burden associated with all final rule part 2 changes of 672,663 hours 
and $50,516,207, including capital costs and one-time burdens, across 
all 16,066 part 2 programs for 1,864,367 annual patient admissions. On 
average, this equates to an annual burden of 42 hours and $3,1444 per 
part 2 program and 0.36 hours and $27 per patient admission. Excluding 
one-time costs that would be incurred in the first year of the final 
rule's implementation, the average annual burden would be 27 hours and 
$1,940 per part 2 program and 0.24 hours and $17 per patient admission. 
In addition to program burdens, the Department's final rule would 
increase burdens on investigative agencies for reporting annually to 
the Secretary in the collective amount of 759 hours of labor and 
$61,726 in costs. This would result in a total burden for part 2 of 
672,663 hours in the first year after the rule becomes effective and 
439,880 annual burden hours thereafter.
    In this final rule, the Department is revising certain information 
collection requirements and, as such, is revising the information 
collection last prepared in 2020 and previously approved under OMB 
control #0930-0092.
Explanation of Estimated Annualized Burden Hours for 42 CFR Part 2
    The Department presents, in separate tables below, revised 
estimates for existing burdens (Table 21), previously unquantified 
ongoing burdens (Table 22), new ongoing burdens of the final rule 
(Table 23), and new one-time burdens of the final rule (Table 24).
BILLING CODE 4153-01-P

[[Page 12609]]

[GRAPHIC] [TIFF OMITTED] TR16FE24.031

BILLING CODE 4153-01-C
    As shown in Table 21, the Department is adjusting the currently 
approved burden estimates to reflect an increase in the number of part 
2 programs, from 13,585 to 16,066. The respondents for this collection 
of information are publicly (Federal, State, or local) funded, 
assisted, or regulated SUD treatment programs. The estimate of the 
number of such programs (respondents) is based on the results of the 
2020 N-SSATS, which represents an increase of 2,481 program from the 
2017 N-SSATS which was the basis for the approved ICR under OMB No. 
0930-0335. The average number of annual total responses is based the 
results of the average number of SUD treatment admissions from SAMHSA's 
2019 TEDS as the number of annual patient

[[Page 12610]]

admissions by part 2 programs (1,864,367 patients). To accurately 
reflect the number of disclosures, the Department based some estimates 
on the number of patients (or a multiple of that number) and then 
divided by the number of programs to arrive at the number of responses 
per respondent. The Department based other estimates on the number of 
programs and then multiplied by the estimated number of disclosures to 
arrive at the total number of responses.
---------------------------------------------------------------------------

    \380\ This refers to approved information collections; however, 
the burden hours shown are adjusted for the final rule.
---------------------------------------------------------------------------

    The estimate in the currently approved ICR includes the time spent 
with the patient to obtain consent and the time for training for 
counselors.\381\ The Department is now estimating the time for 
obtaining consent separately from the burden of training time and 
applies an average of 5 minutes per patient admission for obtaining 
consent.
---------------------------------------------------------------------------

    \381\ The Department estimated that the amount of time for 
disclosure to a patient ranged from a low of 3-5 minutes to a high 
of almost 38 minutes; the approximately 12-minute estimate used to 
estimate burden reflected a judgment about the time needed to 
adequately comply with the legal requirements and for basic training 
of counselors on the importance of patient confidentiality.
---------------------------------------------------------------------------

    For Sec. Sec.  2.31, 2.52, and 2.53, the Department is separating 
out estimates for each provision which were previously reported 
together and is also adjusting the estimates. For Sec.  2.31, the 
Department believes that disclosures with written consent for TPO are 
made for 100 percent of patients; due to the final rule changes to the 
consent requirements, the Department assumes that part 2 programs would 
experience a decreased burden from an average of 3 consents per 
admission to 1 consent. Table 21 reflects 1 consent for each of the 
1,864,367 annual patient admissions (used as a proxy for the estimated 
number of patients) and a time burden of 5 minutes per consent for a 
total of 155,364 burden hours. The previously unacknowledged burden of 
obtaining multiple consents for each patient is shown in Table 22, 
below.
    The Department previously estimated that for Sec. Sec.  2.31 
(consent), 2.52 (research), and 2.53 (audit and evaluation) combined, 
part 2 programs would need to disclose an average of 15 percent of all 
patients' records (1,864,367 records x .15 = 279,655 disclosures). The 
Department is adjusting its estimates to reflect that 15 percent of 
patients would have records disclosed without consent for research and 
audits or evaluations and that this would be divided evenly between the 
two provisions, resulting in 7.5% of 1,864,367 records (or 
approximately 139,828 disclosures) for Sec.  2.52 disclosures and the 
same for Sec.  2.53 disclosures. The Department previously estimated 
that 10 percent of disclosed records would be disclosed in paper form 
while the remaining 90 percent would be disclosed electronically. The 
time burden for disclosing a paper record is estimated as 15 minutes 
and the time for disclosing an electronic record as 5 minutes. For part 
2 programs using paper records, the Department expects that a staff 
member would need to gather and aggregate the information from paper 
records, and manually track disclosures; for those part 2 programs with 
a health IT system, the Department expects records and tracking 
information will be available within the system.
    For Sec.  2.36, the Department used the average number of opiate 
treatment admissions from SAMHSA's 2019 TEDS (565,610 admissions) and 
assumed the PDMP databases would need to be accessed and reported once 
initially and quarterly thereafter for each patient (565,610 x 5 = 
2,828.050). Dividing the number of opiate treatment admissions by the 
number of SUD programs results in an average of 35.21 patients per 
program (565,610 patients / 16,066 programs) and 176.03 PDMP updates 
per respondent (35.21 patients/program x 5 PDMP updates per patient). 
Based on discussions with providers, the Department believes accessing 
and reporting to PDMP databases would take approximately 2 minutes per 
patient, resulting in a total annual burden of 10 minutes (5 database 
accesses/updates x 2 minutes per access/update) or 0.166 hours annually 
per patient. For Sec.  2.51, the time estimate for recordkeeping for a 
clerk to locate a patient record, record the necessary information and 
re-file the record is 10 minutes.
[GRAPHIC] [TIFF OMITTED] TR16FE24.032

    As shown in Table 22, for Sec.  2.31 the Department is recognizing 
for the first time the burden on part 2 programs to obtain multiple 
consents for each patient annually. The Department estimates that for 
each patient admission to a program a minimum of 3 consents is needed 
for disclosures of records: one each for treatment, payment, and health 
care operations (1,864,367 x 3).
    As shown in Table 21, a burden is already recognized for obtaining 
consent, but the estimate assumed only one consent per admission under 
the existing regulation and it was combined with estimates for 
disclosures without consent under Sec. Sec.  2.52 (research) and 2.53 
(audit and evaluation). The Department believes its previous 
calculations underestimated the numbers of consents obtained annually, 
and thus the Department views its updated estimate (i.e., adding two 
consents per patient annually) as acknowledging a previously 
unquantified burden. Additionally, recipients of part 2 records that 
are covered entities or business associates must obtain consent for 
redisclosure of these records. The Department estimates an average of 
one-half of patients' records are disclosed to a covered entity or 
business associate that needs to redisclose the record with consent 
(1,864,367 x .5), and this also represents a previously unquantified 
burden. Together, this would result in an increase of 2.5 consents 
annually per

[[Page 12611]]

patient. However, this would be offset by the changes in this final 
rule which is estimated to result in a reduction in the number of 
consents by 2.5 per patient, thus resulting in no change from the 
currently approved burden of 1 consent per patient.
BILLING CODE 4153-01-P
[GRAPHIC] [TIFF OMITTED] TR16FE24.033


[[Page 12612]]


[GRAPHIC] [TIFF OMITTED] TR16FE24.034


[[Page 12613]]


[GRAPHIC] [TIFF OMITTED] TR16FE24.035


[[Page 12614]]


[GRAPHIC] [TIFF OMITTED] TR16FE24.036

    In Table 23 above, the Department shows an annualized new hourly 
burden of approximately 94,781 hours due to final rule requirements for 
receiving complaints, breach notification, accounting of disclosures of 
records, responding to patient's requests for restrictions on 
disclosures, discussing the Patient Notice, attaching consent form with 
each disclosure, and required reporting by investigative agencies. 
These burdens would be recurring. The estimates represent 2 percent of 
the total estimated by the Department for compliance with the parallel 
HIPAA requirements for covered entities. This percentage was calculated 
by dividing the total number of covered entities by the number of part 
2 programs (16,066/774,331 = .02). The Department recognizes that this 
is an overestimate because an unknown proportion of part 2 programs are 
also covered entities. As a result of these calculations, the estimated 
number of respondents and responses is a not a whole number. The totals 
were based on calculations that included decimals not shown in the 
table, resulting in different totals than computed in ROCIS for some 
line items. For Sec.  2.32, the Department estimates a new burden for 
attaching a consent or a clear explanation of the scope of the consent 
to each disclosure. The Department estimates that each part 2 program 
would make three (3) annual disclosures per patient for 1,864,367 
patients yearly. The Department also estimates that consent forms would 
need to be attached to paper disclosures as well as electronic 
disclosures and assumes ninety percent (90%) of disclosures are 
received electronically, totaling 5,033,791 consents or explanations of 
consent attached to electronic disclosures, while the remaining ten 
percent (10%) would be received in paper format, totaling 559,310 
attached paper disclosures. The Department assumes a receptionist or 
information clerk would take 5 minutes to attach a consent form for 
each paper disclosure and 30 second to attach a consent form for each 
electronic disclosure. This would result in a total recurring burden of 
46,609 hours for paper disclosures and 41,948 hours for electronic 
disclosures.
    The total number of responses for the accounting of disclosures has 
been corrected in the table to show 100, whereas the proposed rule 
displayed a total of 800. The total in Table 23 also includes the 
Department's estimates for a recurring annual burden on investigative 
agencies of 759 hours, relying on previous estimates for the burden of 
reporting breaches of PHI to the Secretary at 1.5 hours per report.

[[Page 12615]]

[GRAPHIC] [TIFF OMITTED] TR16FE24.037


[[Page 12616]]


[GRAPHIC] [TIFF OMITTED] TR16FE24.038

    As shown in Table 24, the Department estimates one-time burden 
increases as a result of final rule changes to Sec. Sec.  2.16, 2.22, 
2.31, and 2.32 and due to new provisions Sec. Sec.  2.25 and 2.26. The 
nonrecurring burdens are for training staff on the final rule 
provisions and for updating forms and notices. The Department estimates 
that each part 2 program would need 5 hours of a training specialist's 
time to prepare and present the training for a total of 80,330 burden 
hours.
    For Sec.  2.16, the Department estimates that each part 2 program 
would need to train 1 manager on breach notification requirements for 1 
hour, for a total of 16,066 burden hours. For Sec.  2.22, the 
Department estimates that each program will need 1 hour of a lawyer's 
time to update the content of the Patient Notice (for a total of 16,066 
burden hours) and 15 minutes to train 202,072 part 2 counselors on the 
new Patient Notice and right to discuss the Patient Notice requirements 
(for 56,058 total burden hours).
    For Sec.  2.25, the Department estimates that each part 2 program 
would need to train a medical records specialist on the requirements of 
accounting of disclosures requirements for 30 minutes, resulting in a 
total burden of approximately 8,033 hours. For Sec.  2.26, the 
Department estimates that each part 2 program would need to train three 
staff (a front desk receptionist, a medical records technician, and a 
billing clerk (16,066 part 2 programs x 3 staff)) for 15 minutes each 
on the right of a patient to request restrictions on disclosures for 
TPO. The base wage rate is an average of the mean hourly rate for the 
three occupations being trained. This would total approximately 12,050 
burden hours.
    For Sec.  2.31, each part 2 program would need 40 minutes of a 
lawyer's time to update the consent to disclosure form (for a total of 
approximately 10,711 burden hours) and 30 minutes to train an average 
of 2 front desk receptionists on the changed requirements for consent 
(for a total of approximately 16,066 burden hours). For Sec.  2.32, the 
Department estimates that each part 2 program would need 20 minutes of 
a health care manager's time to update the content of the Notice to 
Accompany Disclosure with the changed language provided in the final 
rule, for a total of approximately 5,355 burden hours. This is likely 
an over-estimate because an alternative, short form of the notice is 
also provided in regulation, and the language for that form is 
unchanged such that part 2 programs that are using the short form 
notice could continue using the same notice and avoid any burden 
increase.
Explanation of Estimated Capital Expenses for 42 CFR Part 2
BILLING CODE 4153-01-P

[[Page 12617]]

[GRAPHIC] [TIFF OMITTED] TR16FE24.039

BILLING CODE 4153-01-C
    As shown above in Table 25, part 2 programs would incur new capital 
costs for providing breach notification. The table also reflects 
existing burdens for printing the Patient Notice, the Notice to 
Accompany Disclosure, and Consents. The Department has estimated 50 
percent of forms used would be printed on paper, taking into account 
the notable increase in the use of telehealth services for the delivery 
of SUD treatment and the expectation that the demand for telehealth 
will continue.\382\
---------------------------------------------------------------------------

    \382\ See Todd Molfenter, Nancy Roget, Michael Chaple, et al., 
``Use of Telehealth in Substance Use Disorder Services During and 
After COVID-19: Online Survey Study,'' JMIR Mental Health (Aug. 2, 
2021), https://mental.jmir.org/2021/2/e25835.
---------------------------------------------------------------------------

List of Subjects in 42 CFR Part 2

    Administrative practice and procedure, Alcohol use disorder, 
Alcoholism, Breach, Confidentiality, Courts, Drug abuse, Electronic 
information system, Grant programs--health, Health, Health care, Health 
care operations, Health care providers, Health information exchange, 
Health plan, Health records, Hospitals, Investigations, Medicaid, 
Medical research, Medicare, Patient rights, Penalties, Privacy, 
Reporting and recordkeeping requirements, Security measures, Substance 
use disorder.
Final Rule
    For the reasons stated in the preamble, the U.S. Department of 
Health and Human Services amends 42 CFR part 2 as set forth below:

Title 42--Public Health

PART 2--CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS

0
1. Revise the authority citation for part 2 to read as follows:

    Authority: 42 U.S.C. 290dd-2; 42 U.S.C. 290dd-2 note.


0
2. Revise Sec.  2.1 to read as follows:


Sec.  2.1  Statutory authority for confidentiality of substance use 
disorder patient records.

    Title 42, United States Code, section 290dd-2(g) authorizes the 
Secretary to prescribe regulations to carry out the purposes of section 
290dd-2. Such

[[Page 12618]]

regulations may contain such definitions, and may provide for such 
safeguards and procedures, including procedures and criteria for the 
issuance and scope of orders under subsection 290dd-2(b)(2)(C), as in 
the judgment of the Secretary are necessary or proper to effectuate the 
purposes of section 290dd-2, to prevent circumvention or evasion 
thereof, or to facilitate compliance therewith.

0
3. Revise Sec.  2.2 to read as follows:


Sec.  2.2  Purpose and effect.

    (a) Purpose. Pursuant to 42 U.S.C. 290dd-2(g), the regulations in 
this part impose restrictions upon the use and disclosure of substance 
use disorder patient records (``records,'' as defined in this part) 
which are maintained in connection with the performance of any part 2 
program. The regulations in this part include the following subparts:
    (1) Subpart B: General Provisions, including definitions, 
applicability, and general restrictions;
    (2) Subpart C: Uses and Disclosures With Patient Consent, including 
uses and disclosures that require patient consent and the consent form 
requirements;
    (3) Subpart D: Uses and Disclosures Without Patient Consent, 
including uses and disclosures which do not require patient consent or 
an authorizing court order; and
    (4) Subpart E: Court Orders Authorizing Use and Disclosure, 
including uses and disclosures of records which may be made with an 
authorizing court order and the procedures and criteria for the entry 
and scope of those orders.
    (b) Effect. (1) The regulations in this part prohibit the use and 
disclosure of records unless certain circumstances exist. If any 
circumstance exists under which use or disclosure is permitted, that 
circumstance acts to remove the prohibition on use and disclosure but 
it does not compel the use or disclosure. Thus, the regulations in this 
part do not require use or disclosure under any circumstance other than 
when disclosure is required by the Secretary to investigate or 
determine a person's compliance with this part pursuant to Sec.  
2.3(c).
    (2) The regulations in this part are not intended to direct the 
manner in which substantive functions such as research, treatment, and 
evaluation are carried out. They are intended to ensure that a patient 
receiving treatment for a substance use disorder in a part 2 program is 
not made more vulnerable by reason of the availability of their record 
than an individual with a substance use disorder who does not seek 
treatment.
    (3) The regulations in this part shall not be construed to limit:
    (i) A patient's right, as described in 45 CFR 164.522, to request a 
restriction on the use or disclosure of a record for purposes of 
treatment, payment, or health care operations.
    (ii) A covered entity's choice, as described in 45 CFR 164.506, to 
obtain the consent of the patient to use or disclose a record to carry 
out treatment, payment, or health care operations.

0
4. Revise Sec.  2.3 to read as follows:


Sec.  2.3  Civil and criminal penalties for violations.

    (a) Penalties. Any person who violates any provision of 42 U.S.C. 
290dd-2(a)-(d), shall be subject to the applicable penalties under 
sections 1176 and 1177 of the Social Security Act, 42 U.S.C. 1320d-5 
and 1320d-6.
    (b) Limitation on criminal or civil liability. A person who is 
acting on behalf of an investigative agency having jurisdiction over 
the activities of a part 2 program or other person holding records 
under this part (or employees or agents of that part 2 program or 
person holding the records) shall not incur civil or criminal liability 
under 42 U.S.C. 290dd-2(f) for use or disclosure of such records 
inconsistent with this part that occurs while acting within the scope 
of their employment in the course of investigating or prosecuting a 
part 2 program or person holding the record, if the person or 
investigative agency demonstrates that the following conditions are 
met:
    (1) Before presenting a request, subpoena, or other demand for 
records, or placing an undercover agent or informant in a health care 
practice or provider, as applicable, such person acted with reasonable 
diligence to determine whether the regulations in this part apply to 
the records, part 2 program, or other person holding records under this 
part. Reasonable diligence means taking all of the following actions 
where it is reasonable to believe that the practice or provider 
provides substance use disorder diagnostic, treatment, or referral for 
treatment services:
    (i) Searching for the practice or provider among the substance use 
disorder treatment facilities in the online treatment locator 
maintained by the Substance Abuse and Mental Health Services 
Administration.
    (ii) Searching in a similar state database of treatment facilities 
where available.
    (iii) Checking a provider's publicly available website, where 
available, or its physical location to determine whether in fact such 
services are provided.
    (iv) Viewing the provider's Patient Notice or the Health Insurance 
Portability and Accountability Act (HIPAA) Notice of Privacy Practices 
(NPP) if it is available online or at the physical location.
    (v) Taking all these actions within a reasonable period of time (no 
more than 60 days) before requesting records from, or placing an 
undercover agent or informant in, a health care practice or provider.
    (2) The person followed all of the applicable provisions in this 
part for any use or disclosure of the received records under this part 
that occurred, or will occur, after the person or investigative agency 
knew, or by exercising reasonable diligence would have known, that it 
received records under this part.
    (c) Enforcement. The provisions of 45 CFR part 160, subparts C, D, 
and E, shall apply to noncompliance with this part in the same manner 
as they apply to covered entities and business associates for 
noncompliance with 45 CFR parts 160 and 164.

0
5. Revise Sec.  2.4 to read as follows:


Sec.  2.4  Complaints of noncompliance.

    (a) Receipt of complaints. A part 2 program must provide a process 
to receive complaints concerning the program's compliance with the 
requirements of this part.
    (b) Right to file a complaint. A person may file a complaint to the 
Secretary for a violation of this part by a part 2 program, covered 
entity, business associate, qualified service organization, or lawful 
holder in the same manner as a person may file a complaint under 45 CFR 
160.306 for a violation of the administrative simplification provisions 
of the Health Insurance Portability and Accountability Act (HIPAA) of 
1996.
    (c) Refraining from intimidating or retaliatory acts. A part 2 
program may not intimidate, threaten, coerce, discriminate against, or 
take other retaliatory action against any patient for the exercise by 
the patient of any right established, or for participation in any 
process provided for, by this part, including the filing of a complaint 
under this section or Sec.  2.3(c).
    (d) Waiver of rights. A part 2 program may not require patients to 
waive their right to file a complaint under this section or Sec.  2.3 
as a condition of the provision of treatment, payment, enrollment, or 
eligibility for any program subject to this part.

0
6. Amend Sec.  2.11 by:
0
a. Adding in alphabetical order definitions of ``Breach'', ``Business 
associate'', ``Covered entity'', ``Health

[[Page 12619]]

care operations'', ``HIPAA'', and ``HIPAA regulations'';
0
b. Revising the introductory text in the definition of ``Informant'';
0
c. Adding in alphabetical order definitions of ``Intermediary'', 
``Investigative agency'', and ``Lawful holder'';
0
d. Revising the definition of ``Part 2 program director'';
0
e. Adding a sentence at the end of the definition of ``Patient'';
0
f. Revising the definition of ``Patient identifying information'';
0
g. Adding in alphabetical order the definition of ``Payment'';
0
h. Revising the definition of ``Person'';
0
i. Adding in alphabetical order the definition of ``Personal 
representative'';
0
j. Revising paragraph (1) in the definition of ``Program'';
0
k. Adding in alphabetical order the definition of ``Public health 
authority'';
0
l. Revising the introductory text and paragraph (2) introductory text 
and adding paragraph (3) in the definition of ``Qualified service 
organization'';
0
l. Revising the definitions of ``Records'' and ``Substance use 
disorder'';
0
m. Adding in alphabetical order the definition of ``Substance use 
disorder (SUD) counseling notes'';
0
n. Revising the definitions of ``Third-party payer'', ``Treating 
provider relationship'', and ``Treatment'';
0
o. Adding in alphabetical order definitions of ``Unsecured protected 
health information'', ``Unsecured record'', and ``Use''.
    The revisions and additions read as follows:


Sec.  2.11  Definitions.

* * * * *
    Breach has the same meaning given that term in 45 CFR 164.402.
    Business associate has the same meaning given that term in 45 CFR 
160.103.
* * * * *
    Covered entity has the same meaning given that term in 45 CFR 
160.103.
* * * * *
    Health care operations has the same meaning given that term in 45 
CFR 164.501.
    HIPAA means the Health Insurance Portability and Accountability Act 
of 1996, Public Law 104-191, as amended by the privacy and security 
provisions in subtitle D of title XIII of the Health Information 
Technology for Economic and Clinical Health Act, Public Law 111-5 
(``HITECH Act'').
    HIPAA regulations means the regulations at 45 CFR parts 160 and 164 
(commonly known as the HIPAA Privacy, Security, Breach Notification, 
and Enforcement Rules or ``HIPAA Rules'').
    Informant means a person:
* * * * *
    Intermediary means a person, other than a part 2 program, covered 
entity, or business associate, who has received records under a general 
designation in a written patient consent to be disclosed to one or more 
of its member participant(s) who has a treating provider relationship 
with the patient.
    Investigative agency means a Federal, state, Tribal, territorial, 
or local administrative, regulatory, supervisory, investigative, law 
enforcement, or prosecutorial agency having jurisdiction over the 
activities of a part 2 program or other person holding records under 
this part.
    Lawful holder means a person who is bound by this part because they 
have received records as the result of one of the following:
    (1) Written consent in accordance with Sec.  2.31 with an 
accompanying notice of disclosure.
    (2) One of the exceptions to the written consent requirements in 42 
U.S.C. 290dd-2 or this part.
* * * * *
    Part 2 program director means:
    (1) In the case of a part 2 program that is a natural person, that 
person.
    (2) In the case of a part 2 program that is an entity, the person 
designated as director or managing director, or person otherwise vested 
with authority to act as chief executive officer of the part 2 program.
    Patient * * * In this part where the HIPAA regulations apply, 
patient means an individual as that term is defined in 45 CFR 160.103.
    Patient identifying information means the name, address, Social 
Security number, fingerprints, photograph, or similar information by 
which the identity of a patient, as defined in this section, can be 
determined with reasonable accuracy either directly or by reference to 
other information.
    Payment has the same meaning given that term in 45 CFR 164.501.
    Person has the same meaning given that term in 45 CFR 160.103.
    Personal representative means a person who has authority under 
applicable law to act on behalf of a patient who is an adult or an 
emancipated minor in making decisions related to health care. Within 
this part, a personal representative would have authority only with 
respect to patient records relevant to such personal representation.
    Program * * *
    (1) A person (other than a general medical facility) that holds 
itself out as providing, and provides, substance use disorder 
diagnosis, treatment, or referral for treatment; or
* * * * *
    Public health authority has the same meaning given that term in 45 
CFR 164.501.
    Qualified service organization means a person who:
* * * * *
    (2) Has entered into a written agreement with a part 2 program 
under which that person:
* * * * *
    (3) Qualified service organization includes a person who meets the 
definition of business associate in 45 CFR 160.103, paragraphs (1), 
(2), and (3), for a part 2 program that is also a covered entity, with 
respect to the use and disclosure of protected health information that 
also constitutes a ``record'' as defined by this section.
    Records means any information, whether recorded or not, created by, 
received, or acquired by a part 2 program relating to a patient (e.g., 
diagnosis, treatment and referral for treatment information, billing 
information, emails, voice mails, and texts), and including patient 
identifying information, provided, however, that information conveyed 
orally by a part 2 program to a provider who is not subject to this 
part for treatment purposes with the consent of the patient does not 
become a record subject to this part in the possession of the provider 
who is not subject to this part merely because that information is 
reduced to writing by that provider who is not subject to this part. 
Records otherwise transmitted by a part 2 program to a provider who is 
not subject to this part retain their characteristic as records in the 
hands of the provider who is not subject to this part, but may be 
segregated by that provider.
    Substance use disorder (SUD) means a cluster of cognitive, 
behavioral, and physiological symptoms indicating that the individual 
continues using the substance despite significant substance-related 
problems such as impaired control, social impairment, risky use, and 
pharmacological tolerance and withdrawal. For the purposes of the 
regulations in this part, this definition does not include tobacco or 
caffeine use.
    Substance use disorder (SUD) counseling notes means notes recorded 
(in any medium) by a part 2 program provider who is a SUD or mental 
health professional documenting or analyzing the contents of 
conversation during a private SUD counseling session or a

[[Page 12620]]

group, joint, or family SUD counseling session and that are separated 
from the rest of the patient's SUD and medical record. SUD counseling 
notes excludes medication prescription and monitoring, counseling 
session start and stop times, the modalities and frequencies of 
treatment furnished, results of clinical tests, and any summary of the 
following items: diagnosis, functional status, the treatment plan, 
symptoms, prognosis, and progress to date.
    Third-party payer means a person, other than a health plan as 
defined at 45 CFR 160.103, who pays or agrees to pay for diagnosis or 
treatment furnished to a patient on the basis of a contractual 
relationship with the patient or a member of the patient's family or on 
the basis of the patient's eligibility for Federal, state, or local 
governmental benefits.
    Treating provider relationship means that, regardless of whether 
there has been an actual in-person encounter:
    (1) A patient is, agrees to be, or is legally required to be 
diagnosed, evaluated, or treated, or agrees to accept consultation, for 
any condition by a person; and
    (2) The person undertakes or agrees to undertake diagnosis, 
evaluation, or treatment of the patient, or consultation with the 
patient, for any condition.
    Treatment has the same meaning given that term in 45 CFR 164.501.
* * * * *
    Unsecured protected health information has the same meaning given 
that term in 45 CFR 164.402.
    Unsecured record means any record, as defined in this part, that is 
not rendered unusable, unreadable, or indecipherable to unauthorized 
persons through the use of a technology or methodology specified by the 
Secretary in the guidance issued under Public Law 111-5, section 
13402(h)(2).
    Use means, with respect to records, the sharing, employment, 
application, utilization, examination, or analysis of the information 
contained in such records that occurs either within an entity that 
maintains such information or in the course of civil, criminal, 
administrative, or legislative proceedings as described at 42 U.S.C. 
290dd-2(c).
* * * * *

0
7. Amend Sec.  2.12 by:
0
a. Revising paragraphs (a)(1) introductory text, (a)(1)(ii), and 
(a)(2);
0
b. Revising paragraph (b)(1);
0
c. Revising paragraphs (c)(2), (c)(3) introductory text, (c)(4), (c)(5) 
introductory text, and (c)(6);
0
d. Revising paragraphs (d)(1) and (2); and
0
e. Revising paragraphs (e)(3), (e)(4) introductory text, and (e)(4)(i).
    The revisions read as follows:


Sec.  2.12  Applicability.

    (a) * * *
    (1) Restrictions on use and disclosure. The restrictions on use and 
disclosure in the regulations in this part apply to any records which:
* * * * *
    (ii) Contain substance use disorder information obtained by a 
federally assisted substance use disorder program after March 20, 1972 
(part 2 program), or contain alcohol use disorder information obtained 
by a federally assisted alcohol use disorder or substance use disorder 
program after May 13, 1974 (part 2 program); or if obtained before the 
pertinent date, is maintained by a part 2 program after that date as 
part of an ongoing treatment episode which extends past that date; for 
the purpose of treating a substance use disorder, making a diagnosis 
for that treatment, or making a referral for that treatment.
    (2) Restriction on use or disclosure. The restriction on use or 
disclosure of information to initiate or substantiate any criminal 
charges against a patient or to conduct any criminal investigation of a 
patient (42 U.S.C. 290dd-2(c)) applies to any information, whether or 
not recorded, which is substance use disorder information obtained by a 
federally assisted substance use disorder program after March 20, 1972 
(part 2 program), or is alcohol use disorder information obtained by a 
federally assisted alcohol use disorder or substance use disorder 
program after May 13, 1974 (part 2 program); or if obtained before the 
pertinent date, is maintained by a part 2 program after that date as 
part of an ongoing treatment episode which extends past that date; for 
the purpose of treating a substance use disorder, making a diagnosis 
for the treatment, or making a referral for the treatment.
    (b) * * *
    (1) It is conducted in whole or in part, whether directly or by 
contract or otherwise by any department or agency of the United States 
(but see paragraphs (c)(1) and (2) of this section relating to the 
Department of Veterans Affairs and the Uniformed Services);
* * * * *
    (c) * * *
    (2) Uniformed Services. The regulations in this part apply to any 
information described in paragraph (a) of this section which was 
obtained by any component of the Uniformed Services during a period 
when the patient was subject to the Uniform Code of Military Justice 
except:
    (i) Any interchange of that information within the Uniformed 
Services and within those components of the Department of Veterans 
Affairs furnishing health care to veterans; and
    (ii) Any interchange of that information between such components 
and the Uniformed Services.
    (3) Communication within a part 2 program or between a part 2 
program and an entity having direct administrative control over that 
part 2 program. The restrictions on use and disclosure in the 
regulations in this part do not apply to communications of information 
between or among personnel having a need for the information in 
connection with their duties that arise out of the provision of 
diagnosis, treatment, or referral for treatment of patients with 
substance use disorders if the communications are:
* * * * *
    (4) Qualified service organizations. The restrictions on use and 
disclosure in the regulations in this part do not apply to the 
communications between a part 2 program and a qualified service 
organization of information needed by the qualified service 
organization to provide services to or on behalf of the program.
    (5) Crimes on part 2 program premises or against part 2 program 
personnel. The restrictions on use and disclosure in the regulations in 
this part do not apply to communications from part 2 program personnel 
to law enforcement agencies or officials which:
* * * * *
    (6) Reports of suspected child abuse and neglect. The restrictions 
on use and disclosure in the regulations in this part do not apply to 
the reporting under state law of incidents of suspected child abuse and 
neglect to the appropriate state or local authorities. However, the 
restrictions continue to apply to the original substance use disorder 
patient records maintained by the part 2 program including their use 
and disclosure for civil or criminal proceedings which may arise out of 
the report of suspected child abuse and neglect.
    (d) * * *
    (1) Restriction on use and disclosure of records. The restriction 
on the use and disclosure of any record subject to the regulations in 
this part to initiate or substantiate criminal charges against a 
patient or to conduct any criminal investigation of a patient, or to 
use in any civil, criminal, administrative, or legislative proceedings 
against a patient, applies to any person who obtains the

[[Page 12621]]

record from a part 2 program, covered entity, business associate, 
intermediary, or other lawful holder, regardless of the status of the 
person obtaining the record or whether the record was obtained in 
accordance with subpart E of this part. This restriction on use and 
disclosure bars, among other things, the introduction into evidence of 
a record or testimony in any criminal prosecution or civil action 
before a Federal or state court, reliance on the record or testimony to 
inform any decision or otherwise be taken into account in any 
proceeding before a Federal, state, or local agency, the use of such 
record or testimony by any Federal, state, or local agency for a law 
enforcement purpose or to conduct any law enforcement investigation, 
and the use of such record or testimony in any application for a 
warrant, absent patient consent or a court order in accordance with 
subpart E of this part. Records obtained by undercover agents or 
informants, Sec.  2.17, or through patient access, Sec.  2.23, are 
subject to the restrictions on uses and disclosures.
    (2) Restrictions on uses and disclosures--(i) Third-party payers, 
administrative entities, and others. The restrictions on use and 
disclosure in the regulations in this part apply to:
    (A) Third-party payers, as defined in this part, with regard to 
records disclosed to them by part 2 programs or under Sec.  
2.31(a)(4)(i);
    (B) Persons having direct administrative control over part 2 
programs with regard to information that is subject to the regulations 
in this part communicated to them by the part 2 program under paragraph 
(c)(3) of this section; and
    (C) Persons who receive records directly from a part 2 program, 
covered entity, business associate, intermediary, or other lawful 
holder of patient identifying information and who are notified of the 
prohibition on redisclosure in accordance with Sec.  2.32. A part 2 
program, covered entity, or business associate that receives records 
based on a single consent for all treatment, payment, and health care 
operations is not required to segregate or segment such records.
    (ii) Documentation of SUD treatment by providers who are not part 2 
programs. Notwithstanding paragraph (d)(2)(i)(C) of this section, a 
treating provider who is not subject to this part may record 
information about a SUD and its treatment that identifies a patient. 
This is permitted and does not constitute a record that has been 
redisclosed under this part. The act of recording information about a 
SUD and its treatment does not by itself render a medical record which 
is created by a treating provider who is not subject to this part, 
subject to the restrictions of this part.
* * * * *
    (e) * * *
    (3) Information to which restrictions are applicable. Whether a 
restriction applies to the use or disclosure of a record affects the 
type of records which may be disclosed. The restrictions on use and 
disclosure apply to any records which would identify a specified 
patient as having or having had a substance use disorder. The 
restriction on use and disclosure of records to bring a civil action or 
criminal charges against a patient in any civil, criminal, 
administrative, or legislative proceedings applies to any records 
obtained by the part 2 program for the purpose of diagnosis, treatment, 
or referral for treatment of patients with substance use disorders. 
(Restrictions on use and disclosure apply to recipients of records as 
specified under paragraph (d) of this section.)
    (4) How type of diagnosis affects coverage. These regulations cover 
any record reflecting a diagnosis identifying a patient as having or 
having had a substance use disorder which is initially prepared by a 
part 2 program in connection with the treatment or referral for 
treatment of a patient with a substance use disorder. A diagnosis 
prepared by a part 2 program for the purpose of treatment or referral 
for treatment, but which is not so used, is covered by the regulations 
in this part. The following are not covered by the regulations in this 
part:
    (i) Diagnosis which is made on behalf of and at the request of a 
law enforcement agency or official or a court of competent jurisdiction 
solely for the purpose of providing evidence; or
* * * * *

0
8. Amend Sec.  2.13 by:
0
a. Revising paragraphs (a), (b), and (c)(1); and
0
b. Removing paragraph (d).
    The revisions read as follows:


Sec.  2.13  Confidentiality restrictions and safeguards.

    (a) General. The patient records subject to the regulations in this 
part may be used or disclosed only as permitted by the regulations in 
this part and may not otherwise be used or disclosed in any civil, 
criminal, administrative, or legislative proceedings conducted by any 
Federal, state, or local authority. Any use or disclosure made under 
the regulations in this part must be limited to that information which 
is necessary to carry out the purpose of the use or disclosure.
    (b) Unconditional compliance required. The restrictions on use and 
disclosure in the regulations in this part apply whether or not the 
part 2 program or other lawful holder of the patient identifying 
information believes that the person seeking the information already 
has it, has other means of obtaining it, is a law enforcement agency or 
official or other government official, has obtained a subpoena, or 
asserts any other justification for a use or disclosure which is not 
permitted by the regulations in this part.
    (c) * * *
    (1) The presence of an identified patient in a health care facility 
or component of a health care facility that is publicly identified as a 
place where only substance use disorder diagnosis, treatment, or 
referral for treatment is provided may be acknowledged only if the 
patient's written consent is obtained in accordance with subpart C of 
this part or if an authorizing court order is entered in accordance 
with subpart E of this part. The regulations permit acknowledgment of 
the presence of an identified patient in a health care facility or part 
of a health care facility if the health care facility is not publicly 
identified as only a substance use disorder diagnosis, treatment, or 
referral for treatment facility, and if the acknowledgment does not 
reveal that the patient has a substance use disorder.
* * * * *

0
9. Amend Sec.  2.14 by revising paragraphs (a), (b)(1), (b)(2) 
introductory text, (b)(2)(ii), and (c) to read as follows:


Sec.  2.14  Minor patients.

    (a) State law not requiring parental consent to treatment. If a 
minor patient acting alone has the legal capacity under the applicable 
state law to apply for and obtain substance use disorder treatment, any 
written consent for use or disclosure authorized under subpart C of 
this part may be given only by the minor patient. This restriction 
includes, but is not limited to, any disclosure of patient identifying 
information to the parent or guardian of a minor patient for the 
purpose of obtaining financial reimbursement. The regulations in this 
paragraph (a) do not prohibit a part 2 program from refusing to provide 
treatment until the minor patient consents to a use or disclosure that 
is necessary to obtain reimbursement, but refusal to provide treatment 
may be prohibited under a state or local law requiring the program to 
furnish the service irrespective of ability to pay.
    (b) * * *
    (1) Where state law requires consent of a parent, guardian, or 
other person for

[[Page 12622]]

a minor to obtain treatment for a substance use disorder, any written 
consent for use or disclosure authorized under subpart C of this part 
must be given by both the minor and their parent, guardian, or other 
person authorized under state law to act on the minor's behalf.
    (2) Where state law requires parental consent to treatment, the 
fact of a minor's application for treatment may be communicated to the 
minor's parent, guardian, or other person authorized under state law to 
act on the minor's behalf only if:
* * * * *
    (ii) The minor lacks the capacity to make a rational choice 
regarding such consent as determined by the part 2 program director 
under paragraph (c) of this section.
    (c) Minor applicant for services lacks capacity for rational 
choice. Facts relevant to reducing a substantial threat to the life or 
physical well-being of the minor applicant or any other person may be 
disclosed to the parent, guardian, or other person authorized under 
state law to act on the minor's behalf if the part 2 program director 
determines that:
    (1) A minor applicant for services lacks capacity because of 
extreme youth or mental or physical condition to make a rational 
decision on whether to consent to a disclosure under subpart C of this 
part to their parent, guardian, or other person authorized under state 
law to act on the minor's behalf; and
    (2) The minor applicant's situation poses a substantial threat to 
the life or physical well-being of the minor applicant or any other 
person which may be reduced by communicating relevant facts to the 
minor's parent, guardian, or other person authorized under state law to 
act on the minor's behalf.

0
10. Amend Sec.  2.15 by revising the section heading and paragraphs (a) 
and (b)(2) to read as follows:


Sec.  2.15  Patients who lack capacity and deceased patients.

    (a) Adult patients who lack capacity to make health care 
decisions--(1) Adjudication by a court. In the case of a patient who 
has been adjudicated as lacking the capacity, for any reason other than 
insufficient age, to make their own health care decisions, any consent 
which is required under the regulations in this part may be given by 
the personal representative.
    (2) No adjudication by a court. In the case of a patient, other 
than a minor or one who has been adjudicated as lacking the capacity to 
make health care decisions, that for any period suffers from a medical 
condition that prevents knowing or effective action on their own 
behalf, the part 2 program director may exercise the right of the 
patient to consent to a use or disclosure under subpart C of this part 
for the sole purpose of obtaining payment for services from a third-
party payer or health plan.
    (b) * * *
    (2) Consent by personal representative. Any other use or disclosure 
of information identifying a deceased patient as having a substance use 
disorder is subject to the regulations in this part. If a written 
consent to the use or disclosure is required, that consent may be given 
by the personal representative.

0
11. Revise Sec.  2.16 to read as follows:


Sec.  2.16  Security for records and notification of breaches.

    (a) The part 2 program or other lawful holder of patient 
identifying information must have in place formal policies and 
procedures to reasonably protect against unauthorized uses and 
disclosures of patient identifying information and to protect against 
reasonably anticipated threats or hazards to the security of patient 
identifying information.
    (1) Requirements for formal policies and procedures. These policies 
and procedures must address all of the following:
    (i) Paper records, including:
    (A) Transferring and removing such records;
    (B) Destroying such records, including sanitizing the hard copy 
media associated with the paper printouts, to render the patient 
identifying information non-retrievable;
    (C) Maintaining such records in a secure room, locked file cabinet, 
safe, or other similar container, or storage facility when not in use;
    (D) Using and accessing workstations, secure rooms, locked file 
cabinets, safes, or other similar containers, and storage facilities 
that use or store such information; and
    (E) Rendering patient identifying information de-identified in 
accordance with the requirements of 45 CFR 164.514(b) such that there 
is no reasonable basis to believe that the information can be used to 
identify a particular patient.
    (ii) Electronic records, including:
    (A) Creating, receiving, maintaining, and transmitting such 
records;
    (B) Destroying such records, including sanitizing the electronic 
media on which such records are stored, to render the patient 
identifying information non-retrievable;
    (C) Using and accessing electronic records or other electronic 
media containing patient identifying information; and
    (D) Rendering the patient identifying information de-identified in 
accordance with the requirements of 45 CFR 164.514(b) such that there 
is no reasonable basis to believe that the information can be used to 
identify a patient.
    (2) Exception for certain lawful holders. Family, friends, and 
other informal caregivers who are lawful holders as defined in this 
part are not required to comply with paragraph (a) of this section.
    (b) The provisions of 45 CFR part 160 and subpart D of 45 CFR part 
164 shall apply to part 2 programs with respect to breaches of 
unsecured records in the same manner as those provisions apply to a 
covered entity with respect to breaches of unsecured protected health 
information.

0
12. Amend Sec.  2.17 by revising paragraph (b) to read as follows:


Sec.  2.17  Undercover agents and informants.

* * * * *
    (b) Restriction on use and disclosure of information. No 
information obtained by an undercover agent or informant, whether or 
not that undercover agent or informant is placed in a part 2 program 
pursuant to an authorizing court order, may be used or disclosed to 
criminally investigate or prosecute any patient.

0
13. Amend Sec.  2.19 by:
0
a. Revising paragraphs (a)(1) and (2);
0
b. Adding paragraph (a)(3);
0
c. Revising paragraphs (b)(1) introductory text, (b)(1)(i) introductory 
text, (b)(1)(i)(A), and (b)(2).
    The addition and revisions read as follows:


Sec.  2.19  Disposition of records by discontinued programs.

    (a) * * *
    (1) The patient who is the subject of the records gives written 
consent (meeting the requirements of Sec.  2.31) to a transfer of the 
records to the acquiring program or to any other program designated in 
the consent (the manner of obtaining this consent must minimize the 
likelihood of a disclosure of patient identifying information to a 
third party);
    (2) There is a legal requirement that the records be kept for a 
period specified by law which does not expire until after the 
discontinuation or acquisition of the part 2 program; or
    (3) The part 2 program is transferred, retroceded, or reassumed 
pursuant to the Indian Self-Determination and Education Assistance Act 
(ISDEAA), 25 U.S.C. 5301 et seq., and its

[[Page 12623]]

implementing regulations in 25 CFR part 900.
    (b) * * *
    (1) Records in non-electronic (e.g., paper) form must be:
    (i) Sealed in envelopes or other containers labeled as follows: 
``Records of [insert name of program] required to be maintained under 
[insert citation to statute, regulation, court order or other legal 
authority requiring that records be kept] until a date not later than 
[insert appropriate date]''.
    (A) All hard copy media from which the paper records were produced, 
such as printer and facsimile ribbons, drums, etc., must be sanitized 
to render the data non-retrievable.
* * * * *
    (2) All of the following requirements apply to records in 
electronic form:
    (i) Records must be:
    (A) Transferred to a portable electronic device with implemented 
encryption to encrypt the data at rest so that there is a low 
probability of assigning meaning without the use of a confidential 
process or key and implemented access controls for the confidential 
process or key; or
    (B) Transferred, along with a backup copy, to separate electronic 
media, so that both the records and the backup copy have implemented 
encryption to encrypt the data at rest so that there is a low 
probability of assigning meaning without the use of a confidential 
process or key and implemented access controls for the confidential 
process or key.
    (ii) Within one year of the discontinuation or acquisition of the 
program, all electronic media on which the patient records or patient 
identifying information resided prior to being transferred to the 
device specified in paragraph (b)(2)(i)(A) of this section or the 
original and backup electronic media specified in paragraph 
(b)(2)(i)(B) of this section, including email and other electronic 
communications, must be sanitized to render the patient identifying 
information non-retrievable in a manner consistent with the 
discontinued program's or acquiring program's policies and procedures 
established under Sec.  2.16.
    (iii) The portable electronic device or the original and backup 
electronic media must be:
    (A) Sealed in a container along with any equipment needed to read 
or access the information, and labeled as follows: ``Records of [insert 
name of program] required to be maintained under [insert citation to 
statute, regulation, court order or other legal authority requiring 
that records be kept] until a date not later than [insert appropriate 
date];'' and
    (B) Held under the restrictions of the regulations in this part by 
a responsible person who must store the container in a manner that will 
protect the information (e.g., climate-controlled environment).
    (iv) The responsible person must be included on the access control 
list and be provided a means for decrypting the data. The responsible 
person must store the decryption tools on a device or at a location 
separate from the data they are used to encrypt or decrypt.
    (v) As soon as practicable after the end of the required retention 
period specified on the label, the portable electronic device or the 
original and backup electronic media must be sanitized to render the 
patient identifying information non-retrievable consistent with the 
policies established under Sec.  2.16.

0
14. Revise Sec.  2.20 to read as follows:


Sec.  2.20  Relationship to state laws.

    The statute authorizing the regulations in this part (42 U.S.C. 
290dd-2) does not preempt the field of law which they cover to the 
exclusion of all state laws in that field. If a use or disclosure 
permitted under the regulations in this part is prohibited under state 
law, neither the regulations in this part nor the authorizing statute 
may be construed to authorize any violation of that state law. However, 
no state law may either authorize or compel any use or disclosure 
prohibited by the regulations in this part.

0
15. Amend Sec.  2.21 by revising paragraph (b) to read as follows:


Sec.  2.21  Relationship to federal statutes protecting research 
subjects against compulsory disclosure of their identity.

* * * * *
    (b) Effect of concurrent coverage. The regulations in this part 
restrict the use and disclosure of information about patients, while 
administrative action taken under the research privilege statutes and 
implementing regulations in paragraph (a) of this section protects a 
person engaged in applicable research from being compelled to disclose 
any identifying characteristics of the individuals who are the subjects 
of that research. The issuance under subpart E of this part of a court 
order authorizing a disclosure of information about a patient does not 
affect an exercise of authority under these research privilege 
statutes.

0
16. Revise Sec.  2.22 to read as follows:


Sec.  2.22  Notice to patients of Federal confidentiality requirements.

    (a) Notice required. At the time of admission to a part 2 program 
or, in the case that a patient does not have capacity upon admission to 
understand their medical status, as soon thereafter as the patient 
attains such capacity, each part 2 program shall inform the patient 
that Federal law protects the confidentiality of substance use disorder 
patient records.
    (b) Content of notice. In addition to the communication required in 
paragraph (a) of this section, a part 2 program shall provide notice, 
written in plain language, of the program's legal duties and privacy 
practices, as specified in this paragraph (b).
    (1) Required elements. The notice must include the following 
content:
    (i) Header. The notice must contain the following statement as a 
header or otherwise prominently displayed.

Notice of Privacy Practices of [Name of Part 2 Program]

    This notice describes:
     HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
     YOUR RIGHTS WITH RESPECT TO YOUR HEALTH INFORMATION
     HOW TO FILE A COMPLAINT CONCERNING A VIOLATION OF THE 
PRIVACY OR SECURITY OF YOUR HEALTH INFORMATION, OR OF YOUR RIGHTS 
CONCERNING YOUR INFORMATION
    YOU HAVE A RIGHT TO A COPY OF THIS NOTICE (IN PAPER OR ELECTRONIC 
FORM) AND TO DISCUSS IT WITH [ENTER NAME OR TITLE] AT [PHONE AND EMAIL] 
IF YOU HAVE ANY QUESTIONS.
    (ii) Uses and disclosures. The notice must contain:
    (A) A description of each of the purposes for which the part 2 
program is permitted or required by this part to use or disclose 
records without the patient's written consent.
    (B) If a use or disclosure for any purpose described in paragraph 
(b)(1)(ii)(A) of this section is prohibited or materially limited by 
other applicable law, the description of such use or disclosure must 
reflect the more stringent law.
    (C) For each purpose described in accordance with paragraphs 
(b)(1)(ii)(A) and (B) of this section, the description must include 
sufficient detail to place the patient on notice of the uses and 
disclosures that are permitted or required by this part and other 
applicable law.
    (D) A description, including at least one example, of the types of 
uses and disclosures that require written consent under this part.
    (E) A statement that a patient may provide a single consent for all 
future

[[Page 12624]]

uses or disclosures for treatment, payment, and health care operations 
purposes.
    (F) A statement that the part 2 program will make uses and 
disclosures not described in the notice only with the patient's written 
consent.
    (G) A statement that the patient may revoke written consent as 
provided by Sec. Sec.  2.31 and 2.35.
    (H) A statement that includes the following information:
    (1) Records, or testimony relaying the content of such records, 
shall not be used or disclosed in any civil, administrative, criminal, 
or legislative proceedings against the patient unless based on specific 
written consent or a court order;
    (2) Records shall only be used or disclosed based on a court order 
after notice and an opportunity to be heard is provided to the patient 
or the holder of the record, where required by 42 U.S.C. 290dd-2 and 
this part; and
    (3) A court order authorizing use or disclosure must be accompanied 
by a subpoena or other similar legal mandate compelling disclosure 
before the record is used or disclosed.
    (iii) Separate statements for certain uses or disclosures. If the 
part 2 program intends to engage in any of the following activities, 
the description required by paragraph (b)(1)(ii)(D) of this section 
must include a separate statement as follows:
    (A) Records that are disclosed to a part 2 program, covered entity, 
or business associate pursuant to the patient's written consent for 
treatment, payment, and health care operations may be further disclosed 
by that part 2 program, covered entity, or business associate, without 
the patient's written consent, to the extent the HIPAA regulations 
permit such disclosure.
    (B) A part 2 program may use or disclose records to fundraise for 
the benefit of the part 2 program only if the patient is first provided 
with a clear and conspicuous opportunity to elect not to receive 
fundraising communications.
    (iv) Patient rights. The notice must contain a statement of the 
patient's rights with respect to their records and a brief description 
of how the patient may exercise these rights, as follows:
    (A) Right to request restrictions of disclosures made with prior 
consent for purposes of treatment, payment, and health care operations, 
as provided in Sec.  2.26.
    (B) Right to request and obtain restrictions of disclosures of 
records under this part to the patient's health plan for those services 
for which the patient has paid in full, in the same manner as 45 CFR 
164.522 applies to disclosures of protected health information.
    (C) Right to an accounting of disclosures of electronic records 
under this part for the past 3 years, as provided in Sec.  2.25, and a 
right to an accounting of disclosures that meets the requirements of 45 
CFR 164.528(a)(2) and (b) through (d) for all other disclosures made 
with consent.
    (D) Right to a list of disclosures by an intermediary for the past 
3 years as provided in Sec.  2.24.
    (E) Right to obtain a paper or electronic copy of the notice from 
the part 2 program upon request.
    (F) Right to discuss the notice with a designated contact person or 
office identified by the part 2 program pursuant to paragraph 
(b)(1)(vii) of this section.
    (G) Right to elect not to receive fundraising communications.
    (v) Part 2 program's duties. The notice must contain:
    (A) A statement that the part 2 program is required by law to 
maintain the privacy of records, to provide patients with notice of its 
legal duties and privacy practices with respect to records, and to 
notify affected patients following a breach of unsecured records;
    (B) A statement that the part 2 program is required to abide by the 
terms of the notice currently in effect; and
    (C) For the part 2 program to apply a change in a privacy practice 
that is described in the notice to records that the part 2 program 
created or received prior to issuing a revised notice, a statement that 
it reserves the right to change the terms of its notice and to make the 
new notice provisions effective for records that it maintains. The 
statement must also describe how it will provide patients with a 
revised notice.
    (vi) Complaints. The notice must contain a statement that patients 
may complain to the part 2 program and to the Secretary if they believe 
their privacy rights have been violated, a brief description of how the 
patient may file a complaint with the program, and a statement that the 
patient will not be retaliated against for filing a complaint.
    (vii) Contact. The notice must contain the name, or title, 
telephone number, and email address of a person or office to contact 
for further information about the notice.
    (viii) Effective date. The notice must contain the date on which 
the notice is first in effect, which may not be earlier than the date 
on which the notice is printed or otherwise published.
    (2) Optional elements. (i) In addition to the content required by 
paragraph (b)(1) of this section, if a part 2 program elects to limit 
the uses or disclosures that it is permitted to make under this part, 
the part 2 program may describe its more limited uses or disclosures in 
its notice, provided that the part 2 program may not include in its 
notice a limitation affecting its right to make a use or disclosure 
that is required by law or permitted to be made for emergency 
treatment.
    (ii) For the part 2 program to apply a change in its more limited 
uses and disclosures to records created or received prior to issuing a 
revised notice, the notice must include the statements required by 
paragraph (b)(1)(v)(C) of this section.
    (3) Revisions to the notice. The part 2 program must promptly 
revise and distribute its notice whenever there is a material change to 
the uses or disclosures, the patient's rights, the part 2 program's 
legal duties, or other privacy practices stated in the notice. Except 
when required by law, a material change to any term of the notice may 
not be implemented prior to the effective date of the notice in which 
such material change is reflected.
    (c) Implementation specifications: Provision of notice. A part 2 
program must make the notice required by this section available upon 
request to any person and to any patient; and
    (1) A part 2 program must provide the notice:
    (i) No later than the date of the first service delivery, including 
service delivered electronically, to such patient after the compliance 
date for the part 2 program; or
    (ii) In an emergency treatment situation, as soon as reasonably 
practicable after the emergency treatment situation.
    (2) If the part 2 program maintains a physical service delivery 
site:
    (i) Have the notice available at the service delivery site for 
patients to request to take with them; and
    (ii) Post the notice in a clear and prominent location where it is 
reasonable to expect patients seeking service from the part 2 program 
to be able to read the notice in a manner that does not identify the 
patient as receiving treatment or services for substance use disorder; 
and
    (iii) Whenever the notice is revised, make the notice available 
upon request on or after the effective date of the revision and 
promptly comply with the requirements of paragraph (c)(2)(ii) of this 
section, if applicable.
    (3) Specific requirements for electronic notice include all the 
following:

[[Page 12625]]

    (i) A part 2 program that maintains a website that provides 
information about the part 2 program's customer services or benefits 
must prominently post its notice on the website and make the notice 
available electronically through the website.
    (ii) A part 2 program may provide the notice required by this 
section to a patient by email, if the patient agrees to electronic 
notice and such agreement has not been withdrawn. If the part 2 program 
knows that the email transmission has failed, a paper copy of the 
notice must be provided to the patient. Provision of electronic notice 
by the part 2 program will satisfy the provision requirements of this 
paragraph (c) when timely made in accordance with paragraph (c)(1) or 
(2) of this section.
    (iii) For purposes of paragraph (c)(2)(i) of this section, if the 
first service delivery to an individual is delivered electronically, 
the part 2 program must provide electronic notice automatically and 
contemporaneously in response to the individual's first request for 
service. The requirements in paragraph (c)(2)(ii) of this section apply 
to electronic notice.
    (iv) The patient who is the recipient of electronic notice retains 
the right to obtain a paper copy of the notice from a part 2 program 
upon request.

0
17. Amend Sec.  2.23 by revising the section heading and paragraph (b) 
to read as follows:


Sec.  2.23  Patient access and restrictions on use and disclosure.

* * * * *
    (b) Restriction on use and disclosure of information. Information 
obtained by patient access to their record is subject to the 
restriction on use and disclosure of records to initiate or 
substantiate any criminal charges against the patient or to conduct any 
criminal investigation of the patient as provided for under Sec.  
2.12(d)(1).

0
18. Add Sec.  2.24 to subpart B to read as follows:


Sec.  2.24  Requirements for intermediaries.

    Upon request, an intermediary must provide to patients who have 
consented to the disclosure of their records using a general 
designation, pursuant to Sec.  2.31(a)(4)(ii)(B), a list of persons to 
which their records have been disclosed pursuant to the general 
designation.
    (a) Under this section, patient requests:
    (1) Must be made in writing; and
    (2) Are limited to disclosures made within the past 3 years.
    (b) Under this section, the entity named on the consent form that 
discloses information pursuant to a patient's general designation (the 
entity that serves as an intermediary) must:
    (1) Respond in 30 or fewer days of receipt of the written request; 
and
    (2) Provide, for each disclosure, the name(s) of the entity(ies) to 
which the disclosure was made, the date of the disclosure, and a brief 
description of the patient identifying information disclosed.

0
19. Add Sec.  2.25 to subpart B to read as follows:


Sec.  2.25  Accounting of disclosures.

    (a) General rule. Subject to the limitations in paragraph (b) of 
this section, a part 2 program must provide to a patient, upon request, 
an accounting of all disclosures made with consent under Sec.  2.31 in 
the 3 years prior to the date of the request (or a shorter time period 
chosen by the patient). The accounting of disclosures must meet the 
requirements of 45 CFR 164.528(a)(2) and (b) through (d).
    (b) Accounting of disclosures for treatment, payment, and health 
care operations. (1) A part 2 program must provide a patient with an 
accounting of disclosures of records for treatment, payment, and health 
care operations only where such disclosures are made through an 
electronic health record.
    (2) A patient has a right to receive an accounting of disclosures 
described in paragraph (b)(1) of this section during only the 3 years 
prior to the date on which the accounting is requested.

0
20. Add Sec.  2.26 to subpart B to read as follows:


Sec.  2.26  Right to request privacy protection for records.

    (a)(1) A part 2 program must permit a patient to request that the 
part 2 program restrict uses or disclosures of records about the 
patient to carry out treatment, payment, or health care operations, 
including when the patient has signed written consent for such 
disclosures.
    (2) Except as provided in paragraph (a)(6) of this section, a part 
2 program is not required to agree to a restriction.
    (3) A part 2 program that agrees to a restriction under paragraph 
(a)(1) of this section may not use or disclose records in violation of 
such restriction, except that, if the patient who requested the 
restriction is in need of emergency treatment and the restricted record 
is needed to provide the emergency treatment, the part 2 program may 
use the restricted record, or may disclose information derived from the 
record to a health care provider, to provide such treatment to the 
patient.
    (4) If information from a restricted record is disclosed to a 
health care provider for emergency treatment under paragraph (a)(3) of 
this section, the part 2 program must request that such health care 
provider not further use or disclose the information.
    (5) A restriction agreed to by a part 2 program under paragraph (a) 
of this section is not effective under this subpart to prevent uses or 
disclosures required by law or permitted by this part for purposes 
other than treatment, payment, and health care operations.
    (6) A part 2 program must agree to the request of a patient to 
restrict disclosure of records about the patient to a health plan if:
    (i) The disclosure is for the purpose of carrying out payment or 
health care operations and is not otherwise required by law; and
    (ii) The record pertains solely to a health care item or service 
for which the patient, or person other than the health plan on behalf 
of the patient, has paid the part 2 program in full.
    (b) A part 2 program may terminate a restriction, if one of the 
following applies:
    (1) The patient agrees to or requests the termination in writing.
    (2) The patient orally agrees to the termination and the oral 
agreement is documented.
    (3) The part 2 program informs the patient that it is terminating 
its agreement to a restriction, except that such termination is:
    (i) Not effective for records restricted under paragraph (a)(6) of 
this section; and
    (ii) Only effective with respect to records created or received 
after it has so informed the patient.

0
21. Revise the heading of subpart C to read as follows:

Subpart C--Uses and Disclosures With Patient Consent

* * * * *

0
22. Amend Sec.  2.31 by:
0
a. Revising paragraphs (a) introductory text and (a)(2) through (8);
0
b. Adding paragraph (a)(10);
0
c. Redesignating paragraph (b) as paragraph (c);
0
d. Adding a new paragraph (b);
0
e. Revising newly redesignated paragraph (c); and
0
f. Adding paragraph (d).
    The revisions and additions read as follows:


Sec.  2.31  Consent requirements.

    (a) Required elements for written consent. A written consent to a 
use or disclosure under the regulations in this

[[Page 12626]]

part may be paper or electronic and must include:
* * * * *
    (2) The name or other specific identification of the person(s), or 
class of persons, authorized to make the requested use or disclosure.
    (3) A description of the information to be used or disclosed that 
identifies the information in a specific and meaningful fashion.
    (4)(i) General requirement for designating recipients. The name(s) 
of the person(s), or class of persons, to which a disclosure is to be 
made (``recipient(s)''). For a single consent for all future uses and 
disclosures for treatment, payment, and health care operations, the 
recipient may be described as ``my treating providers, health plans, 
third-party payers, and people helping to operate this program'' or a 
similar statement.
    (ii) Special instructions for intermediaries. Notwithstanding 
paragraph (a)(4)(i) of this section, if the recipient entity is an 
intermediary, a written consent must include the name(s) of the 
intermediary(ies) and:
    (A) The name(s) of the member participants of the intermediary; or
    (B) A general designation of a participant(s) or class of 
participants, which must be limited to a participant(s) who has a 
treating provider relationship with the patient whose information is 
being used or disclosed.
    (iii) Special instructions when designating certain recipients. If 
the recipient is a covered entity or business associate to whom a 
record (or information contained in a record) is disclosed for purposes 
of treatment, payment, or health care operations, a written consent 
must include the statement that the patient's record (or information 
contained in the record) may be redisclosed in accordance with the 
permissions contained in the HIPAA regulations, except for uses and 
disclosures for civil, criminal, administrative, and legislative 
proceedings against the patient.
    (5) A description of each purpose of the requested use or 
disclosure.
    (i) The statement ``at the request of the patient'' is a sufficient 
description of the purpose when a patient initiates the consent and 
does not, or elects not to, provide a statement of the purpose.
    (ii) The statement, ``for treatment, payment, and health care 
operations'' is a sufficient description of the purpose when a patient 
provides consent once for all such future uses or disclosures for those 
purposes.
    (iii) If a part 2 program intends to use or disclose records to 
fundraise on its own behalf, a statement about the patient's right to 
elect not to receive any fundraising communications.
    (6) The patient's right to revoke the consent in writing, except to 
the extent that the part 2 program or other lawful holder of patient 
identifying information that is permitted to make the disclosure has 
already acted in reliance on it, and how the patient may revoke 
consent.
    (7) An expiration date or an expiration event that relates to the 
individual patient or the purpose of the use or disclosure. The 
statement ``end of the treatment,'' ``none,'' or similar language is 
sufficient if the consent is for a use or disclosure for treatment, 
payment, or health care operations. The statement ``end of the research 
study'' or similar language is sufficient if the consent is for a use 
or disclosure for research, including for the creation and maintenance 
of a research database or research repository.
    (8) The signature of the patient and, when required for a patient 
who is a minor, the signature of a person authorized to give consent 
under Sec.  2.14; or, when required for a patient who has been 
adjudicated as lacking the capacity to make their own health care 
decisions or is deceased, the signature of a person authorized to sign 
under Sec.  2.15. Electronic signatures are permitted to the extent 
that they are not prohibited by any applicable law.
* * * * *
    (10) A patient's written consent to use or disclose records for 
treatment, payment, or health care operations must include all of the 
following statements:
    (i) The potential for the records used or disclosed pursuant to the 
consent to be subject to redisclosure by the recipient and no longer 
protected by this part.
    (ii) The consequences to the patient of a refusal to sign the 
consent.
    (b) Consent required: SUD counseling notes. (1) Notwithstanding any 
provision of this subpart, a part 2 program must obtain consent for any 
use or disclosure of SUD counseling notes, except:
    (i) To carry out the following treatment, payment, or health care 
operations:
    (A) Use by the originator of the SUD counseling notes for 
treatment;
    (B) Use or disclosure by the part 2 program for its own training 
programs in which students, trainees, or practitioners in SUD treatment 
or mental health learn under supervision to practice or improve their 
skills in group, joint, family, or individual SUD counseling; or
    (C) Use or disclosure by the part 2 program to defend itself in a 
legal action or other proceeding brought by the patient;
    (ii) A use or disclosure that is required by Sec.  2.2(b) or 
permitted by Sec.  2.15(b); Sec.  2.53 with respect to the oversight of 
the originator of the SUD counseling notes; Sec.  2.63(a); Sec.  2.64.
    (2) A written consent for a use or disclosure of SUD counseling 
notes may only be combined with another written consent for a use or 
disclosure of SUD counseling notes.
    (3) A part 2 program may not condition the provision to a patient 
of treatment, payment, enrollment in a health plan, or eligibility for 
benefits on the provision of a written consent for a use or disclosure 
of SUD counseling notes.
    (c) Expired, deficient, or false consent. A disclosure may not be 
made on the basis of a consent which:
    (1) Has expired;
    (2) On its face substantially fails to conform to any of the 
requirements set forth in paragraph (a) of this section;
    (3) Is known to have been revoked; or
    (4) Is known, or through reasonable diligence could be known, by 
the person holding the records to be materially false.
    (d) Consent for use and disclosure of records in civil, criminal, 
administrative, or legislative proceedings. Patient consent for use and 
disclosure of records (or testimony relaying information contained in a 
record) in a civil, criminal, administrative, or legislative 
investigation or proceeding cannot be combined with a consent to use 
and disclose a record for any other purpose.

0
23. Revise Sec.  2.32 to read as follows:


Sec.  2.32  Notice and copy of consent to accompany disclosure.

    (a) Each disclosure made with the patient's written consent must be 
accompanied by one of the following written statements (i.e., paragraph 
(a)(1) or (2) of this section):
    (1) Statement 1.
    This record which has been disclosed to you is protected by Federal 
confidentiality rules (42 CFR part 2). These rules prohibit you from 
using or disclosing this record, or testimony that describes the 
information contained in this record, in any civil, criminal, 
administrative, or legislative proceedings by any Federal, State, or 
local authority, against the patient, unless authorized by the consent 
of the patient, except as provided at 42 CFR 2.12(c)(5) or as 
authorized by a court in accordance with 42 CFR 2.64 or 2.65. In 
addition, the Federal rules prohibit you

[[Page 12627]]

from making any other use or disclosure of this record unless at least 
one of the following applies:
    (i) Further use or disclosure is expressly permitted by the written 
consent of the individual whose information is being disclosed in this 
record or as otherwise permitted by 42 CFR part 2.
    (ii) You are a covered entity or business associate and have 
received the record for treatment, payment, or health care operations, 
or
    (iii) You have received the record from a covered entity or 
business associate as permitted by 45 CFR part 164, subparts A and E.
    A general authorization for the release of medical or other 
information is NOT sufficient to meet the required elements of written 
consent to further use or redisclose the record (see 42 CFR 2.31).
    (2) Statement 2. ``42 CFR part 2 prohibits unauthorized use or 
disclosure of these records.''
    (b) Each disclosure made with the patient's written consent must be 
accompanied by a copy of the consent or a clear explanation of the 
scope of the consent provided.

0
24. Revise Sec.  2.33 to read as follows:


Sec.  2.33  Uses and disclosures permitted with written consent.

    (a) If a patient consents to a use or disclosure of their records 
consistent with Sec.  2.31, the following uses and disclosures are 
permitted, as applicable:
    (1) A part 2 program may use and disclose those records in 
accordance with that consent to any person or category of persons 
identified or generally designated in the consent, except that 
disclosures to central registries and in connection with criminal 
justice referrals must meet the requirements of Sec. Sec.  2.34 and 
2.35, respectively.
    (2) When the consent provided is a single consent for all future 
uses and disclosures for treatment, payment, and health care 
operations, a part 2 program, covered entity, or business associate may 
use and disclose those records for treatment, payment, and health care 
operations as permitted by the HIPAA regulations, until such time as 
the patient revokes such consent in writing.
    (b) If a patient consents to a use or disclosure of their records 
consistent with Sec.  2.31, the recipient may further disclose such 
records as provided in subpart E of this part, and as follows:
    (1) When disclosed for treatment, payment, and health care 
operations activities to a covered entity or business associate, such 
recipient may further disclose those records in accordance with the 
HIPAA regulations, except for uses and disclosures for civil, criminal, 
administrative, and legislative proceedings against the patient.
    (2) When disclosed with consent given once for all future 
treatment, payment, and health care operations activities to a part 2 
program that is not a covered entity or business associate, the 
recipient may further disclose those records consistent with the 
consent.
    (3) When disclosed for payment or health care operations activities 
to a lawful holder that is not a covered entity or business associate, 
the recipient may further disclose those records as may be necessary 
for its contractors, subcontractors, or legal representatives to carry 
out the payment or health care operations specified in the consent on 
behalf of such lawful holders.
    (c) Lawful holders, other than covered entities and business 
associates, who wish to redisclose patient identifying information 
pursuant to paragraph (b)(3) of this section must have in place a 
written contract or comparable legal instrument with the contractor or 
voluntary legal representative, which provides that the contractor, 
subcontractor, or voluntary legal representative is fully bound by the 
provisions of this part upon receipt of the patient identifying 
information. In making any such redisclosures, the lawful holder must 
furnish such recipients with the notice required under Sec.  2.32; 
require such recipients to implement appropriate safeguards to prevent 
unauthorized uses and disclosures; and require such recipients to 
report any unauthorized uses, disclosures, or breaches of patient 
identifying information to the lawful holder. The lawful holder may 
only redisclose information to the contractor or subcontractor or 
voluntary legal representative that is necessary for the contractor, 
subcontractor, or voluntary legal representative to perform its duties 
under the contract or comparable legal instrument. Contracts may not 
permit a contractor, subcontractor, or voluntary legal representative 
to redisclose information to a third party unless that third party is a 
contract agent of the contractor or subcontractor, helping them provide 
services described in the contract, and only as long as the agent only 
further discloses the information back to the contractor or lawful 
holder from which the information originated.

0
25. Amend Sec.  2.34 by revising the section heading and paragraph (b) 
to read as follows:


Sec.  2.34  Uses and Disclosures to prevent multiple enrollments.

* * * * *
    (b) Use of information in records limited to prevention of multiple 
enrollments. A central registry and any withdrawal management or 
maintenance treatment program to which information is disclosed to 
prevent multiple enrollments may not use or redisclose patient 
identifying information for any purpose other than the prevention of 
multiple enrollments or to ensure appropriate coordinated care with a 
treating provider that is not a part 2 program unless authorized by a 
court order under subpart E of this part.
* * * * *

0
26. Amend Sec.  2.35 by revising paragraphs (a) introductory text, 
(a)(1), (b)(3), and (d) to read as follows:


Sec.  2.35  Disclosures to elements of the criminal justice system 
which have referred patients.

    (a) Consent for criminal justice referrals. A part 2 program may 
disclose information from a record about a patient to those persons 
within the criminal justice system who have made participation in the 
part 2 program a condition of the disposition of any criminal 
proceedings against the patient or of the patient's parole or other 
release from custody if:
    (1) The disclosure is made only to those persons within the 
criminal justice system who have a need for the information in 
connection with their duty to monitor the patient's progress (e.g., a 
prosecuting attorney who is withholding charges against the patient, a 
court granting pretrial or post-trial release, probation or parole 
officers responsible for supervision of the patient); and
* * * * *
    (b) * * *
    (3) Such other factors as the part 2 program, the patient, and the 
person(s) within the criminal justice system who will receive the 
disclosure consider pertinent.
* * * * *
    (d) Restrictions on use and redisclosure. Any persons within the 
criminal justice system who receive patient information under this 
section may use and redisclose it only to carry out official duties 
with regard to the patient's conditional release or other action in 
connection with which the consent was given.

0
27. Revise the heading of subpart D to read as follows:

Subpart D--Uses and Disclosures Without Patient Consent

* * * * *

[[Page 12628]]


0
28. Amend Sec.  2.51 by revising paragraph (c)(2) to read as follows:


Sec.  2.51  Medical emergencies.

* * * * *
    (c) * * *
    (2) The name of the person making the disclosure;
* * * * *

0
29. Amend Sec.  2.52 by:
0
a. Revising the section heading and paragraphs (a) introductory text, 
(a)(1) introductory text, (a)(1)(i), (a)(2), (b) introductory text, 
(b)(2) and (3), and (c)(1) introductory text;
0
b. Adding paragraph (c)(1)(iii); and
0
c. Removing the second paragraph (c)(2).
    The revisions and addition read as follows:


Sec.  2.52  Scientific research.

    (a) Use and disclosure of patient identifying information. 
Notwithstanding other provisions of this part, including paragraph 
(b)(2) of this section, patient identifying information may be used or 
disclosed for the purposes of the recipient conducting scientific 
research if:
    (1) The person designated as director or managing director, or 
person otherwise vested with authority to act as chief executive 
officer or their designee, of a part 2 program or other lawful holder 
of data under this part, makes a determination that the recipient of 
the patient identifying information is:
    (i) A HIPAA covered entity or business associate that has obtained 
and documented authorization from the patient, or a waiver or 
alteration of authorization, consistent with 45 CFR 164.508 or 
164.512(i), as applicable;
* * * * *
    (2) The part 2 program or other lawful holder of data under this 
part is a HIPAA covered entity or business associate, and the use or 
disclosure is made in accordance with the requirements at 45 CFR 
164.512(i).
* * * * *
    (b) Requirements for researchers. Any person conducting scientific 
research using patient identifying information obtained under paragraph 
(a) of this section:
* * * * *
    (2) Must not redisclose patient identifying information except back 
to the person from whom that patient identifying information was 
obtained or as permitted under paragraph (c) of this section.
    (3) May include data under this part in research reports only in 
aggregate form in which patient identifying information has been de-
identified in accordance with the requirements of 45 CFR 164.514(b) 
such that there is no reasonable basis to believe that the information 
can be used to identify a patient.
* * * * *
    (c) * * *
    (1) Researchers. Any person conducting scientific research using 
patient identifying information obtained under paragraph (a) of this 
section that requests linkages to data sets from a data repository(ies) 
holding patient identifying information must:
* * * * *
    (iii) Ensure that patient identifying information is not 
redisclosed for data linkage purposes other than as provided in this 
paragraph (c).
* * * * *

0
30. Amend Sec.  2.53 by:
0
a. Revising the section heading and paragraphs (a) introductory text, 
(a)(1)(ii), (b) introductory text, (b)(1)(iii), (b)(2)(ii), (c)(1) 
introductory text, (c)(1)(i), (e)(1) introductory text, (e)(1)(iii), 
(e)(5) and (6), and (f) heading; and
0
b. Adding paragraph (h).
    The revisions and addition read as follows:


Sec.  2.53  Management audits, financial audits, and program 
evaluation.

    (a) Records not copied or removed. If patient records are not 
downloaded, copied or removed from the premises of a part 2 program or 
other lawful holder, or forwarded electronically to another electronic 
system or device, patient identifying information, as defined in Sec.  
2.11, may be disclosed in the course of a review of records on the 
premises of a part 2 program or other lawful holder to any person who 
agrees in writing to comply with the limitations on use and 
redisclosure in paragraph (f) of this section and who:
    (1) * * *
    (ii) Any person which provides financial assistance to the part 2 
program or other lawful holder, which is a third-party payer or health 
plan covering patients in the part 2 program, or which is a quality 
improvement organization (QIO) performing a QIO review, or the 
contractors, subcontractors, or legal representatives of such person or 
quality improvement organization; or
* * * * *
    (b) Copying, removing, downloading, or forwarding patient records. 
Records containing patient identifying information, as defined in Sec.  
2.11, may be copied or removed from the premises of a part 2 program or 
other lawful holder or downloaded or forwarded to another electronic 
system or device from the part 2 program's or other lawful holder's 
electronic records by any person who:
    (1) * * *
    (iii) Comply with the limitations on use and disclosure in 
paragraph (f) of this section; and
    (2) * * *
    (ii) Any person which provides financial assistance to the part 2 
program or other lawful holder, which is a third-party payer or health 
plan covering patients in the part 2 program, or which is a quality 
improvement organization performing a QIO review, or the contractors, 
subcontractors, or legal representatives of such person or quality 
improvement organization; or
* * * * *
    (c) * * *
    (1) Activities undertaken by a Federal, state, or local 
governmental agency, or a third-party payer or health plan, in order 
to:
    (i) Identify actions the agency or third-party payer or health plan 
can make, such as changes to its policies or procedures, to improve 
care and outcomes for patients with substance use disorders who are 
treated by part 2 programs;
* * * * *
    (e) * * *
    (1) Patient identifying information, as defined in Sec.  2.11, may 
be disclosed under paragraph (e) of this section to any person for the 
purpose of conducting a Medicare, Medicaid, or CHIP audit or 
evaluation, including an audit or evaluation necessary to meet the 
requirements for a Centers for Medicare & Medicaid Services (CMS)-
regulated accountable care organization (CMS-regulated ACO) or similar 
CMS-regulated organization (including a CMS-regulated Qualified Entity 
(QE)), if the person agrees in writing to comply with the following:
* * * * *
    (iii) Comply with the limitations on use and disclosure in 
paragraph (f) of this section.
* * * * *
    (5) If a disclosure to a person is authorized under this section 
for a Medicare, Medicaid, or CHIP audit or evaluation, including a 
civil investigation or administrative remedy, as those terms are used 
in paragraph (e)(2) of this section, the person may further use or 
disclose the patient identifying information that is received for such 
purposes to its contractor(s), subcontractor(s), or legal 
representative(s), to carry out the audit or evaluation, and a quality 
improvement organization which

[[Page 12629]]

obtains such information under paragraph (a) or (b) of this section may 
use or disclose the information to that person (or, to such person's 
contractors, subcontractors, or legal representatives, but only for the 
purposes of this section).
    (6) The provisions of this paragraph (e) do not authorize the part 
2 program, the Federal, state, or local government agency, or any other 
person to use or disclose patient identifying information obtained 
during the audit or evaluation for any purposes other than those 
necessary to complete the audit or evaluation as specified in this 
paragraph (e).
    (f) Limitations on use and disclosure. * * *
    (h) Disclosures for health care operations. With respect to 
activities described in paragraphs (c) and (d) of this section, a part 
2 program, covered entity, or business associate may disclose records 
in accordance with a consent that includes health care operations, and 
the recipient may redisclose such records as permitted under the HIPAA 
regulations if the recipient is a covered entity or business associate.

0
31. Add Sec.  2.54 to subpart D to read as follows:


Sec.  2.54  Disclosures for public health.

    A part 2 program may disclose records for public health purposes 
without patient consent so long as:
    (a) The disclosure is made to a public health authority as defined 
in this part; and
    (b) The content of the information from the record disclosed has 
been de-identified in accordance with the requirements of 45 CFR 
164.514(b) such that there is no reasonable basis to believe that the 
information can be used to identify a patient.

0
32. Revise the heading of subpart E to read as follows:

Subpart E--Court Orders Authorizing Use and Disclosure

* * * * *

0
33. Revise Sec.  2.61 to read as follows:


Sec.  2.61  Legal effect of order.

    (a) Effect. An order of a court of competent jurisdiction entered 
under this subpart is a unique kind of court order. Its only purpose is 
to authorize a use or disclosure of patient information which would 
otherwise be prohibited by 42 U.S.C. 290dd-2 and the regulations in 
this part. Such an order does not compel use or disclosure. A subpoena 
or a similar legal mandate must be issued to compel use or disclosure. 
This mandate may be entered at the same time as and accompany an 
authorizing court order entered under the regulations in this part.
    (b) Examples. (1) A person holding records subject to the 
regulations in this part receives a subpoena for those records. The 
person may not use or disclose the records in response to the subpoena 
unless a court of competent jurisdiction enters an authorizing order 
under the regulations in this part.
    (2) An authorizing court order is entered under the regulations in 
this part, but the person holding the records does not want to make the 
use or disclosure. If there is no subpoena or other compulsory process 
or a subpoena for the records has expired or been quashed, that person 
may refuse to make the use or disclosure. Upon the entry of a valid 
subpoena or other compulsory process the person holding the records 
must use or disclose, unless there is a valid legal defense to the 
process other than the confidentiality restrictions of the regulations 
in this part.

0
34. Revise Sec.  2.62 to read as follows:


Sec.  2.62  Order not applicable to records disclosed without consent 
to researchers, auditors, and evaluators.

    A court order under the regulations in this part may not authorize 
persons who meet the criteria specified in Sec. Sec.  2.52(a)(1)(i) 
through (iii) and 2.53, who have received patient identifying 
information without consent for the purpose of conducting research, 
audit, or evaluation, to disclose that information or use it to conduct 
any criminal investigation or prosecution of a patient. However, a 
court order under Sec.  2.66 may authorize use and disclosure of 
records to investigate or prosecute such persons who are holding the 
records.

0
35. Amend Sec.  2.63 by revising paragraph (a)(3) to read as follows:


Sec.  2.63  Confidential communications.

    (a) * * *
    (3) The disclosure is in connection with a civil, criminal, 
administrative, or legislative proceeding in which the patient offers 
testimony or other evidence pertaining to the content of the 
confidential communications.
* * * * *

0
36. Amend Sec.  2.64 by revising the section heading and paragraphs 
(a), (b) introductory text, (d)(2), and (e) to read as follows:


Sec.  2.64  Procedures and criteria for orders authorizing uses and 
disclosures for noncriminal purposes.

    (a) Application. An order authorizing the use or disclosure of 
patient records or testimony relaying the information contained in the 
records for purposes other than criminal investigation or prosecution 
may be applied for by any person having a legally recognized interest 
in the use or disclosure which is sought in the course of a civil, 
administrative, or legislative proceeding. The application may be filed 
separately or as part of a pending civil action in which the applicant 
asserts that the patient records or testimony relaying the information 
contained in the records are needed to provide evidence. An application 
must use a fictitious name, such as John Doe, to refer to any patient 
and may not contain or otherwise disclose any patient identifying 
information unless the patient is the applicant or has given written 
consent (meeting the requirements of the regulations in this part) to 
disclosure or the court has ordered the record of the proceeding sealed 
from public scrutiny.
    (b) Notice. A court order under this section is only valid when the 
patient and the person holding the records from whom disclosure is 
sought have received:
* * * * *
    (d) * * *
    (2) The public interest and need for the use or disclosure outweigh 
the potential injury to the patient, the physician-patient relationship 
and the treatment services.
    (e) Content of order. An order authorizing a use or disclosure 
must:
    (1) Limit use or disclosure to only those parts of the patient's 
record, or testimony relaying those parts of the patient's record, 
which are essential to fulfill the objective of the order;
    (2) Limit use or disclosure to those persons whose need for 
information is the basis for the order; and
    (3) Include such other measures as are necessary to limit use or 
disclosure for the protection of the patient, the physician-patient 
relationship and the treatment services; for example, sealing from 
public scrutiny the record of any proceeding for which use or 
disclosure of a patient's record, or testimony relaying the contents of 
the record, has been ordered.

0
37. Amend Sec.  2.65 by revising the section heading and paragraphs 
(a), (b) introductory text, (d) introductory text, (d)(2), and (e) to 
read as follows:

[[Page 12630]]

Sec.  2.65  Procedures and criteria for orders authorizing use and 
disclosure of records to criminally investigate or prosecute patients.

    (a) Application. An order authorizing the use or disclosure of 
patient records, or testimony relaying the information contained in 
those records, to investigate or prosecute a patient in connection with 
a criminal proceeding may be applied for by the person holding the 
records or by any law enforcement or prosecutorial official who is 
responsible for conducting investigative or prosecutorial activities 
with respect to the enforcement of criminal laws, including 
administrative and legislative criminal proceedings. The application 
may be filed separately, as part of an application for a subpoena or 
other compulsory process, or in a pending criminal action. An 
application must use a fictitious name such as John Doe, to refer to 
any patient and may not contain or otherwise use or disclose patient 
identifying information unless the court has ordered the record of the 
proceeding sealed from public scrutiny.
    (b) Notice and hearing. Unless an order under Sec.  2.66 is sought 
in addition to an order under this section, an order under this section 
is valid only when the person holding the records has received:
* * * * *
    (d) Criteria. A court may authorize the use and disclosure of 
patient records, or testimony relaying the information contained in 
those records, for the purpose of conducting a criminal investigation 
or prosecution of a patient only if the court finds that all of the 
following criteria are met:
* * * * *
    (2) There is a reasonable likelihood that the records or testimony 
will disclose information of substantial value in the investigation or 
prosecution.
* * * * *
    (e) Content of order. Any order authorizing a use or disclosure of 
patient records subject to this part, or testimony relaying the 
information contained in those records, under this section must:
    (1) Limit use and disclosure to those parts of the patient's 
record, or testimony relaying the information contained in those 
records, which are essential to fulfill the objective of the order;
    (2) Limit disclosure to those law enforcement and prosecutorial 
officials who are responsible for, or are conducting, the investigation 
or prosecution, and limit their use of the records or testimony to 
investigation and prosecution of the extremely serious crime or 
suspected crime specified in the application; and
    (3) Include such other measures as are necessary to limit use and 
disclosure to the fulfillment of only that public interest and need 
found by the court.

0
38. Amend Sec.  2.66 by
0
a. Revising the section heading and paragraph (a)(1);
0
b. Adding paragraph (a)(3);
0
c. Revising paragraphs (b), (c), and (d).
    The revisions and addition read as follows:


Sec.  2.66  Procedures and criteria for orders authorizing use and 
disclosure of records to investigate or prosecute a part 2 program or 
the person holding the records.

    (a) * * *
    (1) An order authorizing the use or disclosure of patient records 
subject to this part to investigate or prosecute a part 2 program or 
the person holding the records (or employees or agents of that part 2 
program or person holding the records) in connection with a criminal or 
administrative matter may be applied for by any investigative agency 
having jurisdiction over the program's or person's activities.
* * * * *
    (3) Upon discovering in good faith that it received records under 
this part in the course of investigating or prosecuting a part 2 
program or the person holding the records (or employees or agents of 
that part 2 program or person holding the records), an investigative 
agency must do the following:
    (i) Secure the records in accordance with Sec.  2.16; and
    (ii) Immediately cease using and disclosing the records until the 
investigative agency obtains a court order consistent with paragraph 
(c) of this section authorizing the use and disclosure of the records 
and any records later obtained. The application for the court order 
must occur within a reasonable period of time, but not more than 120 
days after discovering it received records under this part; or
    (iii) If the agency does not seek a court order in accordance with 
paragraph (a)(3)(ii) of this section, the agency must either return the 
records to the part 2 program or person holding the records, if it is 
legally permissible to do so, within a reasonable period of time, but 
not more than 120 days after discovering it received records under this 
part; or
    (iv) If the agency does not seek a court order or return the 
records, the agency must destroy the records in a manner that renders 
the patient identifying information non-retrievable, within a 
reasonable period of time, but not more than 120 days after discovering 
it received records under this part.
    (v) If the agency's application for a court order is rejected by 
the court and no longer subject to appeal, the agency must return the 
records to the part 2 program or person holding the records, if it is 
legally permissible to do so, or destroy the records immediately after 
notice from the court.
    (b) Notice not required. An application under this section may, in 
the discretion of the court, be granted without notice. Although no 
express notice is required to the part 2 program, to the person holding 
the records, or to any patient whose records are to be disclosed, upon 
implementation of an order so granted any of those persons must be 
afforded an opportunity to seek revocation or amendment of that order, 
limited to the presentation of evidence on the statutory and regulatory 
criteria for the issuance of the court order in accordance with 
paragraph (c) of this section. If a court finds that individualized 
contact is impractical under the circumstances, patients may be 
informed of the opportunity through a substitute form of notice that 
the court determines is reasonably calculated to reach the patients, 
such as conspicuous notice in major print or broadcast media in 
geographic areas where the affected patients likely reside.
    (c) Requirements for order. An order under this section must be 
entered in accordance with, and comply with the requirements of Sec.  
2.64(e). In addition, an order under this section may be entered only 
if the court determines that good cause exists. To make such good cause 
determination, the court must find that:
    (1) Other ways of obtaining the information are not available, 
would not be effective, or would yield incomplete information;
    (2) The public interest and need for the use or disclosure outweigh 
the potential injury to the patient, the physician-patient 
relationship, and the treatment services; and
    (3) For an application being submitted pursuant to paragraph 
(a)(3)(ii) of this section, the investigative agency has satisfied the 
conditions at Sec.  2.3(b). Information from records obtained in 
violation of this part, including Sec.  2.12(d), cannot be used in an 
application for a court order to obtain such records.
    (d) Limitations on use and disclosure of patient identifying 
information. (1) An order entered under this section must require the 
deletion or removal of patient identifying information from any 
documents or oral testimony made available to the public.

[[Page 12631]]

    (2) No information obtained under this section may be used or 
disclosed to conduct any investigation or prosecution of a patient in 
connection with a criminal matter, or be used or disclosed as the basis 
for an application for an order under Sec.  2.65.

0
39. Amend Sec.  2.67 by revising paragraphs (a), (c), (d)(3), and (e) 
to read as follows:


Sec.  2.67  Orders authorizing the use of undercover agents and 
informants to investigate employees or agents of a part 2 program in 
connection with a criminal matter.

    (a) Application. A court order authorizing the placement of an 
undercover agent or informant in a part 2 program as an employee or 
patient may be applied for by any investigative agency which has reason 
to believe that employees or agents of the part 2 program are engaged 
in criminal misconduct.
* * * * *
    (c) Criteria. An order under this section may be entered only if 
the court determines that good cause exists. To make such good cause 
determination, the court must find all of the following:
    (1) There is reason to believe that an employee or agent of the 
part 2 program is engaged in criminal activity;
    (2) Other ways of obtaining evidence of the suspected criminal 
activity are not available, would not be effective, or would yield 
incomplete evidence;
    (3) The public interest and need for the placement of an undercover 
agent or informant in the part 2 program outweigh the potential injury 
to patients of the part 2 program, physician-patient relationships, and 
the treatment services; and
    (4) For an application submitted after the placement of an 
undercover agent or informant has already occurred, that the 
investigative agency has satisfied the conditions at Sec.  2.3(b) and 
only discovered that a court order was necessary after such placement 
occurred. Information from records obtained in violation of this part, 
including Sec.  2.12(d), cannot be used in an application for a court 
order to obtain such records.
    (d) * * *
    (3) Prohibit the undercover agent or informant from using or 
disclosing any patient identifying information obtained from the 
placement except as necessary to investigate or prosecute employees or 
agents of the part 2 program in connection with the suspected criminal 
activity; and
* * * * *
    (e) Limitation on use and disclosure of information. No information 
obtained by an undercover agent or informant placed in a part 2 program 
under this section may be used or disclosed to investigate or prosecute 
any patient in connection with a criminal matter or as the basis for an 
application for an order under Sec.  2.65.

0
40. Add Sec.  2.68 to subpart E to read as follows:


Sec.  2.68  Report to the Secretary.

    (a) Any investigative agency covered by this part shall report to 
the Secretary, not later than 60 days after the end of each calendar 
year, to the extent applicable and practicable, on:
    (1) The number of applications made under Sec. Sec.  2.66(a)(3)(ii) 
and 2.67(c)(4) during the calendar year;
    (2) The number of instances in which such applications were denied, 
due to findings by the court of violations of this part during the 
calendar year; and
    (3) The number of instances in which records under this part were 
returned or destroyed following unknowing receipt without a court 
order, in compliance with Sec.  2.66(a)(3)(iii), (iv), or (v), 
respectively during the calendar year.
    (b) [Reserved]

Xavier Becerra,
Secretary, Department of Health and Human Services.
[FR Doc. 2024-02544 Filed 2-8-24; 11:15 am]
BILLING CODE 4153-01-P