[Federal Register Volume 82, Number 11 (Wednesday, January 18, 2017)]
[Rules and Regulations]
[Pages 6052-6127]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-00719]



[[Page 6051]]

Vol. 82

Wednesday,

No. 11

January 18, 2017

Part VII





Department of Health and Human Services





-----------------------------------------------------------------------





42 CFR Part 2





Confidentiality of Substance Use Disorder Patient Records; Final Rule

Federal Register / Vol. 82 , No. 11 / Wednesday, January 18, 2017 / 
Rules and Regulations

[[Page 6052]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

42 CFR Part 2

[SAMHSA-4162-20]
RIN 0930-AA21


Confidentiality of Substance Use Disorder Patient Records

AGENCY: Substance Abuse and Mental Health Services Administration, HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services (HHS) is issuing 
this final rule to update and modernize the Confidentiality of Alcohol 
and Drug Abuse Patient Records regulations and facilitate information 
exchange within new health care models while addressing the legitimate 
privacy concerns of patients seeking treatment for a substance use 
disorder. These modifications also help clarify the regulations and 
reduce unnecessary burden.

DATES: Effective date: This final rule is effective February 17, 2017.

FOR FURTHER INFORMATION CONTACT: Danielle Tarino, Telephone number: 
(240) 276-2857, Email address: [email protected].

SUPPLEMENTARY INFORMATION:

Preamble Table of Contents

I. Executive Summary
    A. Purpose of the Regulatory Action
    B. Summary of the Major Provisions
    C. Summary of Impacts
II. Background
    A. Significant Technology Changes
    B. Statutory and Rulemaking History
III. Overview of the Final Rule
IV. Effective Date
V. Discussion of Public Comments and Final Modifications to 42 CFR 
part 2
    A. General Comments on the Proposed Rule
    1. General Feedback on the Proposed Rule
    a. General Support for the Proposed Rule
    b. General Opposition to the Proposed Rule
    2. The Proposed Rule Did Not Go Far Enough To Facilitate 
Information Exchange
    3. Final Rule Should Balance Patient Protections With Enhanced 
Information Exchange
    4. Part 2 Should Align With the Health Insurance Portability and 
Accountability Act
    B. Statutory Authority (Sec.  2.1)
    C. Reports of Violations (Sec.  [thinsp]2.4)
    D. Definitions (Sec.  [thinsp]2.11)
    1. New Definitions
    a. Part 2 Program
    b. Part 2 Program Director
    c. Substance Use Disorder
    d. Treating Provider Relationship
    e. Withdrawal Management
    2. Existing Definitions
    a. Central Registry
    b. Disclose or Disclosure
    c. Maintenance Treatment
    d. Member Program
    e. Patient
    f. Patient Identifying Information
    g. Person
    h. Program
    i. Qualified Service Organization
    j. Records
    k. Treatment
    3. Terminology Changes
    4. Other Comments on Definitions
    E. Applicability (Sec.  [thinsp]2.12)
    F. Confidentiality Restrictions and Safeguards (Sec.  
[thinsp]2.13)
    1. Delayed Implementation of List of Disclosures Provision
    2. Responsibilities Under the List of Disclosures Process
    3. Technological Challenges and Burden of the List of 
Disclosures Provision
    4. Recommendations to Further Protect Patient Privacy
    5. Other Comments and Recommendations on the List of Disclosures 
Provision
    G. Security for Records (Sec.  [thinsp]2.16)
    H. Disposition of Records by Discontinued Programs (Sec.  
[thinsp]2.19)
    I. Notice to Patients of Federal Confidentiality Requirements 
(Sec.  [thinsp]2.22)
    J. Consent Requirements (Sec.  [thinsp]2.31)
    1. General Comments on Consent Requirements
    a. General
    b. Consent Form Validity Period
    c. Technical Challenges to Proposed Consent Requirements
    d. Requests for Exemptions and Exceptions
    e. Commenter Recommendations
    2. To Whom
    a. General
    b. Determination of Treating Provider Relationship
    c. Requests for Clarification
    d. Commenter Recommendations
    e. Proposed Alternative Approach for ``To Whom'' Section
    3. Amount and Kind
    a. General
    b. Impact of the Amount and Kind Requirement on Providers and 
Patients
    c. Required Substance Use Disorder Information on Consent Forms
    d. Requests for Clarification
    4. From Whom
    5. New Requirements
    K. Prohibition on Re-Disclosure (Sec.  [thinsp]2.32)
    1. General
    2. Impact of Re-Disclosure Prohibition on Patient Privacy and 
Patient Choice
    3. Disclosure of Information that May Indicate a Substance Use 
Disorder
    4. Technical Challenges in Preventing Unauthorized Re-Disclosure
    5. Requests for Clarification of the Re-Disclosure Prohibition
    6. Recommendations to Improve the Prohibition on Re-Disclosure
    L. Disclosures to Prevent Multiple Enrollments (Sec.  
[thinsp]2.34)
    M. Medical Emergencies (Sec.  [thinsp]2.51)
    1. General
    2. Definition of ``Bona Fide Medical Emergency''
    3. Documentation of Medical Emergency
    4. Other Comments on Medical Emergency
    N. Research (Sec.  [thinsp]2.52)
    1. General
    2. Suggestions for Improvement of the Research Provisions
    3. HIPAA and HHS Common Rule Requirements
    4. Data Linkages
    5. Multi-Payer Claims Database
    O. Audit and Evaluation (Sec.  [thinsp]2.53)
    P. Other Public Comments on the Proposed Rule
    1. Requests to Extend the Public Comment Period
    2. Rulemaking Process
    3. Implementation Timeline and Other Barriers to Implementation
    4. Educational Opportunities
    5. Increased Enforcement
    6. Other Miscellaneous Comments on the Proposed Rule
VI. Rulemaking Analyses
    A. Paperwork Reduction Act
    B. Regulatory Impact Analysis
    C. Regulatory Flexibility Act
    D. Unfunded Mandates Reform Act
    E. Federalism (Executive Order 13132)

Acronyms

ACO Accountable Care Organization
ABAM American Board of Addiction Medicine
ADAMHA Alcohol, Drug Abuse and Mental Health Administration
APCD All Payer Claims Database
ARRA American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5)
ASAM American Society of Addiction Medicine
ATR Access to Recovery
C-CDA Consolidated-Clinical Document Architecture
CCD Continuity of Care Document
CCLF Claim and Claim Line Feed
CCO Coordinated Care Organization
CFR Code of Federal Regulations
CHIP Children's Health Insurance Program
CMS Centers for Medicare & Medicaid Services
CPCMH Certified Patient-Centered Medical Home
DS4P Data Segmentation for Privacy
EHR Electronic Health Record
EQRO External Quality Review Organization
FAQ Frequently Asked Question
FAX Facsimile
FDA Food and Drug Administration
FR Federal Register
HHS Department of Health and Human Services
HIE Health Information Exchange
HIO Health Information Organization
HIPAA Health Insurance Portability and Accountability Act of 1996 
(Pub. L. 104-191)
HITECH Health Information Technology for Economic and Clinical 
Health Act of 2009 (Pub. L. 111-5, title XIII of division A and 
title IV of division B)
HITPC Health Information Technology Privacy Committee
IG Implementation Guide
IRB Institutional Review Board
IT Information Technology

[[Page 6053]]

MCO Managed Care Organization
MPCD Multi-Payer Claims Database
NCQA National Committee for Quality Assurance
NPRM Notice of Proposed Rulemaking
N-SSATS National Survey of Substance Abuse Treatment Services
OHRP Office for Human Research Protections
OMB Office of Management and Budget
ONC Office of the National Coordinator for Health Information 
Technology
PDMP Prescription Drug Monitoring Program
PPS Performing Provider System
QE Qualified Entity
QSO Qualified Service Organization
QSOA Qualified Service Organization Agreement
RFA Regulatory Flexibility Act
RHIO Regional Health Information Organization
SAMHSA Substance Abuse and Mental Health Services Administration
SBIRT Screening, Brief Intervention, and Referrals for Treatment
S&I Standards and Interoperability
TEDS Treatment Episode Data Set
U.S.C. United States Code
USAO United States Attorney's Office
VA Department of Veterans Affairs

I. Executive Summary

A. Purpose of the Regulatory Action

    The laws and regulations governing the confidentiality of substance 
use disorder records were written out of great concern about the 
potential use of substance use disorder information against 
individuals, causing individuals with substance use disorders not to 
seek needed treatment. The disclosure of records of individuals with 
substance use disorders has the potential to lead to a host of negative 
consequences, including: Loss of employment, loss of housing, loss of 
child custody, discrimination by medical professionals and insurers, 
arrest, prosecution, and incarceration. The purpose of the regulations 
at title 42 of the Code of Federal Regulations (CFR) part 2 (42 CFR 
part 2) is to ensure that a patient receiving treatment for a substance 
use disorder in a part 2 program is not made more vulnerable by reason 
of the availability of their patient record than an individual with a 
substance use disorder who does not seek treatment. Now, more than 29 
years since the part 2 regulations were last substantively amended, 
this final rule makes policy changes to the regulations to better align 
them with advances in the U.S. health care delivery system while 
retaining important privacy protections.
Need for Regulatory Action
    The last substantive update to these regulations was in 1987. Over 
the last 29 years, significant changes have occurred within the U.S. 
health care system that were not envisioned by the current (1987) 
regulations, including new models of integrated care that are built on 
a foundation of information sharing to support coordination of patient 
care, the development of an electronic infrastructure for managing and 
exchanging patient information, and a new focus on performance 
measurement within the health care system. SAMHSA wants to ensure that 
patients with substance use disorders have the ability to participate 
in, and benefit from health system delivery improvements, including 
from new integrated health care models while providing appropriate 
privacy safeguards. These new integrated models are foundational to 
HHS's delivery system reform goals of better care, smarter spending, 
and healthier people.
Legal Authority for Regulatory Action
    This final rule revises 42 CFR part 2, Confidentiality of Alcohol 
and Drug Abuse Patient Records regulations. The authorizing statute, 
Title 42, United States Code (U.S.C.) 290dd-2, protects the 
confidentiality of the records containing the identity, diagnosis, 
prognosis, or treatment of any patient that are maintained in 
connection with the performance of any federally assisted program or 
activity relating to substance abuse (now referred to as substance use 
disorder) education, prevention, training, treatment, rehabilitation, 
or research. Title 42 of the CFR part 2 was first promulgated in 1975 
(40 FR 27802) and last substantively updated in 1987 (52 FR 21796).

B. Summary of the Major Provisions

    Proposed modifications to 42 CFR part 2 were published as a Notice 
of Proposed Rulemaking (NPRM) on February 9, 2016 (81 FR 6988). After 
consideration of the public comments received in response to the NPRM, 
SAMHSA is issuing this final rule amending 14 major provisions of 42 
CFR part 2, as follows:
    Statutory authority for confidentiality of substance use disorder 
patient records (Sec.  2.1) combines old Sec.  [thinsp]2.1 (Statutory 
authority for confidentiality of drug abuse patient records), and Sec.  
[thinsp]2.2 (Statutory authority for confidentiality of alcohol abuse 
patient records) and deleting references to 42 U.S.C. 290ee-3 and 42 
U.S.C. 290dd-3, as these U.S.C. sections were omitted by Public Law 
102-321 and combined and renamed into Section 290dd-2, Confidentiality 
of records. Because SAMHSA combined former Sec. Sec.  [thinsp]2.1 and 
2.2 into Sec.  2.1, we redesignated Sec. Sec.  [thinsp]2.2 through 2.5 
accordingly.
    Reports of violations (Sec.  [thinsp]2.4) revises the requirement 
for reporting violations of these regulations by methadone programs 
(now referred to as opioid treatment programs) to the Food and Drug 
Administration (FDA) because the authority over these programs was 
transferred from the FDA to the Substance Abuse and Mental Health 
Services Administration (SAMHSA) in 2001.
    Definitions (Sec.  [thinsp]2.11) revises some existing definitions, 
adds new definitions of key terms that apply to 42 CFR part 2, and 
consolidates all but one of the definitions that are currently in other 
sections into Sec.  [thinsp]2.11 (e.g., the definition of ``Minor'' 
previously found in Sec.  2.14(a)). We revised the definitions of 
``Central registry,'' ``Disclose or disclosure,'' ``Maintenance 
treatment,'' ``Member program,'' ``Patient,'' ``Patient identifying 
information,'' ``Person,'' ``Program,'' ``Qualified service 
organization (QSO),'' ``Records,'' and ``Treatment.'' We also added 
definitions of ``Part 2 program,'' ``Part 2 program director,'' 
``Substance use disorder,'' ``Treating provider relationship,'' and 
``Withdrawal management,'' some of which replaced existing definitions. 
In addition, SAMHSA revised the regulatory text to use terminology in a 
consistent manner. The following definitions were not revised 
substantively: ``Diagnosis,'' ``Informant,'' ``Minor,'' ``Third-party 
payer,'' and ``Undercover agent.''
    Applicability (Sec.  [thinsp]2.12) continues to apply the 42 CFR 
part 2 regulations to a program that is federally assisted and holds 
itself out as providing, and provides, substance use disorder 
diagnosis, treatment, or referral for treatment. Most changes to the 
applicability of the part 2 regulations result from SAMHSA's decision 
not to finalize one of its proposed changes to the definition of 
``Program'' (see Sec.  2.11, Definitions). Whereas the NPRM definition 
of ``Program'' included, under certain conditions, ``general medical 
practices'' in addition to ``general medical facilities,'' the 
definition in this final rule is limited to ``general medical 
facilities.'' However, consistent with the NPRM, the definition of 
``Program'' continues to use the term ``general medical facility'' 
rather than both ``general medical facility'' and ``general medical 
care facility'' that were used interchangeably in the 1987 final rule 
definition of ``Program.'' For example, an identified unit within a 
general medical facility is subject to part 2 if it holds itself out as 
providing, and provides, substance use disorder

[[Page 6054]]

diagnosis, treatment, or referral for treatment. In addition, if the 
primary function of medical personnel or other staff in a general 
medical facility is the provision of such services and they are 
identified as providing such services, they are considered a 
``Program'' and, thus, subject to part 2. This final rule revises Sec.  
[thinsp]2.12(d)(2)(i)(C) so that restrictions on disclosures also apply 
to individuals or entities who receive patient records from other 
lawful holders of patient identifying information, such that patient 
records subject to the part 2 regulations include substance use 
disorder records maintained by part 2 programs, as well as those 
records in the possession of ``other lawful holders of patient 
identifying information.''
    Confidentiality restrictions and safeguards (Sec.  [thinsp]2.13) 
adds a requirement that, upon request, patients who have included a 
general designation in the ``To Whom'' section of their consent form 
(see Sec.  [thinsp]2.31) must be provided a list of entities (referred 
to as a List of Disclosures) to which their information has been 
disclosed pursuant to the general designation.
    Security for records (Sec.  [thinsp]2.16) clarifies that this 
section requires both part 2 programs and other lawful holders of 
patient identifying information to have in place formal policies and 
procedures addressing security, including sanitization of associated 
media, for both paper and electronic records.
    Disposition of records by discontinued programs (Sec.  
[thinsp]2.19) addresses both paper and electronic records. SAMHSA also 
added requirements for sanitizing associated media.
    In Section I., Notice to Patients of Federal Confidentiality 
Requirements (Sec.  [thinsp]2.22), SAMHSA clarifies that the written 
summary of federal law and regulations may be provided to patients in 
either paper or electronic format. SAMHSA also revised Sec.  2.22 to 
require the statement regarding the reporting of violations include 
contact information for the appropriate authorities.
    Consent requirements (Sec.  [thinsp]2.31) permits, in certain 
circumstances, a patient to include a general designation in the ``To 
Whom'' section of the consent form, in conjunction with requirements 
that the consent form include an explicit description of the amount and 
kind of substance use disorder treatment information that may be 
disclosed. SAMHSA decided not to finalize its proposed changes to the 
``From Whom'' section, but did make minor updates to the terminology in 
the text. SAMHSA also revised Sec.  2.31 to require the part 2 program 
or other lawful holder of patient identifying information to include a 
statement on the consent form when using a general designation in the 
``To Whom'' section of the consent form that patients have a right to 
obtain, upon request, a list of entities to which their information has 
been disclosed pursuant to the general designation (see Sec.  
[thinsp]2.13). In addition, SAMHSA revised Sec.  2.31 to permit 
electronic signatures to the extent that they are not prohibited by any 
applicable law.
    In Section K., Prohibition on Re-disclosure (Sec.  [thinsp]2.32), 
SAMHSA clarifies that the prohibition on re-disclosure only applies to 
information that would identify, directly or indirectly, an individual 
as having been diagnosed, treated, or referred for treatment for a 
substance use disorder, such as indicated through standard medical 
codes, descriptive language, or both, and allows other health-related 
information shared by the part 2 program to be re-disclosed, if 
permissible under other applicable laws.
    Disclosures to prevent multiple enrollments (Sec.  [thinsp]2.34) 
modernizes the terminology and definitions and moves the definitions to 
Sec.  [thinsp]2.11 (Definitions).
    Medical emergencies (Sec.  [thinsp]2.51) revises the medical 
emergency exception to make it consistent with the statutory language 
and to give providers more discretion to determine when a ``bona fide 
medical emergency'' exists.
    Research (Sec.  [thinsp]2.52) revises the research exception to 
permit data protected by 42 CFR part 2 to be disclosed to qualified 
personnel for the purpose of conducting scientific research by a part 2 
program or any other individual or entity that is in lawful possession 
of part 2 data if the researcher provides documentation of meeting 
certain requirements related to other existing protections for human 
research. SAMHSA also revised Sec.  2.52 to address data linkages to 
enable researchers holding part 2 data to obtain linkages to other 
datasets, provided that appropriate safeguards are in place as outlined 
in section 2.52.
    Audit and evaluation (Sec.  [thinsp]2.53) modernizes the 
requirements to include provisions governing both paper and electronic 
patient records. SAMHSA also revised Sec.  2.53 to permit an audit or 
evaluation necessary to meet the requirements of a Centers for Medicare 
& Medicaid Services (CMS)-regulated accountable care organization (CMS-
regulated ACO) or similar CMS-regulated organization (including a CMS-
regulated Qualified Entity (QE)), under certain conditions.
    The other sections in 42 CFR part 2 that are not referenced above 
are not addressed in this final rule nor were they discussed in the 
NPRM because SAMHSA is maintaining their content substantively 
unchanged from the 1987 final rule.

C. Summary of Impacts

    In the first year that the final rule is in effect, we estimate 
that the total costs associated with updates to 42 CFR part 2 will be 
roughly $70,691,000. In year two we estimate that costs will be 
$17,680,000, and increase annually as a larger share of entities 
implement List of Disclosures requirements and respond to disclosure 
requests. Over the 10-year period of 2016-2025, the total undiscounted 
cost of the part 2 changes will be about $241 million in 2016 dollars. 
When future costs are discounted at 3 percent or 7 percent per year, 
the total costs become approximately $217,586,000 or $193,098,000, 
respectively. These costs are presented in the tables below.
    Costs associated with the 42 CFR part 2 final rule, include: 
updates to health IT system costs, costs for staff training and updates 
to training curricula, costs to update patient consent forms, costs 
associated with providing patients a list of entities to which their 
information has been disclosed pursuant to a general designation on the 
consent form (i.e., the List of Disclosures requirement), and 
implementation costs associated with the List of Disclosures 
requirements. We assumed that costs associated with modifications to 
existing health IT systems, staff training costs associated with 
updating staff training materials, and costs to update consent forms 
will be one-time costs the first year the final rule is in effect and 
will not carry forward into future years. Staff training costs other 
than those associated with updating training materials are assumed to 
be ongoing annual costs to part 2 programs, also beginning in the first 
year that the final rule is in effect. The List of Disclosures costs 
are assumed to be ongoing annual costs to entities named on a consent 
form that disclose patient identifying information to their 
participants under the general designation. Costs associated with the 
List of Disclosures provision are limited to implementation costs for 
entities that chose to upgrade their health IT systems in order to 
comply with the List of Disclosures requirements. Several provisions in 
the final rule reference other lawful holders of patient identifying 
information in combination with part 2 programs. These other lawful 
holders must comply with part 2 requirements with respect to 
information they maintain that is covered by part 2 regulations. 
However,

[[Page 6055]]

because this group is not clearly defined with respect to the range of 
organizations it may include, we are unable to include estimates 
regarding the number and type of these organizations and are only 
including part 2 programs in this analysis.
    The benefits of modernizing the part 2 regulations is to increase 
opportunities for individuals with substance use disorders to 
participate in new and emerging health and health care models and 
health information technology (IT). The final rule will facilitate the 
sharing of information within the health care system to support new 
models of integrated health care which, among other things, improve 
patient safety while maintaining or strengthening privacy protections 
for individuals seeking treatment for substance use disorders. 
Moreover, as patients are allowed, in certain circumstances, to include 
a general designation in the ``To Whom'' section of the consent form, 
we anticipate there will be more individuals with substance use 
disorders participating in organizations that facilitate the exchange 
of health information (e.g., health information exchanges (HIEs)) and 
organizations that coordinate care (e.g., ACOs and coordinated care 
organizations (CCOs)), leading to increased efficiency and quality in 
the provision of health care for this population. In addition, the 
revisions to the research provision (Sec.  2.52) will allow additional 
scientific research to be conducted that will facilitate continual 
quality improvement of part 2 programs and the important services they 
offer.

II. Background

A. Significant Technology Changes

    Since the promulgation of 42 CFR part 2, significant technology 
changes have impacted the delivery of health care. The Office of the 
National Coordinator for Health Information Technology (ONC) was 
established as an office within HHS under Executive Order 13335 on 
April 27, 2004. Subsequently, on February 17, 2009, the Health 
Information Technology for Economic and Clinical Health Act (HITECH 
Act) of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. 
L. 111-5) expanded the Department's health IT work, including the 
expansion of ONC's authority and the provision of federal funds for 
ONC's activities consistent with the development of a nationwide health 
IT infrastructure. This work included the certification of health IT; 
the authorization of CMS' Electronic Health Record (EHR) Incentive 
Program, including payments to eligible providers for the adoption and 
meaningful use of certified EHR technology; and numerous other federal 
agencies' programs--all of which served the objective of ensuring 
patient health information is secure, private, accurate, and available 
where and when needed. SAMHSA's role in encouraging the use of health 
IT by behavioral health (substance use disorder and mental health) 
providers, included: (1) Collaborating with ONC to develop two sets of 
Frequently Asked Questions (FAQs) and convening a number of stakeholder 
meetings to provide guidance on the application of 42 CFR part 2 to HIE 
models; (2) a one-year pilot project with five state HIEs to support 
the exchange of health information among behavioral health and physical 
health providers; and (3) the Data Segmentation for Privacy (DS4P) 
initiative within ONC's Standards and Interoperability (S&I) Framework 
facilitated:
     The development of standards to improve the 
interoperability of EHRs containing sensitive information that must be 
protected to a greater degree than other health information due to 42 
CFR part 2 and similar state laws,
     six DS4P Implementation Guide (IG) use case pilot projects 
including the Department of Veterans Affairs (VA)/SAMHSA Pilot that 
implemented all the DS4P use cases and passed all conformance tests, 
and
     the development of the application branded Consent2Share, 
an open-source health IT solution based on DS4P which assists in 
consent management and data segmentation. Consent2Share is currently 
being used by the Prince Georges County (Maryland) Health Department to 
manage patient consent directives while sharing substance use disorder 
information with an HIE.
    Despite SAMHSA's efforts, some stakeholders continued to request 
modernization of 42 CFR part 2 out of concern that part 2, as written 
in the current (1987) regulation, continues to be a barrier to the 
integration of substance use disorder treatment and physical health 
care. As noted below, SAMHSA plans to release shortly an updated 
version of Consent2Share with improved functionality and ability to 
meet List of Disclosures requirements.

B. Statutory and Rulemaking History

    The Confidentiality of Alcohol and Drug Abuse Patient Records 
regulations, 42 CFR part 2, implement Section 543 of the Public Health 
Service Act, 42 U.S.C. 290dd-2, as amended by Section 131 of the 
Alcohol, Drug Abuse and Mental Health Administration Reorganization Act 
(ADAMHA Reorganization Act), Public Law 102-321 (July 10, 1992). The 
regulations were promulgated as a final rule on July 1, 1975 (40 FR 
27802). In 1980, the Department invited public comment on 15 
substantive issues arising out of its experience interpreting and 
implementing the regulations (45 FR 53). More than 450 public responses 
to that invitation were received and taken into consideration in the 
preparation of a 1983 NPRM (48 FR 38758). Approximately 150 comments 
were received in response to the NPRM and were taken into consideration 
in the preparation of the final rule released on June 9, 1987 (52 FR 
21798).
    The Department published an NPRM again in the Federal Register (FR) 
on August 18, 1994 (59 FR 42561), which proposed a clarification of the 
definition of ``Program'' in the regulations. Specifically, the 
Department proposed to clarify that, as to general medical care 
facilities, these regulations cover only specialized individuals or 
units in such facilities that hold themselves out as providing and 
provide alcohol or drug abuse (now referred to as substance use 
disorder) diagnosis, treatment, or referral for treatment and which are 
federally assisted, directly or indirectly. On May 5, 1995, the final 
rule was released (60 FR 22296).
    SAMHSA posted a document in the FR on May 12, 2014, (79 FR 26929) 
announcing a public Listening Session planned for June 11, 2014, to 
solicit feedback on the Confidentiality of Alcohol and Drug Abuse 
Patient Records regulations, 42 CFR part 2. SAMHSA accepted written 
comments until June 25, 2014. The Listening Session comments are posted 
on the SAMHSA Web site at http://www.samhsa.gov/about-us/who-we-are/laws-regulations/public-comments-confidentiality-regulations.
    Prompted by the need to update and modernize the Confidentiality of 
Alcohol and Drug Abuse Patient Records regulations at 42 CFR part 2, on 
February 9, 2016, SAMHSA published an NPRM that proposed revisions to 
the part 2 regulations and requested public input on the proposed 
changes during a 60-day public comment period (81 FR 6988). Although 
raised in the Listening Session public comments, SAMHSA decided not to 
address issues pertaining to e-prescribing and Prescription Drug 
Monitoring Programs (PDMPs) in the NPRM because they were not ripe for 
rulemaking at the time due to the state of technology and because the 
majority of part 2 programs are not prescribing controlled substances 
electronically. As noted in the NPRM, SAMHSA intends to monitor 
developments in this area to

[[Page 6056]]

see whether further action may be warranted in the future. SAMHSA 
received 376 public comment submissions on the part 2 NPRM. The 
comments received were detailed, thoughtful, and reflective of the 
complex issues addressed and balanced in the part 2 regulations. This 
final rule reflects SAMHSA's thorough consideration of all substantive 
issues raised in the public comments in response to its proposals in 
the NPRM.

III. Overview of the Final Rule

    In this final rule, the Department finalizes the modifications to 
the Confidentiality of Alcohol and Drug Abuse Patient Records, 42 CFR 
part 2, including renaming it ``Confidentiality of Substance Use 
Disorder Patient Records.'' The modifications modernize the rule by 
facilitating electronic exchange of substance use disorder information 
for treatment and other legitimate health care purposes while ensuring 
appropriate confidentiality protections for records that might identify 
an individual, directly or indirectly, as having or having had a 
substance use disorder.

Overview of Public Comments

    We received 376 public comments from medical health care providers; 
behavioral health care providers; combined medical/behavioral health 
care providers; HIEs, ACOs, CCOs, and certified patient-centered 
medical homes (CPCMHs), sometimes called health homes; third-party 
payers; privacy/consumer advocates; medical health care provider 
associations; behavioral health care provider associations; accrediting 
organizations; researchers; individuals (with no stated affiliation); 
attorneys (with no stated affiliation); HIT vendors; and state/local 
governments. The comments ranged from general support or opposition to 
the proposed provisions to very specific questions or comments 
regarding the proposed rules.
    Some comments were outside the scope of or inconsistent with 
SAMHSA's legal authority regarding the confidentiality of substance use 
disorder patient records. Likewise, other comments did not pertain to 
specific proposals made by SAMHSA in the NPRM. In some instances, 
commenters raised policy or operational issues that are best addressed 
through subregulatory guidance that SAMHSA will consider issuing 
subsequent to this final rule. Consequently, SAMHSA did not address 
these comments in this final rule.
    Commenters have also provided SAMHSA with informative feedback on 
how lawful holders, including third-party payers and others within the 
healthcare industry, use health data or hire others to use health data 
on their behalf to provide operational services such as independent 
auditing, legal services, claims processing, plan pricing and other 
functions that are key to the day-to-day operation of entities subject 
to this rule. We have previously clarified in responses to particular 
questions that contracted agents of individuals and/or entities may be 
treated as the individual/entity. Questions raised by commenters during 
this rulemaking have, however, highlighted varying interpretations of 
the current (1987) rule's restrictions on lawful holders and their 
contractors' and subcontractors' use and disclosure of part 2-covered 
data for purposes of carrying out payment, health care operations, and 
other health care related activities. In consideration of this feedback 
and given the critical role that third-party payers, other lawful 
holders, and their contractors and subcontractors play in the provision 
of health care services, SAMHSA is issuing a supplemental notice of 
proposed rulemaking (SNPRM) to seek further comments and information on 
this matter.

IV. Effective Date

    In this final rule, SAMHSA has established a single effective date 
of 30 days after the publication of the final rule, or February 17, 
2017. On this date, the revised 42 CFR part 2 will replace the 1987 
version of part 2 in the CFR and all part 2 programs and other lawful 
holders of patient identifying information must comply with all aspects 
of the regulations. In the NPRM, SAMHSA proposed that, with the 
exception of Sec.  [thinsp]2.13(d), part 2 programs and other lawful 
holders of patient identifying information would have to comply with 
applicable requirements of the revised part 2 regulations beginning 30 
days after the publication of the final rule. See Section V.D.3 below 
for a discussion of ``other lawful holders.'' We proposed that entities 
would not have to comply with the List of Disclosures requirements of 
Sec.  2.13(d) until two-years after the effective date of the final 
rule. As explained below, because the right to obtain, upon request, a 
List of Disclosures is only available to patients who use a general 
designation in the ``To Whom'' section of the consent form, entities 
must only have the technical capability to provide the List of 
Disclosures if they take advantage of the general designation 
provision. Therefore, SAMHSA has revised the effective date from that 
proposed to avoid confusion. However, signed consent forms in place 
prior to the effective date of this final rule will be valid until they 
expire. Nonetheless, part 2 programs may update signed consent forms 
consistent with the final rule, prior to the effective date of the 
final rule if they so choose. Consents obtained after the effective 
date will need to comply with the final rule, regardless of whether the 
consents involve patient identifying information obtained prior to or 
after the effective date of this final rule.

Public Comments

    One commenter urged that the final rule allow for implementation of 
the research provision (Sec.  2.52) immediately or shortly after the 
rule takes effect. Several commenters raised concerns about how to 
interpret the two-year delayed implementation of List of Disclosures 
and whether the general designation will be used during that period.

SAMHSA Response

    SAMHSA acknowledges commenters' confusion regarding the proposed 
two-year delayed compliance date for the List of Disclosures 
requirements. After considering the public comments received on this 
point, SAMHSA realized that such a two-year delayed compliance date for 
the requirements of Sec.  2.13(d) is not helpful. As explained in the 
``To Whom'' section of the part 2-compliant consent requirements (see 
Section V.J.2 below), an entity that serves as an intermediary (e.g., 
HIE, ACO, CCO) must comply with the List of Disclosures provision in 
order to disclose information pursuant to a general designation 
provided on the consent form (see Sec.  2.31(a)(4)(iii)(B)(3)(i)). 
Therefore, an entity that serves as an intermediary would be prohibited 
from electing to disclose information pursuant to a general designation 
without the ability to comply with the List of Disclosures requirement. 
It would not make sense to implement a two-year delayed compliance date 
for the List of Disclosures requirements at Sec.  2.13(d) because the 
only reason an entity that serves as an intermediary would have to 
comply with the List of Disclosures requirements would be if they 
wanted to disclose information pursuant to general designations that 
have been included in the ``To Whom'' section of the patient consent 
form, which requires alerting patients to the fact that they have a 
right to request a list of entities to which their information has been 
disclosed (per Sec.  2.13(d)). Thus, an entity that serves as an 
intermediary is prohibited from

[[Page 6057]]

disclosing information pursuant to a general designation without having 
the capability to comply with the List of Disclosures requirements. For 
these reasons, it is not advisable to include a two-year delayed 
compliance date for the List of Disclosures provision. Some entities 
that serve as intermediaries as described by Sec.  
[thinsp]2.31(a)(4)(iii)(B) may elect never to disclose information 
pursuant to a general designation and, thus, would not need to comply 
with the List of Disclosures requirement. Those that choose to disclose 
information pursuant to general designations must ensure the capability 
to comply with the List of Disclosures requirements at Sec.  2.13(d) 
before they disclose the information pursuant to a general designation. 
But there is no timeframe in which they need to comply; only the 
condition that if they choose to have the option of disclosing 
information pursuant to a general designation on a consent form, they 
must also be capable of providing a List of Disclosures upon request 
per Sec.  2.13(d).
    Regarding the suggestion to allow for implementation of the 
Research provision Sec.  2.52 immediately after the final rule takes 
effect, SAMHSA declines to make this change. For clarity regarding part 
2 compliance, the 1987 part 2 final rule remains in effect until the 
effective date for the 2016 part 2 regulations established in this 
final rule. Because of the revised definitions that impact the research 
provision, it would create unnecessary confusion to make effective 
Sec.  2.52 before the rest of the final rule.

V. Discussion of Public Comments and Final Modifications to 42 CFR Part 
2

    In this section of the final rule, SAMHSA explains the finalized 
revisions to the part 2 regulations and responds to public comments 
received. If a part 2 CFR section is not addressed below, it is because 
SAMHSA did not propose changes to that part 2 provision and that this 
final rule maintains the existing language in that section. However, 
SAMHSA notes that in addition to the revisions discussed below, SAMHSA 
has made other technical, non-substantive, and nomenclature changes to 
various part 2 provisions. Those changes are reflected in the 
regulatory text at the end of this rule.

A. General Comments on the Proposed Rule

1. General Feedback on the Proposed Rule
a. General Support for the Proposed Rule
Public Comments
    Many commenters expressed general support for the proposed rule, 
with some noting that the proposed rule would preserve the 
confidentiality rights of substance use disorder patients while 
facilitating the sharing of health information; would ensure that 
patients with a substance use disorder participate in, and benefit 
from, new integrated health care models without fear of putting 
themselves at risk of adverse consequences; would help reduce the 
stigma associated with substance use disorder; and would provide 
patients comfort in knowing they have control of their record.
    Several commenters expressed general support for the NPRM's 
proposed part 2 changes to enhance integrated care and information 
exchange. Multiple commenters, with some stressing the need for patient 
privacy protections, suggested that integrated networks of care between 
medical and behavioral health services is current best practice and 
will benefit patients. Two commenters implied general support. The 
first of these two commenters stated that the current practice of 
keeping paper substance use records separate from the EHR system 
increases work required to maintain records, creates redundancies, and 
could contribute to providers missing critical information needed for 
treating patients. The second commenter stated that the current (1987) 
part 2 regulations are out of step with the health care system's rapid 
adoption of EHRs, its capacity to quickly exchange information (e.g., 
HIEs), the federal privacy and security regulations (Health Insurance 
and Portability and Accountability Act [HIPAA] and HITECH) governing 
these EHRs and exchanges, and the increasing treatment of patients' 
substance use in health care systems not covered by existing part 2 
regulations, but by HIPAA.
    Another commenter expressed support for the facilitation of 
electronic exchange of substance use disorder treatment information 
where the confidentiality protections historically afforded patients by 
part 2 are maintained.
    A few commenters stated that the proposal would help patients with 
substance use disorders benefit from emerging care models that require 
enhanced health information exchange for better care coordination 
(e.g., CPCMHs, ACOs).
SAMHSA Response
    SAMHSA appreciates the support for updating the regulations. This 
final rule is intended to modernize the part 2 regulations by 
facilitating the electronic exchange of substance use disorder 
information for treatment and other legitimate health care purposes 
while ensuring appropriate confidentiality protections for records that 
might identify an individual, directly or indirectly, as having or 
having had a substance use disorder. Many new integrated care models 
rely on interoperable health IT and these proposed changes are expected 
to support the integration of substance use disorder treatment into 
primary and other specialty care, improving the patient experience, 
clinical outcomes, and patient safety while at the same time ensuring 
patient choice, confidentiality, and privacy. Due to its targeted 
population, part 2 provides more stringent federal protections than 
most other health privacy laws, including HIPAA.
b. General Opposition to the Proposed Rule
Public Comments
    Some commenters expressed general opposition to the proposed rule, 
with some arguing that it would eliminate the right of patients to 
protect and control personal health information; would introduce 
complexity, not simplification; and would maintain the stigma 
surrounding drug use. One commenter warned the proposed rule would 
create concessions to institutional stakeholders, both providers and 
researchers, who find the consent requirements inconvenient and 
burdensome.
    Many commenters requested that part 2 remain unchanged, with some 
stating that loosening part 2 regulations would dissuade substance use 
disorder patients from seeking help out of fear of how their 
information could be used against them or that the proposed regulations 
would not offer the intended protection.
    Some commenters asserted that maintaining a separate set of 
confidentiality restrictions aimed solely at substance use disorder 
providers and patients perpetuates the discrimination associated with 
substance use disorder and ultimately negatively impacts patients and 
the care they receive, suggesting that issues of substance use disorder 
information confidentiality

[[Page 6058]]

should be part of the broader general medical care confidentiality 
regulations. Others argued that the fear of discrimination is a real 
problem for many individuals suffering from a substance use disorder 
and being able to receive treatment without worrying that personal 
information will be leaked is crucial in helping these people get the 
help they need so that they can return to their communities as 
contributing members of society.
SAMHSA Response
    SAMHSA wants to ensure that patients with substance use disorders 
have the ability to participate in, and benefit from, new and emerging 
health care models that promote integrated care and patient safety 
while respecting the legitimate privacy concerns of patients seeking 
treatment for a substance use disorder due to the potential for 
discrimination, harm to their reputations and relationships, and 
serious civil and criminal consequences. This approach is consistent 
with the intent of the governing statute (42 U.S.C. 290dd-2) and 
regulations at 42 CFR part 2, which is to protect the confidentiality 
of substance use disorder patient records. SAMHSA has added more 
flexibility to some of the consent provisions, including a range of 
``To Whom'' consent options that includes the current (1987) ``To 
Whom'' consent requirement, but still retained core part 2 protections, 
including the prohibition on re-disclosure as well as requiring the 
``Amount and Kind'' section of the consent form to include how much and 
what kind of information is to be disclosed, including an explicit 
description of the substance use disorder information that may be 
disclosed. Changes to the research provision also enable patients to 
benefit from advanced research protocols while still complying with 
part 2 protections regarding patient confidentiality. However, with 
these conflicting comments, as well all other comments, SAMHSA was 
guided by the governing statute in developing the final rule, which 
restricts disclosure without consent other than under a small number of 
exceptions
2. The Proposed Rule Did Not Go Far Enough To Facilitate Information 
Exchange
Public Comments
    Several commenters suggested that the proposed part 2 revisions did 
not go far enough to facilitate information exchange and data sharing. 
For example, some commenters asserted that the proposed regulations 
would maintain previous barriers and create additional barriers that 
impede the sharing of information exchange and care coordination 
necessary to effectively treat patients who seek care in a variety of 
settings. A few commenters said the proposed part 2 revisions go beyond 
the protections intended by the statutory requirements in 42 U.S.C. 
290dd-2 and suggested that the proposed changes would continue to 
decrease access to substance use disorder treatment and the achievement 
of positive health outcomes.
    Citing concerns about people with substance use disorders who visit 
multiple health care providers to obtain medication, one commenter 
advocated that substance use disorder health care records should be 
accessible to all health care facilities for the sole purpose of better 
treating and rehabilitating these patients.
    Other commenters requested further clarification on the regulations 
to ensure that coordination of care happens smoothly for all patients, 
especially those at the highest need of coordination, without 
unnecessary barriers. Citing a 2010 report from the President's Council 
of Advisors on Science and Technology, a couple of commenters urged 
SAMHSA to initiate a broad conversation among other HHS agencies to 
develop a granular data specification standard that enables patients to 
be in full control of all their health data, not just part 2 data.
    Citing technological barriers, a commenter asserted that additional 
changes to part 2 are necessary to allow for technological solutions 
for sharing data. One commenter said new funding for HIEs permitted by 
recent CMS guidance could be maximized by more substantial revisions to 
part 2 that would encourage the inclusion of substance use disorder 
providers in HIEs. Expressing uncertainty as to whether data 
segmentation can be implemented effectively absent clear standards, a 
commenter expressed concern the result would be a two-tier system of 
how substance use disorder data are defined both by payers and by local 
and state jurisdictions that has the effect of having substance use 
disorder data exchanged differently depending on if the patient 
received services within or beyond the veil of part 2 regulation.
    Some commenters suggested that the current (1987) part 2 regulation 
and the proposed revisions maintain a status quo of segregated 
substance use disorder information with minimal benefits to patients, 
high compliance costs, and deterrence for organizations to provide 
substance use treatment. Some of these commenters said the part 2 
regulations keep the substance use disorder treatment system isolated 
from general health care providers and reduce access to substance use 
disorder treatment being added by general health care organizations, 
which, due to administrative burden and liability fears, are less 
likely to add substance use disorder treatment. A few of these 
commenters asserted that the part 2 regulations have unintended 
consequences, including disadvantaging persons with a substance use 
disorder and treatment providers because of the burdens associated with 
constantly updating expiring consents. One of these commenters said 
that the burdens caused by the part 2 regulations are particularly 
costly because patients with substance use disorder are among the 
highest cost utilizers in the health care system.
    Some commenters asserted that maintaining a separate set of 
confidentiality restrictions aimed solely at substance use disorder 
providers and patients perpetuates the stigma associated with substance 
use disorder and ultimately negatively impacts patients and the care 
they receive, suggesting that issues of substance use disorder 
information confidentiality should be part of the broader general 
medical care confidentiality regulations.
    Some commenters expressed concern that the proposed part 2 
revisions did not address information exchange issues associated with 
specific types of health care services delivery, including integrated 
delivery systems operating with a behavioral health organization unit 
or department; organizations that include affiliated entities, such as 
jointly held and operated hospital-based systems and health insurance 
plans; risk-based Medicaid managed care; social service programs 
integrated with publicly financed health delivery systems; and combined 
behavioral health service delivery.
    One commenter urged SAMHSA to include the release of previous 
substance use disorder treatment information from insurance companies 
to part 2 programs as disclosure permitted without consent under part 
2. Another commenter expressed concern that SAMHSA did not propose an 
allowance under part 2 regarding appropriate disclosures by a health 
plan for the coordination of a health plan member's care.
    Expressing concern that the proposed part 2 revisions do not 
address many of the issues on which SAMHSA has issued guidance with 
respect to health information networks, a commenter asserted that such 
guidance is outdated

[[Page 6059]]

and creates unintended obstacles to the desired exchange of information 
on patients with substance use disorders.
SAMHSA Response
    The governing statute (42 U.S.C. 290dd-2) and regulations at 42 CFR 
part 2 protect the confidentiality of substance use disorder patient 
records. Consistent with the governing statute, SAMHSA wants to ensure 
that patients with substance use disorders have the ability to 
participate in, and benefit from new and emerging health care models 
which promote integrated care and patient safety while respecting the 
legitimate privacy concerns of patients seeking treatment for a 
substance use disorder due to the potential for discrimination, harm to 
their reputations and relationships, and serious civil and criminal 
consequences. Toward that end, SAMHSA held a Listening Session on June 
11, 2014, to solicit feedback on the Confidentiality of Alcohol and 
Drug Abuse Patient Records regulations. All the feedback received from 
the Listening Session was considered and helped to inform the 
development of the proposed and final rules. In addition, SAMHSA 
collaborated with its federal partner experts in developing this final 
rule.
    Information exchange is addressed in both the applicability 
provision (Sec.  2.12) and the consent requirements provision (Sec.  
2.31), among other places in this final rule. SAMHSA has added more 
flexibility to the ``To Whom'' section of the consent form, which will 
give patients the option to release their records to past, current, 
and/or future treating providers. In addition, Sec.  2.13 requires a 
part 2-compliant consent form must list the date, event, or condition 
upon which the consent will expire, if not revoked before. Thus, it is 
not sufficient under part 2 for a consent form to merely state that 
that disclosures will be permitted until the consent is revoked by the 
patient. It is, however, permissible for a consent form to specify the 
event or condition that will result in revocation, such as having its 
expiration date be ``upon my death.'' The Applicability provision 
includes: ``The restrictions on disclosure in these regulations do not 
apply to communications of information between or among personnel 
having a need for the information in connection with their duties that 
arise out of the provision of diagnosis, treatment, or referral for 
treatment of patients with substance use disorders if the 
communications are within a part 2 program; or between a part 2 program 
and an entity that has direct administrative control over the 
program.''
    With this rulemaking, SAMHSA has attempted to facilitate the 
electronic exchange of substance use disorder treatment records while 
ensuring patient privacy. SAMHSA acknowledges that many EHRs and HIEs 
are experiencing technical barriers to segmenting or redacting 
substance use disorder treatment data. As a result, SAMHSA has spent 
several years supporting the continued development of the Consent2Share 
application, an open-source health IT solution based on DS4P, which 
assists in both consent management and data segmentation. It is 
designed to integrate with existing EHR and HIE systems via the 
developed standards. Consent2Share enables electronic implementation of 
various sensitive health information disclosure policies by applying 
the information-sharing rules needed to constrain the disclosure of 
sensitive data according to patient preferences. SAMHSA, in conjunction 
with ONC and other federal partners, also continues to support the 
development of data standards and IGs to further reduce technical 
barriers in the field.
    Finally, SAMHSA has added additional information from previously 
issued FAQ guidance to the preamble discussion in this final rule, such 
as information about medical emergencies and ``holds itself out,'' and 
plans to issue additional subregulatory guidance after publication of 
the final rule.
    3. Final Rule Should Balance Patient Protections With Enhanced 
Information Exchange
Public Comments
    Numerous commenters emphasized that the part 2 revisions must 
balance patient protections with enhanced information exchange and data 
sharing.
    Some commenters suggested that patient confidentiality should not 
be compromised by any updates to the part 2 regulations, reasoning that 
the stigma associated with having or having had a substance use 
disorder and the fear that this information may be used against an 
individual would lead them to not seek treatment. To this end, a few of 
these commenters cautioned SAMHSA to remain diligent in the oversight 
of these regulations to ensure that the information is only being 
conveyed to the appropriate parties with the sole intent to improve 
patient care. Other commenters emphasized that sharing patient 
information should be solely for necessary medical purposes. Another 
commenter argued that the interest in integrating mental health care 
with physical health care should not result in the erosion or 
elimination of the heightened privacy protections that are essential 
for effective mental health treatment.
    A few commenters urged SAMHSA to ensure that the final rule 
respects patient choice for privacy in the treatment of sensitive 
information like substance use disorder treatment records, including 
the right to control how their records are disclosed, even for health 
and payment purposes. A commenter said the proposed part 2 changes have 
substantially weakened the privacy protections surrounding the sharing 
of a patient's substance use treatment data. One commenter stated that 
before an individual's health data can be accessed, there should be a 
specific, legitimate reason, and a careful review of the patient's set 
of permissions. In addition to suggesting that mental health and 
substance abuse records be blocked from view by any providers or staff 
not directly involved in the care and treatment of a patient, a 
commenter asserted that a patient has the right to have substance abuse 
and/or mental health treatment records blocked from view by even their 
primary care provider or nurses.
    A couple of commenters asserted that it is both necessary and 
technologically possible to integrate substance use disorder and other 
health care information and effectively exchange substance use 
treatment data while maintaining the core protections of part 2, 
including consent requirements and the prohibition on re-disclosure.
    Emphasizing the importance of patient confidentiality and privacy, 
a few commenters asserted that sacrificing the dignity and well-being 
of a person seeking help for a substance use disorder in the name of 
convenience, administrative efficiency, and research is a poor way to 
achieve the well-being of either the person in need or the community. 
One of these commenters recommended that SAMHSA delay the part 2 
changes until the technology is available to protect persons with 
substance use disorder.
    Another commenter encouraged a cautious, step-wise approach to 
making substance use treatment records more integrated with general 
medical records. This commenter expressed concern that making treatment 
records more accessible to other providers would exacerbate the 
stigmatization of substance use disorder, particularly among pregnant 
women, which could lead to these individuals not seeking treatment for 
their substance use disorder or prenatal care.
SAMHSA Response
    SAMHSA reiterates its intent to ensure that patients with substance 
use

[[Page 6060]]

disorders have the ability to participate in, and benefit from new and 
emerging health care models which promote integrated care and patient 
safety while respecting the legitimate privacy concerns of patients 
seeking treatment for a substance use disorder due to the potential for 
discrimination, harm to their reputations and relationships, and 
serious civil and criminal consequences. This approach is consistent 
with the intent of the governing statute (42 U.S.C. 290dd-2) and 
regulations at 42 CFR part 2, which is to protect the confidentiality 
of substance use disorder patient records.
    In response to the commenters who cautioned SAMHSA to remain 
diligent in the oversight of these regulations, SAMHSA has the 
statutory authority to promulgate 42 CFR part 2, but the Department of 
Justice retains the authority for enforcing 42 CFR part 2. Reports of 
violation of these regulations may be directed to the United States 
Attorney for the judicial district in which the violation occurs. The 
report of any violations of these regulations by an opioid treatment 
program may be directed to United States Attorney for the judicial 
district in which the violation occurs as well as the SAMHSA office for 
opioid treatment program oversight. SAMHSA has oversight of opioid 
treatment programs through 42 CFR part 8. Related to oversight and 
compliance education, SAMHSA expects to issue FAQs as it has done in 
the past and develop other subregulatory guidance such as education and 
outreach materials.
    SAMHSA has added more flexibility to some of the consent provisions 
but still retained core part 2 protections, including prohibition on 
re-disclosure as well as consent options that would continue to give 
patients significant control. For example, the ``To Whom'' section of 
the consent form includes an option permitting a general designation 
under certain circumstances. However, SAMHSA retained the option of 
listing the name(s) of the individual(s) to whom a disclosure is made. 
In addition, any disclosure made under these regulations must comply 
with the ``Amount and Kind'' of information to be disclosed and the 
purpose of the disclosure, as provided on a part 2-compliant consent 
form. Furthermore, Sec.  2.13(a) limits the information to be disclosed 
to that information which is necessary to carry out the purpose of the 
disclosure. Moreover, a patient has the option to withhold consent to 
disclosure of any of their substance use disorder information.
    SAMHSA is aware that technology adoption is an ongoing process and 
that many behavioral health providers have yet to adopt electronic 
health records as incentive payments have been unavailable for such 
purposes for these providers under the HITECH Meaningful Use Program. 
In addition, paper records are still used today in some part 2 programs 
and shared through facsimile (FAX). Therefore, in spite of advances in 
technology, some stakeholders are concerned that part 2, as currently 
written, continues to be a barrier to the integration of substance use 
disorder treatment and physical health care. Rather than waiting for 
the development and adoption of technology, SAMHSA decided to issue 
these final regulations to ensure that patients with substance use 
disorders have the ability to participate in, and benefit from new and 
emerging health care models which promote integrated care and patient 
safety while respecting the legitimate privacy concerns of patients 
seeking treatment for a substance use disorder due to the potential for 
discrimination, harm to their reputations and relationships, and 
serious civil and criminal consequences. SAMHSA understands the 
importance of not compromising patient protection, and has, in Sec.  
2.13(d) of these final regulations, required an entity that serves as 
an intermediary (upon request) to provide a List of Disclosures made 
pursuant to the general designation option. Further, as discussed later 
in this preamble, the general designation option may not be used until 
there is technical capability to provide the required List of 
Disclosures.
4. Part 2 Should Align With the Health Insurance Portability and 
Accountability Act
Public Comments
    Many commenters expressed that part 2 should be aligned with HIPAA. 
Some commenters specifically mentioned various areas for HIPAA 
alignment, including the consent form; Business Associate Agreement 
standards; treatment, payment, and health care operations; patient-
requested restrictions on disclosure; de-identification standards, 
medical emergencies; research; the definition of ``Patient identifying 
information;'' HIPAA penalties contained in the HITECH Act; and re-
disclosure provisions. Many commenters asserted that aligning the 
regulations with HIPAA would help to strike an appropriate balance 
between protecting sensitive patient health information while providing 
coordinated, quality care. Many commenters urged SAMHSA to align part 2 
with HIPAA to broaden the allowable sharing of data for purposes of 
care coordination and patient safety.
    Numerous commenters urged that substance use disorder records and 
treatments should be held to the same level of privacy as all other 
health records. Other commenters raised the concern of equal access, 
stating that individuals with substance use disorder should have the 
same access to the benefits of increased care coordination as 
individuals without substance use disorder.
    Commenters encouraged the broader harmonization of part 2, HIPAA, 
and HITECH into a single uniform set of standards applicable for all 
personal health information, including substance use disorder treatment 
and payment.
    Some commenters asserted that HIPAA is sufficient to protect 
patient privacy and part 2 is no longer necessary. Some commenters also 
asserted that part 2 also predates the development of EHR and HIEs, and 
there is pressing need to reconsider these rules in light of more 
recent technological and legal developments. Some commenters expressed 
concern that complying with both part 2 and HIPAA would lead to undue 
administrative burden and management issues across the continuum of 
patient care.
    A commenter recommended that SAMHSA should add the same release 
requirements for substance use disorder treatment as is required for 
psychotherapy notes under HIPAA, which are restricted from release 
without the client's consent. According to the commenter, this would 
give substance use disorder patients protections with Business 
Associates Agreements (instead of additional rules and forms for 
Qualified Service Organization Agreements [QSOAs]), notification upon 
breach requirements, and other rights already afforded persons 
receiving medical and mental health care.
    Several commenters said part 2 should be as consistent as possible 
with HIPAA, except for the prohibition on use for investigation, 
prosecution, or criminal charges.
SAMHSA Response
    SAMHSA noted the many comments from a wide range of commenters that 
requested that SAMHSA align part 2 provisions with HIPAA where 
possible. In some instances, SAMHSA has attempted to do so in this 
final rule to the extent the change was permissible under 42 U.S.C. 
290dd-2. At the same time, part 2 and its governing statute are 
separate and distinct from HIPAA and

[[Page 6061]]

its implementing regulations. Because of its targeted population, part 
2 provides more stringent federal protections than most other health 
privacy laws, including HIPAA.
    In response to comments about alignment of this regulation with 
HIPAA, SAMHSA has aligned the interpretation the definition of 
``Patient identifying information'' with HIPAA to the extent feasible. 
In addition, SAMHSA revised Security for records (Sec.  2.16) to more 
closely align with HIPAA.

B. Statutory Authority (Sec.  [thinsp]2.1)

    SAMHSA is adopting this section as proposed. SAMHSA has combined 
what was Sec. Sec.  [thinsp]2.1 (Statutory authority for 
confidentiality of drug abuse patient records) and 2.2 (Statutory 
authority for confidentiality of alcohol abuse patient records) and 
renamed the new Sec.  [thinsp]2.1, Statutory authority for 
confidentiality of substance use disorder patient records. We have re-
designated Sec. Sec.  [thinsp]2.2 through 2.5 accordingly. In the new 
Sec.  2.1, SAMHSA has deleted references to 42 U.S.C. 290ee-3 and 42 
U.S.C. 290dd-3. Sections 290dd-3 and 290ee-3 were omitted by Public Law 
102-321 and combined and renamed into Section 290dd-2, Confidentiality 
of records. In addition, we have deleted references to laws and 
regulations that have been repealed in Sec.  [thinsp]2.21.
Public Comments
    One commenter urged SAMHSA to assess whether existing statutory 
authority is adequate to modernize part 2 regulatory requirements to 
keep pace with existing laws and industry developments while also 
protecting privacy, and to discuss necessary statutory changes in the 
final rule. Further, the commenter recommended that SAMHSA encourage 
Congress to convene public hearings to evaluate proposals for statutory 
changes and delay issuing a final rule if pending legislative proposals 
are enacted that change the legal landscape for substance use disorder 
information and related protections.
    A commenter urged SAMHSA to address the congressional action that 
may be needed to effectively expand the ability to provide coordinated 
services, such as including health and human services agencies' field 
staff clearly into the definition of treatment terms. A few commenters 
suggested that the statutory authority underlying the part 2 
regulations (42 U.S.C. 290dd-2) should be revised. Another commenter 
asserted that the 1992 confidentiality statute should be reformed to 
afford patients greater protections against unlawful disclosure of 
their substance use disorder treatment, limit the use of information 
shared for non-health purposes, provide meaningful enforcement and 
penalties, and more effectively prevent discrimination. Another 
commenter recommended that modifications should be made to HIPAA to 
incorporate special protections and limitations for substance use 
information and that the part 2 regulations should be rescinded. If the 
intent of the part 2 changes is to prevent inappropriate adverse 
consequences from the disclosure of substance use disorder health data, 
a commenter suggested that those specific adverse consequences should 
be targeted with legislation reform, rather than providing a blanket 
privacy allowance that hides medical information from providers.
SAMHSA Response
    SAMHSA does not have the authority to repeal or revise the 
governing statute for the regulations codified at 42 CFR part 2 nor any 
other statute, as that power is given to Congress. The part 2 
authorizing statute, 42 U.S.C. 290dd-2, gives the Secretary broad 
authority to carry out the confidentiality provisions therein, but to 
promulgate requirements to: (1) Carry out the purposes of the 
legislation; (2) prevent its circumvention or evasion; and (3) 
facilitate its compliance. These part 2 revisions were drafted to 
further these three purposes while, to the extent allowable under the 
legislation, permitting disclosure and use to increase access to 
treatment and improve treatment services. The intent of the part 2 
regulations and its governing statute (42 U.S.C. 290dd-2) is to protect 
the confidentiality of substance use disorder patient records. Because 
individuals seeking treatment for substance use disorders may 
experience a host of negative consequences, including discrimination, 
harm to their reputations and relationships, and possibly serious civil 
and criminal consequences should information regarding their treatment 
be improperly disclosed, there is a specific need for strong privacy 
protections for substance use disorder records.

C. Reports of Violations (Sec.  [thinsp]2.4)

    SAMHSA is adopting this section as proposed. We have revised the 
requirement of reporting violations of these regulations by a methadone 
program to the FDA (Sec.  [thinsp]2.5(b)). The authority over methadone 
programs (now referred to as opioid treatment programs) was transferred 
from the FDA to SAMHSA in 2001 (66 FR 4076). Suspected violations of 42 
CFR part 2 by opioid treatment programs may be reported to the U.S. 
Attorney's Office for the judicial district in which the violation 
occurred, as well as the SAMHSA office responsible for opioid treatment 
program oversight.
Public Comments
    SAMHSA received no public comments on this section. This section of 
the final rule is adopted as proposed.

D. Definitions (Sec.  [thinsp]2.11)

    SAMHSA has consolidated all of the definitions in 42 CFR part 2, 
with the exception the definition of the term ``Federally assisted,'' 
into a single section at Sec.  [thinsp]2.11. SAMHSA has retained the 
definition of the term ``Federally assisted'' in Sec.  2.12 
(Applicability) for the purpose of clarity because it is key to 
understanding the applicability of the part 2 regulations. SAMHSA is 
adopting these structural changes as proposed in the NPRM. Specific 
definitions are discussed in the sections below. If a part 2 definition 
is not addressed below, it is because SAMHSA did not propose or make 
substantive changes to that definition. However, as discussed below, 
SAMHSA updated the terms in those definitions, as appropriate (e.g., to 
replace ``program'' with ``part 2 program,'' and when ``alcohol abuse'' 
and ``drug abuse'' were used collectively to replace it with 
``substance use disorder''). The definitions in the regulatory text of 
this final rule reflect these changes.
1. New Definitions
a. Part 2 Program
    SAMHSA is adopting this definition as proposed. SAMHSA defines a 
``Part 2 program'' as ``a federally assisted program (federally 
assisted as defined in Sec.  [thinsp]2.12(b) and program as defined in 
Sec.  [thinsp]2.11). See Sec.  [thinsp]2.12(e)(1) for examples.'' We 
have retained the examples provided in Sec.  [thinsp]2.12(e)(1) of the 
current (1987) regulations, with minor clarifications in Sec.  
2.12(e)(1), because they explain the part 2 applicability and coverage. 
SAMHSA has replaced the term ``program'' with ``part 2 program,'' where 
appropriate. For example, we have revised the definition of QSO, 
including replacing ``program'' with ``part 2 program,'' which is 
discussed in depth below (see Section V.D.2.i., Existing Definitions). 
We also replaced ``program'' with ``part 2 program'' in several other 
definitions, while making no additional changes.
    While a couple of commenters purported to address the proposed 
definition of ``Part 2 program,'' the nature of their comments made 
clear that their underlying concern was how

[[Page 6062]]

SAMHSA defined ``Program'' for purposes of part 2. For this reason, 
these comments are addressed in the discussion of the definition of 
``Program'' below (see Section V.D.2.h).
b. Part 2 Program Director
    SAMHSA is adopting this definition as proposed, except for a non-
substantive technical edit. Because of the addition of the ``Part 2 
program'' definition, we have defined a ``Part 2 program director'' as:
     In the case of a part 2 program that is an individual, 
that individual; and
     In the case of a part 2 program that is an entity, the 
individual designated as director or managing director, or individual 
otherwise vested with authority to act as chief executive officer of 
the part 2 program.
    We have deleted the definition of ``Program Director.''
Public Comments
    SAMHSA received no public comments on this definition. This section 
of the final rule is adopted as proposed.
c. Substance Use Disorder
    SAMHSA is adopting this definition as proposed, except to remove 
the final sentence, ``Also referred to as substance abuse.'' Throughout 
this rule, SAMHSA made revisions to refer to alcohol abuse and drug 
abuse collectively as ``substance use disorder'' but, when referring to 
the part 2 governing statute, we use ``substance abuse'' since that is 
the term used in 42 U.S.C. 290dd-2. SAMHSA also uses the term 
``substance abuse'' when discussing public comments and other 
publications that use that term. For consistency, SAMHSA also revised 
the title of 42 CFR part 2 from ``Confidentiality of Alcohol and Drug 
Abuse Patient Records'' to ``Confidentiality of Substance Use Disorder 
Patient Records.'' SAMHSA has replaced ``alcohol or drug abuse'' with 
``substance use disorder'' in several definitions.
    While SAMHSA has deleted the definitions of ``Alcohol abuse'' and 
``Drug abuse,'' we continued to use the terms ``alcohol abuse'' and 
``drug abuse'' when referring to 42 U.S.C. 290dd-3 and 42 U.S.C. 290ee-
3 (omitted by Pub. L. 102-321 and combined and renamed into Section 
290dd-2), respectively, because they are the terms used in the 
statutes.
    SAMHSA is defining the term ``Substance use disorder'' in such a 
manner as to cover substance use disorders that can be associated with 
altered mental status that has the potential to lead to risky and/or 
socially prohibited behaviors, including, but not limited to, 
substances such as, alcohol, cannabis, hallucinogens, inhalants, 
opioids, sedatives, hypnotics, anxiolytics, and stimulants. In 
addition, the ``Substance use disorder'' definition clarifies that, for 
the purposes of these regulations, the term excludes both tobacco and 
caffeine.
Public Comments
    Several commenters expressed support for the newly defined term 
``substance use disorder'' to replace references to alcohol and drug 
abuse. One commenter requested that SAMHSA clarify the scope of 
substance use disorder and what constitutes substance use treatment. 
Another commenter suggested that, in the definition of substance use 
disorder, protected data should be directly related to an objective 
measure, such as information related to specific payment or clinical 
diagnosis codes submitted in connection with reimbursement for 
services.
SAMHSA Response
    The final rule adopts the definition of substance use disorder as 
proposed, except that the parenthetical of the proposed definition is 
not adopted in the final rule. Use of the term is consistent with 
recognized classification manuals, current diagnostic lexicon, and 
commonly used descriptive terminology. Moreover, SAMHSA declines to 
define substance use disorder treatment by specific billing or 
diagnostic codes in in the final rule as these codes are subject to 
frequent revision.
d. Treating Provider Relationship
    SAMHSA is modifying the proposed definition of ``Treating provider 
relationship'' slightly to account for the situation of involuntary 
commitment and other situations where a patient is diagnosed, evaluated 
and/or treated, but may not have actually consented to such care, as 
discussed in greater detail below. In summary, a treating provider 
relationship means that, regardless of whether there has been an actual 
in-person encounter:
     A patient is, agrees to, or is legally required to be 
diagnosed, evaluated, and/or treated, or agrees to accept consultation, 
for any condition by an individual or entity, and;
     The individual or entity undertakes or agrees to undertake 
diagnosis, evaluation, and/or treatment of the patient, or consultation 
with the patient, for any condition.
    As explained in the NPRM, the term ``agrees'' as used in the 
definition does not necessarily imply a formal written agreement. An 
agreement might be evidenced, among other things, by making an 
appointment or by a telephone consultation.
    It is also important to note that, based on the definition of 
treating provider relationship, SAMHSA considers an entity to have a 
treating provider relationship with a patient if the entity employs or 
privileges one or more individuals who have a treating provider 
relationship with the patient.
Public Comments
    A few commenters expressed support for the proposed definition of 
``treating provider relationship.'' One commenter supported the 
definition and added that this type of relationship could be a result 
of any action taken to schedule, refer, or order services that are 
related to health services to be provided in the future.
    Other commenters provided suggestions to improve the definition, 
including specifying entities involved in identifying, evaluating, and 
referring for treatment any persons in need of substance use disorder 
services; adding related services, including social services, and 
consultation; accounting for patients who cannot agree or consent to 
the relationship; and clarifying that an individual's designated 
treating provider is also a treating provider for part 2 purposes, even 
before the patient's first appointment. A few commenters requested that 
HIEs, health plans, and organizations that provide care coordination be 
added to the definition, or that comparable definitions be provided for 
these entities.
    A few commenters objected to the consent requirements limiting 
recipients to entities with a ``treating provider relationship,'' and 
suggested that the requirement be eliminated, or the term be redefined 
to include entities that provide care management. A few commenters also 
disagreed with the interpretation that equates making an appointment 
with an agreement to diagnose or treat.
    Some commenters raised a number of questions about the definition, 
including whether the definition applies to each hospital in a system 
or to the system as a whole; whether the definition applies to Medicaid 
managed care programs with mandatory enrollment; whether a care 
coordination entity can form a treating provider relationship with an 
individual; and whether ancillary providers, such as laboratories, 
pharmacies, therapists,

[[Page 6063]]

counselors, or mental health specialists, fall within the definition of 
treating provider relationship.
SAMHSA Response
    A treating provider relationship, as defined in this final rule, 
begins when an individual seeks or receives health-related assistance 
from an individual or entity who may provide assistance. However, the 
relationship is clearly established when the individual or entity 
agrees to undertake diagnosis, evaluation, and/or treatment of the 
patient, or consultation with the patient, and the patient agrees to be 
treated, whether or not there has been an actual in-person encounter 
between the individual or entity and the patient. When a patient is not 
regarded as being legally competent under the laws of their 
jurisdiction, such as when a patient is subject to an involuntary 
commitment (i.e., formally committed for behavioral health treatment by 
a court, board, commission, or other legal authority), a treating 
provider relationship may be established when a patient is, agrees to, 
or is legally required to be provided consultation, diagnosis, 
evaluation, and/or treatment by an individual or entity. A treating 
provider relationship may be established whether or not there has been 
an actual in-person encounter between the individual or entity and 
patient. A treating provider relationship with a patient may be 
established by any member of the health care team as long as the 
relationship meets the definition of ``Treating provider 
relationship.'' SAMHSA believes that further specification in this 
definition is unnecessary.
e. Withdrawal Management
    SAMHSA is adopting this definition as proposed. SAMHSA has removed 
the definition of ``Detoxification treatment'' and replaced it with the 
definition of the currently acceptable term ``Withdrawal management'' 
as indicated in the American Society of Addiction Medicine (ASAM) 
Principles of Addiction Medicine, 5\th\ edition.\1\
---------------------------------------------------------------------------

    \1\ ASAM Principles of Addiction Medicine, 5th edition, 2014, 
Richard Ries et al., editor. http://www.asam.org/quality-practice/essential-textbooks/principles-of-addiction-medicine (last accessed 
Aug. 1, 2016).
---------------------------------------------------------------------------

Public Comments
    One commenter supported replacing the term ``Detoxification 
treatment'' with the term ``Withdrawal management.''
SAMHSA Response
    SAMHSA appreciates this support.
2. Existing Definitions
a. Central Registry
    SAMHSA is adopting this definition as proposed. SAMHSA has updated 
the definition of ``Central registry'' to incorporate currently 
accepted terminology.
Public Comments
    One commenter stated that the NPRM preamble described the proposed 
revisions to the definition of ``central registry'' as changes to 
``update terminology to make the definition clearer,'' rather than 
detailing the proposed changes to the definition, so there was 
insufficient information for public comment.
SAMHSA Response
    Exact language for the definition of ``central registry'' was 
provided in the NPRM regulation text and is being adopted as proposed.
b. Disclose or Disclosure
    SAMHSA is modifying the proposed definition of ``Disclose'' to 
specifically cover diagnosis, treatment, and referral for treatment for 
substance use disorder, as follows: ``Disclose means to communicate any 
information identifying a patient as being or having been diagnosed 
with a substance use disorder, having or having had a substance use 
disorder, or being or having been referred for treatment of a substance 
use disorder either directly, by reference to publicly available 
information, or through verification of such identification by another 
person.'' We have updated terminology and made the definition clearer. 
SAMHSA has defined only one word, ``Disclose,'' since it is implied 
that the same definition applies to other forms of the word.
Public Comments
    A commenter encouraged SAMHSA to develop guidance and promote 
standards adoption for the identification of part 2 data so that the 
implementation and applicability of concrete restrictions and 
obligations can be applied to the disclosure of such data. Another 
commenter urged coordination between the definitions of ``disclosure'' 
of a substance use disorder and a current or former ``patient,'' 
because someone may have a past substance use disorder but may not have 
been a former patient. A commenter stated that the NPRM preamble 
described the proposed revisions to the definition of ``disclosure'' as 
changes to ``update terminology and make the definition clearer,'' 
rather than detailing the proposed changes to the definition, so there 
was insufficient information for public comment.SAMHSA Response
    With regard to developing subregulatory guidance and promoting 
standards adoption, SAMHSA is an organizational member of Health Level 
7 (HL7) and is working to ensure that health IT standards support the 
needs of behavioral health treatment patients and providers. SAMHSA has 
supported the creation of several HL7 standards, including the 
Composite Privacy Consent Directive Domain Analysis Model to capture 
the requirement of states and federal agencies. Those requirements were 
reflected in the IG for Clinical Document Architecture Release 2 (CDA 
R2) to provide a standard-based electronic representation of a consent 
to support the management of consent directives and policies.
    In response to comments urging coordination between the definition 
of ``disclosure'' and a current or former patient, SAMHSA has expanded 
the definition of ``disclose'' to include any information identifying a 
patient as ``being or having been diagnosed with a substance use 
disorder, having or having had a substance use disorder, or being or 
having been referred for treatment of a substance use disorder.'' Exact 
language for the definition of ``disclosure'' was provided in the NPRM 
regulatory text and is being adopted as proposed. We note that to the 
extent an individual may have had a past substance use disorder 
diagnosis, but never sought or received diagnosis, treatment, or 
referral for substance use disorder treatment, the definition of 
patient would not cover such individual and the part 2 regulations 
would not apply to that individual's health information unless and 
until the individual is a patient as defined in these regulations.
c. Maintenance Treatment
    SAMHSA is modifying this definition from what was proposed by 
replacing the term ``pharmacotherapy'' with the phrase ``long-term 
pharmacotherapy'' for purposes of clarity to read as follows: 
``Maintenance treatment means long-term pharmacotherapy for individuals 
with substance use disorders that reduces the pathological pursuit of 
reward and/or relief and supports remission of substance use disorder-
related symptoms.'' As compared to the 1987 final rule definition of 
``Maintenance treatment,'' SAMHSA updated terminology in the definition 
and moved it from Sec.  2.34 to Sec.  2.11.

[[Page 6064]]

Public Comments
    A commenter stated that the NPRM preamble described the proposed 
revisions to the definition of ``maintenance treatment'' as changes to 
``update terminology and make the definition clearer,'' rather than 
detailing the proposed changes to the definition, so there was 
insufficient information for public comment.
SAMHSA Response
    Exact language for the proposed definition of ``maintenance 
treatment'' was provided in the NPRM regulation text at 81 FR 7014.
d. Member Program
    In response to comments received, SAMHSA has revised the definition 
of ``Member program,'' by replacing a reference to a specific 
geographic distance, so it reads as follows: ``Member program means a 
withdrawal management or maintenance treatment program which reports 
patient identifying information to a central registry and which is in 
the same state as that central registry or is in a state that 
participates in data sharing with the central registry of the program 
in question.''
Public Comments
    A commenter asserted that the 125-mile distance to a state border 
limitation contained within the definition of ``member program'' does 
not adequately recognize the geographic realities of states with 
significant rural and frontier areas, and the commenter strongly 
suggested that it be eliminated.
SAMHSA Response
    In response to the comment, SAMHSA has removed the distance from 
the definition to address the concerns about rural areas and replaced 
it with ``is in a state that participates in data sharing with the 
central registry of the program in question.'' We removed the distance 
requirement from the definition of ``Member program'' to reflect that 
in some states (e.g., with rural areas) the distance from the border of 
the state in which the central registry is located may exceed 125 
miles.
e. Patient
    SAMHSA is adopting this definition as proposed. To emphasize that 
the term ``Patient'' refers to both current and former patients, SAMHSA 
has revised the definition as follows: ``Patient means any individual 
who has applied for or been given diagnosis, treatment, or referral for 
treatment for a substance use disorder at a part 2 program. Patient 
includes any individual who, after arrest on a criminal charge, is 
identified as an individual with a substance use disorder in order to 
determine that individual's eligibility to participate in a part 2 
program. This definition includes both current and former patients.''
Public Comments
    One comment opposed the inclusion of former patients in the 
definition because retrospective outcome studies would be difficult to 
conduct because many patients relocate or their contact information 
becomes otherwise unobtainable for purposes of obtaining consent to 
disclose and use patient identifying information. One commenter opposed 
including in the definition individuals who ``applied for'' but did not 
receive a diagnosis and also asked who makes the identification of an 
individual with a substance use disorder. Another commenter suggested 
that the definition should include individuals participating in 
prevention programs and recovery support programs. A commenter asked 
whether the definition includes an individual who has been 
involuntarily committed to a program for treatment and suggested that 
the final rule clarify that such an individual is considered a patient 
and entitled to part 2's protections.
SAMHSA Response
    Regarding the opposition to including former patients in the 
definition of ``Patient'' because retrospective outcome studies would 
be difficult to conduct, this concern appears to be based on a 
misunderstanding that a consent requires a specific expiration date. A 
part 2-compliant consent form must list the date, event, or condition 
upon which the consent will expire, if not revoked before. Therefore, 
it would be permissible for a consent form to specify the event or 
condition that will result in revocation, such as having its expiration 
date be ``upon my death.'' Consequently, it is possible for researchers 
to obtain consents that would permit retrospective outcome studies.
    Regarding the inclusion of ``applied for'' in the definition of 
``Patient,'' this definition has not changed from that included in the 
1987 final rule except to replace ``alcohol and drug abuse'' with 
``substance use disorder.'' SAMHSA declines to make the recommended 
change since no other concerns regarding the inclusion of ``applied 
for'' have been received in over 29 years. Patients who are 
involuntarily committed to participating in or receiving substance use 
disorder services from a part 2 program are covered by the definition. 
SAMHSA declines to accept the suggestion that the definition should be 
expanded to cover patients in prevention programs as such programs are 
not covered by the definition of a part 2 program.
f. Patient Identifying Information
    SAMHSA is modifying the definition as proposed to: (1) Clarify that 
SAMHSA intends for the identifiers listed in the HIPAA Privacy Rule at 
45 CFR 164.514(b)(2)(i) that are not already included in the definition 
of patient identifying information to meet the ``or similar 
information'' standard; (2) delete the word ``publicly'' from the 
phrase ``can be determined with reasonable accuracy either directly or 
by reference to other publicly available information''; and (3) to 
revise the last sentence as follows: for internal use only by the part 
2 program, if that number does not consist of, or contain numbers (such 
as a social security, or driver's license number) that could be used to 
identify a patient with reasonable accuracy from sources external to 
the part 2 program.''
    SAMHSA intends for the identifiers listed in the HIPAA Privacy Rule 
at 45 CFR 164.514(b)(2)(i) that are not already included in the 
definition of ``Patient identifying information'' to meet the following 
clause: ``or similar information.'' Those HIPAA Privacy Rule 
identifiers are:
    (1) Name;
    (2) All geographic subdivisions smaller than a [s]tate, including 
street address, city, county, precinct, zip code, and their equivalent 
geocodes, except for the initial three digits of a zip code if, 
according to the current publicly available data from the Bureau of the 
Census:
    (i) The geographic unit formed by combining all zip codes with the 
same three initial digits contains more than 20,000 people; and
    (ii) The initial three digits of a zip code for all such geographic 
units containing 20,000 or fewer people is changed to 000;
    (3) All elements of dates (except year) for dates directly related 
to an individual, including birth date, admission date, discharge date, 
date of death; and all ages over 89 and all elements of dates 
(including year) indicative of such age, except that such ages and 
elements may be aggregated into a single category of age 90 or older;
    (4) Telephone numbers;
    (5) Fax numbers;
    (6) Electronic mail addresses;
    (7) Social security numbers;
    (8) Medical record numbers;
    (9) Health plan beneficiary numbers;

[[Page 6065]]

    (10) Account numbers;
    (11) Certificate/license numbers;
    (12) Vehicle identifiers and serial numbers, including license 
plate numbers;
    (13) Device identifiers and serial numbers;
    (14) Web Universal Resource Locators (URLs);
    (15) Internet Protocol (IP) address numbers;
    (16) Biometric identifiers, including finger and voice prints;
    (17) Full face photographic images and any comparable image; or
    (18) Any other unique identifying number, characteristic, or code.
Public Comments
    A few commenters urged that the definition of ``Patient identifying 
information'' be aligned with the ``protected health information,'' 
including the patient identifiers, under HIPAA. One commenter 
recommended that telephone numbers and email addresses should be 
mentioned because they are accessible by electronic means. Another 
commenter suggested that SAMHSA delete the reference to publicly 
available information; use a phrase such as, ``information with respect 
to which there is a reasonable basis to believe that the information 
can be used to identify the individual''; and mention other identifiers 
assigned to an individual, including credit card numbers, driver's 
license numbers, and automobile license numbers.
SAMHSA Response
    The HIPAA Privacy Rule, at 45 CFR 164.514(b)(2)(i), enumerates 18 
identifiers that make health information individually identifiable. 
SAMHSA considers any of these identifiers to be patient identifying 
information either because SAMHSA has explicitly listed the identifier 
in the definition of patient identifying information in 42 CFR part 2 
or because SAMHSA considers the identifier to be `similar information' 
(See Sec.  2.11 Definitions). Also as suggested, SAMHSA has deleted the 
word ``publicly'' from the phrase ``can be determined with reasonable 
accuracy either directly or by reference to other publicly available 
information;''
g. Person
    SAMHSA is adopting this definition as proposed. SAMHSA has revised 
the definition of ``Person'' to clearly indicate that ``Person'' is 
also referred to as individual or entity.
Public Comments
    A commenter urged SAMHSA to recognize an ``Affiliated Covered 
Entity'' under HIPAA as an ``entity'' in the definition of ``Person.'' 
Another commenter asked that the definition specify that it includes 
limited liability companies. A commenter suggested removing the 
redundant parenthetical at the end of the proposed definition.
SAMHSA Response
    SAMHSA has determined that no change is needed in response to the 
comments; the definition covers any legal entity. SAMHSA declines to 
delete the clarifying parenthetical at the end of the definition since 
the terms ``individual'' and ``entity'' are more intuitive than the 
term ``person,'' as defined in these regulations.
h. Program
    SAMHSA decided not to finalize its proposed changes to the 
definition of ``Program,'' but did make minor updates to the 
terminology in the text. We are, however, finalizing certain other 
minor changes to the proposed definition to update terminology so that 
it is consistent with current best practice.
    First, SAMHSA moved the reference to examples from the definition 
of ``Program'' to the definition of ``Part 2 program.''
    Second, we retain the language changes from drug and/or alcohol 
abuse to substance use disorder.
    Finally, as stated in the NPRM, SAMHSA clarifies that paragraph (1) 
of the definition of ``Program'' would not apply to ``general medical 
facilities''. However, paragraphs (2) and (3) of the definition of 
``Program'' would apply to ``general medical facilities.''
Public Comments
    A few commenters expressed support for the revised definition of 
``Program.''
    However, many commenters generally opposed the proposed revision to 
the definition of ``Program.'' The reasons primarily related to 
interpretations that SAMHSA did not intend to imply. Many commenters 
asked that SAMHSA not call out general medical practices as a separate 
category of provider excluded from paragraph one but included in 
paragraphs two and three of the definition of program.
    Some commenters requested clarification in various areas, including 
the meaning and examples of ``holds itself out;'' determining ``primary 
function;'' treatment of behavioral health clinics and community mental 
health centers; roles of general medical or dental practices that 
engage in screening, brief intervention, and referrals for treatment 
(SBIRT) activities, and co-located substance abuse/mental health 
counselors; whether covered part 2 facilities provide some, primarily 
provide, or only provide substance use disorder diagnosis, treatment, 
and referral to treatment; physicians who prescribe buprenorphine 
products and pharmacies that fill those prescriptions; a general 
psychiatric unit that also provides substance use disorder treatment; 
and offering patients integrated behavioral health care in a primary 
care setting.
    Some commenters suggested limiting programs to those that meet a 
minimum standard, are specifically licensed, credentialed, or 
accredited, such as state licensure. Several commenters asked that 
SAMHSA provide an exception for pharmacists and pharmacies or dentists. 
Lastly, a commenter said the rule should include rehabilitation centers 
as medical facilities.
SAMHSA Response
    Based on the number and type of comments received regarding 
including general medical practices in the Program definition, SAMHSA 
has decided not to finalize the general medical practices language in 
the final rule. The number and type of comments led SAMHSA to believe 
separating out general medical practices from general medical 
facilities was more confusing than clarifying. Most commenters 
indicated a belief that SAMHSA was expanding the definition of program 
to include individuals and entities that had not previously been 
covered. As we've previously noted in our publicly available FAQ 
guidance, a practice comprised of primary care providers could be 
considered a ``general medical facility and be subject to 42 CFR part 2 
if they are both ``federally assisted'' and meet the definition of a 
program under 42 CFR 2.11. Nevertheless, consistent with the definition 
of a ``program'':

    1. If a provider is not a general medical care facility, then 
the provider meets the part 2 definition of a ``Program'' if it is 
an individual or entity who holds itself out as providing, and 
provides substance use disorder diagnosis, treatment, or referral 
for treatment.
    2. If the provider is an identified unit within a general 
medical facility, it is a ``Program'' if it holds itself out as 
providing, and provides, substance use disorder diagnosis, 
treatment, or referral for treatment.
    3. If the provider consists of medical personnel or other staff 
in a general medical facility, it is a ``Program'' if its primary 
function is the provision of substance use disorder diagnosis, 
treatment, or referral for treatment and is identified as such 
specialized medical personnel or other staff by the general medical 
facility.

    SAMHSA's FAQ guidance further addresses the issue of what 
constitutes a general medical facility. This FAQ

[[Page 6066]]

guidance clarifies that, while the term ``general medical care 
facility'' is not defined in the definitions section of 42 CFR 2.11, 
hospitals, trauma centers, or federally qualified health centers would 
generally be considered ``general medical care'' facilities. Therefore, 
primary care providers who work in such facilities would only meet part 
2's definition of a program if (1) they work in an identified unit 
within such general medical facility that holds itself out as 
providing, and provides, substance use disorder diagnosis, treatment or 
referral for treatment, or (2) the primary function of the provider is 
substance use disorder diagnosis, treatment or referral for treatment 
and they are identified as providers of such services. In addition, a 
practice comprised of primary care providers could be considered a 
``general medical facility.'' As such, only an identified unit within 
that general medical care facility which holds itself out as providing 
and provides substance use disorder diagnosis, treatment or referral 
for treatment would be considered a ``program'' under the definition in 
the part 2 regulations. Medical personnel or staff within that facility 
whose primary function is the provision of those services and who are 
identified as such providers would also qualify as a ``program'' under 
the definition in the part 2 regulations. Other units or practitioners 
within that general medical care facility would not meet the definition 
of a part 2 program unless such units or practitioners also hold 
themselves out as providing and provide substance use disorder 
diagnosis, treatment or referral for treatment.
    SAMHSA also clarifies that the program definition does not 
categorically exclude buprenorphine providers. However, holding a 
waiver to prescribe buprenorphine or holding a waiver and prescribing 
buprenorphine as part of primary care practice also does not lead to 
categorical inclusion of providers in the definition of a part 2 
program; such determinations are fact-specific. Also, a health care 
provider that does not otherwise meet the definition of a part 2 
program would not become a program simply because they provided 
screening, brief intervention, and/or referral to treatment within the 
context of general health care. SBIRT is discussed in further detail 
under Section V.E (Applicability) below.
    Regarding comments on the meaning of ``primary function,'' SAMHSA 
did not propose a definition of ``primary function'' because it has not 
historically received many, if any, questions on its meaning.
    Consistent with previously published FAQ guidance, we reiterate 
that ``Holds itself out'' means any activity that would lead one to 
reasonably conclude that the individual or entity provides substance 
use disorder diagnosis, treatment, or referral for treatment, including 
but not limited to:
     Authorization by the state or federal government (e.g. 
licensed, certified, registered) to provide, and provides, such 
services,
     Advertisements, notices, or statements relative to such 
services, or
     Consultation activities relative to such services.
i. Qualified Service Organization
    SAMHSA is adopting the definition of ``Qualified Service 
Organization'' as proposed. SAMHSA has revised the definition of QSO to 
include population health management in the list of examples of 
services a QSO may provide. SAMHSA also revised the term ``medical 
services'' as listed in the examples of permissible services offered by 
a QSO to clarify that it is limited to ``medical staffing services.'' 
SAMHSA made this revision to emphasize that QSOAs should not be used to 
avoid obtaining patient consent.
Public Comments
    A large number of commenters supported the proposed QSO definition, 
particularly the addition of ``population health management.'' Many 
commenters requested a clarification or a narrow definition of 
``population health management.''
SAMHSA Response
    SAMHSA provided guidance in the NPRM preamble regarding what 
constitutes population health management services. Specifically, 
population health management refers to increasing desired health 
outcomes and conditions through monitoring and identifying individual 
patients within a group. To achieve the best outcomes, providers must 
supply proactive, preventive, and chronic care to all of their 
patients, both during and between encounters with the health care 
system. For patients with substance use disorders, who often have 
comorbid conditions, proactive, preventive, and chronic care is 
important to achieving desired outcomes. Any QSOA executed between a 
part 2 program and an organization providing population health 
management services would be limited to the office(s) or unit(s) 
responsible for population health management in the organization (e.g., 
the ACO, CCO, CPCMH, or managed care organization [MCO]), not the 
entire organization and not its participants (e.g., case managers, 
physicians, addiction counselors, hospitals, and clinics). However, the 
presence of a QSOA does not preclude disclosures of patient identifying 
information to other individuals within these organizations based on a 
valid part 2-compliant consent.
Public Comments
    Some commenters requested clarification about the definition, such 
as whether an HIE could be considered a QSO; whether the definition, 
which includes ``an individual,'' can include members of the covered 
entity's workforce; and whether public health management staff can 
share part 2 information with case managers.
    A few commenters expressed opposition to the proposed definition of 
QSO, asserting that patient consent should be obtained before making a 
disclosure of substance use disorder information to multiple entities. 
Another commenter warned that under the definition, it would be 
difficult to track which part 2 patients may or may not be within a 
population health program at any given time.
SAMHSA Response
    The NPRM as well as the current (1987) definition of QSO uses the 
term person. Person is defined in the current (1987) regulations as: 
``Person means an individual, partnership, corporation, federal, state 
or local government agency, or any other legal entity.'' The NPRM 
definition proposed a parenthetical: ``(also referred to as individual 
or entity).'' Because both the 1987 regulations and the NPRM definition 
of person includes both individuals and entities, the definition of the 
term QSO has always included both individual and entities, the 
definition of the term QSO has always included individuals, as well as 
entities.
    Whether the QSO definition applies to members of an entity's 
workforce and case managers depends on whether they meet the definition 
of QSO as defined in Sec.  2.11 because such determinations are fact-
specific. An individual or entity who does not meet the definition of a 
QSO may, however, meet the definition of ``Treating provider 
relationship'' for the purposes of obtaining consent. Likewise, care 
coordination was not added to the list of examples of permissible 
services offered by a QSO because care coordination has a patient 
treatment component.
    Under the part 2 governing statute, patient records pertaining to 
the patient's substance use disorder may be shared only with the prior 
written

[[Page 6067]]

consent of the patient or as permitted under the part 2 statute, 
regulations, or guidance. However, the regulations may contain such 
definitions, and may provide for such safeguards and procedures, 
including procedures and criteria for the issuance and scope of orders, 
as in the judgment of the Secretary are necessary or proper to 
effectuate the purposes of this statute, to prevent circumvention or 
evasion thereof, or to facilitate compliance therewith.
    Regarding the concern about disclosing to multiple entities under a 
QSOA, as noted above, any QSOA executed between a part 2 program and an 
organization providing population health management services would be 
limited to the office(s) or unit(s)/entity(ies) responsible for 
population health management for the organization (e.g., the ACO, CCO, 
CPCMH, or MCO), not the entire organization and not its participants 
(e.g., case managers, physicians, addiction counselors, hospitals, and 
clinics).
Public Comments
    Commenters provided various suggestions to improve the definition. 
Several commenters said the definition should be expanded to permit a 
multi-party agreement for multi-directional sharing of information. 
Commenters said the description of the provision should address 
overlapping requirements of HIPAA and part 2 with respect to 
contractual agreements and services such as data processing and 
billing. A commenter said facilitating entities should be able to enter 
into QSO agreements with participating providers to perform quality 
improvement activities. Another commenter said the QSO exception to 
restrictions on disclosure should apply to third-party payers and other 
holders of part 2 information, and the definition should include other 
functions to support improved care delivery.
SAMHSA Response
    Part 2 and its implementing statute are much more restrictive than 
HIPAA. Because 42 CFR part 2 and its governing statute are separate and 
distinct from HIPAA, the part 2 regulations use different terminology 
than used in HIPAA. However, SAMHSA aligned policy with HIPAA where 
possible.
    Because a QSOA is a two-way agreement between a part 2 program and 
the entity providing the part 2 program and an individual or entity 
providing a service to a part 2 program, agreements between more than 
those two parties (e.g. multi-party agreements) are prohibited. A QSOA 
cannot be used to avoid obtaining patient consent in the treatment 
context.
    As stated previously in this preamble, SAMHSA is issuing an SNPRM 
to seek further comments and information on the disclosure to and use 
of part 2 information by the contractors and subcontractors of third-
party payers and other lawful holders for purposes of payment, health 
care operations, and other health care related activities before 
establishing any appropriate restrictions on disclosures to them.
Public Comments
    Commenters generally expressed opposition to the change of 
``medical services'' to ``medical staffing services'' in the 
definition. A commenter expressed opposition to the interpretation that 
the QSO agreement executed between a part 2 program and an organization 
that provided population health management services would be limited to 
a specific office(s) or unit(s) within the organization that is/are 
tasked with carrying out such services.
SAMHSA Response
    SAMHSA has revised the term ``medical services'' as listed in the 
examples of permissible services offered by a QSO to clarify that it is 
limited to ``medical staffing services.'' SAMHSA proposed to make this 
revision to emphasize that QSOAs should not be used to avoid obtaining 
patient consent. Accordingly, a QSOA could be used by a part 2 program 
to contract with a provider of on-call coverage services (previously 
clarified in FAQ guidance) or other medical staffing services but could 
not be used to disclose John Doe's patient identifying information to 
his primary care doctor for the purpose of treatment (other than that 
provided under a QSOA for medical staffing services). However, an 
individual or entity who is prohibited from providing treatment to an 
individual patient under a QSOA may still meet the requirements of 
having a treating provider relationship (as that term is defined in 
Sec.  2.11) with respect to the consent requirements in Sec.  2.31.
    With respect to the comment regarding an organization providing 
population health management services, a QSOA is a two-way agreement 
between a part 2 program and the entity providing the service. We 
reiterate that disclosures by a QSO pursuant to a QSOA executed between 
a part 2 program and an organization that provides population health 
management services would be limited to a specific office(s) or 
unit(s)/entity(ies) that is/are tasked with carrying out such services 
for the organization. SAMHSA believes this is a needed safeguard to 
limit disclosures to that which is reasonably necessary to carry out 
services under the QSOA.
Public Comments
    Many commenters expressed opposition to the exclusion of ``care 
coordination'' from the QSO definition or requested clarification for 
the meaning of ``care coordination.'' Some commenters specifically 
requested adding care coordination to the list of services a QSO may 
provide, reasoning that it would facilitate integrated substance use 
disorder, health, and mental health services. The commenters asserted 
that the addition would benefit patients' health, safety, and quality 
of life while maintaining confidentiality protections.
SAMHSA Response
    In the NPRM, SAMHSA clarified that an individual or entity is 
prohibited from providing treatment to an individual patient under a 
QSOA. SAMHSA has revised the term ``medical services'' as listed in the 
examples of permissible services offered by a QSO to clarify that it is 
limited to ``medical staffing services.'' SAMHSA proposed to make this 
revision to emphasize that QSOAs should not be used to avoid obtaining 
patient consent. Accordingly, a QSOA could be used by a part 2 program 
to contract with a provider of on-call coverage services (previously 
clarified in FAQ guidance) or other medical staffing services, but 
could not be used to disclose John Doe's patient identifying 
information to his primary care doctor for the purpose of treatment 
(other than that provided under a QSOA for medical staffing services). 
For this reason, care coordination and medication management, both of 
which have a treatment component, were not added to the list of 
examples of permissible services offered by a QSO. However, an 
individual or entity who is prohibited from providing treatment to an 
individual patient under a QSOA may still meet the requirements of 
having a treating provider relationship (as that term is defined in 
Sec.  2.11) with respect to the consent requirements in Sec.  2.31.
    Regarding the request to clarify the meaning of ``care 
coordination'' and how it differs from ``population health 
management,'' because SAMHSA decided not to include care coordination 
in the examples of permissible services under the definition of a QSO, 
we did not define the term ``care coordination'' in the NPRM and, 
therefore, decline to do so

[[Page 6068]]

in this final rule. Population health management refers to increasing 
desired health outcomes and conditions through monitoring and 
identifying patients within a group.
j. Records
    SAMHSA has revised the proposed definition. As suggested by 
commenters, SAMHSA has modified the definition of ``Records'' by adding 
``created by'' and a parenthetical with examples to read as follows: 
``Records means any information, whether recorded or not, created by, 
received, or acquired by a part 2 program relating to a patient (e.g., 
diagnosis, treatment and referral for treatment information, billing 
information, emails, voice mails, and texts). For the purpose of these 
regulations, records include both paper and electronic records.'' 
SAMHSA revised the definition of ``Records'' to include any 
information, whether recorded or not, which includes verbal 
communications, created, received or acquired by a part 2 program 
relating to a patient. The revised definition makes clear that, for the 
purpose of the part 2 regulations, records include both paper and 
electronic records.
Public Comments
    A commenter remarked that the proposed definition of ``records'' 
does not address ``identifiability,'' asserting that information that 
is not individually identifiable, that is not reasonably capable of 
being re-identified, or that is aggregate may not need to be covered by 
the definition of record. Regarding the phrase ``whether recorded or 
not'' in the proposed definition, a couple of commenters requested 
guidance on what constitutes ``unrecorded information.''
SAMHSA Response
    SAMHSA clarifies that unrecorded information includes verbal 
communications and is still considered part of the record. To add 
further clarity to the definition, SAMHSA has revised the definition of 
``Records'' from the proposed language by adding examples (e.g., 
diagnosis, treatment and referral for treatment information, billing 
information, emails, voice mails, and texts). SAMHSA also added the 
phrase ``created by'' to clarify that ``records'' includes information 
received, acquired, or created by a part 2 program relating to a 
patient. Regarding ``identifiability,'' identification is addressed in 
the term ``Patient identifying information,'' not in the definition of 
``Record.'' The definition of records is just that and does not address 
information that may be disclosed.
k. Treatment
    SAMHSA is adopting the proposed definition of ``Treatment.'' SAMHSA 
has deleted the term ``management'' from the ``Treatment'' definition.
Public Comments
    A few commenters opposed the proposed removal of the term 
``management'' from the definition of ``treatment'' because the 
narrower definition would decrease information sharing and have a 
chilling effect on care coordination. A couple of commenters urged that 
``treatment'' should be limited to care of the substance use disorder 
and not be extended to include care of other medical conditions 
secondary to or that arose because of the substance use disorder. One 
commenter suggested that ``care'' should be defined as it is used in 
the definition of ``treatment.''
SAMHSA Response
    SAMHSA removed the term ``management'' from the definition of 
``Treatment'' because in today's health care environment, 
``management'' has a much broader meaning than it did when the 
regulations were last revised. Treatment is not limited to care of the 
substance use disorder because patients with a substance use disorder 
often have comorbid conditions.
3. Terminology Changes
    SAMHSA is adopting the changes proposed in this section, as 
described in the NPRM. In addition to changes to several definitions, 
SAMHSA is also implementing several terminology changes intended to 
ensure consistency in the use of terms throughout the regulations and 
to increase the understandability of the rule. First, we made revisions 
to consistently refer to law enforcement as ``law enforcement agencies 
or officials.'' Secondly, SAMHSA revised the part 2 regulations to use 
the term ``entity'' instead of ``organization'' wherever possible. 
Thirdly, SAMHSA clarifies that, for the purposes of this regulation, 
the term ``written'' includes both paper and electronic documentation. 
Fourthly, we use the phrase ``part 2 program or other lawful holder of 
patient identifying information'' to refer to a part 2 program or other 
individual or entity that is in lawful possession of patient 
identifying information. A ``lawful holder'' of patient identifying 
information is an individual or entity who has received such 
information as the result of a part 2-compliant patient consent (with a 
prohibition on re-disclosure notice) or as a result of one of the 
exceptions to the consent requirements in the statute or implementing 
regulations and, therefore, is bound by 42 CFR part 2.
Public Comments
    One commenter requested clarification about what entities are 
considered ``lawful holders'' of patient identifying information in the 
context of complex health care systems. For example, would the parent 
company of a health care system, each specific hospital, or each entity 
affiliated with the health care system be considered a ``lawful 
holder''?
    Another commenter urged that the term ``other lawful holder'' 
should be clearly defined in the final rule.
SAMHSA Response
    A ``lawful holder'' of patient identifying information is an 
individual or entity who has received such information as the result of 
a part 2-compliant patient consent (with a prohibition on re-disclosure 
notice) or as permitted under the part 2 statute, regulations, or 
guidance and, therefore, is bound by 42 CFR part 2. SAMHSA cannot 
determine what entities are ``lawful holders'' because such 
determinations are fact-specific. In addition, SAMHSA determined that 
it was not feasible to define all lawful holders of information so has 
not included a definition in the rule. As explained in the NPRM, 
examples of ``lawful holders'' include a patient's treating provider, a 
hospital emergency room, an insurance company, an individual or entity 
performing an audit or evaluation, or an individual or entity conducing 
scientific research. This list provided in the NPRM was intended only 
as an illustrative example of who could be a lawful holder.
4. Other Comments on Definitions
Public Comments
    Many commenters expressed general support for the proposed 
clarification of definitions. Some commenters sought new definitions 
for terms including HIE; recipient; population health management and 
care coordination; population health; re-disclosure; law enforcement 
agency or official; repository; and scientific research.
    Several commenters addressed the ``alternative approach'' discussed 
in the NPRM for allowing disclosure to treating providers by requesting 
the addition of a definition for ``organization'' to Sec.  2.11. 
Commenters generally supported a clear definition of ``organization'' 
to allow for the exchange of part 2 information. One commenter, 
however, opposed relying upon a definition rather than specifying the 
process for consent in the rule itself.

[[Page 6069]]

SAMHSA Response
    SAMHSA did not propose definitions for the terms suggested and has 
decided not to pursue the ``alternative approach'' since that approach 
as written received no support and only 2 commenters supported the 
``alternative approach with suggested revisions.'' Based on comments 
received, the agency has addressed disclosures to treating providers 
within this rule's consent requirements.
E. Applicability (Sec.  2.12)
    SAMHSA is adopting this section as proposed. In addition to the 
revisions to the definition of ``Program'' and the addition of a 
definition for ``Part 2 program'' mentioned above, SAMHSA has revised 
Sec.  ;2.12(d)(2)(i)(C) so that restrictions on disclosures also apply 
to individuals or entities who receive patient records from other 
lawful holders of patient identifying information (see Sec.  2.11, 
Terminology Changes). Patient records subject to these regulations 
include patient records maintained by part 2 programs, as well as those 
records in the possession of ``other lawful holders of patient 
identifying information.'' SAMHSA may issue additional subregulatory 
guidance addressing the applicability section, as deemed necessary, 
after publication of the final rule.
Public Comments
    A few commenters supported the proposed applicability provisions. 
Some commenters cited relevant preamble language but remained uncertain 
about who qualifies as a part 2 provider. Several commenters requested 
greater clarification in identifying part 2 coverage, including whether 
the provisions apply to various models of integrated behavioral health 
and primary care; mixed-use facilities that provide primary care and 
behavioral health services or mental health and substance use 
treatment; certified community behavioral health centers that do not 
necessarily ``primarily'' furnish substance abuse services but rather 
provide a comprehensive approach to care; embedded behavioral health 
information within an acute care record; a medical facility providing 
several distinct books of business, of which only one receives federal 
assistance; pharmacies; dentists; Drug Addiction Treatment Act (DATA 
2000)-waived physicians; employee assistance programs that may include 
substance use assessment and counseling; a provider who bills Medicaid 
and Medicare but is not otherwise a ``federally assisted program;'' and 
confidential information related to safety and incident reporting. A 
commenter requested clarification about the definition of ``direct 
administrative control'' in the proposed provision related to 
exceptions for communications within a part 2 program. A commenter 
urged consideration for reporting by programs to a public health 
registry and suggested advantages of such a requirement.
    Some commenters requested applicability exemptions. Some commenters 
requested exclusions for employee assistance programs; Medicaid 
overutilization control programs; and plans with integrated care 
delivery models. Some commenters requested exemptions to consent for 
communications between a QSO and a part 2 program or third-party payer 
(e.g., Medicaid) and between a part 2 program. One commenter requested 
clarification that consent and disclosure requirements would not apply 
when the patient directs electronic disclosure for a consumer health 
application. A commenter requested clarification that services are only 
covered under part 2 if the personnel are identified as providing 
substance use disorder treatment outside the organization to the 
general public. Commenters favored an exception for reporting of child 
abuse and elder abuse. A few commenters mentioned certain concerns 
related to the proposed rule. A commenter argued that the proposed rule 
would do little to simplify requirements for providers, and this may 
result in providers not documenting substance use disorder-related 
information in medical records. Other commenters opposed the lack of 
protections in the proposal and warned that the rule would impose 
constraints and burdens on providing a patient's behavioral health data 
and impede information sharing. A commenter stated that general health 
care organizations that hire an employee with substance use disorder 
expertise would be considered a covered entity, so they may be 
discouraged from integrating substance use disorder services into their 
operation. Similarly, hospital emergency departments may be discouraged 
from hiring staff with specialized experience in substance use 
disorders. One commenter expressed concern that the rule may extend 
protection not just to records for substance use disorder treatment, 
but also to medical conditions and medications that allow an inference 
that the patient has a substance use disorder. One commenter argued 
that any substance use record should be protected from unauthorized 
disclosure for criminal justice investigations. Expressing support for 
the continued protection of substance use disorder records from 
disclosure and use in criminal investigations except under certain 
conditions, a commenter said that while HIPAA and other laws also 
provide similar protections, part 2 has more stringent due process and 
court order provisions.
    One commenter argued that the proposed rule exceeds the underlying 
statutory requirements in 42 U.S.C. 290dd-2 by expanding protections of 
substance use information and establishing penalties. Another commenter 
mentioned that the HITECH revisions to HIPAA already require general 
medical facilities to utilize enhanced security measures to protect the 
confidentiality and privacy of patient's health records.
    A few commenters advocated that the safeguards applied to protected 
health information (as defined under HIPAA) for all other health 
conditions could apply for substance use disorder-related information.
    One commenter urged a focus on the actual information that requires 
protection, as opposed to the origin of the treatment records. 
Similarly, another commenter expressed disappointment that SAMHSA 
rejected the option to redefine the applicability of part 2 based on 
the type of substance use disorder treatment services, rather than the 
type of provider.
    Several commenters suggested exceptions to the applicability of 
part 2 regulations. One commenter said SAMHSA should create a due 
diligence exception to allow a part 2 program's records to be reviewed 
in the event of a proposed sale of the part 2 facility. Another 
commenter said SAMHSA should include an exception to allow disclosure 
of part 2 records in connection with the seeking of a grant or much 
needed funding for substance abuse patients. A commenter said SAMHSA 
should create a payment exception that would allow part 2 programs to 
submit information to governmental or commercial payers without the 
patient's prior authorization.
    Other commenters stated that exceptions should be added for the 
purpose of seeking involuntary commitment of an individual who poses a 
likelihood of serious harm to self or others by reason of a substance 
use disorder, in accordance with applicable provisions of state law and 
subject to appropriate terms regarding the continued confidentiality of 
such data. Another commenter stated that the rule

[[Page 6070]]

should specifically permit continued data collection of substance use 
disorder by state agencies. Another commenter stated that an exception 
limited disclosures to law enforcement and other appropriate parties in 
the event a committed patient escapes from a treatment facility, and to 
other part 2 programs and appropriate state agencies as necessary for 
purposes of discharge planning or transferring a patient without 
consent.
SAMHSA Response
    With respect to the comments recommending aligning with HIPAA, 
SAMHSA has attempted to do so in this final rule to the extent the 
change was permissible under 42 U.S.C. 290dd-2. At the same time, part 
2 and its governing statute are separate and distinct from HIPAA and 
its implementing regulations. Because of its targeted population, part 
2 provides more stringent federal protections than most other health 
privacy laws, including HIPAA.
    As stated in the preamble discussion of the applicability (Sec.  
2.12) in the NPRM, SAMHSA considered options for defining what 
information is covered by part 2, including defining covered 
information based on the type of substance use disorder treatment 
services provided instead of the type of facility providing the 
services. SAMHSA however, rejected that approach because more substance 
use disorder treatment services are occurring in general health care 
and integrated care settings, which typically are not covered under the 
current (1987) regulations. Providers who in the past offered only 
general or specialized health care services (other than substance use 
disorder services) now, on occasion, provide substance use disorder 
treatment services, but only as incident to the provision of general 
health.
    The definitions of ``Part 2 program'' and ``Program'' are critical 
to applicability. These terms are defined in Sec.  2.11. The response 
to comments on the definition of program in this final rule further 
clarifies coverage. Holding a waiver to prescribe buprenorphine or 
holding a waiver and prescribing buprenorphine as part of primary care 
practice does not lead to categorical inclusion of providers in the 
definition of a part 2 program; such determinations are fact-specific. 
The same concept applies whenever determining applicability.
    With respect to comments on part 2 coverage, although the statute 
may not be explicit with regard to certain provisions in 42 CFR part 2, 
the statute directs the Secretary to prescribe regulations to carry out 
the purpose of the statute, which may include definitions and may 
provide for such safeguards and procedures that in the judgment of the 
Secretary are necessary or proper to effectuate the purposes of this 
section, to prevent circumvention or evasion thereof, or to facilitate 
compliance therewith. For various models of integrated behavioral 
health, SAMHSA strives to facilitate information exchange within new 
health care models while addressing the legitimate privacy concerns of 
patients seeking treatment for a substance use disorder. These concerns 
include, but are not limited to, the potential for loss of employment, 
loss of housing, loss of child custody, discrimination by medical 
professionals and insurers, arrest, prosecution, and incarceration.
    The response to comments on the definition of program in this final 
rule further clarifies coverage.
    SBIRT is a cluster of activities designed to identify people who 
engage in risky substance use or who might meet the criteria for a 
formal substance use disorder. Clinical findings indicate that the 
overwhelming majority of individuals screened in a general medical 
setting do not have a substance use disorder and do not need substance 
use disorder treatment. A health care provider that does not otherwise 
meet the definition of a part 2 program would not become a part 2 
program simply because they provide SBIRT within the context of general 
health care.
    For behavioral health facilities, SAMSHA notes that federally 
qualified health centers, community mental health centers, and 
behavioral health clinics meeting the definition of a part 2 program 
must comply with 42 CFR part 2 and those that do not meet the 
definition of part 2 program do not have to comply with 42 CFR part 2 
unless they become a lawful holder of patient identifying information 
because they received patient identifying information via consent 
(along with a notice of prohibition on re-disclosure) or as permitted 
under the part 2 statute, regulations, or guidance. Rather than offer 
definitions or outline an exhaustive list of entities that could meet 
the definition of a part 2 program, we prefer to offer illustrative 
examples in the explanation of applicability provision of these 
regulations (see Sec.  2.12(e)(1)). SAMHSA has not received questions 
in the past concerning the definition of general medical facility.
    Regarding the question of part 2 applicability when a patient 
directs electronic disclosure for a consumer health application, the 
NPRM preamble discussion of lawful holder in the Terminology Changes 
section stated: ``A patient who has obtained a copy of their records or 
a family member who has received such information from a patient would 
not be considered a `lawful holder' of patient identifying information 
in this context.'' Information disclosed by a part 2 program or a 
lawful holder of patient identifying information is covered by 42 CFR 
part 2 and requires patient consent unless disclosure is otherwise 
permitted under the part 2 statute or regulations. Therefore, it is 
permissible for a patient to disclose information to a personal health 
record or similar consumer health application but if a part 2 program 
or lawful holder of patient identifying information discloses that 
information to the personal health record or other similar consumer 
application on behalf of the patient, consent would be required.
    Regarding patient records and Medicaid overutilization control 
programs, the prohibition on re-disclosure (Sec.  2.32) applies to 
information that would identify, directly or indirectly, an individual 
as having been diagnosed, treated, or referred for treatment for a 
substance use disorder, such as indicated through standard medical 
codes, descriptive language, or both, and allows other health-related 
information shared by the part 2 program to be re-disclosed, if not 
prohibited by any other applicable laws. Under the current statutory 
authority, patient records pertaining to substance use disorder may be 
shared only with the prior written consent of the patient or as 
permitted under the part 2 statute and implementing regulations. In 
addition, the authorizing statute specifically enumerates the areas of 
non-applicability, which includes the reporting under state law of 
incidents of suspected child abuse and neglect to appropriate state and 
local authorities. Therefore, SAMHSA did not adopt this requested 
change. Regarding elder abuse, if a program determines it is important 
to report elder abuse, disabled person abuse, or a threat to someone's 
health or safety, or if the laws in a program's state require such 
reporting, the program must make the report anonymously, or in a way 
that does not disclose that the person making the threat is a patient 
in the program or has a substance use disorder, or obtain a court order 
if time allows.
    Some commenters asked about the applicability of the part 2 
regulations to various facilities or entities, such as rehabilitation 
facilities, dentists, and pharmacies. In summary, if a provider is not 
a general medical facility or does

[[Page 6071]]

not hold itself out as providing, and provides, substance use disorder 
diagnosis, treatment or referral for treatment, it would not meet the 
first section of the definition of ``Program.'' If the provider is 
either not an identified unit within a general medical facility that 
holds itself out as providing, or does not provide, substance use 
disorder diagnosis, treatment, or referral for treatment, it does not 
meet the second section of the definition of ``Program.'' If the 
provider either does not consist of medical personnel or other staff in 
a general medical facility whose primary function is the provision of 
substance use disorder diagnosis, treatment, or referral for treatment 
or is not identified as such specialized medical personnel or other 
staff by the general medical facility, it does not meet the third 
section of the definition of ``Program.'' Whether embedded behavioral 
health information is covered by 42 CFR part 2 depends on several 
factors: First, only patient identifying information is subject to part 
2 protections. If the acute care facility meets the definition of a 
part 2 program and the information would identify, directly or 
indirectly an individual as having been diagnosed, treated, or referred 
for treatment for a substance use disorder, the information is subject 
to part 2 protections; and if the acute care facility received the 
patient identifying information via a valid part 2 consent (with a 
notice of prohibition on re-disclosure) or as otherwise permitted under 
the part 2 statute or regulations, the information is subject to part 2 
protections.
    With respect to pharmacies, when they receive prescriptions 
directly from part 2 programs, the patient identifying information 
related to those prescriptions is subject to 42 CFR part 2 
confidentiality restrictions (as indicated by the accompanying 
prohibition on re-disclosure notice). Pharmacies that receive paper 
prescriptions directly from patients (and do not receive a prohibition 
on re-disclosure notice) are, therefore, not subject to the part 
2confidentiality restrictions. However, if the pharmacy or pharmacist 
meets the definition of a part 2 program, they must comply with the 
part 2 regulations.
    In response to the commenter's request for clarification that 
services are only covered under part 2 if the personnel are identified 
as providing substance use disorder treatment outside the organization 
to the general public, the third section of the definition of program 
uses the term ``personnel'' to state that medical personnel or other 
staff in a general medical facility whose primary function is the 
provision of substance use disorder diagnosis, treatment or referral 
for treatment and who are identified as such providers. This section of 
the definition of program does not include the phrase ``holds itself 
out'' as do the first two sections of the definition of program. In the 
third section of the definition, the medical personnel or other staff 
must be identified as such specialized medical personnel or other staff 
by the general medical facility.
    Although commenters requested an exclusion for employee assistance 
programs, the regulation text at Sec.  2,12(d)(1) states: ``Coverage 
includes, but is not limited to, those treatment or rehabilitation 
programs, employee assistance programs, programs within general 
hospitals, school-based programs, and private practitioners who hold 
themselves out as providing, and provide substance use disorder 
diagnosis, treatment, or referral for treatment.
    Commenters requested an exemption for communications between a part 
2 program and another entity under common ownership or control, but 
SAMHSA declines to make the requested change. However, as stated in the 
regulatory text (Sec.  2.12(c)(3) restrictions on disclosure in these 
regulations do not apply to communications of information between or 
among personnel having a need for the information in connection with 
their duties that arise out of the provision of diagnosis, treatment, 
or referral for treatment of patients with substance use disorders if 
the communications are:
    (i) Within a part 2 program; or
    (ii) Between a part 2 program and an entity that has direct 
administrative control over the program.''
    SAMHSA declines to add the various suggested exceptions to the 
applicability of the part 2 regulations, and encourages all 
stakeholders to consult with legal counsel to ensure compliance with 42 
CFR part 2, as well as any other applicable federal, state, or local 
laws or regulations. SAMHSA is limited by statute to the specific 
exceptions listed in the law; it cannot, therefore, add exceptions. As 
stated previously, SAMHSA is authorized to promulgate regulations and 
to provide such safeguards and procedures necessary to carry out the 
purposes of the authorizing statute. SAMHSA has endeavored to strike an 
appropriate balance between the important privacy protections afforded 
patients with substance use disorders and the necessary exchange of 
information to improve treatment outcomes for these individuals.
F. Confidentiality Restrictions and Safeguards (Sec.  2.13)
    SAMHSA is modifying this section slightly from that proposed in the 
NPRM by adding a paragraph clarifying responsibility for the List of 
Disclosures requirement. As discussed in the proposal, because SAMHSA 
is revising the consent requirements to allow a general designation in 
certain circumstances, we have revised Sec.  2.13 by adding a paragraph 
(d), which requires that, upon request, patients who have included a 
general designation in the ``To Whom'' section of their consent form 
must be provided, by the entity that serves as an intermediary, a list 
of entities to which their information has been disclosed pursuant to 
the general designation (List of Disclosures).
    The new Sec.  2.13(d) specifies that patient requests for a list of 
entities to which their information has been disclosed must be in 
writing. Consistent with the NPRM, we consider ``written'' to include 
both paper and electronic documentation. The list is limited to 
disclosures made within the past 2 years.
    Further, entities named on the consent form that disclose 
information pursuant to a patient's general designation (entities that 
serve as intermediaries as described in Sec.  2.31(a)(4)(iii)(B)) must 
respond to requests for a List of Disclosures in 30 or fewer days of 
receipt of the request.
1. Delayed Implementation of List of Disclosures Provision
Public Comments
    Several commenters raised concerns about how to interpret the two-
year delayed implementation of List of Disclosures and whether the 
general designation will be used during that period. A commenter 
expressed concern about the immediate implementation of the general 
designation while the right of patients to obtain a List of Disclosures 
is postponed for two years.
    Other commenters stated that, based on the NPRM language, HIEs will 
not be able to take advantage of a general designation on the consent 
form until they have the ability to comply with the List of Disclosures 
requirement.
    Commenters said SAMHSA needs to clarify that the duty to begin 
collecting and storing disclosures under the general designation begins 
two years after the effective date of the final rule and not before.
    A commenter recommended that the right to obtain a list of those 
who have received the patient's information should be implemented 
simultaneously

[[Page 6072]]

with any other revisions to the part 2 regulation. Another commenter 
said SAMSHA should implement the List of Disclosures requirement within 
90 days.
SAMHSA Response
    SAMHSA clarifies that the general designation on a consent form may 
not be used until entities have the ability to comply with the List of 
Disclosures provision. However, SAMHSA has removed the two-year delayed 
compliance date for the List of Disclosures provision for the reasons 
discussed in Section IV above.
2. Responsibilities Under the List of Disclosures Process
Public Comments
    Commenters said SAMHSA should allow non-treating entities, that do 
not have a treating provider relationship with the patient whose 
information is being disclosed and serve as intermediaries named on the 
consent form, to release the List of Disclosures to the facility where 
the patient receives care (or the part 2 program), rather than to the 
patient directly. One commenter said because this process, in which the 
patient/consumer requests and receives the List of Disclosures from the 
site where they receive care/part 2 program, rather than from the HIE, 
resembles the process currently being used to meet HIPAA disclosure 
requirements, it could be implemented without requiring additional 
burdens on HIEs. Since most HIEs are not patient-facing, commenters 
stated that there are typically not policies or procedures in place for 
interacting with patients directly, particularly for patient 
authentication, and suggested it be done at the provider level, and 
that the patient communication be maintained at the part 2 program 
level.
    Other commenters said SAMHSA does not specify what responsibility, 
if any, the part 2 program has to coordinate or verify the compliance 
of the CCO or HIE with the List of disclosures. One commenter said if 
SAMHSA intends for the part 2 program to have any responsibilities 
beyond this, then it should obtain additional feedback from part 2 
programs before proposing any new obligations. Some commenters appeared 
to assume the part 2 program was responsible for the List of 
Disclosures and requested that SAMHSA modify the requirement to impose 
the duty directly upon the HIE, ACO, CCO, or research institution to 
provide the listing to the patient, rather than the part 2 program.
    A commenter said SAMSHA should clarify what entities must be 
included on the List of Disclosures when the entity is part of a 
complex healthcare system.
    Another commenter said the absence of requiring disclosure of 
individual names undermines the intent of the List of Disclosures and 
undermines the purpose of expanding the ``To Whom'' provision and the 
patient's incentive or willingness to consent to a general designation. 
The commenter said the provision must be very explicit in disclosing 
those agencies or individuals that will receive the patients' medical 
information.
SAMHSA Response
    Regarding the suggestion to allow entities that serve as 
intermediaries as described by Sec.  2.31(a)(4)(iii)(B) to release the 
List of Disclosures to the facility where the patient receives care (or 
the part 2 program) or with the providers to whom the disclosure was 
made, rather than directly to the patient, SAMHSA has decided to retain 
the NPRM language and proposed responsibilities because the party 
making the disclosure under the general designation should be 
accountable for that disclosure. SAMHSA has clarified in paragraph 
Sec.  2.31(d)(3) that the part 2 program is not responsible for 
complying with the List of Disclosures requirement; the entity that 
serves as an intermediary, as described in Sec.  2.31(a)(4)(iii)(B), is 
responsible for compliance with the List of Disclosures requirement.
    SAMHSA plans to issue subregulatory guidance that clarifies how the 
patient may request the List of Disclosures from intermediaries as 
described by Sec.  2.31(a)(4)(iii)(B).
    On the responsibility of part 2 providers to comply with the List 
of Disclosures requirement, SAMHSA agrees with the commenters that more 
clarity is needed. In the circumstance in which a patient provides a 
general designation in the ``To Whom'' part of a consent form, the part 
2 program may not know to whom the disclosures have been made by the 
entity that serves as an intermediary. As such, the List of Disclosures 
provision requires that: The entity named on the consent form that 
discloses information pursuant to a patient's general designation (the 
entity that serves as an intermediary, as described in Sec.  
2.31(a)(4)(iii)(B)) must: (i) Respond in 30 or fewer days of receipt of 
the written request; and (ii) Provide, for each disclosure, the name(s) 
of the entity(ies) to which the disclosure was made, the date of the 
disclosure, and a brief description of the patient identifying 
information disclosed. Further, paragraph (d)(3) clarifies that the 
part 2 program is not responsible for complying with Sec.  2.13(d).
    In response to the request for clarification on what entities must 
be listed on the List of Disclosures and suggestion that individuals 
(rather than entities with whom such individuals are affiliated) must 
be listed, SAMHSA clarifies that the List of Disclosures must include a 
list of the entities to which the information was disclosed pursuant to 
a general designation. Individuals who received patient identifying 
information pursuant to the general designation on a consent form 
should be included on the List of Disclosures based on an entity 
affiliation, such as the name of their practice or place of employment. 
However, if entities that are required to comply with the List of 
Disclosures requirement wish to include individuals on the List of 
Disclosures, in addition to the required data elements which are 
outlined in Sec.  2.13(d)(2)(ii), nothing in this rule prohibits it.
    SAMHSA considered requiring both individuals and entities to be 
included on the List of disclosures but, after reviewing the Health 
Information Technology Privacy Committee's (HITPC's) recommendations 
(https://www.healthit.gov/sites/faca/files/PSTT_Transmittal010914.pdf), 
decided to require, at a minimum, a list of entities. These 
recommendations addressed the HITECH requirement that HIPAA covered 
entities and business associates account for disclosures for treatment, 
payment, and health care operations made through an EHR. The 
Transmittal Letter recommended, ``that the content of the disclosure 
report be required to include only an entity name rather than a 
specific individual as proposed in the NPRM.'' In addition, the 
Transmittal Letter noted that the Organization for Economic Cooperation 
and Development (OECD) principles, the Fair Credit Reporting Act, and 
the Privacy Act of 1974 do not require that the names of individuals be 
provided. The HITPC, a committee established by the American Recovery 
and Reinvestment Act of 2009 in accordance with the Federal Advisory 
Committee Act (FACA), provides recommendations on health IT policy 
issues to the ONC for consideration. The HITPC gave a broad charge to 
its Privacy & Security Tiger Team (Tiger Team) ``to provide 
recommendations on how to implement the requirements of the HITECH Act 
of 2009 for covered entities and business associates to account for 
disclosures for treatment, payment and health care operations made 
through an EHR. In the referenced Transmittal Letter, the HITPC did not 
focus on 42 CFR part 2,

[[Page 6073]]

however, given the similarities of the issues and the importance of the 
lessons the Tiger Team learned, SAMHSA was persuaded by the Tiger 
Team's discussion.
3. Technological Challenges and Burden of the List of Disclosures 
Provision Public Comments
Public Comments
    Many commenters argued that entities may not be equipped to 
maintain and provide a List of Disclosures. A few commenters expressed 
general concern about the burden associated with the List of 
Disclosures provision. Several commenters added that the burden is 
disproportionate to the anticipated benefit. Other commenters specified 
areas of burden, including administering consents; developing a 
tracking system; manually reviewing or auditing all records; and 
transmitting information by U.S. mail. Some comments mentioned the 
operational impact of the provision, including the impact on existing 
business practices; uncertainty about interoperability with additional 
systems; and operationalizing a different approach for HIPAA. One 
commenter argued that HIPAA already provides sufficient protections 
through the requirement for tracking and providing an accounting of 
certain disclosures. Another commenter expressed concern that there are 
varying levels of technical resources available for compliance with the 
rule.
    A commenter warned that one component of the Affordable Care Act is 
its focus on sharing of certain medical information and the proposed 
regulation may prevent realization of that goal. Similarly, another 
commenter said, if HIEs are included in the disclosure request, 
entities would be left with the choice of either not sending this 
information, which would then not be available in emergent situations, 
or not complying with this requirement. Another commenter said creating 
additional accounting requirements, without further clarification on 
the interoperability of such EHR systems, can create a state of 
continuous uncertainty and flux, deterring investment into substance 
use disorder treatment programs within integrated care networks.
    Some commenters stated that the proposed provision conflicts with 
existing HIPAA accounting of disclosure requirements or state laws. 
Other commenters said it would be administratively burdensome to 
implement, particularly in light of the fact that the health 
information technology industry is still waiting for OCR to determine 
how it will address the HITECH changes to HIPAA accounting of 
disclosures.
    For the above reasons, some commenters urged SAMHSA not to include 
the List of Disclosures provision in the final rule; delay promulgating 
until OCR decides how it will approach the HITECH provisions concerning 
the HIPAA accounting of disclosures requirement; and engage with OCR, 
providers, and vendors to fully understand the implications of such a 
requirement before establishing an implementation date for the List of 
Disclosures requirement.
SAMHSA Response
    SAMHSA is including the List of Disclosures requirement in the 
final rule to balance the flexibility of allowing a general designation 
in the ``To Whom'' section of the consent form against the protection 
of patient privacy. We understand commenter concerns about the 
technical feasibility of implementing the List of Disclosures 
requirement. However, there is no timeframe in which part 2 programs 
and lawful holders need to comply with the List of Disclosures 
requirements; only the condition that if they choose to have the option 
to disclose information pursuant to a general designation on the ``To 
Whom'' part of the consent form, they must also be capable of providing 
a List of Disclosures upon request per Sec.  2.13(d). Because the 
general designation is not mandated on a consent form, this allows 
entities time to develop and test the technology needed for compliance 
with the List of Disclosures requirements or to decide not to disclose 
information pursuant to a general designation and not implement 
technology needed for compliance with the List of Disclosures 
provision.
Public Comments
    A commenter said the List of Disclosures will impose a complex 
burden upon all parties involved in the disclosure and receipt of 
substance use disorder treatment, asserting that the disclosing party--
if it is not a part 2 program--would need to know that the information 
being disclosed is subject to the part 2 requirements. The commenter 
said there may be a question of whether this type of disclosure would 
be prohibited per the Prohibition on re-disclosure provision, and this 
becomes more complex if further disclosures or re-disclosures take 
place.
SAMHSA Response
    SAMHSA responds that the entity that serves as an intermediary 
should be provided a copy of the part 2-compliant consent form or the 
pertinent information on the consent form necessary for the 
intermediary to comply with the signed consent. The providers with a 
treating provider relationship with the patient whose information is 
being disclosed would be aware of the part 2 protections because the 
disclosure would also be accompanied by the prohibition on re-
disclosure notice.
Public Comments
    A commenter said SAMHSA has not addressed whether there will be a 
cost to the patient for obtaining a List of Disclosures. If patients 
will be required to pay a fee for this list of disclosures, the 
commenter said SAMHSA should establish a reasonable fee for the 
provision of the List of Disclosures.
SAMHSA Response
    SAMHSA strongly encourages entities to provide the List of 
Disclosures at no charge to the patient.
4. Recommendations To Further Protect Patient Privacy
Public Comments
    A commenter said SAMHSA should require the List of Disclosures to 
include all disclosures of the patient's health information, whether 
such disclosure was made pursuant to a consent form, QSOA, medical 
emergency, or any other means. Similarly, another commenter stated 
that, when a record of all uses and disclosures already exists, a 
program should be required to make that record available to a patient 
upon request. Other commenters asserted that the List of Disclosures 
should be presented to the patient at the time the consent is signed, 
rather than after the disclosures have been made. A commenter said 
patients should also be given the option, at the time of signing, to 
cross out entities to whom they do not want their information 
disclosed. Also, a commenter said patients should be informed of 
changes to the list that may now have access to their information.
    Some commenters expressed concern that the List of Disclosures 
would be limited to disclosures made within the past two years, which 
does not allow the patient to learn about past data breaches. Some 
commenters recommended expanding the time period to five years or not 
including a time limit.
SAMHSA Response
    In response to these concerns and recommendations about increasing 
patient privacy rights, SAMHSA

[[Page 6074]]

clarifies that the List of Disclosures provision was proposed in the 
NPRM as a way to balance the revision to the consent form allowing a 
more general designation in the ``To Whom'' section, which is optional. 
The List of Disclosures provision is limited to information disclosed 
pursuant to the general designation by the entity that serves as the 
intermediary, but these entities as well as part 2 programs are not 
prohibited from providing patients with all available information. 
Patients will have the right to request this List of Disclosures and 
have it produced in a timely fashion; however, SAMHSA has chosen not to 
require entities to provide this information at the time of patient 
consent as this would be impossible because disclosure of the patient's 
information has not occurred at that point. SAMHSA also emphasizes that 
patients are not required to use a general designation in the ``To 
Whom'' section of the consent form. Therefore, patients can limit 
disclosures by a more concrete specification (i.e., named 
individual(s)).
    In response the comments on expanding the time period that the List 
of Disclosures covers, this final rule's provision to limit the List of 
Disclosures to those made within the last two years does not preclude 
an entity that serves as an intermediary from providing the patient 
with a list covering disclosures made for periods greater than two 
years.
Public Comments
    A commenter said SAMHSA should not include the sample language for 
a request for a List of Disclosures under the general designation in 
the final rule because HIPAA has shown that entities construe such 
sample language as mandates to use the sample language, thereby making 
it more difficult for an individual to request such information, and 
hindering their ability to obtain such information contrary to the 
intent of the proposed rule. The commenter suggested that SAMHSA, as 
part of this rule or in subregulatory guidance at a later date, 
recommend that certain criteria be included as part of an individual's 
request for such disclosures.
SAMHSA Response
    SAMHSA did not intend for the sample language for a request for a 
list of disclosures provided in the NPRM to be construed as a 
requirement for requesting a List of Disclosures, but rather to assist 
patients in making such a request. SAMHSA is retaining the sample 
language in this rule.
Public Comments
    A commenter asserted that states can set a higher standard than 
part 2, but the NPRM language would lead the patient to think that they 
could get information via unencrypted email. The commenter suggested 
the provision be modified to indicate that responses sent to the 
patient electronically may be sent by unencrypted email at the request 
of the patient ``so long as it is not prohibited by applicable law.'' 
In addition, the commenter said the final rule should require patients 
to be notified that there may be some level of risk that the 
information in an unencrypted email could be read by a third party. In 
addition, the commenter said the rule should state that, if patients 
are notified of the risks and still prefer unencrypted email, the 
patient has the right to receive the information in that way, and 
entities are not responsible for unauthorized access of the information 
while in transmission to the patient based on the patient's request.
SAMHSA Response
    The language regarding unencrypted email transmissions appears in 
the NPRM preamble only and acknowledges both encrypted and unencrypted 
email as acceptable modes of transmission. The language goes on to say: 
``Responses sent to the patient electronically may be sent by encrypted 
transmission (e.g., encrypted email or portal), or by unencrypted email 
at the request of the patient, so long as the patient has been informed 
of the potential risks associated with unsecured transmission. Patients 
should be notified that there may be some level of risk that the 
information in an unencrypted email could be read by a third party. If 
patients are notified of the risks and still prefer unencrypted email, 
the patient has the right to receive the information in that way, and 
entities are not responsible for unauthorized access of the information 
while in transmission to the patient based on the patient's request. 
Before using an unsecured method to respond to a request for a list of 
disclosures, an entity should take certain precautions, such as 
checking an email address for accuracy before sending it or sending an 
email alert to the patient for address confirmation to avoid unintended 
disclosures.'' SAMHSA does not intend to be prescriptive regarding how 
the information is relayed to the patient or to preempt applicable 
state law that may prohibit unencrypted transmission (see Sec.  2.20).
Public Comments
    A commenter said the NPRM abandoned the current statement that the 
rule does not restrict a disclosure that ``an identified individual is 
not and has never been a patient.'' The commenters said the new 
approach militates against fishing by third parties.
SAMHSA Response
    SAMHSA agrees with the commenter that prohibiting a disclosure that 
``an identified individual is not and has never been a patient'' 
mitigates against fishing by third parties. In the NPRM, SAMHSA 
proposed to remove the concept from Sec.  2.13(c)(2) that the 
regulations do not restrict a disclosure that an identified individual 
is not and never has been a patient and has retained this position in 
the final rule.
Public Comments
    Commenters made other recommendations relating to the proposed List 
of Disclosures requirement focused on generally improving patients' 
rights, including suggestions to keep information confidential; notify 
when a treating provider has accessed the patient's confidential 
information; ensure patient-approved information sharing; provide a 
process by which an individual can raise a complaint; and disclose to 
patients in plain language.
SAMHSA Response
    SAMHSA acknowledges and shares the commenters' concerns with 
patient privacy. We believe that the List of Disclosures requirement as 
proposed in the NPRM is adequate to inform patients of how their 
information has been shared in the event that they provided a general 
designation in the ``To Whom'' portion of their consent. SAMHSA 
encourages entities to provide the information associated with a List 
of Disclosures in plain language and with sufficient specificity so 
that patients understand the List of Disclosures, including the brief 
description of the patient identifying information disclosed.
5. Other Comments and Recommendations on the List of Disclosures 
Provision
Public Comments
    One commenter recommended that SAMHSA allow consent to include a 
description of HIE as a function to support patient care, and exclude 
this function from the information disclosure accounting [List of 
Disclosure] requirement.

[[Page 6075]]

    A commenter recommended that SAMHSA offer additional guidance on 
best practices and make infrastructure grants available to create the 
necessary modifications within providers' EHRs or other consent 
tracking systems.
    Some commenters made other suggestions. For example, a commenter 
requested that SAMHSA define ``in writing'' and ``written requests'' as 
those terms are used in the List of Disclosures provision (Sec.  
3.13(d)). Another commenter urged SAMHSA to explore options to reduce 
the cost of the List of Disclosures provision and further clarify how 
the enhanced protection of substance use disorder treatment information 
can be consistent and interoperable with other health systems.
SAMHSA Response
    As for the request to define ``in writing'' and ``written 
requests'' as those terms are used in the List of Disclosures 
provision, in the NPRM preamble discussion of Terminology Changes, 
SAMHSA explained that for the purposes of this regulation, we also 
propose that the term ``written'' include both paper and electronic 
documentation.
    The consent requirements (Sec.  2.31) include the option of 
including in the ``To Whom'' section of the consent form the name of an 
entity that does not have a treating provider relationship with the 
patient whose information is being disclosed (and is not a third-party 
payer that requires patient identifying information for the purposes of 
reimbursement for the services rendered by the part 2 program) and 
either the name(s) of an individual participant(s); or the name(s) of 
an entity participant(s) that has a treating provider relationship with 
the patient whose information is being disclosed; or a general 
designation of an individual or entity participant(s) or class of 
participant(s) who has a treating provider relationship with the 
patient whose information is being disclosed. Any HIE that serves as an 
intermediary is subject to the List of Disclosures requirement 
regardless of its other ``functions.'' Regarding the requests for 
guidance, SAMHSA may issue additional subregulatory guidance on this 
provision after this final rule is published.

G. Security for Records (Sec.  [thinsp]2.16)

    SAMHSA is adopting this section as proposed except for some non-
substantive, technical changes to the language in proposed Sec.  
2.16(a)(2)(i). SAMHSA is modernizing this section to address both paper 
and electronic records. First, SAMHSA revised the heading by deleting 
the word ``written'' so that it now reads: Security for Records. 
Secondly, SAMHSA clarified that this section requires both part 2 
programs and other lawful holders of patient identifying information to 
have in place formal policies and procedures for the security of both 
paper and electronic records. Finally, SAMHSA has replaced language in 
other sections of part 2 with a reference to the policies and 
procedures established under Sec.  [thinsp]2.16, where applicable. As 
noted above, SAMHSA has made some technical changes to the language in 
proposed Sec.  2.16(a)(2)(i). In particular, to more closely align with 
the HIPAA Security Rule, SAMHSA has revised Sec.  2.16(a)(2)(i) to 
require that part 2 program security for electronic records policies 
must include ``creating, receiving, maintaining, and transmitting such 
records.'' The proposed language was ``copying, downloading, 
forwarding, transferring, and removing such records.''
Public Comments
    Some commenters supported the proposed provisions on security and 
stated that they provide appropriate protections. However, many 
commenters asserted that the security provisions of HIPAA should be 
followed and that those requirements should satisfy the part 2 
provisions.
    A commenter also supported the use of internal confidentiality 
agreements.
    A commenter expressed concern that the rule does not address what a 
non-part 2 provider who receives part 2 data must do to ensure adequate 
safeguards are in place. Similarly, another commenter expressed concern 
about security obligations that would be placed on other lawful 
holders, such as courts, law firms, family members, or other private 
citizens who are often not the types of providers subject to the 
current (1987) part 2.
    One commenter recommended an expiration date for electronic 
records. Another commenter recommended that the use of secure, 
certified HIT be added as a requirement for part 2 program providers, 
as well as any services provided that conduct audits and evaluations 
related to transition of patient information.
SAMHSA Response
    SAMHSA appreciates the support of commenters on this issue. On the 
issue of HIPAA, covered entities must comply with all regulations that 
are applicable to them. Because some entities subject to this rule are 
not subject to HIPAA, SAMHSA may provide subregulatory guidance after 
the rulemaking on the extent to which compliance with HIPAA security 
requirements, for those subject to them, will satisfy Sec.  2.16. 
SAMHSA emphasizes that if an entity already has security practices and 
policies in place that meet the requirements of this rule, whether 
those practices were developed to meet the regulatory requirements or 
simply as a matter of good practice, the entity may not need to take 
additional action on this issue. In the NPRM, SAMHSA suggested 
resources for part 2 programs and other lawful holders for developing 
formal policies and procedures including materials from the HHS Office 
for Civil Rights (e.g., Guidance Regarding Methods for De-
identification of Protected Health Information in Accordance with the 
Health Insurance Portability and Accountability Act (HIPAA) Privacy 
Rule), and the National Institute of Standards and Technology (NIST) 
(e.g., the most current version of the Special Publication 800-88, 
Guidelines for Media Sanitization).
    On the issue of use of internal confidentiality agreements and the 
required use of secure, certified Health IT, Sec.  2.16 provides 
requirements for formal policies and procedures to reasonably protect 
against unauthorized uses and disclosure of patient identifying 
information and to protect against reasonably anticipated threats or 
hazards to the security of patient identifying information. A part 2 
program or other lawful holder of patient identifying information may 
impose any additional requirements that they feel will enhance 
protections.
    With regard to security of the records lawfully obtained by non-
part 2 programs, Sec.  2.16 applies equally to these entities (referred 
to as lawful holders of patient identifying information). The required 
formal policies and procedures are intended to ensure protection of 
patient identifying information when electronic records are exchanged 
electronically using health IT, as well as when they are exchanged 
using paper records. In addition, the formal policies and procedures 
will have to address, among other things, the sanitization of hard copy 
and electronic media, which is addressed in the NPRM discussion of 
Disposition of Records by Discontinued Programs (Sec.  [thinsp]2.19). 
On the concern raised that Sec.  2.16 places an unreasonable burden on 
courts, law firms, family members, or other private citizens who may 
obtain the information, a patient who has obtained a copy of his or her 
records or a family member or private citizen who has received such 
information from a patient would not be considered a lawful holder of 
patient identifying information in this context. Generally,

[[Page 6076]]

consents and permissible disclosures are initiated by a lawful holder 
who desires the information and, therefore, the lawful holder would 
already be familiar with part 2.

H. Disposition of Records by Discontinued Programs (Sec.  2.19)

    SAMHSA is modifying this section from that proposed in the NPRM in 
response to public comments, as discussed below. In this section, 
SAMHSA addresses the disposition of both paper and electronic records 
by discontinued programs, including added requirements for sanitizing 
paper and electronic media, which is distinctly different from deleting 
electronic records and may involve clearing (using software or hardware 
products to overwrite media with non-sensitive data) or purging 
(degaussing or exposing the media to a strong magnetic field in order 
to disrupt the recorded magnetic domains) the information from the 
electronic media. If circumstances warrant the destruction of the 
electronic media prior to disposal, destruction methods may include 
disintegrating, pulverizing, melting, incinerating, or shredding the 
media. SAMHSA expects the process of sanitizing paper media (including 
printer and facsimile (FAX) ribbons, drums, etc.) or electronic media 
to be permanent and irreversible, so that there is no reasonable risk 
that the information may be recovered. For the purpose of this rule, 
SAMHSA makes a distinction between electronic devices (something that 
has computing capability, such as a laptop, tablet, etc.) and 
electronic media (something that can be read on an electronic device, 
such as a CD/DVD, flash drive, etc.).
Public Comments
    A commenter expressed support for the proposal related to 
disposition of records by discontinued programs. Another commenter 
recommended that the rule allow for ``selective sanitizing,'' using 
methods that will not require overwriting the entire electronic media. 
Two commenters asked about patient records when a program is acquired 
by another program. A commenter suggested that the rule should address 
situations in which a patient cannot be located or is deceased and 
cannot give consent. The commenter provided multiple suggestions 
relating to disposition of records, including permit more flexible 
means of storage; permit scanning and electronic storage of records; do 
not require transfer to a portable device; offer an option to store 
records in a production encrypted network storage device. This 
commenter also asserted that sanitation of electronic communications 
would not be feasible in organizations storing millions of electronic 
records; requiring storage of a portable electronic device in a sealed 
container does not add additional security if it is already encrypted; 
and deleting substance use information from records does not conceal 
the fact that someone has a substance use disorder but instead 
highlights the fact.
SAMHSA Response
    SAMHSA acknowledges the support for the proposed provision. With 
regard to the issue of multiple sources of records, we have revised the 
language in the final rule to allow one year to complete the process of 
sanitizing paper or electronic media (see Sec.  2.19(b)(2)(iii)). This 
change should allow for select patient records to be removed from both 
the specific site and any operational sources without disrupting other 
patient records. Regarding acquisition of one program by another, the 
Sec.  2.19(a) regulatory text outlines the exceptions to removing 
patient identifying information from its records or destroying its 
records.
    If the patient cannot be located or is deceased and cannot give 
consent, the part 2 program that has discontinued operations or is 
taken over or acquired by another program, must remove the patient's 
identifying information from its records, including sanitizing any 
associated hard copy or patient records or patient identifying 
information residing on electronic media, to render the patient 
identifying information non-retrievable in a manner consistent with 
policies and procedures under Sec.  2.16.
    Regarding comments on more flexible means of electronic record 
storage, SAMHSA has revised Sec.  2.19(b)(2) to allow for more 
flexibility. The revised language allows for electronic records to be 
transferred to a portable electronic device with implemented encryption 
to encrypt the data at rest so that there is a low probability of 
assigning meaning without the use of a confidential process or key and 
implemented access controls for the confidential process or key (see 
Sec.  2.19(b)(2)(i)); or transferred, along with a backup copy, to 
separate electronic media, so that both the records and the backup have 
implemented encryption to encrypt the data at rest so that there is a 
low probability of assigning meaning without the use of a confidential 
process or key and implemented access controls for the confidential 
process or key (see Sec.  2.19(b)(2)(ii)). For electronic storage of 
the records, if the records are scanned, they would have to be 
maintained consistent with Sec.  2.19(b)(2) and the paper records would 
have to be destroyed consistent with Sec.  2.16. Regarding portable 
device storage, the final Sec.  2.19 language specifies that the 
portable electronic device or the original and backup electronic media 
must be sealed in a container along with any equipment needed to read 
or access the information. The sealed container prevents the portable 
electronic device or the original and backup electronic media from 
being separated from the equipment needed to read or access the 
information.

I. Notice to Patients of Federal Confidentiality Requirements (Sec.  
2.22)

    SAMHSA is adopting this section as proposed. Consistent with the 
NPRM, SAMHSA considers the term ``written'' to include both paper and 
electronic documentation. Accordingly, the notice to patients may be 
either on paper or in an electronic format. SAMHSA also revised Sec.  
2.22(b)(2) to require the statement regarding the reporting of 
violations to include contact information for the appropriate 
authorities.
Public Comments
    Several commenters expressed support for the proposed provisions, 
particularly the allowing of electronic notice, and they encouraged the 
use of plain language and notices in languages other than English. 
Several commenters recommended that SAMHSA should make a sample notice 
or language available to covered entities. One commenter asked how 
written notice can be provided for encounters that are not in person.
    Other commenters suggested that the patient be given copies rather 
than written summaries of state and federal law; a paper report, if 
requested; the right to request and obtain restrictions; and a 
description of how patient information may be disclosed for scientific 
research.
SAMHSA Response
    The final rule requires that the notice include contact information 
for the appropriate authorities for reporting violations. SAMHSA 
believes this change will make it easier for patients to identify to 
whom they should file a complaint of a potential violation of part 2. 
Therefore, SAMHSA declines to include a sample complaint form at this 
time but may consider whether to issue one outside of this rulemaking 
process. SAMHSA also declines to require copies rather than summaries 
of state and federal law because the notice to patients of federal 
confidentiality requirements is required to provide citations to the 
federal law and

[[Page 6077]]

regulations that protect the confidentiality of patient records and 
including information concerning state laws and regulations is 
optional. The notice must also be provided in writing but as was 
discussed in Terminology Changes (Sec.  2.11), the term ``in writing'' 
includes both paper and electronic documentation. Because the purpose 
of the notice is to communicate to the patient the federal law and 
regulations that protect the confidentiality of patient records, SAMHSA 
declines to require anything additional. However, if a part 2 program 
wishes to provide additional information, nothing in this provision 
prohibits them from doing so.

J. Consent Requirements (Sec.  2.31)

    SAMHSA is finalizing the consent requirements in this section, with 
certain modifications as described in greater detail below. In summary, 
SAMHSA is adopting all proposed changes to Sec.  2.31 except for two at 
this time. In the ``From Whom'' section of the consent requirements 
(Sec.  2.31(a)(2)), SAMHSA decided not to finalize its proposal to 
remove the general designation option, but did make minor updates to 
the terminology in the current (1987) regulatory text. As explained in 
greater detail below, the final ``From Whom'' provision of the consent 
requirements specifies that a written consent to a disclosure of part 2 
information must include the specific name(s) or general designation(s) 
of the part 2 program(s), entity(ies), or individual(s) permitted to 
make the disclosure. SAMHSA also decided not to finalize the proposed 
requirement that a part 2 program or other lawful holder of patient 
identifying information obtain written confirmation from the patient 
that they understand the terms of the consent.
    SAMHSA has revised the section heading from ``Form of written 
consent'' to ``Consent requirements.'' SAMHSA also made revisions to 
the two other sections of the consent form requirements: the ``To 
Whom'' section and the ``Amount and Kind'' section. SAMHSA also revised 
Sec.  2.31 to require a part 2 program or other lawful holder of 
patient identifying information to include on the consent form that 
patients, when using a general designation in the ``To Whom'' section 
of the consent form, have the right to obtain, upon request, a List of 
Disclosures (see Sec.  2.13). In addition, SAMHSA revised Sec.  2.31 to 
permit electronic signatures to the extent that they are not prohibited 
by any applicable law.
1. General Comments on Consent Requirements
a. General
Public Comments
    SAMHSA received many comments on the proposed rule's updated 
consent requirements. Some commenters generally supported the new 
consent requirements. Other commenters listed various reasons for their 
support, including increased facilitation of informed patient 
decisions, increased patient choice with regard to protection of their 
health information, and increased sharing of health care records among 
providers. One commenter supported the use of paper and electronic 
forms of written consent.
    Many commenters, however, expressed general opposition to the 
proposed consent requirements. Several commenters argued that the 
proposed rule created unnecessary burdens for providers, such as staff 
training, constant updates to consent forms, and expensive updates to 
provider EHRs. Several commenters argued the proposed consent rules 
would create obstacles to information sharing and integrated care. 
Specifically, a commenter argued that the ``To Whom'' and ``From Whom'' 
format restricts who within organizations can view a patient's records, 
further hampering coordinated care. Another commenter argued that the 
proposed consent form requirements would make it difficult for many 
HIEs to exchange part 2 information, and that the new requirements do 
little to promote a patient's informed consent. A couple of commenters 
argued that the proposed regulations would reduce access to substance 
use disorder treatment being added by general health care 
organizations, due to administrative burden and liability fears. 
General health care providers are less likely to add substance use 
disorder treatment, or partner or undertake projects with substance use 
disorder treatment providers. Another commenter stated this rule may 
result in providers not screening patients for substance use disorders 
and not documenting substance use disorder related information.
    According to a few commenters, the current part 2 regulations 
exceed the statutory requirements that led to the regulations. One 
commenter suggested that 42 U.S.C 290dd-2 requires consent to share 
information and does not allow any shared information to be used for 
prosecution. The commenter goes on to state that nothing in Title 42, 
U.S.C. 290dd-2 requires an explicit description of what information can 
be released, or requires time limits on consent. The commenter 
suggested that SAMHSA could reduce confusion and administrative burden 
by proposing revisions that are much more consistent with HIPAA than 
its current proposal.
SAMHSA Response
    Regarding the comments on statutory authority, we do not agree that 
the regulations in 42 CFR part 2 exceed the authority provided for in 
42 U.S.C. 290dd-2. The statute specifies that patient identifying 
information may be disclosed in accordance with prior written patient 
consent, ``but only to such extent under such circumstances, and for 
such purposes as may be allowed under regulations prescribed'' by the 
Secretary.
    Regarding concerns about unnecessary burdens for providers, such as 
staff training, constant updates to consent forms, and expensive 
updates to provider EHRs, these burdens might be offset by the benefits 
of increased in flexibility in the consent requirements. With respect 
to obstacles to information sharing, one of SAMHSA's goals for this 
rulemaking is to ensure that patients with substance use disorders have 
the ability to participate in and benefit from new integrated health 
care models without fear of putting themselves at risk of adverse 
consequences.
Public Comments
    Some commenters stressed that consent forms should be easy to read, 
accessible to limited English proficiency patients, and should meet 
HIPAA's plain language requirements. Commenters stated that language 
and literacy concerns could be barriers to actual understanding of the 
form's contents. Similarly, suggesting that SAMHSA take into account 
the reading level standards in other health programs, including 
Medicare and Medicaid, one commenter asserted that the proposed 
regulations do not provide adequate options for an individual to easily 
and simply determine who can or cannot access their substance use 
disorder records.
SAMHSA Response
    SAMHSA agrees with the commenters that the consent form should be 
written clearly so that the patient can easily understand the form. 
SAMHSA is considering issuing subregulatory guidance in the future to 
provide examples of forms that comply with the basic consent 
requirements in 2.31(a). In addition, SAMHSA encourages part 2 programs 
to be sensitive to the cultural and linguistic composition of their

[[Page 6078]]

patient population when considering whether the consent form should 
also be provided in a language(s) other than English (e.g., Spanish).
b. Consent Form Validity Period
Public Comments
    Several commenters stated that a two-year time limit for the 
validity of consent is insufficient, with some commenters suggesting 
that consent forms be valid indefinitely or until death. For example, 
one commenter asked why SAMHSA would deny a person who has received 
substance use disorder treatment the right to decide that they want any 
and all information regarding their treatment shared with any and all 
of their health care providers indefinitely as needed for coordination 
of care. Another commenter stressed the language of Sec.  2.31(a) was 
confusing and requested clarification on the permissible length of time 
a consent is valid.
SAMHSA Response
    Under Sec.  2.31, a part 2-compliant consent form must list the 
date, event, or condition upon which the consent will expire, if not 
revoked before. Thus, it is not sufficient under part 2 for a consent 
form to merely state that that disclosures will be permitted until the 
consent is revoked by the patient. It is, however, permissible for a 
consent form to specify the event or condition that will result in 
revocation, such as having its expiration date be ``upon my death.'' 
The rule does not set a two-year time limit for consents, as some 
commenters thought.
c. Technical Challenges to Proposed Consent Requirements
Public Comments
    Commenters expressed concern about the technical challenges 
providers would face in complying with the proposed consent 
requirements. Generally, commenters expressed concern that few, if any, 
EHR systems and/or HIEs have the capability to segregate substance use 
disorder patient information in a way that could fully support the rule 
by reflecting the patient's consent choices, and many providers would 
have to expend significant amounts of funds to create or acquire a 
compliant system. Commenters argued that if providers do not have data 
segmentation capability, they may simply exclude substance use disorder 
patient data from their systems, thus adversely impacting system 
integration and patient care.
    A couple of commenters asserted that EHR, HIE, and other electronic 
records systems have no way of selecting different levels of consent 
for treating providers. Specifically, a commenter stated that SAMHSA 
should remove requirements for varied levels of consent within a given 
organization (e.g., between departments or individuals), instead 
limiting such variation to HIEs that share information between or 
across organizations. A commenter stated that it is not feasible to do 
individual exclusionary consents in an HIE, especially for an entity 
that has thousands of employees across multiple states.
    A commenter stated that providers in an integrated care network may 
be precluded from performing important quality improvement checks 
because no set of clinically integrated network officials can be 
expected to have a direct treatment relationship with every patient in 
the large data pools necessary to drive these important public health 
efforts.
    A commenter stated that the confidentiality of a substance use 
disorder patient's information should not be compromised if some 
electronic systems were poorly designed and without regard for part 2. 
Similarly, another commenter stated that technology should be regarded 
as a tool and should not diminish a patient's privacy rights.
SAMHSA Response
    SAMHSA acknowledges the concerns regarding technical challenges to 
the consent requirements and data segmentation more broadly. As stated 
above, SAMHSA has played a significant role in encouraging the use of 
health IT by behavioral health (substance use disorders and mental 
health) providers and towards minimizing technical burdens through a 
variety of activities. SAMHSA actively participates in the development 
and stewarding of data standards to promote data segmentation and 
interoperability. Specifically, the Data Segmentation for Privacy 
(DS4P) initiative within ONC's Standards and Interoperability (S&I) 
Framework facilitated the development of standards to improve the 
interoperability of EHRs containing sensitive information that must be 
protected to a greater degree than other health information due to 42 
CFR part 2 and similar state laws. The DS4P standards were used in 
several pilot projects, including the Department of Veterans Affairs 
(VA)/SAMHSA Pilot, which implemented all the DS4P use cases and passed 
all conformance tests; and SAMHSA's Opioid Treatment Program (OTP) 
Service Continuity Pilot that connected OTPs to an HIE to facilitate 
continuity of care during disasters or other unexpected disruptions in 
service. Additionally, DS4P standards were adopted in ONC's 2015 
Edition final rule (80 FR 62702, Oct. 16, 2015) as part of the 2015 
Edition Health IT Certification Criteria (2015 Edition). See 45 CFR 
170.315(b)(7) and (8). SAMHSA has also supported the development of the 
application branded Consent2Share, an open-source health IT solution 
based on DS4P, which assists in consent management and data 
segmentation and is currently being used by the Prince Georges County 
(Maryland) Health Department to manage patient consent directives while 
sharing substance use disorder information with an HIE. SAMHSA is 
currently updating Consent2Share, slated for release in late 2016, with 
the aim that its streamlined data stack and improved functionality will 
lower barriers to implementation in the field. SAMHSA is considering 
issuing subregulatory guidance in the future to address other technical 
solutions to complying with the regulation.
    Regarding the comment that it is not feasible to do individual 
exclusionary consents in an HIE, the HIE does not have to give the 
patient the option to do individual level consent. SAMHSA has provided 
more flexibility in the consent provisions in an effort to ensure that 
patients with substance use disorders have the ability to participate 
in and benefit from new integrated health care models while, at the 
same time, maintaining core confidentiality protections.
d. Requests for Exemptions and Exceptions
Public Comments
    Several commenters requested various exemptions or exceptions from 
the part 2 consent requirements, including a public health exception 
similar to that of the HIPAA Privacy Rule (see http://www.hhs.gov/hipaa/for-professionals/special-topics/public-health/index.html), an 
exemption for CCOs who have a treating relationship with a patient, an 
exemption for ACOs who have integrated delivery systems, an exception 
for state health data organizations that collect data under legislative 
authority and collection of substance use disorder data by state 
agencies, and in instances where part 2 data may be used to improve 
patient care coordination, ensure interoperability, and ensure patient 
safety. One commenter requested an exception for care coordination 
purposes for valid and vital clinical reasons.

[[Page 6079]]

    Regarding Sec.  2.20 (Relationship to state laws), a commenter said 
SAMHSA should include an exception under part 2, subpart D (Disclosures 
Without Patient Consent) allowing disclosures of substance use disorder 
treatment information based on state laws that authorize or compel such 
disclosures (e.g., for public health or medical assistance reasons). 
Another commenter, noting the role of multi-payer claims databases or 
MPCDs (also known as all payer claims databases (APCDs)), suggested 
that SAMHSA add a new section to include state health data 
organizations that collect data under a legislative authority, 
reasoning that these states have decades of experience in collecting 
and managing sensitive data with strict legal and policy controls.
    A commenter said SAMHSA should permit oral consent with 
documentation and specific information to be shared.
SAMHSA Response
    SAMHSA appreciates the perspectives expressed by those who seek 
additional exceptions or exemptions from part 2 consent requirements, 
as well as the suggestion that SAMHSA permit oral consents that are 
documented in writing.
    The part 2 underlying statute, 42 U.S.C. 290dd-2, and this rule 
require a written patient consent to disclose part 2 information unless 
the disclosure is otherwise permitted under the part 2 statute or 
regulations. The statute, for instance, does not provide a general 
exception to the consent requirement for the purpose of sharing 
information with public health officials. In certain circumstances, 
disclosures of part 2 information may be authorized by court order to 
protect against an existing threat to life or of serious bodily injury 
(see[thinsp]Sec.  2.63, Confidential communications) or to the extent 
necessary to meet a bona fide medical emergency in which the patient's 
prior informed consent cannot be obtained (see Sec.  2.51, Medical 
emergencies). SAMHSA may in the future consider issuing subregulatory 
guidance to further describe medical emergencies under Sec.  2.51 and 
how such emergencies may relate to public health emergencies declared 
at the federal, state, local, and/or tribal levels. SAMHSA does not, 
however, have the statutory authority to authorize routine disclosure 
of part 2 information for public health reporting, surveillance, 
investigation or intervention purposes.
    With respect to Sec.  2.20 (Relationship to state laws), in the 
proposed and final rules SAMHSA maintains current language regarding 
preemption. As discussed above, SAMHSA cannot develop a new general 
exception for public health or medical assistance purposes in light of 
the statute. Likewise, SAMHSA cannot develop a specific new exception 
for APCDs (hereinafter referred to as MPCDs). The role of MPCDs is 
discussed in the section of this preamble concerning research (Sec.  
2.52). SAMHSA disagrees with the recommendations to consider a specific 
exemption to the consent requirements for ACOs that have integrated 
delivery systems, except as described in Sec.  2.53 for the purposes of 
audits and evaluations. Similarly, SAMHSA is not accepting the 
suggestion to provide a specific exemption from the part 2 consent 
requirements for CCOs that have a treating provider relationship with a 
patient (i.e., that meet the definition of having a treating provider 
relationship with the patient whose information is being disclosed). 
SAMHSA believes that the final changes to the consent requirements will 
facilitate care coordination and information exchange. Improving the 
quality of substance use disorder care depends on effective 
collaboration of mental health, substance use disorder, general health 
care, and other service providers in coordinating patient care. 
However, the composition of a health care team varies widely among 
entities. Because SAMHSA wants to ensure that patient identifying 
information is only disclosed to those individuals and entities on the 
health care team with a need to know this sensitive information, we are 
limiting a general designation in the ``To Whom'' section of the 
consent requirements to those individuals or entities with a treating 
provider relationship. Patients may further designate their treating 
providers as ``past,'' ``current,'' and/or ``future'' treating 
providers. In addition, the consent form can include multiple 
authorizations in the ``To Whom'' section. A consent may allow a 
patient to designate, by name, one or more individuals with whom they 
do not have a treating provider relationship, that they authorize to 
receive or access their health care data.
    While we are not establishing specific additional exemptions or 
exclusions from the consent requirements at this time in response to 
commenters' suggestions, in light of the longstanding role that 
contractors and subcontractors play in the health care system and their 
handling of part 2 data, we are issuing an SNPRM related to lawful 
holders' use of contractors and subcontractors.
e. Commenter Recommendations
Public Comments
    Some commenters said SAMHSA should expand the list of persons who 
could view the patient's medical record without the patient's written 
consent to include clergy, social workers, psychologists and family 
members if in their professional opinion they were necessary for the 
patient's recovery and progress. Another commenter recommended 
expanding the list to include all types of professionals involved in 
the treatment of individuals receiving substance use treatment into the 
respective definitions, including those employed in social services 
that are members of the treatment team.
SAMHSA Response
    The definition of ``treating provider relationship'' is 
sufficiently broad to cover the necessary components of a patient's 
care team. The statute, 42 U.S.C. 290dd-2, does not provide an 
exception to the consent requirement for the purpose of sharing 
information with family members. Part 2, therefore, requires a part 2-
compliant consent to disclose patient identifying information unless 
disclosure is otherwise permitted under the statute or regulations.
Public Comments
    Many commenters said SAMHSA should provide a sample consent form. 
Some commenters stated that any sample consent form should not be 
mandated to allow stakeholders flexibility.
SAMHSA Response
    SAMHSA may, after publication of this rule, issue subregulatory 
guidance that includes a sample consent form that meets the 
specifications of the final rule. SAMHSA has never and has no intention 
of mandating the use of a specific consent form.
Public Comments
    Several commenters generally supported the use of electronic 
signatures. Several commenters only supported electronic signatures 
when also authorized under state law. A couple of commenters requested 
guidance on what steps the provider would need to take to verify 
identity, provide the required prefatory information and to obtain a 
substance use disorder patient's electronic signature. A commenter 
requested guidance from SAMHSA on the areas modified by SAMHSA. A 
commenter said SAMHSA should identify the signatory and enforceability

[[Page 6080]]

consideration of electronic consent through reference to other laws.
SAMHSA Response
    Because there is no single federal law on electronic signatures and 
there may be variation in state laws, SAMHSA recommends that 
stakeholders consult their attorneys to ensure they are in compliance 
with all applicable laws.
Public Comments
    Some commenters made recommendations for patient privacy 
protection. One commenter noted that the use of secure, certified 
health IT, networks, and devices, especially for the transmission of 
patient records, does not appear to be included in the proposed 
provisions. Another commenter said meaningful consents could only be 
achieved by adding statements that inform the patient of the 
unprecedented risks of making highly sensitive substance use disorder 
information accessible throughout integrated health care systems or 
electronic health information systems that cannot be made secure.
    A commenter stated the proposed rule did not address revocation or 
refusal of consent. Similarly, another commenter recommended adding 
language that makes clear that revocation of consent prevents 
unauthorized access but does not remove the information from the 
electronic record.
SAMHSA Response
    Section 2.16 addresses security for records and requires formal 
policies and procedures to reasonably protect against unauthorized use 
and disclosures of patient identifying information and to protect 
against reasonably anticipated threats or hazards to the security of 
patient identifying information. Whereas this provision does not 
specifically address the use of certified health IT networks, and 
devices, they may be used as long as the requirements of section 2.16 
are met. Regarding revocation of consent, Sec.  2.31(a)(6) requires: 
``A statement that the consent is subject to revocation at any time 
except to the extent that the part 2 program or other lawful holder of 
patient identifying information that is permitted to make the 
disclosure has already acted in reliance on it. Acting in reliance 
includes the provision of treatment services in reliance on a valid 
consent to disclose information to a third-party payer.'' To the extent 
an individual refuses to consent to the disclosure of their patient 
identifying information, part 2 prohibits such disclosure unless 
otherwise permitted under the statute or regulations (e.g., audit or 
evaluation, or scientific research).
2. To Whom
    SAMHSA is adopting this aspect of the proposal. SAMHSA has moved 
the former Sec.  2.31(a)(2), ``To Whom'' provision, to Sec.  
2.31(a)(4). The following table provides an overview of the options 
permitted when completing the designation in the ``To Whom'' section of 
the consent form.

        Table 1--Designating Individuals and Organizations in the ``To Whom'' Section of the Consent Form
----------------------------------------------------------------------------------------------------------------
                                                       Treating provider
                                     Individual or     relationship with                           Required
           42 CFR 2.31              entity to whom       patient whose          Primary           additional
                                   disclosure is to     information is        designation         designation
                                        be made         being disclosed
----------------------------------------------------------------------------------------------------------------
(a)(4)(i).......................  Individual........  Yes...............  Name of             None.
                                                                           individual(s)
                                                                           (e.g., Jane Doe,
                                                                           MD).
(a)(4)(i).......................  Individual........  No................  Name of             None.
                                                                           individual(s)
                                                                           (e.g., John Doe).
(a)(4)(ii)......................  Entity............  Yes...............  Name of entity      None.
                                                                           (e.g., Lakeview
                                                                           County Hospital).
(a)(4)(iii)(A)..................  Entity............  No................  Name of entity      None.
                                                                           that is a third-
                                                                           party payer as
                                                                           specified under
                                                                           Sec.
                                                                           2.31(a)(4)(iii)(A
                                                                           ) (e.g.,
                                                                           Medicare).
(a)(4)(iii)(B)..................  Entity............  No................  Name of entity      At least one of
                                                                           that is not         the following:
                                                                           covered by Sec.    1. The name(s) of
                                                                           2.31(a)(4)(iii)(A   an individual
                                                                           ) (e.g., HIE, or    participant(s)
                                                                           research            (e.g., Jane Doe,
                                                                           institution).       MD, or John Doe).
                                                                                              2. The name(s) of
                                                                                               an entity
                                                                                               participant(s)
                                                                                               with a treating
                                                                                               provider
                                                                                               relationship with
                                                                                               the patient whose
                                                                                               information is
                                                                                               being disclosed
                                                                                               (e.g., Lakeview
                                                                                               County Hospital).
                                                                                              3. A general
                                                                                               designation of an
                                                                                               individual or
                                                                                               entity
                                                                                               participant(s) or
                                                                                               a class of
                                                                                               participants
                                                                                               limited to those
                                                                                               participants who
                                                                                               have a treating
                                                                                               provider
                                                                                               relationship with
                                                                                               the patient whose
                                                                                               information is
                                                                                               being disclosed
                                                                                               (e.g., my current
                                                                                               and future
                                                                                               treating
                                                                                               providers).
----------------------------------------------------------------------------------------------------------------

    If a general designation is used, the entity must have a mechanism 
in place to determine whether a treating provider relationship exists 
with the patient whose information is being disclosed. Patients may 
further designate their treating providers as ``past,'' ``current,'' 
and/or ``future'' treating providers. In addition, a patient may 
designate, by name, one or more individuals on their health care team 
with whom they do not have a treating provider relationship.
a. General
Public Comments
    Several commenters generally agreed with the proposed ``To whom'' 
section of the consent requirements, stating that it allows patients to 
disclose substance use disorder information to past, current, or future 
treating providers; would improve information and data sharing for 
health care, especially for entities that are continually adding new 
members; allow patients to remain in control of their substance use 
disorder information and understand who had access to their data. One 
commenter supported the express permission to designate the name of the 
entity for third-party payers that require patient identifying 
information for purposes of reimbursement of services rendered to the 
patient.
    Many commenters offered general support for the proposed rule's 
general designation. Some commenters stated that the general 
designation creates a

[[Page 6081]]

balance between patient privacy and operational functions, facilitates 
internal communication within an integrated delivery system, 
streamlines the consent process, reduces administration burdens, 
creates new flexibility, may help facilitate increased behavioral 
health participation in some HIEs around the country, and would help 
improve the quality and continuity of care within integrated delivery 
models. A commenter supported the expansion of the use of a general 
designation when there is a treating provider relationship, but said it 
is unworkable to require an updated consent form every time new 
entities are added to the ``umbrella'' consent.
    Some commenters generally disagreed with the proposed ``To Whom'' 
provision of the consent requirements. Several commenters argued that 
the proposal was burdensome, would create additional complexity, would 
reduce information sharing, and would not improve patient privacy 
protections or facilitate informed consent. Commenters stated it is 
unnecessary and impractical to require the consent form to name every 
HIE and other intermediaries that may assist in transmitting or 
providing access to the patient's information. A couple of commenters 
stated the proposed rule would restrict the ability of patients to 
specifically name an entity or to authorize part 2 programs to send 
their information to entities that do not have a treatment relationship 
[treating provider relationship]. Another commenter said the regulatory 
preface mentions a number of very specific drivers of this purported 
need for broader sharing (such as HIEs), but the regulatory language 
itself contains no such limitation and offers HIE only as an 
illustrative example.
    Many commenters specifically did not support the general 
designation in the ``To Whom'' section. Some commenters claimed that 
the proposal presumes each person entering a treatment process has the 
ability to understand the longer-term consequences, or that substance 
use disorder patients, who are under tremendous stress, would simply 
choose the general designation because it was easiest. A commenter said 
the general designation does not guarantee that a HIE or other 
organizations will send all patient data, which could be a critical 
source of information in the case of an emergency.
SAMHSA Response
    A patient may consent to designate, for example, an HIE (an entity 
that does not have a treating provider relationship with the patient 
whose information is being disclosed) and ``all my treating providers'' 
(a general designation of an individual or entity participant(s) or a 
class of individual or entity participants that must be limited to a 
participant(s) who has a treating provider relationship with the 
patient whose information is being disclosed). Using the same concept, 
an ACO, pursuant to a general designation, may disclose information 
described in the ``Amount and Kind'' section of a consent form 
(explained further in 3. Amount and Kind) to ``all my entity treating 
providers.'' If a general designation is used, the entity must have a 
mechanism in place to determine whether a treating provider 
relationship exists with the patient whose information is being 
disclosed (e.g., an attestation). In the HIE and ACO examples above, 
the entity that does not have a treating provider relationship with the 
patient whose information is being disclosed and serves as the 
intermediary may not further disclose the patient identifying 
information except to those providers who have a treating provider 
relationship with the patient whose information is being disclosed that 
can be verified by the intermediary. The prohibition on re-disclosure 
notice must be provided with the disclosure because it also applies to 
the treating provider(s) who receive the information from the entity 
that serves as an intermediary. In addition, a copy of the part 2-
compliant consent form or the pertinent information on the consent form 
necessary for the treating provider(s) to comply with the signed 
consent should be provided with the disclosure.
    The patient retains the ability to name only specific individuals 
or entities to whom their records will be disclosed. Patients have the 
option to use a general designation to designate entities with which 
they have a treating provider relationship, but are not required to do 
so. Although SAMHSA received comments suggesting that the proposed rule 
makes it more difficult to disclose necessary information to an 
organization that does not have a treating provider relationship with 
the patient whose information is being disclosed other than a 3rd party 
payer, the commenters did not provide examples of such entities. The 
final rule permits the ``To Whom'' section of the consent form to 
designate disclosure of information to an entity that does not have a 
treating provider relationship with the patient whose information is 
being disclosed, as long as the consent also includes one of three 
options specified in Sec.  2.31(a)(4)(iii)(B), for example, include the 
name(s) of an individual participant(s).
    If the patient designates all my current treating providers, and 
another of the patient's treating providers becomes a participant in 
the entity that does not have a treating provider relationship with the 
patient and serves as the intermediary, a new consent form would not be 
required. For example, if a patient designates an HIE (an entity that 
does not have a treating provider relationship with the patient whose 
information is being disclosed and serves as an intermediary) and ``my 
current treating providers,'' and subsequently another of the patient's 
treating providers becomes a participant in the HIE, a new consent form 
would not be required. In addition, more than one HIE or other 
intermediary may be listed on the consent form. With respect to burden, 
SAMHSA acknowledges that there may be burdens associated with the 
revised consent requirements. SAMHSA made these changes based on 
comments from stakeholders in the field and SAMHSA strongly believes 
that the changes to ``To Whom'' will increase flexibility for patients 
and providers.
b. Determination of Treating Provider Relationship
Public Comments
    A commenter agreed with SAMHSA's suggestion that entities must have 
an established mechanism for determining whether a treating provider 
relationship exists. However, several commenters stated that 
determining who has a treating provider relationship would be 
difficult. Commenters expressed concern that entities do not currently 
have mechanisms in place to determine whether a treating provider 
relationship exists with the patient whose information is being 
disclosed. Another commenter asked how an HIE would be able to 
determine which participants have a past/present/future treating 
provider relationship with the patient. A commenter stated that 
creating this mechanism would require additional resources and would 
discourage entities from sharing necessary data. Another commenter 
recommended a provision that exempts the provider from liability when 
relying in good faith on an attestation or representation from an 
outside treating provider.
    Several commenters expressed concern that once a consent reflecting 
a general designation of recipients with a treating provider 
relationship has been executed and relied upon by the part 2 program, 
there is no method by which the program can ensure that the recipients 
are properly authenticated by the HIE or research institution. 
Commenters suggested the proposed

[[Page 6082]]

rule should specify that the HIE, ACOs, CCOs or research institution, 
as well as the recipient that has a treating provider relationship with 
the patient, be responsible for ensuring that the recipient is actually 
a treating provider and that the disclosure is appropriate under part 
2.
    A commenter requested clarification on whether care managers would 
be included as having a ``treating provider relationship.'' Another 
commenter requested clarification as to whether care coordinating 
entities that have a treating provider relationship may assign 
additional designees under the general designation (e.g., treatment 
providers with different levels of care or recovery services).
    Commenters recommended the language in the ``To Whom'' clause state 
``my treating providers'' or ``my service providers.'' A commenter 
recommended ``my substance use disorder providers'' or ``my treating 
providers except Dr. John Doe.'' Another commenter recommended ``my 
treating providers and transferring HIEs''
SAMHSA Response
    Although SAMHSA understands the concerns about further clarifying 
when an entity is considered a treating provider, it respectfully 
declines to provide more specificity in the final rule than was 
included in the NPRM. The arrangements between treating providers and 
other entities evolve too rapidly to be comprehensively addressed in 
regulations. Although, SAMHSA has not revised the proposed text, SAMHSA 
may provide additional subregulatory guidance in the future if further 
clarification is needed. In addition, only individuals and entities 
that meet the definition of having a treating provider relationship 
with a patient are considered treating providers. The determination is 
fact-specific. Consistent with the NPRM, SAMHSA continues to encourage 
innovative solutions to implement this provision. For example, an HIE 
could have a policy in place requiring their participant providers to 
attest to have a treating provider relationship with a patient, or 
provide a patient portal where patients designate their treating 
providers.
c. Requests for Clarification
Public Comments
    Some commenters requested clarification regarding the patient's 
role in consent, including the patient's ability to alter their 
consent, how patients can authorize disclosures to non-health entities 
other than third-party payers, and what the impact would be if a 
patient failed to designate past, present, and future disclosures. One 
commenter stated that, if a patient designates an entity without a 
treating provider relationship and ``my treating providers'' without 
further specifying ``past, present, or future,'' it should be assumed 
that the intent is to designate ``current'' treating providers.
SAMHSA Response
    Patients may designate on the consent form a specific individual(s) 
with whom they either have or do not have a treating provider 
relationship and/or a specific entity(-ies) with whom they have a 
treating provider relationship. Consents for disclosures to entities 
that do not have a treating provider relationship (other than third-
party payers) require at least one of the following: (1) The name(s) of 
an individual participant(s); (2) the name(s) of an entity 
participant(s) that has a treating provider relationship with the 
patient whose information is being disclosed; or (3) a general 
designation of an individual or entity participant(s) or a class of 
participants that must be limited to a participant(s) who has a 
treating provider relationship with the patient whose information is 
being disclosed.
    If a patient uses a general designation and lists ``my treating 
providers'' without further specifying ``past, current, or future,'' it 
should be presumed that the intent is to designate ``current'' treating 
providers. Finally, a patient can revoke a consent at any time, except 
to the extent that the part 2 program or other lawful holder of patient 
identifying information that is permitted to make the disclosure has 
already acted in reliance on it. Acting in reliance includes the 
provision of treatment services in reliance on a valid consent to 
disclose information to a third-party payer.
Public Comments
    Other commenters requested clarification regarding entity roles, 
including whether a CCO can request a single consent for multiple 
purposes (e.g., care coordination, treatment, and payment); whether 
providers need to maintain the variety of forms to meet the 
requirements of Sec.  2.31(a)(4); what limitations (if any) would be 
placed on HIE entities or research institutions using substance use 
disorder information received via the new consent process, specifically 
whether the disclosure would not be limited to treatment purposes; and 
whether an HIE-to-HIE disclosure is permissible and, if so, for what 
purposes. A few commenters asked whether it would be permissible to 
list multiple HIEs on a consent form. Similarly, another commenter 
recommended SAMHSA adopt a broad definition of an HIE to allow a 
``network of networks,'' such as the statewide health information 
network to be considered an HIE. A commenter requested clarification as 
to whether 42 CFR part 2 information can flow through other HIEs not 
designated on the consent form to transfer the information to the 
recipient.
    A few commenters requested clarification on how the proposed 
changes would impact multi-party consent forms that allow disclosure 
``among and between'' all the parties listed on the form. Similarly, a 
commenter requested clarification regarding the ``To Whom'' and ``From 
Whom'' definitions and how they would apply between two providers to 
whom a patient has independently given consent to receive information, 
urging that the definitions be general and consistent so that they 
allow for bi-directional flow of information.
    A commenter said SAMHSA should clarify that the provision of 
general consent to disclosure of substance use disorder treatment also 
applies to disclosure of information between those responsible for 
treatment in the community and those responsible for treatment in 
correctional settings.
SAMHSA Response
    Under the changes to the consent requirements, an entity that does 
not have a treating provider relationship with the patient may further 
disclose, with a part 2-compliant consent, to a named individual who 
does not have a treating provider relationship with the patient.
    Section 2.31(a)(4) of the consent requirements may be completed 
with one or more recipients. Section 2.31(a)(5) of the consent 
requirements requires that the consent form include the purpose of the 
disclosure. Part 2 allows the use of a single consent form authorizing 
the disclosure of part 2 patient information to different recipients 
for different purposes. However, part 2 also requires a consent form to 
specify the amount and kind of information that can be disclosed, 
including an explicit description of the substance use disorder 
information that may be disclosed, to each of the recipients named in 
the consent. The amount of information to be disclosed ``must be 
limited to that information which is necessary to carry out the purpose 
of the disclosure (see Sec.  2.13(a)). This will vary depending on the 
different purposes for which different

[[Page 6083]]

recipients are being allowed to access or receive the information. Thus 
the consent form would have to be structured to make it clear what 
information may be given to each of the recipients, and for which 
purposes.
    Disclosure of patient identifying information made with the 
patient's written consent must be accompanied by a written notice 
regarding the prohibition on re-disclosure (see Sec.  2.32). This 
notice informs them that 42 CFR part 2 prohibits the recipients of the 
patient identifying information from re-disclosing it to any individual 
or organization not specified in the consent form unless otherwise 
permitted under the part 2 statute or regulations.
    The rule includes an additional patient safeguard, in which 
patients who have included a general designation in the ``To Whom'' 
section of their consent form (see Sec.  2.31) must be provided, upon 
request, a list of entities to which their information has been 
disclosed pursuant to the general designation.
    With respect to multi-party consent, SAMHSA is not finalizing the 
``From Whom'' provision (2.31(a)(2)) as proposed for the reasons 
discussed in 4. ``From Whom.'' Therefore, consents may authorize 
disclosures ``among and between'' the parties designated in the ``To 
Whom'' and ``From Whom'' sections of the consent form.
Public Comments
    Some commenters requested clarification regarding aspects of the 
``To Whom'' provision, such as what would happen if a person does not 
want to give a general designation; how the process of designating 
past, present, and future treating providers would work in practice; 
whether a Performing Provider System (PPS) could be assigned in the 
``To Whom'' section of the consent form; and whether a health care 
organization would be an appropriate entity to be named for disclosure.
    With regard to third-party payers, a commenter asked whether a 
general designation for third-party payers could be used for other 
purposes, such as care coordination, population health, or other 
services that may fall under the definition of health care operations 
within the meaning of HIPAA. Some commenters recommended that third-
party payers should not have to be listed in the ``To Whom'' section of 
the consent form.
SAMHSA Response
    With regard to third-party payers, the regulations require written 
consent for disclosure of patient identifying information to third-
party payers. The statute does not provide an exception to this consent 
requirement. However, with respect to patients who have both a 
substance use disorder and a mental illness, Sec.  2.15 of the 
regulations states that, in the case of a patient, other than a minor 
or one who has been adjudicated incompetent, that for any period 
suffers from a medical condition that prevents knowing or effective 
action on their own behalf, the part 2 program director may exercise 
the right of the patient to consent to a disclosure under subpart C of 
this part for the sole purpose of obtaining payment for services from a 
third-party payer. In addition, in the case of minor patients, Sec.  
2.14 of the regulations states the regulations do not prohibit a part 2 
program from refusing to provide treatment until the minor patient 
consents to the disclosure necessary to obtain reimbursement, but 
refusal to provide treatment may be prohibited under a state or local 
law requiring the program to furnish the service irrespective of 
ability to pay.
    If an individual does not want to use a general designation, they 
have several other options, which are enumerated in Sec.  2.31(a)(4) of 
this final rule.
    If a patient does not designate ``current, past, and/or future'' 
treating provider(s), the presumption is that the patient means 
``current treating provider(s).'' SAMHSA may, after publication of this 
final rule, also provide further clarification on this process of 
designating past, present, and future treating providers in 
subregulatory guidance.
    Whether a PPS or a health care organization may be listed in the 
``To Whom'' section of the consent form depends upon whether they have 
a treating provider relationship with the patient whose information is 
being disclosed. If an entity does have a treating provider 
relationship with the patient, the entity name may be listed on the 
consent (see Sec.  2.31(a)(4)(ii)). However, if the entity does not 
have a treating provider relationship with the patient whose 
information is being disclosed, and is not a third-party payer, the 
entity name may be listed on the consent form as long as one or more of 
the following is also listed: (1) The name(s) of an individual 
participant(s); (2) the name(s) of an entity participant(s) that has a 
treating provider relationship with the patient whose information is 
being disclosed; or (3) a general designation of an individual or 
entity participant(s) or a class of participants that must be limited 
to those participants who have a treating provider relationship with 
the patient whose information is being disclosed.
    SAMHSA plans to address issues concerning third-party payer use and 
disclosure of part 2 information in greater detail in an SNPRM.
d. Commenter Recommendations
Public Comments
    Commenters recommended more flexibility in the ``To Whom'' section. 
Commenters recommended that SAMHSA expand the general designation to 
include all of the various participants in the modern health care 
system and their respective activities: Providers, care managers, 
health plans and ACOs, MCO services, CCOs, and similar integrated 
health care networks. One commenter said the general designation should 
include those who do not have a treating provider relationship with the 
patient but who/which require access to the patient's information 
solely in relation to fulfilling a specific function for the benefit of 
the individual or entity that has the treating provider relationship 
with specific patients. Another commenter requested that SAMHSA allow 
patients to generally consent to disclose information to any company 
assisting in processing their insurance claims. Another commenter 
suggested that patients be able to name as many treating providers as 
they wish under the general designation. One commenter said patients 
should be permitted to provide a generalized consent for all of their 
previous providers to disclose information. One commenter said generic 
consent (i.e., disclosure through an HIE) is all that should be 
required because SAMHSA has previously provided guidance that HIEs may 
have access to part 2 information under a QSO agreement without patient 
consent. A commenter said the rule should allow for the general 
designation of certain types of non-treating providers, rather than 
require a listing of the name of each entity.
    In contrast, other commenters suggested increased limitations on 
the ``To Whom'' designation. A commenter proposed excluding health 
information networks and health information organizations (HIOs) from 
being specifically identified on patient consent form because they are 
not true recipients of patient health information and simply facilitate 
electronic exchange of information. One commenter recommended that 
SAMHSA preserve the patient's right of consent to disclosures only to 
specifically identified practitioners

[[Page 6084]]

involved in their mental health treatment.
    Regarding third-party payers, several commenters recommended 
allowing third-party payers to act as intermediaries for purposes of 
sharing substance use disorder information, allowing them to share 
information with all of the patient's treating providers. Another 
commenter requested general designation for third-party payers. To 
accommodate the operational realities of Medicaid, a commenter stressed 
that the rule should explicitly provide that consent to disclose 
covered data to Medicaid constitutes consent to release such data to 
Medicaid or to the payer's contracted entity (e.g. the MCO) to apply to 
both entities as a third-party payer. Similarly, another commenter 
recommended that the rule consider a designation to the name of the 
state agency, the MCO, or simply Medicaid as consent that applies to 
the state and its contracted delivery system, reasoning that not all 
Medicaid beneficiaries understand their health care system.
SAMHSA Response
    SAMHSA acknowledges the commenters' concerns related to the 
recommendations above. SAMHSA has concluded that the proposed changes 
to the consent requirements would facilitate care coordination and 
information exchange. Improving the quality of substance use disorder 
care depends on effective collaboration of mental health, substance use 
disorder, general health care, and other service providers in 
coordinating patient care. However, the composition of a health care 
team varies widely among entities. Because SAMHSA wants to ensure that 
patient identifying information is only disclosed to those individuals 
and entities on the health care team with a need to know this sensitive 
information, we are limiting a general designation to those individuals 
or entities with a treating provider relationship. Patients may further 
designate their treating providers as ``past,'' ``current,'' and/or 
``future'' treating providers. In addition, a patient may designate, by 
name, one or more individuals on their health care team with whom they 
do not have a treating provider relationship. SAMHSA clarifies that a 
QSO can be used to share part 2 information with the HIE when the HIE 
is a service provider to the part 2 program, but the QSO cannot be used 
to share information with the members of an HIE without patient 
consent.
    As for third-party payers and others, SAMHSA must balance the need 
for and benefits of care coordination with the need for consent and the 
requirements of the part 2 governing statute. SAMHSA declines to adopt 
commenter recommendations to allow third-party payers to serve as 
intermediaries that could share information with all the patient's 
treating providers because we conclude that the ``To Whom'' consent 
requirements are sufficiently broad to cover the necessary components 
of a patient's care team. For purposes of payment-related activities, 
to the extent that federal or state law authorizes or requires that the 
Medicaid or Medicare agency or program share data or enter into a 
contractual arrangement or other formal agreements to do so, consent to 
disclose patient identifying information to the agencies or programs 
(as a third-party payer) under section 2.31(a)(4)(iii)(A) is considered 
to extend to the contractors and subcontractors of the agencies or 
programs.
    Commenters have provided SAMHSA with informative feedback on how 
lawful holders, including third-party payers and others within the 
healthcare industry, use health data or hire others to use health data 
on their behalf to provide operational services such as independent 
auditing, legal services, claims processing, plan pricing and other 
functions that are key to the day-to-day operation of entities subject 
to this rule. Those comments indicate that there may be varying 
interpretations of the part 2 rule's restrictions on lawful holders and 
their contractors' and subcontractors' use and disclosure of part 2-
covered data for purposes of carrying out payment, health care 
operations, and other health care related activities. In consideration 
of this feedback and given the critical role third-party payers, other 
lawful holders, and their contractors and subcontractors play in the 
provision of health care services, SAMHSA is issuing an SNPRM to seek 
further comments and information on this matter before establishing any 
appropriate restrictions.
Public Comments
    Instead of listing organizations in the ``To Whom'' section, a 
commenter recommended that a consent form should specify the reasons 
for disclosure (e.g. care coordination, management of benefits).
SAMHSA Response
    In addition to the ``To Whom'' section, the consent form is 
required to include how much and want kind of information is to be 
disclosed, including an explicit description of the substance use 
disorder information that may be disclosed. In addition, the consent 
form must include the purpose of the disclosure. All the required 
elements must be included on the consent form. SAMHSA declines to make 
the suggested change to allow the ``Purpose'' of the consent to dictate 
the recipients of the patient identifying information. The intent of 
SAMHSA's approach to the ``To Whom'' section of the consent form is to 
provide the patient options for the degree to which they will be able 
to identify, at the point of consent, who they are authorizing to 
receive their information.
Public Comments
    A commenter stated that SAMHSA should explicitly recognize and 
include health plan care services, such as managed care, care 
coordination, case management and other integrated care activities as 
part of the required elements for written consent for entities that do 
not have a treating provider relationship with the patient under 
proposed Sec.  2.31(a)(4)(iv).
    A commenter stated any privacy concerns could be fixed by requiring 
(1) a general designation of a class of participants with a treating 
provider relationship; and (2) that the disclosing organization provide 
patients, upon request, a list entities to which their information has 
been disclosed.
    A commenter proposed that Sec.  2.31(a)(4) be revised to allow a 
general designation to be used whenever there is a ``treating provider 
relationship'' or a ``care management relationship.'' The commenter 
stated the ``care management relationship'' should be defined to 
include the concepts of assistance in obtaining appropriate care, care 
coordination, and assistance in the implementation of a plan of medical 
care.
    A couple of commenters suggested SAMHSA revise proposed Sec.  
2.31(a)(4)(iv)(C) to read: ``. . . to a participant(s) who has a 
treating provider relationship with the patient at the time the 
disclosure is made.'' (Note, the relevant text is now found at Sec.  
2.31(a)(4)(iii)(B)(3) due to renumbering of the final regulation.) The 
commenters stated this would make it clear that participants who 
develop a treatment relationship with the patient after the date the 
consent can gain access.
    Commenters recommended that the general authorization mirror the 
authorization under HIPAA to ease the transition and reduce compliance 
issues.
    A commenter recommended SAMHSA work with other federal entities 
that are exploring parity enforcement to ensure that the proposed rule 
changes would not create barriers for states working on enforcement of 
the parity law.

[[Page 6085]]

    If a patient notes their information may be shared with current and 
future health care providers, one commenter said the specific name of 
the ACO or other provider should not be required.
SAMHSA Response
    SAMHSA declines to explicitly recognize and include health plan 
care services, such as managed care, care coordination, case management 
and other integrated care activities as part of the required elements 
for written consent for entities that do not have a treating provider 
relationship with the patient under proposed Sec.  2.31(a)(4)(iv), or 
broaden the ``treating provider relationship'' to also include a ``care 
management relationship.'' The definition of ``Treating provider 
relationship'' is sufficiently broad to cover the necessary components 
of a patient's care team.
    A commenter stated any privacy concerns could be fixed by requiring 
(1) a general designation of a class of participants with a treating 
provider relationship; and (2) that the disclosing organization provide 
patients, upon request, a list of entities to which their information 
has been disclosed. Another commenter wanted to delete the requirement 
of naming the entity without a treating provider relationship with the 
patient whose information is being disclosed. SAMHSA is retaining the 
consent requirements discussed in this section of the preamble because 
we believe it balances increased flexibility with necessary privacy 
protections.
    SAMHSA declines to mirror the authorization under HIPAA to ease the 
transition and reduce compliance issues, as a commenter suggested, 
because, due to its targeted population, part 2 provides more stringent 
federal protections than most other health privacy laws, including 
HIPAA.
    SAMHSA may, after publication of this final rule, provide further 
subregulatory guidance on specific concerns, such as states working on 
enforcement of the parity law.
Public Comments
    Several commenters recommended splitting proposed Sec.  
2.31(a)(4)(iv) into two sections. The first would contain special 
provisions governing disclosures made through HIEs and would retain the 
references to ``individual participants'' and ``entity participants.'' 
The second would cover all entities that do not fall into any of the 
other categories in proposed paragraph (a)(4)(iv); in these cases, the 
specific entity to which disclosure is made would have to be specified.
SAMHSA Response
    SAMHSA proposed Sec.  2.31(a)(4)(iv) to apply to an entity (1) that 
does not have a treating provider relationship with the patient whose 
information is being disclosed, and (2) is not a third-party payer. 
Therefore, SAMHSA declines to make the recommended changes. We note, 
however, that due to re-numbering the proposed Sec.  2.31(a)(4)(iv) 
provision is found in the final regulation at Sec.  2.31(a)(4)(iii)(B).
Public Comments
    A commenter recommended that the use of multi-party consents be 
permissible even when the ``To Whom'' section contains a general 
designation, and that the party(ies) named in the ``To Whom'' section 
be permitted to re-disclose patient information if the patient has 
consented to such re-disclosures in order to allow patients' treating 
providers to communicate with each other (pursuant to patient consent) 
within networks like HIE and integrated care organizations. Another 
commenter stated that the general designation is a step in the right 
direction but the proposed rule would add a burdensome accounting, 
which is not required for disclosures pursuant to a valid authorization 
under HIPAA.
SAMHSA Response
    On the issue of multi-party consent, a multi-party consent can be 
achieved by allowing for bi-directional communication using the general 
designation in both the ``To Whom'' and ``From Whom'' sections of the 
consent. It can also be created by naming multiple individuals with or 
without a treating provider relationship with the patient whose 
information is being disclosed or entities with a treating provider 
relationship with the patient whose information is being disclosed in 
the ``To Whom'' and ``From Whom'' sections of the consent. The key is 
to make sure the consent form authorizes each party to disclose to the 
other ones the information specified and for the purpose specified, in 
the consent. The ``To Whom'' and ``From Whom'' sections of the consent 
provisions of the final rule will permit multi-party consents.
    With respect to the comment regarding the additional burden of the 
List of Disclosures associated with the use of a general designation on 
the consent form, SAMHSA addressed this issue in Section F.3, in the 
preamble discussion of Confidentiality Restrictions and Safeguards 
(Sec.  2.3). That discussion emphasizes the fact that there is no 
timeframe in which part 2 programs and lawful holders need to comply 
with the List of Disclosures systems requirements; the final rule only 
requires that if they choose to disclose information pursuant to a 
general designation on the ``To Whom'' part of the consent form, they 
must also be capable of providing a List of Disclosures upon request 
per Sec.  2.13(d).
e. Proposed Alternative Approach for ``To Whom'' Section
    SAMHSA is not finalizing the alternative approach to the ``To 
Whom'' consent provision. In the NPRM, SAMHSA proposed an alternative 
approach for the ``To Whom'' aspect of a consent form that attempted to 
reflect the same policy goal as the proposed regulation text while 
attempting to simplify the language that would appear on the consent 
form. This alternative approach would not change the existing language 
in the ``To Whom'' section of the consent form. Under this alternative 
approach, SAMHSA proposed to add a definition of ``organization'' to 
Sec.  2.11. Organization would mean, for purposes of Sec.  2.31, (a) an 
organization that is a treating provider of the patient whose 
information is being disclosed; or (b) an organization that is a third-
party payer that requires patient identifying information for the 
purpose of reimbursement for services rendered to the patient by a part 
2 program; or (c) an organization that is not a treating provider of 
the patient whose information is being disclosed but that serves as an 
intermediary in implementing the patient's consent by providing patient 
identifying information to its members or participants that have a 
treating provider relationship, as defined in Sec.  2.11, or as 
otherwise specified by the patient.
Public Comments
    No commenters expressed support for the proposed rule's alternative 
approach to required elements as stated. One commenter said the 
alternative approach would impose fewer burdens on patients and part 2 
entities but did not agree with the restriction on dissemination to 
only treating entities. Another commenter supported the proposed 
alternative if it results in only the name of the HIE and not its 
participants being listed on the consent form.
    Several commenters expressed general opposition to the proposed 
alternative approach. One commenter stated that redefining 
``organization'' to make it more expansive would lead to erosion of 
trust and would have a chilling effect on the communications

[[Page 6086]]

necessary for effective treatment. Another commenter stated that a more 
expansive definition of ``organization'' may defeat a patient's intent 
because a patient would have less notice that their information could 
be disclosed to an entity not specifically named on the consent form.
SAMHSA Response
    Based on the comments, SAMHSA has not adopted the alternate 
approach. Although a few commenters supported the adoption of the broad 
definition of ``organization,'' none provided sufficient information to 
determine how that definition could be implemented to protect the 
patient's information from disclosure to parties without a need to 
know. It is also unclear how the List of Disclosures requirement would 
be applied under a broader definition of ``organization.'' SAMHSA, 
therefore, has not adopted a definition of ``organization.'' SAMHSA 
disagrees with the recommendation that disclosure to a wider range of 
entities should be allowed without the patient's specific consent.
3. Amount and Kind
    SAMHSA is adopting this aspect of the proposal. SAMHSA has moved 
the former Sec.  2.31(a)(5), ``Amount and Kind'' provision, to Sec.  
2.31(a)(3) and revised the provision to require the consent form to 
explicitly describe the substance use disorder-related information to 
be disclosed. The designation of the ``Amount and Kind'' of information 
to be disclosed must have sufficient specificity to allow the 
disclosing program or other entity to comply with the request.
a. General
Public Comments
    Many commenters provided feedback on the proposed rule's ``Amount 
and Kind'' requirements on a patient's consent form. A few commenters 
generally supported the provision. However, several commenters 
generally disagreed with the proposed provision because it would either 
decrease or fail to improve the sharing of patient information; would 
hamper integrated care; would result in consent forms routinely 
becoming outdated; patients should not decide what information is 
disclosed; and the current (1987) rule language is adequate for 
protection of patient privacy.
    Some commenters said the rule should continue to allow a general 
description of the type of information being disclosed. Other 
commenters asked SAMHSA to clarify why the revision of the regulatory 
language was necessary and why specific information is preferable to 
simply stating that the consent form covers all the records maintained 
by the part 2 program.
SAMHSA Response
    The designation of the ``Amount and Kind'' of information to be 
disclosed must explicitly describe the substance use disorder-related 
information to be disclosed and have sufficient specificity to allow 
the disclosing program or other entity to comply with the request. 
However, the entity creating the consent form may provide options by 
including free text space, or choices based on a generally accepted 
architecture (e.g. the Consolidated-Clinical Document Architecture (C-
CDA)), or document (e.g. the Summary of Care Record as defined by CMS 
for the EHR Incentive Programs). It is permissible to include ``all my 
substance use disorder information'' as long as more granular options 
are also included.
    Nothing in the rule would prevent the development and use of broad 
categories of the substance use disorder-related information on the 
Amount and Kind section of the consent form. The types of information 
that might be requested include diagnostic information, medications and 
dosages, lab tests, allergies, substance use history summaries, trauma 
history summary, elements of a medical record such as clinical notes 
and discharge summary, employment information, living situation and 
social supports, and claims/encounter data. If options are provided, it 
is also permissible to provide check boxes next to each option.
b. Impact of the Amount and Kind Requirement on Providers and Patients
Public Comments
    Commenters expressed concern that the proposed ``Amount and Kind'' 
provision would be unduly burdensome for providers, thus obstructing 
communications. Several commenters stated that the proposed rule would 
require both patients and providers to have an in-depth understanding 
of the precise terms used for substance use disorder information. Some 
commenters thought this would put undue burden on patients. Other 
commenters argued that the ``Amount and Kind'' requirement would place 
an additional burden on patients to anticipate future care and/or 
continually update their consent forms. Similarly, commenters stated 
that patients do not know what information is necessary to support 
their treatment, which could lead to important information being 
omitted. Commenters argued that the ``Amount and Kind'' provision would 
require requesting health providers to know the format, titling, and 
nomenclature used for substance use disorder information in the part 2 
program.
    A commenter argued that many patients would want all of their 
substance use disorder information disclosed if it would improve the 
quality and coordination of their care. Many commenters recommended 
that patients should be able to sign a consent to sharing their entire 
record (i.e., a global consent), with some arguing that the form should 
include a statement that covers ``all my records,'' ``all my substance 
abuse records,'' ``entire record'' and/or ``full record.'' Other 
commenters said patients should be able to choose via a check box 
``substance abuse treatment information'' or authorize the entire 
medical record and list what cannot be disclosed. Several commenters 
stated that an exhaustive list of check boxes on the consent form would 
be confusing for many patients.
    Some commenters said patients should be able to designate an option 
for overall record release with an option for further specification of 
dates and materials to be released from the substance use disorder 
record. However, another commenter said selections should be ``all or 
nothing'' to enable providers to exchange information with HIE, ACO, 
CCO or a similar entity according to the patient's consent directive 
with other providers.
SAMHSA Response
    The patient will be aware that they have substance use disorder 
information and can make a determination whether they want that 
information disclosed. The 1987 final rule part 2 regulations require 
the patient to list ``how much and what kind of information is to be 
disclosed'' (Sec.  2.31(a)(5)). SAMHSA has revised the provision to 
require that the consent form explicitly describe the substance use 
disorder information to be disclosed to ensure patients understand they 
are disclosing the specified substance use disorder information. The 
amount of specificity patients wish to include in the ``Amount and 
Kind'' section of the consent form is left to them, as long as it has 
sufficient specificity to allow the disclosing program or other entity 
to comply with the request. As such, this section does not prohibit a 
patient from listing ``all my substance use disorder information'' or 
``none of my substance use disorder information.'' However, the Amount 
and Kind section of a consent form must accommodate more specific 
options. As stated previously, nothing in the rule

[[Page 6087]]

would prohibit the inclusion on a consent form of broad categories of 
the substance use disorder-related information that would generally 
appear in patient records to assist patients in identifying the 
information they wish to disclose. In developing broad categories of 
information to be included on the consent form, part 2 programs and 
other lawful holders of patient identifying information would need to 
take into consideration reading level standards and the concepts of 
plain language. The rule does not require further consent when new 
information is added to the substance use disorder record if the new 
information is covered by the ``Amount and Kind'' section on the 
consent form. If the ``Amount and Kind'' section does include 
specificity that the patient doesn't understand, the party obtaining 
the consent should explain it to the patient. SAMHSA may, after 
publication of this final rule, issue in subregulatory guidance 
information for educating staff and patients. We are reliant on the 
provider to be clear to patient, which has always been the case.
c. Required Substance Use Disorder Information on Consent Forms
Public Comments
    Some commenters said the level of detail required in the ``Amount 
and Kind'' section of the consent form was unrealistic, unnecessary, 
and confusing. A commenter argued that the level of detail required by 
the rule was at odds with the general designations necessary for 
information exchange. A commenter stated that EHR infrastructure may 
not be able to categorize and segregate information as described in 
proposed Sec.  2.31(a)(3).
    Some commenters urged SAMHSA to simplify or otherwise revise this 
section of the consent form. A commenter recommended that the list 
could be simplified by including standardized fields on the consent 
form that align with information commonly found on a Continuity of Care 
Document (CCD). Commenters recommended narrowing the list to several 
broad categories (e.g. employment information, living situation, social 
supports). A commenter stated that if more specific categories were 
needed, the patient could write in their own terms. Some commenters 
said the elements and extent of the consent should be the same under 
part 2 as it is in HIPAA. Other commenters said SAMHSA should use the 
required elements of a Summary of Care Record as defined by CMS for the 
EHR Incentive Program as a basis for the ``kind'' and ``type'' of 
information able to be disclosed. Another commenter said SAMHSA should 
defer to the expertise of health plans to determine what is necessary 
for a treating provider to know about substance use disorder.
SAMHSA Response
    The types of information that might be requested include diagnostic 
information, medications and dosages, lab tests, allergies, substance 
use history summaries, trauma history summary, employment information, 
living situation and social supports, and claims/encounter data. 
However, the entity creating the consent form may provide options to 
include free text space, or choices based on a generally accepted 
architecture or document such as the C-CDA, or Summary of Care Record, 
as defined by CMS for the EHR Incentive Program. It is permissible to 
include ``all my substance use disorder information'' as long as more 
granular options are also included. If options are provided, it is also 
permissible to provide check boxes next to each option. The designation 
of the ``Amount and Kind'' of information to be disclosed must have 
sufficient specificity to allow the disclosing program or other entity 
to comply with the request.
d. Requests for Clarification
Public Comments
    A couple of commenters asked SAMHSA to clarify whether the ``Amount 
and Kind'' section is to inform the patient or the providers. A 
commenter requested clarification on whether multiple patient consents 
would be necessary when the contents of a record changes over time. 
Some commenters requested that SAMHSA provide more specific examples of 
adequate descriptions of the type of information being disclosed. 
Another commenter recommended SAMHSA create a sample consent form.
SAMHSA Response
    The ``amount and kind'' section informs both the patient and the 
providers. It allows patients the opportunity to specify whether all of 
their substance use disorder treatment information or only some may be 
disclosed and sets the limits on what a part 2 program or other lawful 
holders may disclose. The amount and kind section will generally cover 
classes of information so that changes to the record should not trigger 
the need for re-consents for the same classes of information. SAMHSA 
may provide examples or a sample consent form in subregulatory guidance 
following the publication of the final rule.
4. From Whom
    SAMHSA is not finalizing the substantive changes that were proposed 
for the ``From Whom'' provision in Sec.  2.31(a)(2). In the NPRM, 
SAMHSA proposed to move the 1987 Sec.  2.31(a)(1) ``From Whom'' 
language of the consent requirements provision to Sec.  2.31(a)(2). In 
addition, because SAMHSA was also proposing, in certain instances, to 
permit a general designation in the ``To Whom'' section of the consent 
form, SAMHSA proposed to require the ``From Whom'' section of the 
consent form to specifically name the part 2 program(s) or other lawful 
holder(s) of the patient identifying information permitted to make the 
disclosure.
Public Comments
    SAMHSA received comments on the ``From Whom'' section of the 
consent form from a group of commenters representing a broad spectrum 
of stakeholder organizations. The overwhelming majority of these 
commenters were opposed to the proposed change and many suggested 
withdrawing the proposal in Sec.  2.31(a)(2) and retaining the 1987 
``From Whom'' language (Sec.  2.31(a)(1)).
    Commenters expressed concern that the proposed Sec.  2.31(a)(2) 
could decrease the sharing of health information; would add complexity 
with little or no benefit to patient privacy; would unnecessarily limit 
the use of a consent; and may accidentally cause the patient to omit a 
provider whom they want or need to see their data; would negatively 
impact certain HIE models. A significant majority of the comments 
regarding the ``From Whom'' section of the consent form voiced strong 
opposition to the proposal. A few commenters said the proposed change 
would unnecessarily limit the positive step SAMHSA took in permitting, 
in certain circumstance, a general designation in the ``To Whom'' 
section of the consent form. One commenter suggested revising the 
requirements on the basis that the proposed changes do not modernize 
the regulation.
SAMHSA Response
    SAMHSA was persuaded by the overwhelming opposition to the proposed 
``From Whom'' language and, with the exception of minor technical 
revisions, will retain in this final rule the language in the current 
(1987) regulation. SAMHSA made this decision for several reasons. 
First, the existing ``From Whom'' requirements have been in effect for 
nearly 30 years and were based on the Department's prior determination 
that, even with a general

[[Page 6088]]

designation option, the provision did not jeopardize patient privacy. 
The fact that SAMHSA is not aware of any reports of the current (1987) 
``From Whom'' requirement resulting in unintended consequences further 
supports this position.
    Second, in the NPRM, SAMHSA supported the elimination of the 
general designation option in the ``From Whom'' section of the consent 
form based on concerns that ``[t]he patient may be unaware of possible 
permutations of combining the two broad designations (i.e., in the ``To 
Whom'' and ``From Whom'' sections) to which they are consenting, 
especially if these designations include future unnamed treating 
providers.'' Based on the comments received, we believe this concern 
may have been overstated. Commenters generally did not agree that the 
``unintended consequences'' the NPRM postulated were likely to occur. 
Commenters also asserted that SAMHSA's proposal shifted the burden from 
the receiver to the sender of health information and would be 
burdensome both to providers and patients. In addition, the proposed 
change could undermine new models to streamline consent.
    While the option of using a general designation in either the ``To 
Whom'' or the ``From Whom'' sections (or both) provides the patient 
greater flexibility, and may result in two broad designations, it is 
still ultimately the patient's decision whether to use these options or 
to specifically name both the disclosing and receiving parties on the 
consent form. We agree with the remarks of one commenter that the 
proposed change to the ``From Whom'' section potentially undermines, 
rather than supports, patient choice, which was not SAMHSA's intent. 
Another commenter suggested that SAMHSA's proposed revisions may 
restrict multi-party consents and disclosures, such as consents that 
authorize disclosures ``between and among'' the parties. These types of 
consents are an important option for part 2 programs and patients, 
which SAMHSA believes would be eliminated if it were to finalize the 
proposal articulated in the NPRM. Another characterized the proposed 
change as adding greater complexity to the consent process for patients 
with little or no benefit to patient privacy.
    Third, leaving the 1987 ``From Whom'' section essentially unchanged 
may reduce the burden on providers and IT vendors to accommodate this 
final regulation. HIE consortiums/associations and state governments 
were particularly concerned about the impact of the proposed revisions 
on consent-to-access HIE models (sometimes referred to as a community-
wide consent-to-access model). As several commenters said, the only way 
for the participant to comply with the NPRM ``From Whom'' requirement 
would be for the participant to list the name of every part 2 program 
in the relevant state in the ``From Whom'' section of the consent form 
in order to inform the patient that there is a possibility that one of 
these programs might be the source of the information being accessed. 
Not only would this require the listing of hundreds of providers on the 
face of a consent form--effectively transforming the document into a 
provider directory--but it would also require the listing of part 2 
programs that are not participating in the HIE, which would be 
misleading and likely draw objections from these programs.
    Moreover, the identities of part 2 programs that may be sources of 
information are constantly changing as new programs are licensed or 
join the HIE. This would mean that every time a participant sought to 
access a patient's information in an HIE, it would have to provide the 
patient with a consent form listing all of these new providers, and the 
participant would constantly need to print new forms with updated lists 
of part 2 programs in the state. This would even apply in the vast 
majority of cases where no part 2 information would be exchanged, since 
a participant in a consent-to-access model often does not know whether 
the sought-after information contains part 2 information and, 
therefore, needs to assume that it does. Requiring participants to 
print lengthy consent forms with an updated list of part 2 programs 
every time a new part 2 program is licensed in the relevant state (and 
developing a system to inform every participant about such updates) is 
simply not feasible. The community consent-to-access model was 
implemented specifically in order to meet the spirit and letter of the 
1987 part 2 regulations. In addition, federal and state governments 
have invested hundreds of millions of dollars to build statewide health 
information networks in reliance on the 1987 part 2 regulations, which 
allow consent forms to have a general designation of ``From Whom'' the 
records are being disclosed. Theoretically, it is possible for part 2 
programs to switch to a consent-to-disclose model while all other 
participants continue to operate under a consent-to-access model.
    Fourth, the flexibility provided in the ``To Whom'' and ``From 
Whom'' sections of the consent form are balanced by the specificity in 
the ``Amount and Kind'' and ``Purpose'' sections of the consent form. 
SAMHSA has revised the ``Amount and Kind'' element on the consent form 
to require the consent form to explicitly describe the substance use 
disorder-related information to be disclosed so that patients will be 
aware of the substance use disorder information they are authorizing to 
disclose when they sign the consent form. In addition, under the 
current (1987) regulation, consent forms are required to include the 
purpose of the disclosure. Any disclosure made under these regulations 
must be limited to that information which is necessary to carry out the 
purpose of the disclosure.
5. New Requirements
    SAMHSA is modifying this aspect of the proposal. SAMHSA proposed to 
add two new requirements related to the patient's signing of the 
consent form. First, SAMHSA proposed a provision that would have 
required the part 2 program or other lawful holder of patient 
identifying information to include a statement on the consent form that 
the patient understands the terms of their consent. For the reasons 
explained below, SAMHSA is not incorporating this requirement into 
Sec.  2.31 in this final rule. Second, SAMHSA revised Sec.  2.31 to 
require the part 2 program or other lawful holder of patient 
identifying information to include a statement on the consent form that 
the patient understands their right, pursuant to Sec.  2.13(d), to 
request and be provided a list of entities to which their information 
has been disclosed when the patient includes a general designation on 
the consent form. SAMHSA is including this requirement in the final 
rule (see Sec.  2.31(a)(4)(iii)(B)(3)(i)).
Public Comments
    A few commenters supported the additional statement clarifying that 
the patient understands the terms of consent and their rights. One 
commenter suggested expanding the statement to include language about 
the potential consequences of utilizing a general designation in the 
``To Whom'' and ``From Whom'' fields, which would address concerns 
about the use of two general designations, while preserving the 
flexibility allowed in the ``From Whom'' section of the current (1987) 
regulation.
    However, other commenters opposed updating the consent requirements 
because doing so would require providers to update consent forms or 
would require a separate substance use disorder consent form. Several 
commenters questioned the purpose of

[[Page 6089]]

the additional signed statement. A commenter criticized the proposed 
language and argued that it was an attempt to avoid liability.
    Several commenters argued that patients would not have the capacity 
to understand what they are signing. Furthermore, another commenter 
stated that a signed statement saying that the patient has read the 
terms of the consent does not mean the patient actually read and 
understood the consent. A commenter recommended a provision to allow 
the treating physician to sign a consent for substance use disorder 
records for patients who may lack the cognitive ability to sign a 
waiver.
SAMHSA Response
    SAMHSA agrees with the commenters that the requirement that the 
part 2 program or other lawful holder of patient identifying 
information must include a statement on the consent form that the 
patient understands the terms of their consent is unnecessary. As 
commenters stated, a signature on a confirmation statement does not 
assure that the patient has, in fact, read or understood it. It is also 
the case, as commenters stated, that some patients may not have the 
capacity, at the time they are admitted, to provide an informed 
consent. Therefore, SAMHSA has eliminated this requirement.

K. Prohibition on Re-Disclosure (Sec.  2.32)

    SAMHSA is adopting this section as proposed except for a clarifying 
revision to Sec.  2.32(a). As discussed in the NPRM preamble, the 
prohibition on re-disclosure provision only applies to information that 
would identify, directly or indirectly, an individual as having been 
diagnosed, treated, or referred for treatment for a substance use 
disorder and allows other health-related information shared by the part 
2 program to be re-disclosed, if permissible under the applicable law. 
SAMHSA also clarified in the NPRM preamble that, if data provenance 
(the historical record of the data and its origins) reveals information 
that would identify, directly or indirectly, an individual as having or 
having had a substance use disorder, the information is prohibited from 
being re-disclosed. In addition, SAMHSA revised Sec.  2.32 to clarify 
that the federal rules restrict any use of the information to 
criminally investigate or prosecute any patient with a substance use 
disorder, except as provided in Sec. Sec.  2.12(c)(5) and 2.65.
1. General
Public Comments
    Several commenters generally supported the prohibition on re-
disclosure, with some stating that the prohibition ensured the 
confidentiality of the patient's information and would facilitate 
broader sharing of information among providers and programs in support 
of integrated care, thus increasing quality of care. A commenter 
supported the delineation between substance use disorder data and other 
health-related data, particularly the flexibility to share portions of 
a patient's record that do not fall under part 2 requirements. Another 
commenter supported application of the prohibition on re-disclosure to 
individuals or entities that receive confidential identifying 
information from lawful holders.
    However, many commenters generally disagreed with the prohibition 
on re-disclosure. Commenters argued that the prohibition created 
unnecessary barriers and challenges for health care providers and would 
jeopardize patient treatment and care coordination (e.g., due to over-
restriction of medical records). One commenter argued that the 
prohibition would prevent the inclusion of substance use disorder 
treatment information within HIE, ACOs, CCOs, and research 
institutions. Another commenter stated the prohibition would prevent 
substance use disorder treatment clinics from being incorporated into 
integrated care networks. A commenter said the prohibition on re-
disclosure would prohibit providers or payers from correcting or 
supplementing knowledge of another provider based on fear of violating 
the law. Lastly, a commenter said the proposed rules prohibition on re-
disclosure was not different from the current (1987) regulation and 
therefore no clarification was necessary.
SAMHSA Response
    SAMHSA is adopting Sec.  2.32 as proposed except for a minor 
clarification in Sec.  2.32(a). As discussed elsewhere in this final 
rule, SAMHSA is attempting to balance the facilitation of information 
exchange within new health care models that promote integrated care 
with the continued need for confidentiality protections that encourage 
patients to seek treatment without fear of compromising their privacy. 
SAMHSA acknowledges the legitimate concerns of commenters regarding how 
care coordination relates to patient safety. However, SAMHSA must 
consider the intent of the governing statute (42 U.S.C. 290dd-2), which 
is to protect the confidentiality of substance use disorder patient 
records. SAMHSA believes that the prohibition on the re-disclosure of 
information that would identify, directly or indirectly, an individual 
as having been diagnosed, treated, or referred for treatment for a 
substance use disorder comports with its statutory mandate. SAMHSA 
notes that the revisions to Sec.  2.32 clarify that the prohibition on 
re-disclosure only applies to information that would identify an 
individual as having been diagnosed, treated, or referred for treatment 
for a substance use disorder, but does not apply to health information 
unrelated to the substance use disorder, such as treatment for an 
unrelated health condition. These revisions should minimize decisions 
by part 2 programs to protect an entire patient record.
Public Comments
    Several commenters argued that the original statute for the 
substance use disorder regulations did not prohibit re-disclosure. 
Another commenter argued that HIPAA did not exist when the original 
regulations regarding substance use disorder data were promulgated and 
that the re-disclosure prohibition was not needed in today's legal 
environment. Another commenter stated that the re-disclosure 
prohibition is at odds with the goals of The Mental Health Parity and 
Addiction Equity Act and the Affordable Care Act.
SAMHSA Response
    While the statute may not be explicit with regard to certain 
provisions in 42 CFR part 2, the statute directs the Secretary to 
prescribe regulations to carry out the purpose of the statute, which 
may include definitions and may provide for such safeguards and 
procedures that in the judgment of the Secretary are necessary or 
proper to effectuate the purposes of this section, to prevent 
circumvention or evasion thereof, or to facilitate compliance 
therewith.
    Because 42 CFR part 2 and its governing statute are separate and 
distinct from HIPAA and due to its targeted population, part 2 provides 
more stringent federal protections than most other health privacy laws, 
including HIPAA. However, SAMHSA aligned policy with HIPAA where 
possible.
    SAMHSA strives to facilitate information exchange within new health 
care models while addressing the legitimate privacy concerns of 
patients seeking treatment for a substance use disorder. These concerns 
include: The potential for loss of employment, loss of housing, loss of 
child custody, discrimination by medical professionals and insurers, 
arrest, prosecution, and incarceration.

[[Page 6090]]

2. Impact of Re-Disclosure Prohibition on Patient Privacy and Patient 
Choice
Public Comments
    Several commenters expressed concerns that the prohibition on re-
disclosure did not improve patient privacy protections. A commenter 
stated that the proposed changes allowed more disclosures without 
patient notice, undermining the goal of protecting a patient's privacy. 
A commenter argued that any information given by a substance use 
disorder treatment program, including a refusal to provide information, 
could identify an individual as having a substance use disorder 
(whether or not the patient actually does) or having received treatment 
for a substance use disorder. Another commenter argued against 
expanding the scope of part 2 to non-substance use disorder conditions 
which may unfairly suggest the presence of a substance use disorder.
    Several commenters expressed concern that the prohibition on re-
disclosure interfered with a patient's choice on whether to disclose 
their medical record. Commenters argued that the prohibition on re-
disclosure imposed an unnecessary burden on substance use disorder 
patients who wish to have the same level of quality coordinated care as 
other patients. Several commenters expressed concern that the 
prohibition on re-disclosure required patients to anticipate future 
care. Several commenters argued that a patient should be allowed to 
consent to or otherwise control the re-disclosure of their information.
SAMHSA Response
    Patients may permit re-disclosures of their information via written 
consent. Part 2-compliant consent forms can authorize an exchange of 
information between multiple parties named in the consent form. The key 
is to make sure the consent form authorizes each party to disclose to 
the other ones the information specified and for the purpose specified, 
in the consent. In addition, the revised consent requirements allow 
patients, under certain circumstances, to authorize disclosure of their 
information via a general designation (e.g., to ``all my current and 
future treating providers'') rather than to specifically name each 
recipient.
    As SAMHSA has stated in this regulation, the ``To Whom'' section of 
the consent form can authorize a disclosure of patient identifying 
information to an entity that does not have a treating provider 
relationship with the patient whose information is being disclosed and 
acts as an intermediary for its participants, such as an HIO, and a 
general designation of individual and entities with a treating provider 
relationship with the patient whose information is being disclosed that 
are participants. The required statement prohibiting re-disclosure 
should accompany the information disclosed through consent along with a 
copy of the part 2-compliant consent form (or the pertinent information 
on the consent form necessary for the intermediary to comply with the 
signed consent), so that each subsequent recipient of that information 
is notified of the prohibition on re-disclosure.
3. Disclosure of Information that May Indicate a Substance Use Disorder
Public Comments
    Several commenters argued that determining which conditions and 
medications would ``identify a patient as having or having had a 
substance abuse order'' would be a burden on providers. Commenters said 
most staff within an HIE do not have the qualifications (e.g., clinical 
knowledge regarding medical conditions and medications) to distinguish 
which information could indicate an individual's substance use disorder 
and would thus need to be trained accordingly. Commenters stressed that 
the difficulty in determining what patient information would indicate a 
patient had a substance use disorder would discourage providers and 
health plans from exchanging information, further inhibiting 
coordinated care and enforcing differential treatment of individuals 
with substance use disorders.
    Several commenters expressed concern that the language of the 
proposed rule was too broad. A commenter said the provision was 
problematic because many medications are frequently related to 
substance use disorder or other physical or mental conditions, so there 
is a risk of indicating a patient had a substance use disorder whether 
or not the patient actually did have a substance use disorder. 
Similarly, commenters argued that preventing disclosure of information 
that suggests a substance use disorder is too broad and would overly 
restrict the information available to health care providers, thus 
endangering patient safety. A commenter recommended that SAMHSA 
interpret ``identifies a patient as having or having had a substance 
use disorder'' to mean only information that actually identifies a 
patient as having a substance use disorder, rather than including 
information that merely suggests that a person might have an substance 
use disorder. A commenter recommended that the provision be interpreted 
as written in the rule language, not as expansively considered in the 
NPRM preamble.
    One commenter argued that a prescription for a certain drug is not 
enough to identify a person as having a substance use disorder, let 
alone indicate the person is receiving care from a substance use 
disorder program. The commenter stated that this ambiguity is 
sufficient to be able to say that the information does not ``identify'' 
the person as having a substance use disorder or, moreover, that they 
are being treated in a program.
    A commenter stated that, when the data sharing of the records are 
redacted to remove all evidence of substance use disorder they become 
worthless in terms of ensuring improved client care. Further, this 
commenter said that there is no way to ensure such redaction would be 
done effectively and that there is a high risk of inadvertent 
disclosure, which cannot be made private again.
SAMHSA Response
    Comments received by SAMHSA suggest that the discussion in the NPRM 
of re-disclosure regarding medications and examples provided were not 
clear. Both the proposed rule and this final rule prohibit re-
disclosure of part 2 information that would identify, directly or 
indirectly, an individual as having been diagnosed, treated, or 
referred for treatment for a substance use disorder, such as indicated 
through standard medical codes, descriptive language, or both, unless 
further disclosure is expressly permitted by the written consent of the 
individual whose information is being disclosed or is otherwise 
permitted by the part 2 statute or regulations. Such information could, 
in some circumstances, include part 2 information concerning a 
patient's prescription for a medication typically used for medication-
assisted treatment or a disease or condition frequently associated with 
substance use disorders. While certain medical information in and of 
itself may not identify a patient as having a substance use disorder 
and approved medications may be used for various purposes, the context 
of this preamble and Sec.  2.32 concerns the re-disclosure of 
information that is directly related to the patient's undergoing 
treatment for substance use disorders. Therefore, it is considerably 
more likely that the re-disclosure of such information would result in 
identifying the patient as receiving treatment for a substance use 
disorder. By contrast, a

[[Page 6091]]

patient who is not receiving such treatment (and, therefore, whose 
health information is not covered by this rule) would not face such 
risks even if their medication or condition is frequently associated 
with substance use disorders. It is also important to note that in some 
cases, patients may expressly consent to further re-disclosure and that 
such re-disclosure may in some cases be allowed under other provisions 
of this rule. SAMHSA understands that this is an important topic and 
may provide additional subregulatory guidance on this issue after the 
publication of this final rule.
4. Technical Challenges in Preventing Unauthorized Re-Disclosure
Public Comments
    Commenters expressed concern that, due to how information is 
exchanged electronically, it may be technically difficult for the 
medical industry to prevent re-disclosure. Commenters argued that 
providers do not have the technical ability to segregate substance use 
disorder content and redact that information from being sent to new 
providers who use or review the record. More specifically, a commenter 
argued that EHR currently have the ability to contribute patient data 
to an HIE or a Regional Health Information Organization (RHIO) at the 
patient level, not at the services rendered level. A commenter stated 
that this capability was five to ten years away. A commenter argued 
that if the outputs of the DS4P's pilots were refined and required 
under the federal health IT certification program, there would have 
been solution for the re-disclosure of substance use disorder 
information.
    Several commenters expressed concern about the lack of technical 
standards. A commenter recommended that SAMHSA adopt clear technical 
methods and standards for recipients of disclosures, by which part 2 
providers and programs would be able to identify which records are not 
part 2 sensitive and can be incorporated directly into recipient's EHR. 
Similarly, a commenter stated there needed to be standards for all EHR 
Vendors and HIEs to address the re-disclosure prohibition.
    Some commenters expressed concern about the burden of upgrading 
their record system to comply with the prohibition on re-disclosure. 
Commenters stated that the re-disclosure prohibition would require 
upgrades and modifications to EHR and HIEs. A commenter stated that 
SAMHSA should provide funding to upgrade HIE systems or HIEs would be 
likely to refuse to accept substance use disorder data.
    Many commenters said the prohibition on re-disclosure and the 
technical limitations many providers faced in preventing re-disclosure 
would have adverse impacts on sharing of information and patient care. 
A commenter stated that, due to the technical limitations, some 
providers would continue to prohibit re-disclosure of the patient's 
entire medical record. Other commenters argued that the technical 
limitations would result in substance use disorder information being 
kept out of the electronic health care environment, leaving gaps that 
could contribute to poor patient outcomes. A commenter stated that part 
2 programs would be unable to participate in integrated care delivery 
models because their system was not equipped to segregate substance use 
disorder data.
    A commenter stated that SAMHSA should encourage the expansion of 
meaningful use to allow behavioral health care providers to adopt data 
segmentation technology. A commenter stated that, in light of the EHR 
requirements under meaningful use, SAMHSA should consider ways to 
reduce the burden on entities using EHR with respect to disclosure 
statements under Sec.  2.32. Another commenter argued that SAMHSA 
should simply issue consent recommendations and incorporate more 
complex structures, such as data segmentation, in a broader mandate or 
on other requirements in order to allow sufficient time for 
implementation.
SAMHSA Response
    SAMHSA actively supports the continued development of data 
standards to support the integration of substance use disorder 
treatment in emerging health care models. The Data Segmentation for 
Privacy (DS4P) initiative within ONC's Standards and Interoperability 
(S&I) Framework facilitated the development of standards to improve the 
interoperability of EHRs containing sensitive information that must be 
protected to a greater degree than other health information due to 42 
CFR part 2 and similar state laws. The DS4P standard allows a provider 
to tag a C-CDA document with privacy metadata that expresses the data 
classification and possible re-disclosure restrictions placed on the 
data by applicable law. This aids in the electronic exchange of 
sensitive health information. In October 2015, ONC adopted the DS4P 
standard as part of the 2015 Edition health IT certification criteria. 
The DS4P certification criteria require health IT to demonstrate the 
ability to send and received summary care records that are document-
level tagged. SAMHSA will continue to work with ONC to further refine 
the DS4P standard so that it can be applied to segment data at the data 
element level in the manner described in ONC's ``Connecting Health and 
Care for the Nation: A Shared Nationwide Interoperability Roadmap--
Version 1.0 Final (Roadmap),'' \2\ and to accelerate the adopting of 
the DS4P send and receive standards.
---------------------------------------------------------------------------

    \2\ https://www.healthit.gov/sites/default/files/hie-interoperability/nationwide-interoperability-roadmap-final-version-1.0.pdf.
---------------------------------------------------------------------------

    Regarding re-disclosure, the primary advantage of continuing the 
prohibition on re-disclosure by recipients of a disclosure with patient 
consent is that it assures a greater measure of confidentiality for 
patient identifying information. SAMHSA strives to facilitate 
information exchange within new health care models while addressing the 
legitimate privacy concerns of patients seeking treatment for a 
substance use disorder. These concerns include: The potential for loss 
of employment, loss of housing, loss of child custody, discrimination 
by medical professionals and insurers, arrest, prosecution, and 
incarceration.
    The prohibition on re-disclosure predates this rulemaking and 
providers were already required to comply with the existing provision. 
SAMHSA proposed only minor changes to the provision for clarity, which 
should not necessitate system upgrades. Therefore, SAMHSA declines to 
respond to comments regarding the burdens of system upgrades to comply 
with the prohibition on re-disclosure.
    Finally, SAMHSA works closely with its federal colleagues to 
improve the integration of substance use disorder treatment providers 
and their data. Although the part 2 authorizing statute does not give 
SAMHSA authority to mandate data segmentation, as noted above, DS4P was 
included in the ONC 2015 Edition Health IT Certification Criteria (2015 
Edition). SAMHSA has also supported the development of the application 
branded Consent2Share, an open-source health IT solution based on DS4P 
which assists in consent management and data segmentation and will 
continue to work to improve the granularity of how the DS4P standard 
operates.

[[Page 6092]]

5. Requests for Clarification of the Re-Disclosure Prohibition
Public Comments
    Commenters requested clarification on various aspects of the re-
disclosure prohibition. Some commenters asked for clarification on what 
records were subject to the re-disclosure prohibition (e.g., the actual 
record, or the part 2-compliant record that is now incorporated into 
the physician's notes at the receiving institution). The commenters 
requested examples of how data may, or may not, be disclosed after 
lawful receipt of part 2 data.
    A commenter suggested that SAMHSA confirm that only records that 
originated at a part 2 program are subject to the prohibition on re-
disclosure.
SAMHSA Response
    Once patient identifying information has been initially disclosed 
(with or without patient consent), no re-disclosure is permitted 
without the patient's express consent to re-disclose or unless 
otherwise permitted by the part 2 statute or regulations. Only 
disclosure of patient identifying information made with the patient's 
written consent must be accompanied by a written notice regarding the 
part 2 prohibition on re-disclosure. Although there is no requirement 
to provide such written notice to individuals and entities who receive 
information through other means under the part 2 program, all lawful 
holders must comply with the part 2 program requirements, including, 
but not limited to the limitations on re-disclosure.
    Regarding requested confirmation that only records originated at a 
part 2 program are subject to the prohibition on re-disclosure, SAMHSA 
clarifies that individuals and entities that are not covered by part 2 
that possess substance use disorder data that did not originate in a 
part 2-covered provider are not subject to the part 2 program 
requirements. However, if those individuals and entities received that 
information that is subject to part 2 via patient consent (with or 
without the notice of prohibition on re-disclosure) or through any 
other means under the part 2 program (i.e., through means that made 
them a lawful holder), they would be required to comply with part 2.
Public Comments
    Several commenters asked for clarification with regard to 
disclosing prescription medications. A few commenters asked whether 
prescription medications could be disclosed without consent if the 
prescriber states that the prescription is not for substance use 
disorder treatment. Another commenter asked what the requirements were 
for medications that are used ``off label'' to treat substance use 
disorder and medications that treat withdrawal. A commenter asked for 
clarification on whether providers in part 2 programs, who do not 
reveal their part 2 program affiliation, would be prohibited from 
disclosing information about substance use disorder prescriptions that 
are also prescribed for non-substance use disorder purposes, unless the 
patient has consented to the disclosure.
SAMHSA Response
    SAMHSA agrees that part 2 would permit the disclosure of 
information without patient consent relative to a medication that is 
used for both substance use disorder and non-substance use disorder 
purposes, even when it is being prescribed for the purpose of substance 
use disorder treatment. In disclosing the information, both the 
provider and the data provenance must not identify the provider as 
being affiliated with a part 2 program or prescribing the substance use 
disorder medication for substance use disorder treatment.
Public Comments
    Regarding the prohibition on re-disclosure, a commenter requested 
that SAMHSA provide clarification on what impact a court order has on 
sharing information otherwise deemed confidential under the part 2 
regulations.
SAMHSA Response
    SAMHSA has previously stated in FAQ guidance concerning re-
disclosures that when information is disclosed pursuant to an 
authorizing court order, part 2 requires that steps be taken to protect 
patient confidentiality. In a civil case, part 2 requires that the 
court order authorizing a disclosure include measures necessary to 
limit disclosure for the patient's protection, which could include 
sealing from public scrutiny the record of any proceeding for which 
disclosure of a patient's record has been ordered [42 CFR 2.64(e)(3)]. 
In a criminal case, such order must limit disclosure to those law 
enforcement and prosecutorial officials who are responsible for or are 
conducting the investigation or prosecution, and must limit their use 
of the record to cases involving extremely serious crimes or suspected 
crimes [42 CRF Sec.  2.65(e)(2)].
Public Comments
    A commenter asked how a mixed-use mental health and substance use 
treatment facility should handle re-disclosure and how SBIRT would be 
addressed under this section.
SAMHSA Response
    Only the substance use disorder information is covered by part 2. 
The mental health information is not. The prohibition on re-disclosure 
only applies to information that would identify, directly or 
indirectly, an individual as having been diagnosed, treated, or 
referred for treatment for a substance use disorder, such as indicated 
through standard medical codes, descriptive language, or both, and 
allows other health-related information shared by the part 2 program to 
be re-disclosed, if permissible under other applicable laws.
6. Recommendations To Improve the Prohibition on Re-Disclosure
Public Comments
    Several commenters recommended exclusions to the prohibition on re-
disclosure of substance use disorder patient data. A commenter said 
patients should be able to consent to the disclosure of substance use 
disorder information to a covered entity and such information would be 
protected by HIPAA, but would be free from the re-disclosure 
prohibition. Some commenters said SAMHSA should permit re-disclosure of 
substance use disorder treatment information for the purpose of 
treatment and/or care coordination. Another commenter suggested an 
exemption for providers within a given PDMP, CCO, ACO or HIE, for the 
purposes of treatment, payment, or health care operations. A commenter 
said SAMHSA should allow re-disclosures without patient consent for 
public health purposes to prevent disease or control injury or 
disability. Lastly, a commenter said SAMHSA should add a category under 
subpart D ``Disclosures without Patient Consent'' to include state 
health data organizations that collect data under a legislative 
authority.
SAMHSA Response
    Due to its targeted population, part 2 provides more stringent 
federal protections than most other health privacy laws, including 
HIPAA. In light of the statute, SAMHSA declines to create the specific 
suggested exclusions from the use and disclosure restrictions. SAMHSA 
will specifically address disclosures to subcontractors and contractors 
for health care purposes in the SNRPM.

[[Page 6093]]

Public Comments
    Commenters requested that SAMHSA provide guidance in several areas, 
including the type of permissible information that can be disclosed; 
applicability to co-occurring disorders; and applicability to multi-use 
organizations. A commenter said SAMHSA should publish the medical codes 
(e.g., ICD-10s) that are affected by this provision.
SAMHSA Response
    As for the type of permissible information that can be disclosed, 
the proposed clarifications to Sec.  2.32 clarify that the prohibition 
on re-disclosure only applies to information that would identify, 
directly or indirectly, an individual as having been diagnosed, 
treated, or referred for treatment for a substance use disorder, such 
as indicated through standard medical codes, descriptive language, or 
both, and allows other health-related information shared by the part 2 
program to be re-disclosed, if permissible under other applicable laws.
    Regarding the re-disclosure of information related to co-occurring 
disorders, only the substance use disorder information is covered by 
part 2. The mental health information in a patient record is not. 
However, part 2 programs must ensure adequate confidentiality 
protections for mental health patient data that are applicable based on 
any relevant federal or state law.
Public Comments
    Commenters proposed many other recommendations to improve the re-
disclosure provision. One commenter said the rule should specify the 
consequences part 2 providers will face if they violate the proposed 
rule's prohibition on re-disclosure. A commenter said non-part 2 
programs that prescribe substance use disorder medication should not be 
forbidden from disclosing such prescriptions, nor required to state the 
purpose of the medication. A commenter said the rule should continue to 
prohibit information being shared with law enforcement for criminal 
prosecution. A commenter said SAMHSA should include an updated sample 
Notice of Prohibition of Re-disclosure in the final rule. One commenter 
said patients should have the ability to remove their substance use 
disorder history from their medical record after ten years. A commenter 
said SAMHSA should rescind the proposed prohibition on re-disclosure 
relative to general designations and advocate for the medical community 
to do more within their industry to recognize and provide appropriate, 
comprehensive care for those living with substance use disorders.
SAMHSA Response
    Regarding the consequences for violation of the re-disclosure 
prohibition, each disclosure made with the patient's written consent 
must be accompanied by the notice of prohibition on re-disclosure. 
Under 42 U.S.C. 290dd-2 (f), any person who violates any provision of 
this section or any regulation issued pursuant to this section shall be 
fined in accordance with Title 18.
    Regarding the comment on non-part 2 prescribers, prescribers that 
are not covered by part 2 are not prohibited from disclosing such 
prescriptions nor required to specify the purpose of such 
prescriptions.
    On prohibition of information being shared with law enforcement for 
criminal prosecution, this prohibition remains in effect. Specifically, 
SAMHSA has clarified Sec.  2.32(a) to state ``[t]he federal rules 
restrict any use of the information to criminally investigate or 
prosecute any patient with a substance use disorder, except as provided 
at Sec. Sec.  2.12(c)(5) and 2.65.''
Public Comments
    A commenter stated that individuals or entities who are not part 2 
programs may not be familiar with the specific consent requirements of 
part 2, so the next-to-last sentence of Sec.  2.32 should include a 
citation to Sec.  2.31.
SAMHSA Response
    SAMHSA appreciates the suggestion and has revised Sec.  2.32 to add 
a reference to the Sec.  2.31 to the penultimate sentence in paragraph 
(a).

L. Disclosures to Prevent Multiple Enrollments (Sec.  2.34)

    SAMHSA is adopting this section as proposed. SAMHSA has modernized 
Sec.  2.34 by updating terminology and revising corresponding 
definitions. SAMHSA also consolidated definitions by moving definitions 
from this section to the part 2 definitions provision (Sec.  2.11), as 
discussed in Section III.D.
Public Comments
    A few commenters supported disclosures to prevent multiple 
enrollments. Some urged the proposed regulations to go further and 
specifically allow registries in the form of HIEs or PDMPs to share 
controlled substance prescriptions in the same manner that it would 
allow withdrawal management or maintenance treatment programs. The aim 
would be to prevent multiple prescribing of prescription drugs that can 
be abused. Other commenters argued that the registry should be 
available to check enrollment beyond 200 miles. Asserting that the 
requirement to list every site that may be contacted in the consent 
document is an unusual burden, one of these commenters suggested that 
the concern can be better addressed by indicating ``any licensed 
treatment center within the state when a patient presents for 
treatment.'' One commenter requested clarification as to what type of 
``central registry'' is being considered for disclosure of patient 
records. Another suggested language that allows for multiple payments 
to providers in situations where clients are enrolled in multiple 
programs and where programs may be obtaining multiple payments for 
multiple services.
SAMHSA Response:
    Central registries, defined as ``an organization that obtains from 
two or more member programs patient identifying information about 
individuals applying for withdrawal management or maintenance treatment 
for the purpose of avoiding an individual's concurrent enrollment in 
more than one treatment program,'' serve a different purpose than HIEs 
or PDMPs. According to the Centers for Disease Control and Prevention, 
PDMPs are state-run electronic databases used to track the prescribing 
and dispensing of controlled prescription drugs to patients. They are 
designed, in part, to monitor this information for suspected abuse or 
diversion (i.e., channeling drugs into illegal use), and can give a 
prescriber or pharmacist critical information regarding a patient's 
controlled substance prescription history. Although PDMPs may serve 
many valuable purposes, SAMHSA decided not to address issues pertaining 
to e-prescribing and PDMPs in the final rule because, as stated in the 
NPRM, they were not ripe for rulemaking at the time due to the state of 
technology and because the majority of part 2 programs are not 
prescribing controlled substances electronically.
    Under Sec.  2.34(a)(3)(ii), the consent may authorize a disclosure 
to any withdrawal management or maintenance treatment program 
established within 200 miles of the program after the consent is given 
without naming any such program. Regarding comments on the 200-mile 
limit, SAMHSA declines to make any changes to the 200-mile limit 
because it is unlikely that a patient would be

[[Page 6094]]

enrolled in multiple programs greater than 200 miles from each other. 
The regulations do not confine the 200-mile limit to within a state.
    As for the request to allow a consent for disclosure to ``any 
licensed treatment center within the state where a patient presents for 
treatment,'' SAMHSA has concluded that the proposed specificity is 
needed. Section 2.34 requires that the consent must list the name and 
address of each central registry and each known withdrawal management 
or maintenance treatment program to which a disclosure will be made. 
This specificity was retained because the purpose of the section is to 
prevent multiple enrollments that would result in a patient receiving 
substance use disorder treatment medication from more than one 
provider, thereby increasing the likelihood for an adverse event or 
diversion.
    Regarding the request to allow for multiple payments to providers 
in situations where clients are enrolled in multiple programs and where 
programs may be obtaining multiple payments for multiple services, 
SAMHSA has determined that this request it outside of the scope of the 
proposed part 2 changes in the NPRM.

M. Medical Emergencies (Sec.  2.51)

    SAMHSA is adopting this section as proposed. SAMHSA has revised the 
medical emergency exception to give providers more discretion to 
determine when a ``bona fide medical emergency'' (42 U.S.C. 290dd-
2(b)(2)(A)) exists. The revised language states that patient 
identifying information may be disclosed to medical personnel to the 
extent necessary to meet a bona fide medical emergency in which the 
patient's prior informed consent cannot be obtained. SAMHSA continues 
to require the part 2 program to immediately document, in writing, 
specific information related to the medical emergency.
1. General
Public Comments
    Many commenters expressed support for the proposed change in 
language of the medical emergency exception to provide medical 
personnel with increased discretion to determine a ``bona fide medical 
emergency.'' Some commenters expressly supported aligning the 
regulatory language with the statutory language for medical 
emergencies. A commenter supported the special rule that would allow 
the disclosure of patient identifying information to medical personnel 
at the FDA who provide reason to believe that the health of any 
individual may be threatened by a product under the FDA's jurisdiction 
and that the information used solely for notifying the patient or their 
physicians of the potential dangers.
    However, several commenters warned that part 2 programs should not 
be expected to assume the unrealistic burden of liability for a HIE's 
capability to comply with all part 2 requirements. Another commenter 
argued the current medical emergency exception is clear under current 
(1987) law and providers are already making the determination as to 
what constitutes an emergency.
SAMHSA Response
    SAMHSA appreciates the support of commenters on this issue. With 
regard to the comment about the burden of liability, SAMHSA asserts 
that the treating provider must make the determination as to whether a 
bona fide medical emergency exists. However, concern alone about 
potential drug interaction may not be sufficient to meet the standard 
of a medical emergency. Thus, based on the circumstances of the 
presenting situation, SAMHSA recommends that health care providers 
obtain consent from the patient where feasible.
2. Definition of ``Bona Fide Medical Emergency''
Public Comments
    Commenters provided various suggestions for expanding the 
definition to include disclosure of records for mental health 
involuntary commitment evaluations and other psychiatric emergencies; 
to detoxification centers; when there is ``risk of serious harm'' to 
self or others by reason of an substance use disorder; in order to save 
a life or prevent further injury of a person who is not able to make a 
rational decision due to mental impairment; and to prevent suicide. 
Several commenters asserted the revisions should include an exception 
for disclosure without consent in order to prevent medical emergencies 
from occurring in the first place. Other commenters suggested not 
limiting this section to only medical emergencies, but allowing 
disclosures for treatment, payment, and operation purposes. A few 
commenters supported adding a duty to warn exception where a substance 
use disorder patient discloses intent, plan, or means to inflict harm 
onto another individual or the public.
SAMHSA Response
    On the request to expand the definition, while the statute 
authorizes an exception for a bona fide medical emergency, broadening 
this provision to include non-emergency situations would be 
inconsistent with the statutory scheme. With respect to warnings, part 
2 does not impose a duty to warn--or a duty to disclose any 
information. It only governs when disclosures may be made, not when 
they must be made. SAMHSA has previously provided FAQ guidance on when 
a part 2 program may make a disclosure without divulging patient 
identifying information. SAMHSA will monitor this issue and may 
consider whether additional subregulatory guidance in the future may be 
helpful.
    Regarding involuntary commitment, patient identifying information 
may be disclosed to medical personnel to the extent necessary to meet a 
bona fide medical emergency in which the patient's prior informed 
consent cannot be obtained. This may include situations in which the 
patient is not regarded as being legally competent under the laws of 
their jurisdiction. Such circumstances may apply when a patient is 
subject to an involuntary commitment (i.e., formally committed for 
behavioral health treatment by a court, board, commission, or other 
lawful authority). Consistent with Sec.  2.51, during the period of 
time a patient is not regarded as being legally competent, any 
previously established, unrevoked, or unmodified general designation 
remains valid for their current treating providers until such time as 
the individual's competency is restored. The treating provider(s) 
would, in such circumstances, be expected to follow provisions of this 
rule pursuant to medical emergencies, including all documentation 
requirements. Importantly, at any time when a patient is legally 
competent, they may modify their general designation consistent with 
the provisions of this final rule.
Public Comments
    Other commenters suggested restrictions on the definition of ``bona 
fide medical emergency'' or other limitations to the medical emergency 
exception. Several recommended that the final rule explicitly state 
that the medical emergency exception continues to be limited to 
circumstances in which an individual needs immediate medical care and 
the patient's consent cannot be obtained. The medical emergency 
exception does not apply to situations where the patient could but will 
not consent, since the exception should not be used to avoid obtaining 
consent. A commenter urged that a ``bona fide medical emergency'' be 
limited to circumstances in which an individual

[[Page 6095]]

needs immediate medical care because of an immediate (not future) 
threat to a person's health.
    A commenter asserted that it be specified that a ``medical 
emergency'' is determined by the treating provider.
    A commenter asserted that the information disclosed in a ``bona 
fide medical emergency'' should be more clearly limited and the rule 
should require the provider to affirmatively share the required 
documentation of the disclosure with the patient.
    A commenter stated that part 2 information disclosed in a medical 
emergency should not be re-disclosed for criminal investigation or 
prosecution.
    A few commenters advocated for emergency care providers to be 
permitted to access only limited part 2 information available through a 
HIE.
SAMHSA Response
    On situations in which the patient could but will not consent, 
SAMHSA has not revised the regulatory language, but agrees that 
``patient consent could not be obtained'' refers to the fact that the 
patient was incapable of providing consent, not that the patient 
refused consent.
    With regard to the request that a ``medical emergency'' be 
determined by the treating provider, SAMHSA clarifies that any health 
care provider who is treating the patient for a medical emergency can 
make that determination.
    On limiting the information disclosed, Sec.  2.13(a) of the rule 
indicates that the amount of information to be disclosed ``must be 
limited to that information which is necessary to carry out the purpose 
of the disclosure.''
    With regard to the comment on re-disclosure, SAMHSA will address 
re-disclosure of part 2 information obtained during a medical emergency 
in subregulatory guidance rather than in the rule, as it has in the 
past.
Public Comments
    Several commenters asserted that automated or pre-determinations 
for medical emergencies should be allowed. A commenter suggested that 
pre-defining the criteria for medical emergency would enable HIEs to 
automate the decisions about whether a patient visit is a medical 
emergency. The commenter said such criteria could be defined by each 
individual hospital or could be based on national standards. Another 
commenter argued that Level of Care Utilization System (LOCUS) scores 
and the ASAM levels could be used as clinical standards for determining 
``bona fide emergency'' situations where behavioral health information 
should be more broadly shared.
SAMHSA Response
    Automated electronic health information systems can be programmed 
to flag specific patient information for medical personnel to use in 
determining whether a bona fide medical emergency exists and may be 
programmed to provide alerts to authorized providers. However, as 
SAMHSA has explained in previous FAQ guidance, one may not automate the 
determination of a medical emergency.
Public Comments
    Many commenters requested examples of emergency situations in order 
to minimize confusion among providers and organizations as to the 
circumstances under which medical emergencies would be valid. Many of 
these commenters provided their own instances requesting clarification 
if disclosure would be necessary.
SAMHSA Response
    SAMHSA plans to provide the requested examples in subregulatory 
guidance after the publication of this final rule.
3. Documentation of Medical Emergency
Public Comments
    Many commenters argued for removal of the requirement that a part 2 
program immediately document a disclosure pursuant to a medical 
emergency. A commenter stated that SAMHSA should simplify the existing 
onerous documentation requirements that impede vital sharing of 
information. Another commenter suggested part 2 programs should rely on 
other functionalities that retain disclosure and specific information 
related to the medical emergency, such as audit reports.
    A commenter suggested the language be modified to allow the part 2 
program to document the disclosure ``promptly'' rather than 
``immediately.''
    Other commenters suggested eliminating the requirement to provide 
``the name of the medical personnel to whom disclosure was made.''
    Another commenter asserted that the rule should allow an HIE to 
maintain documentation of disclosures for the part 2 program and 
provide ongoing access to such information.
    A commenter suggested that a ``list of the information disclosed'' 
be added to the list of information that must be entered into the 
patient record at the time of the emergency disclosure.
SAMHSA Response
    SAMHSA is not convinced of the benefit of replacing ``immediately'' 
with ``promptly,'' particularly since neither term is defined in the 
final rule. With regard to the suggestion to eliminate the requirement 
to provide ``the name of the medical personnel to whom disclosure was 
made,'' the current (1987) part 2 regulations (as well as the 
regulatory language in the NPRM) require part 2 programs to document 
the name of the medical personnel to whom disclosure was made and their 
affiliation with any health care facility because it is important for 
that information to be available to the part 2 program and the patient.
4. Other Comments on Medical Emergencies
Public Comments
    Some commenters suggested that SAMHSA expand who is authorized to 
access emergency records. Some commenters requested the definition of 
``medical personnel'' include any professional who provides health-
related services, including behavioral health services, rather than 
being limited to medical doctors, nurses, and emergency medical 
technicians. Other commenters suggested the language be changed so that 
``non-medical personnel'' who are currently working with clients in an 
emergency situation have access to the patient emergency record. A 
commenter argued that substance use disorder patients commonly face 
medical emergencies and therefore it is prudent for an emergency 
department be named or identified under the ``general disclosure'' 
provision.
SAMHSA Response
    Part 2 allows patient identifying information to be disclosed to 
medical personnel in a medical emergency. Part 2 does not define the 
term ``medical personnel'' but merely provides that information can be 
given to medical personnel who have a need for information about a 
patient in a bona fide medical emergency. It is up to the health care 
provider or facility treating the emergency to determine the existence 
of a medical emergency and which personnel are needed to address the 
medical emergency. The name of the medical personnel to whom the 
disclosure was made, their affiliation with any health care facility, 
the name of the individual making the disclosure, the date and time of 
the disclosure, and the nature of the medical emergency must be 
documented in the patient's records by the part 2 program disclosing

[[Page 6096]]

the information. SAMHSA does not have the authority to permit 
information to be disclosed to ``non-medical personnel'' pursuant to a 
medical emergency because the authorizing statute for the regulations 
codified at 42 CFR part 2 limits disclosures to ``medical personnel.''
    With regard to identifying emergency departments under the 
``general disclosure'' provision, the medical emergency exception 
requires that a provider determine that a bona fide medical emergency 
exists and that a patient's visit to an emergency room does not 
automatically constitute such an emergency. SAMHSA reiterates that 
there is a difference between refusal to consent and being incapable of 
consenting to disclosure.
Public Comments
    Commenters requested clarification on which entity, the receiving 
emergency department or HIE, would be obligated to maintain part 2-
compliance with information received through a declared patient 
emergency. A commenter argued the rule should state that a hospital 
emergency room or other health care provider that obtains program 
information under the medical emergency exception would not be subject 
to part 2 rules with respect to such program information.
SAMHSA Response
    Part 2 requires that when a disclosure is made in connection with a 
medical emergency, the part 2 program must document in the patient's 
record the name and affiliation of the recipient of the information, 
the name of the individual making the disclosure, the date and time of 
the disclosure, and the nature of the emergency. Thus, data systems 
must be designed to ensure that the part 2 program is notified when a 
``break the glass'' disclosure occurs and part 2 records are released 
pursuant to a medical emergency. The notification must include all the 
information that the part 2 program is required to document in the 
patient's records. The information about emergency disclosures should 
also be kept in the HIE's electronic system. Regarding the requests for 
clarification on part 2 applicability to information disclosed pursuant 
to a medical emergency, SAMHSA understands the importance of these 
questions. However, because these issues are not related to specific 
proposals made in the NPRM, SAMHSA plans to address them in 
subregulatory guidance after the publication of the final rule.
Public Comments
    A commenter warned that emergency disclosures for requesting of 
part 2 records can occur by means other than solely through an HIE.
SAMHSA Response
    The EHR is the vehicle for the disclosure of the part 2 record but 
not the decision-maker. The name of the person who makes the 
determination to disclose and discloses the information electronically 
through an EHR system should be recorded. SAMHSA clarifies that the 
example used of an HIE was not meant to be exhaustive to include all 
potential sources of disclosures.

N. Research (Sec.  2.52)

    SAMHSA is modifying this section from the regulatory text proposed, 
as described in detail below. SAMHSA is implementing several changes to 
the research provision. First, we have revised the section heading by 
deleting the word ``activities.'' In addition, SAMHSA has revised the 
research exception to permit data protected by 42 CFR part 2 to be 
disclosed by any individual or entity that is in lawful possession of 
part 2 data (lawful holder of part 2 data) under certain conditions.
    SAMHSA also addressed data linkages because the process of linking 
two or more streams of data opens up new research opportunities and 
potential risks. In the NPRM, SAMHSA proposed to permit researchers to 
request to link data sets that include patient identifying information 
if (1) the data linkage uses data from a federal data repository, and 
(2) the project, including a data protection plan, is reviewed and 
approved by an Institutional Review Board (IRB) registered with the 
Office for Human Research Protections (OHRP) in accordance with 45 CFR 
part 46. SAMHSA requested comments in the NPRM on whether to expand the 
data linkages provision beyond federal data repositories. After 
considering the public comments received on this topic, as discussed in 
greater detail below, SAMHSA has revised the data linkages provision to 
permit researchers to link to federal and non-federal data repositories 
provided certain conditions are met.
    The revised Sec.  2.52 permits a researcher to include part 2 data 
in reports only in aggregate form. SAMHSA clarified in this final rule 
that, with respect to these types of reports, the patient identifying 
information has been rendered non-identifiable such that the 
information cannot be re-identified and serve as an unauthorized means 
to identify a patient, directly or indirectly as having or having had a 
substance use disorder. SAMHSA requires any individual or entity 
conducting scientific research using patient identifying information to 
meet additional requirements to ensure compliance with confidentiality 
provisions under part 2. Note that de-identified information can be 
shared for the purposes of research; this was the status quo under the 
previous part 2 regulations, and this final rule does not change that.
    Finally, Sec.  2.52 addresses, in addition to the maintenance of 
part 2 data, the retention and disposal of such information used in 
research. SAMHSA expanded the provisions in Sec.  2.16 (Security for 
records) and references the policies and procedures established under 
Sec.  2.16 in revised Sec.  2.52. The NPRM language in (a)(1) only 
referenced ``the HIPAA privacy rule at 45 CFR 164.512(i)'' while the 
final rule regulatory language in (a)(1) now says: ``consistent with 
the HIPAA Privacy Rule at 45 CFR 164.508 or 164.512(i), as 
applicable''.
1. General
Public Comments
    Many commenters expressed support for revising the research 
exception to permit data protected by part 2 to be disclosed to 
qualified personnel for the purpose of conducting scientific research 
by a part 2 program or any other individual or entity that is in lawful 
possession of part 2 data (lawful holder of part 2 data). Many 
commenters expressed general support for expanding the circumstances in 
which research may be conducted with part 2 data. Many commenters 
supported disclosure of data from other lawful holders of substance use 
disorder records with researchers. Commenters supported the prevention 
of data scrubbing of records and other data suppression related to 
substance use disorders. Some commenters specified support to stop 
``suppression'' of Medicare and Medicaid data from any records 
associated with substance use disorder.
SAMHSA Response
    SAMHSA's revisions to the research provision address these concerns 
regarding access to substance use disorder information from CMS claims/
encounter data disclosed for research purposes. First, the research 
provision permits part 2 programs and other lawful holders of patient 
identifying information (not just part 2 program directors) to disclose 
data protected by

[[Page 6097]]

42 CFR part 2 to qualified personnel for the purpose of conducting 
scientific research if the researcher provides documentation of meeting 
certain requirements related to other existing protections for human 
research. Second, SAMHSA also addressed data linkages to enable 
researchers holding part 2 data to link to data sets from federal and 
non-federal data repositories provided certain conditions are met as 
spelled out in section 2.52.
Public Comments
    Another commenter supported the use of data use agreements for all 
research transfers of part 2 information and requested the proposed 
regulation provide examples of these agreements. A commenter stated 
that the agency should allow research of additional administrative data 
sets such as those held by HIEs, ACOs, state Medicaid agencies, 
commercial insurance companies, and Medicare Advantage plans with 
appropriate IRB reviews.
SAMHSA Response
    Although not required by Sec.  2.52, the regulation would permit 
any lawful holder of patient identifying information to require a 
researcher sign a data use agreement spelling out these requirements.
    SAMHSA is adopting its proposal regarding the research exception to 
permit data protected by 42 CFR part 2 to be disclosed to qualified 
personnel for the purpose of conducting scientific research by a part 2 
program or any other individual or entity that is in lawful possession 
of part 2 data if the researcher provides documentation of meeting 
certain requirements related to other existing protections for human 
research. If an entity meets the requirements of an ``other lawful 
holder of patient identifying information,'' as described in the 
preamble of this final rule, the entity would be authorized to disclose 
part 2 data for research purposes in accordance with Sec.  2.52.
Public Comments
    Another commenter asked a series of questions related to the 
release of data by lawful holders that are not part 2 programs (e.g., 
HIEs). The commenter asked how these HIEs, third-party payers, etc., 
will be able to determine that a researcher will maintain the 
confidential patient identifying information in accordance with the 
security requirements set out in Sec.  2.52(a)(2); how will the 
``lawful holders'' be able to assess whether the potential benefits of 
the research outweighs any risks to confidentiality as required by 
Sec.  2.52(a)(3); and what individual at these various ``lawful 
holders'' will be the equivalent of a part 2 program director and have 
the authority to make these decisions. The commenter stated that it is 
almost certain that these ``lawful holders'' will not sufficiently know 
the confidentiality regulations so as to ensure the researchers are 
aware of, and will comply with the prohibition against re-disclosure 
specified in Sec.  2.52(b).
SAMHSA Response
    SAMHSA examined the existing regulations that protect human 
subjects in research and concluded that, if those requirements were 
fulfilled, 42 CFR part 2 would ensure confidentiality protections 
consistent with the statute, while providing the expanded authority for 
disclosing patient identifying information. Requirements that ensure 
compliance with HIPAA and the Common Rule (e.g., IRB and/or privacy 
board review) with respect to research provide these assurances, 
including that the researcher has a plan to protect and destroy 
identifiers and to not re-disclose the information in an unauthorized 
manner. The individual who would make the determination to disclose 
part 2 data on behalf of a part 2 program or other lawful holder would 
be the individual designated as director or managing director, or 
individual otherwise vested with authority to act as chief executive 
officer or their designee. In addition, there is nothing in the 
regulation that requires this individual to disclose the data, even if 
the researcher provides documentation of compliance with the 
requirements under Sec.  2.52.
Public Comments
    A commenter stated that the proposed rule adopted an overly narrow 
approach to disclosures for scientific research, by limiting part 2 
disclosures only to entities or individuals subject to the HIPAA 
Privacy Rule or the HHS Common Rule. The commenter stated that because 
the commenter is not a HIPAA covered entity or business associate under 
HIPAA, and is not currently subject to the Common Rule, the commenter 
does not appear to meet the conditions required for disclosure for 
scientific research. The commenter stated that limiting disclosures for 
research purposes only to entities or individuals subject to the HIPAA 
Privacy Rule and/or Common Rule is inconsistent with the language and 
intent of the governing statute, which broadly authorizes disclosures 
to qualified personnel for the purposes of conducting scientific 
research.'' (42 U.S.C. 290dd-2(b)(2)(B)). The commenter urged SAMHSA to 
interpret research broadly to include state analytic activities to 
identify patterns and variations in the cost, quality and delivery of 
health care, similar to the approach adopted by CMS for the release of 
CMS claims/encounter data to state agencies.
SAMHSA Response
    The revised research exception will now permit data protected by 42 
CFR part 2 to be disclosed for research purposes by part 2 programs and 
other lawful holders of patient identifying information not just by 
part 2 program directors as the 1987 final rule regulations require. 
Because SAMHSA is expanding the authority for disclosing patient 
identifying information beyond part 2 program directors, it was 
necessary to establish a mechanism to ensure that confidentiality 
protections consistent with the statute were fulfilled in all cases. 
SAMHSA determined that the existing regulations that protect human 
subjects in research would accomplish this, and, therefore, decided to 
limit the permitted disclosures for research purposes under part 2 to 
instances in which the researchers would meet the requirements 
governing their receipt of protected health information from a covered 
entity under the HIPAA privacy rule and/or the requirements governing 
research on human subjects under the HHS Common Rule. Under this 
expanded authority, the HIPAA standards would be applied as a test 
regardless of whether the data source for the disclosure was a HIPAA 
covered entity.
    Under 42 CFR part 2, the research provision provides clear policies 
on conducting research and protecting the confidentiality of patient 
identifying information, including their obligations to comply with 
requirements under 42 CFR 2.16, Security for Records.
Public Comments
    A commenter stated that SAMHSA, in coordination with state 
regulators, should work together to issue guidance related to the 
application of the federal part 2 requirements to substance use 
disorder information that may be requested by states for public health 
and other purposes.
SAMHSA Response
    The statute authorizing part 2 contains specific limited exceptions 
to the consent requirement, and making a change to exempt states from 
this requirement, under certain conditions, would be inconsistent with 
the statutory scheme.

[[Page 6098]]

Public Comments
    One commenter stated that the expansion of the disclosure of 
patient identifying information should be limited to CMS and/or state 
governmental agencies that have authority over substance use disorder 
treatment services. The commenter stated that an unintended consequence 
of implementing the potential of wide-spread disclosure of previously 
protected information is that the protections the confidentiality 
regulations afforded patients will be eviscerated as essentially all 
the recipients of protected information, for the last 40 years will no 
longer be bound by the prohibition of re-disclosure, subjecting the 
patient's information to re-disclosure, without the patient's consent, 
to any individual or entity representing that they are conducting 
scientific research. The commenter argued that SAMHSA should limit the 
number of entities who can release patient identifying information to 
those who actually have the resources to verify that such disclosure to 
a researcher is for a valid research purpose; can ensure proper 
research protections are in place; and affirm the patient will not be 
more vulnerable as a result of the disclosure. The vast majority of 
lawful holders cannot adequately perform this analysis and therefore 
cannot protect the patient's interest as required under the part 2 
regulations.
SAMHSA Response
    SAMHSA declines to narrow the scope of the research provision as 
suggested. In developing the proposed rule, SAMHSA examined the 
existing regulations that protect human subjects in research and 
concluded that, if those requirements were fulfilled, 42 CFR part 2 
would ensure confidentiality protections consistent with the statute, 
while providing the expanded authority for disclosing patient 
identifying information. Specifically, IRBs determine that, when 
appropriate, there are adequate provisions to protect the privacy of 
subjects and to maintain the confidentiality of data before approving 
the research (45 CFR 46.111(a)(7)). SAMHSA is interested in affording 
patients protected by 42 CFR part 2 the same opportunity to benefit 
from advanced research protocols while continuing to safeguard their 
privacy, and narrowing the scope of lawful holders that may disclose 
part 2 data for research purposes, as suggested by the commenter would 
limit the ability of patients to benefit from these research efforts.
Public Comments
    Other commenters expressed concern about the expanded research 
exception. A commenter stated that the proposed provision would create 
a wide opportunity for data sharing with increased risk of adverse 
impact. Similarly, a commenter warned that the research exception 
revision poses unnecessary risk of data breach of patient's 
confidentiality.
    SAMHSA received a large number of comments, particularly from 
researchers, expressing support for the revised research provision. 
These commenters expressed concern that, without this revised 
provision, researchers' access to substance use disorder-related data 
in Medicare and Medicaid claims/encounter databases would be limited to 
instances in which consent could be obtained. A number of commenters 
cited a study by K. Rough et al. published in the March 15, 2016, issue 
of the Journal of the American Medical Association that found the 
exclusion of part 2 data from Medicare and Medicaid claims/encounter 
data in research contexts coincided with decreases in the rates of 
diagnoses for certain conditions commonly co-occurring with substance 
use disorder. Commenters reiterated a point made in the article that 
underestimating diagnoses has the potential to bias health services 
research studies and epidemiological analyses. Some commenters also 
stated that implementing appropriate data safeguards can protect 
patient privacy while still allowing researchers access to critical 
data.
SAMHSA Response
    SAMHSA agrees with the commenters' assertions regarding how the 
exclusion of this substance use disorder data hampers vital public 
health research, particularly in light of the growing national opioid 
epidemic and is finalizing the research data access proposal in the 
final rule.
    With respect to concerns about privacy and the expansion of the 
research exception, SAMHSA clarifies that the research exception is 
intended to permit data protected by 42 CFR part 2 to be disclosed to 
qualified personnel for the purpose of conducting scientific research 
by a part 2 program or any other individual or entity that is in lawful 
possession of part 2 data (lawful holder of part 2 data).
    The research provision (Sec.  2.52(b)) already includes a 
requirement that the researcher receiving the part 2 data is fully 
bound by 42 CFR part 2. Although not required by Sec.  2.52, the 
regulation would permit any lawful holder of patient identifying 
information to require a researcher to sign a data use agreement 
spelling out these requirements. Lawful holders of patient identifying 
information may disclose part 2 data without patient consent for 
research purposes only under the specified circumstances under the 
research provision.
Public Comments
    A commenter requested clarification as to whether ``lawful 
holders'' may disclose part 2 data to third parties to conduct research 
or whether the ``lawful holder'' has to conduct the research itself.
    Citing the HIPAA tracking criteria for disclosures outside the 
entity pursuant to a waiver of authorization, another commenter asked 
SAMHSA to clarify what tracking requirements would apply to disclosure 
of part 2 data for purposes of research. This commenter also asked 
SAMHSA to clarify whether disclosure for purposes of research means 
sharing the data with anyone for research purposes or only applies when 
part 2 data is shared with an outside entity.
SAMHSA Response
    The research provision permits part 2 programs and other lawful 
holders of patient identifying information to disclose data protected 
by 42 CFR part 2 to qualified personnel for the purpose of conducting 
scientific research if the researcher provides documentation of meeting 
certain requirements related to other existing protections for human 
research. ``Qualified personnel'' is a statutory term and SAMHSA has 
clarified that this term includes those individuals who meet the 
requirements specified in the research provision to receive part 2 data 
for the purpose of conducting scientific research.
    The proposed rule did not include a tracking requirement for 
information disclosed under the research exception and so we are 
declining to include such a requirement in the final rule.
Public Comments
    Another commenter reasoned that municipalities should be able to 
receive and match patient identifying information and then use the de-
identified data for planning and analysis purposes (e.g., determining 
how many criminal justice-involved defendants have a previous history 
of substance use disorder treatment).
SAMHSA Response
    SAMHSA declines to make the recommended expansion to the research

[[Page 6099]]

provision. SAMHSA is revising the research exception to permit data 
protected by 42 CFR part 2 to be disclosed to qualified personnel for 
the purpose of conducting scientific research by a part 2 program or 
any other individual or entity that is in lawful possession of part 2 
data (lawful holder of part 2 data).''Qualified personnel'' is a 
statutory term and SAMHSA has clarified that this term includes those 
individuals who meet the requirements specified in the research 
provision to receive part 2 data for the purpose of conducting 
scientific research. This term would not preclude researchers from 
conducting such research efforts on behalf of a municipality. However, 
part 2 prohibits researchers from re-disclosing patient identifying 
information except back to the individual or entity from whom that 
patient identifying information was obtained or as permitted under 
Sec.  2.52(c) of this section, and permits researchers to include part 
2 data in reports only in aggregate form in which patient identifying 
information has been rendered non-identifiable such that the 
information cannot be re-identified and serve as an unauthorized means 
to identify a patient, directly or indirectly, as having or having had 
a substance use disorder.
Public Comments
    A commenter expressed support for the strengthened proposed 
research provision whereby patient identifying information may be 
released only after the program director has determined the research 
recipient has obtained appropriate IRB and/or privacy board approval 
and consent. Another commenter asserted that information that is de-
identified and presented in aggregate should be permitted to be more 
readily used in research. The commenter stated that this was another 
area where SAMHSA can promote greater alignment with HIPAA, which 
provides allowances for covered information that is de-identified and 
presented in the aggregate.
SAMHSA Response
    Part 2 only applies to information that would identify a patient as 
having or having had a substance use disorder. The revised research 
provision allows researchers to include part 2 data in reports only in 
aggregate form in which patient identifying information has been 
rendered non-identifiable such that the information cannot be re-
identified and serve as an unauthorized means to identify a patient, 
directly or indirectly, as having or having had a substance use 
disorder. The revised Sec.  2.52 also requires researchers to maintain 
and destroy patient identifying information in accordance with the 
security policies and procedures established under Sec.  2.16. SAMHSA 
aligned policy with HIPAA where possible. However, 42 CFR part 2 and 
its governing statute are separate and distinct from HIPAA, and the 
part 2 regulations use different terminology than used in HIPAA.
Public Comments
    A commenter requested clarification on whether data disclosed to 
qualified personnel under Sec.  2.52 would include ``identifiable 
information.'' For example, this commenter asked why a name would be 
relevant if the data and information would be used for research. 
Another commenter stated that certain patient identifying information 
such as social security numbers should not be included, as it serves no 
purpose to researchers. The commenter stated that this can easily be 
mitigated by data segmentation and consent management, but until then 
the rule should be maintained in that the part 2 program director is 
the only individual authorized to release of information.
SAMHSA Response
    The part 2 data that may be disclosed for research purposes include 
patient identifying information, as that term is defined in Sec.  2.11. 
One reason researchers would need identifiable information is to link 
part 2 data to other data sets, or for conducting data linkages. SAMHSA 
also proposed to address data linkages, which requires identifiable 
information, because the process of linking two or more streams of data 
opens up new research opportunities and potential risks. For example, 
the practice of requesting data linkages from other data sources to 
study the longitudinal effects of treatment is becoming widespread. 
SAMHSA is interested in affording patients protected by 42 CFR part 2 
the same opportunity to benefit from these advanced research protocols 
while continuing to safeguard their privacy. Likewise, SAMHSA revised 
the research provision to enable part 2 data to be disclosed for 
research purposes by part 2 programs and other lawful holders of 
patient identifying information so that patients may benefit from the 
additional scientific research that will be conducted and that will 
facilitate continual quality improvement of part 2 programs and the 
important services they offer. This additional research would not be 
able to be conducted if SAMHSA were to continue to maintain the 
existing part 2 research provision, as suggested.
2. Suggestions for Improvement of the Research Provisions
Public Comments
    Some commenters made suggestions to improve privacy protections as 
it relates to research. A commenter suggested that the research 
provision require a certificate of confidentiality as a prerequisite to 
researcher access to part 2 information.
SAMHSA Response
    The research provision (Sec.  2.52(b)) already includes a 
requirement that the researcher receiving the part 2 data is fully 
bound by 42 CFR part 2. Although not required by Sec.  2.52, the 
regulation would permit any lawful holder of patient identifying 
information to require a researcher sign a data use agreement spelling 
out these requirements.
    According to NIH, certificates of confidentiality do not take the 
place of good data security or clear policies and procedures for data 
protection, which are essential to the protection of research 
participants' privacy. Under 42 CFR part 2, the research provision 
provides clear policies on conducting research and protecting the 
confidentiality of patient identifying information, including their 
obligations to comply with requirements under 42 CFR 2.16, Security for 
Records.
Public Comments
    A commenter concluded that the number of entities who could release 
patient identifying information should be limited to those who have the 
resources to verify the research is valid and the patient will not 
become more vulnerable as result of disclosure. A commenter suggested 
that strict policies be in place at all levels of research 
organizations to assure that prohibited re-disclosure of patient 
information does not occur. A commenter asserted that aligning part 2's 
requirements for a valid written consent with those applicable under 
the HIPAA Privacy Rule would avoid confusion. One commenter suggested 
that the filing of conflict of interest statements by the primary 
investigators and co-investigators be required. A commenter suggested a 
change in language to clarify that researchers will resist any judicial 
demand for access to patient records, except as permitted by these 
regulations.
SAMHSA Response
    SAMHSA examined the existing regulations that protect human 
subjects in research and concluded that, if those requirements were 
fulfilled, 42 CFR part

[[Page 6100]]

2 would ensure confidentiality protections consistent with the statute, 
while providing the expanded authority for disclosing patient 
identifying information. Requirements that ensure compliance with HIPAA 
and the Common Rule (e.g., IRB and/or privacy board review) with 
respect to research provide these assurances, including that the 
researcher has a plan to protect and destroy identifiers and to not re-
disclose the information in an unauthorized manner. Disclosure of part 
2 data also would be allowable for research that qualifies for 
exemption under the Common Rule due to the lower risk to subjects in 
the circumstances where exemptions apply, and this has been clarified 
in Sec.  2.52(a)(2). The individual who would make the determination to 
disclose part 2 data on behalf of a part 2 program or other lawful 
holder would be the individual designated as director or managing 
director, or an individual otherwise vested with authority to act as 
chief executive officer or their designee. In addition, there is 
nothing in the regulation that requires this individual to disclose the 
data, even if the researcher provides documentation of compliance with 
the requirements under Sec.  2.52.
    SAMHSA declines to make the recommended change regarding conflicts 
of interest to the research section (Sec.  2.52). The revised research 
provision requires reviews, either by an IRB and/or privacy board, for 
the specific purpose of minimizing risk to patients and their privacy. 
The research provision also requires researchers requesting data 
linkages, as described in Sec.  2.52(c), to have the request reviewed 
and approved by an IRB registered with the Department of Health and 
Human Services, Office for Human Research Protections in accordance 
with 45 CFR part 46 to ensure that patient privacy is considered and 
the need for identifiable data is justified. In addition, HHS has 
issued subregulatory guidance that, to the extent financial interests 
may affect the rights and welfare of human subjects in research, IRBs, 
institutions, and investigators need to consider what actions regarding 
financial interests may be necessary to protect those subjects.
    SAMHSA proposed to require any individual or entity conducting 
scientific research using patient identifying information to meet 
additional requirements to ensure compliance with confidentiality 
provisions under part 2. Among these are a provision (Sec.  2.52(b)(1)) 
that ``requires researchers to be fully bound by these regulations and, 
if necessary, to resist in judicial proceedings any efforts to obtain 
access to patient records except as permitted by these regulations.''
Public Comments
    Another commenter suggested that the rule allow an extended 
disclosure period specific to research that could be included in the 
initial disclosure approval.
SAMHSA Response
    The part 2 regulations do not specify a disclosure period in the 
research provision.
Public Comments
    A commenter said that it would bring clarity and aid entities 
seeking to comply with the proposed rule if it included a definition of 
``repository'' and of ``scientific research.'' The commenter stated 
that the HHS Common Rule provisions, referenced repeatedly in the 
proposed rule, apply only to activities which meet the definition of 
research involving human subjects. It is not clear whether SAMHSA 
intends to adopt Common Rule definitions or create a separate scheme.
SAMHSA Response
    SAMHSA did not propose a regulatory definition for these terms in 
the NPRM and respectfully declines to define the terms in the final 
rule as suggested. ``Scientific research'' is a statutory term that is 
not defined. Researchers requesting part 2 data for the purposes of 
conducting scientific research and whose research is subject to the 
Common Rule would need to comply with requirements for the Common Rule 
as well as those of part 2. SAMHSA refers to the term ``repository'' in 
the context of the data linkages provision, and intended the term to 
broadly refer to data that is stored and managed. SAMHSA may address 
undefined terms that require further elaboration in subregulatory 
guidance or in subsequent rulemaking.
Public Comments
    One commenter supported provisions that allow states to work with 
outside entities, which are HIPAA and Common Rule compliant, to conduct 
research that will improve care and drive quality outcomes for Medicaid 
beneficiaries with a substance use disorder.
SAMHSA Response
    SAMHSA supports the efforts of part 2 stakeholders to work together 
collaboratively and in compliance with the law. Part 2 prohibits 
researchers from re-disclosing patient identifying information except 
back to the individual or entity from whom that patient identifying 
information was obtained or as permitted under the data linkages 
provision. Researchers may include part 2 data in reports only in 
aggregate form in which patient identifying information has been 
rendered non-identifiable such that the information cannot be re-
identified and serve as an unauthorized means to identify a patient, 
directly or indirectly, as having or having had a substance use 
disorder.
3. HIPAA and HHS Common Rule Requirements
Public Comments
    Many commenters expressed support for aligning requirements for 
disclosure of information for conducting research with existing 
requirements for research as regulated by the HHS Common Rule (45 CFR 
part 46). A commenter remarked that an alternate approach would be to 
create a single category of consent for research purposes.
SAMHSA Response
    In this part 2 final rule, SAMHSA has implemented certain revisions 
that are predicated on the current version of the Common Rule (45 CFR 
part 46, Protection of Human Subjects, promulgated in 1991). Should 
conflicting policies be created in the future, SAMHSA will take 
appropriate action (e.g., issue an NPRM or technical correction). With 
respect to creating a single category of consent for research, the 
existing consent requirements permit patient consent for the disclosure 
of patient identifying information for the purpose of scientific 
research.
4. Data Linkages
    SAMHSA revised Sec.  2.52 from the proposed regulatory text by 
separating out the data linkages provisions into its own paragraph, 
Sec.  2.52(c) for purposes of clarity and readability. In addition, the 
final Sec.  2.52 addresses data linkages to enable researchers holding 
part 2 data to link to data sets from federal and non-federal data 
repositories as explained in greater detail below. SAMHSA proposed to 
permit researchers to request to link data sets that include patient 
identifying information under certain conditions. We proposed to limit 
the data repositories from which a researcher may request data for data 
linkages purposes to federal data repositories because federal agencies 
that maintain data repositories have policies and procedures in place 
to protect the security and confidentiality of the patient identifying 
information that must be submitted by a researcher in order to link the 
data sets. SAMHSA

[[Page 6101]]

sought input from the public regarding whether to expand the data 
linkages provision beyond federal data repositories; what 
confidentiality, privacy, and security safeguards are in place for 
those non-federal data repositories; and whether those safeguards are 
sufficient to protect the security and confidentiality of the patient 
identifying information.
Public Comments
    Several commenters suggested that researchers be allowed to perform 
data linkages between data sets containing substance use disorder data. 
However, some warned that the proposed rule was unclear regarding data 
linkages. One commenter said SAMHSA should clarify that researchers 
have the option to submit data to a federal data repository, like CMS, 
for linking of federal data, but are not required to do so. Other 
commenters argued that proposed Sec.  2.52 should explicitly allow 
researchers to perform their own data linkages between data sets 
containing substance use disorder records. A commenter asserted that 
non-profit entities who engage in research should be distinct from for-
profit organizations and that for-profit organizations should not be 
allowed access to large linked data sets.
    Many commenters expressed support for permitting linkage with non-
federal repositories where adequate, flexible safeguards are in place 
to protect the security and confidentiality of part 2 data. A commenter 
asserted that only allowing researchers to combine 42 CFR part 2 
records received without patient consent with records from a federal 
repository is not consistent with the goal of enhancing research 
conducted with data protected by part 2. In particular, commenters 
pointed out that many state, local, tribal, and corporate data 
repositories with hospital emergency department and discharge, trauma 
registry, and birth and death records would not be covered by the 
federal data linkages language in the proposed rule, thereby hampering 
important research and evaluation activities. Additionally, commenters 
supported the expansion of data linkages in order to better support the 
analysis required by evolving health care delivery and payment models, 
such as Accountable Care Organizations.
    Commenters urged that appropriate privacy and security protections 
are in place, to include physical security and disposition of data if 
SAMHSA permits linkages to non-federal data repositories. One commenter 
remarked that protections imposed by federal repositories that are not 
imposed by other repositories should be identified and considered as 
requirements, so as not to lose the insight offered through additional 
linkage opportunities. Another suggested implementation of data use 
agreement language to non-federal repositories. A commenter reasoned 
IRBs or privacy officers could ensure other repositories are in 
compliance with part 2 requirements.
    However, a few commenters did not support expansion of data linkage 
to non-federal repositories. Some commenters expressed concerns about 
the security of data in both federal and non-federal data repositories 
citing examples of healthcare data breaches. One commenter concluded 
data linkage to any data repositories be withdrawn from the proposed 
language citing the federal agencies as well as health care data 
repositories inability to adequately safeguard personal information. 
Another commenter suggested data repositories performing the data 
linkages, if outside of part 2 entity, not be given information subject 
to part 2.
SAMHSA Response
    SAMHSA would like to clarify that the data linkages provision is 
not intended to prohibit a researcher from linking a data set in the 
researcher's possession that contains part 2 data with a data set from 
a third party source, so long as the part 2 data is not further 
disclosed in the data linkage process and the researcher adheres to any 
applicable confidentiality, privacy, and security requirements and 
safeguards. Regarding the comment on for-profit organizations, whether 
the researcher is a for-profit or not-for-profit organization, the 
researcher would be required to have IRB approval and/or privacy board 
review of their research, and, additionally, IRB approval of the 
research project that contains the data linkage component, to ensure 
risks to the patient and their privacy are minimized. In addition, part 
2 prohibits researchers from re-disclosing patient identifying 
information except back to the individual or entity from whom that 
patient identifying information was obtained or as permitted under the 
data linkages provision. Researchers may include part 2 data in reports 
only in aggregate form in which patient identifying information has 
been rendered non-identifiable such that the information cannot be re-
identified and serve as an unauthorized means to identify a patient, 
directly or indirectly, as having or having had a substance use 
disorder.
    In response to public comments, SAMHSA has decided in the final 
rule to permit data linkages to both federal and non-federal data 
repositories subject to the conditions explained below. SAMHSA believes 
that these changes will enhance research while still ensuring the 
protection of part 2 patient identifying information. SAMHSA agrees 
with commenters that many non-federal data repositories, as well as 
federal data repositories, contain data that is critical to research 
and, therefore, SAMHSA is expanding data linkages provisions.
    In the data linkages provision of this final rule (Sec.  2.52(c)), 
SAMHSA revises its proposal to enable researchers holding part 2 data 
to link to data sets from any repository, including non-federal 
repositories, provided that the linkage has been reviewed and approved 
by an Institutional Review Board registered with the Department of 
Health and Human Services, Office for Human Research Protections in 
accordance with 45 CFR part 46 to ensure that patient privacy is 
considered and the need for identifiable data is justified. In addition 
to having the request reviewed and approved by an IRB, the researcher 
must ensure that patient identifying information obtained under the 
rule's research provisions is not provided to law enforcement agencies 
or officials. SAMHSA states in the final rule that the data repository 
is fully bound by the provisions of part 2 upon receipt of the patient 
identifying data and must, after providing the researcher with the 
linked data, destroy or delete the linked data from its records, 
including sanitizing any associated hard copy or electronic media, to 
render the patient identifying information non-retrievable in a manner 
consistent with the policies and procedures established under Sec.  
2.16 Security for records. In addition, the data repository must ensure 
that any data obtained pursuant to part 2's research provisions is not 
provided to law enforcement agencies or officials.
Public Comments
    One commenter recommended that SAMHSA expand data linkages beyond 
research to the broader need for it to be inclusive of coordinated 
care. The commenter stated that this is another area where SAMHSA could 
look to existing HIPAA provisions and align the part 2 provisions 
accordingly.
SAMHSA Response
    SAMHSA declines to make the revision suggested by the commenter. 
The transfer of part 2 information for the purposes of research, as 
allowed under Sec.  2.52, is an exception to patient consent, and, 
therefore, the data linkages provision cannot be expanded

[[Page 6102]]

to other parts of the regulation. Because of its targeted population, 
part 2 provides more stringent federal protections than most other 
health privacy laws, including HIPAA. However, SAMHSA aligned policy 
with HIPAA where possible.
5. Multi-Payer Claims Database
Public Comments
    Many commenters urged the final rule to explicitly include a 
statement on the authority granted to MPCDs (also referred to as APCDs) 
that maintain adequate safeguards to collect, link, and disseminate 
substance use disorder records without patient consent for research 
purposes. Several commenters argued that many states have established 
state-sponsored MPCD systems and urged the proposed rule to 
specifically ensure substance use disorder data are not systematically 
excluded from state MPCD systems, allowing part 2 data to be collected, 
linked, and disseminated without patient consent for research purposes. 
A commenter requested specific guidance as to whether MPCDs could be 
lawful holders of part 2 data with the same disclosure requirements as 
those for HIEs. A commenter stated that the rule should authorize state 
data repositories such as an MPCD to link part 2 data to other data for 
research purposes.
SAMHSA Response
    For an MPCD or any entity to disclose part 2 data for research 
purposes under the rule's research exception to consent requirements 
(Sec.  2.52), the entity must be a ``lawful holder of patient 
identifying information.'' Under the research provision, any lawful 
holder of part 2 data may disclose the data to qualified researchers 
that meet the requirements under the HHS Common Rule or HIPAA Privacy 
Rule. As SAMHSA discussed in the NPRM preamble, a ``lawful holder'' of 
patient identifying information is an individual or entity who has 
received such information in accordance with the part 2 requirements, 
and, therefore, is bound by 42 CFR part 2. Examples of potential 
``lawful holders'' of patient identifying information include a 
patient's treating provider, a hospital emergency room, an insurance 
company, an individual or entity performing an audit or evaluation, or 
an individual or entity conducting scientific research. As permitted by 
the authorizing statute and under these regulations, any lawful holder 
of patient identifying information may disclose part 2 data without 
patient consent for research purposes under the circumstances specified 
under the research provision.
    Regarding the specific scenario raised by commenters, SAMHSA wishes 
to clarify that MPCDs and other data intermediaries are permitted to 
obtain part 2 data under the research exception provided in Sec.  2.52, 
provided that the conditions of the research exception are met. 
Furthermore, an MPCD or data intermediary that obtains part 2 data in 
this fashion would be considered a ``lawful holder'' under these final 
regulations and would therefore be permitted to redisclose part 2 data 
for research purposes, subject to the other conditions imposed under 
Sec.  2.52. The final rule edits the language under paragraph 2.52(a) 
to clarify that the regulations do not prohibit such a disclosure.
    Except as provided in paragraph 2.52(c), a researcher may not 
redisclose patient identifying information for data linkages purposes. 
SAMHSA's data linkages provision permits researchers to request to link 
data sets that include patient identifying information if the data 
linkages component is reviewed and approved by an IRB registered with 
OHRP in accordance with 45 CFR part 46 and certain other conditions are 
met. The data linkages provision is not intended to prohibit a 
researcher from linking a data set in the researcher's possession that 
contains part 2 data with a data set from a third-party source, so long 
as the part 2 data is not further disclosed in the data linkage process 
and any applicable confidentiality, privacy, and other conditions as 
specified in this rule are adhered to.

O. Audit and Evaluation (Sec.  2.53)

    SAMHSA is modifying the proposed language as discussed below. 
SAMHSA has revised the section heading by deleting the word 
``activities.'' SAMHSA modernized this section to include provisions 
governing both paper and electronic patient records. In addition, we 
revised the requirements for destroying patient identifying information 
by citing the expanded Security for Records section (Sec.  2.16). 
Furthermore, we updated the Medicare or Medicaid audit or evaluation 
paragraph title to include Children's Health Insurance Program (CHIP) 
and, in subsequent language, refer to Medicare, Medicaid, and CHIP.
    The Sec.  2.53 revisions permit the part 2 program, not just the 
part 2 program director, to determine who is qualified to conduct an 
audit or evaluation of the part 2 program. The revised language also 
permits an audit or evaluation necessary to meet the requirements of a 
CMS-regulated ACO or similar CMS-regulated organization (including a 
CMS-regulated QE), under certain conditions, by better aligning the 
criteria in this section with those set forth in the Affordable Care 
Act (regulating ACOs, in part, at 42 U.S.C. 1395jjj). We have specified 
that such ACO or similar CMS-regulated entities must have in place 
administrative and/or clinical systems. While the NPRM indicated both 
types of systems were required, it has been noted that some ACO or 
similar CMS-regulated entities will not have both clinical and 
administrative systems. We also have clarified in the final rule that 
the ACO or similar CMS-regulated organization (including a CMS-
regulated QE) is subject to periodic evaluations by, or receives 
patient identifying information from, CMS or its agents. To ensure that 
patient identifying information is protected, the ACO or similar CMS-
regulated organization (including a CMS-regulated QE) that is the 
subject of, or is conducting, the audit or evaluation must have a 
signed Participation Agreement with CMS or similar documentation that 
demonstrates that the organization and its auditors or evaluators must 
conduct the audit and evaluation activities in full compliance with all 
applicable provisions of 42 U.S.C. 290dd-2 and 42 CFR part 2.
Public Comments
    Several commenters provided comments with regard to Sec.  2.53, 
Audit and Evaluation. A few commenters discussed the application of 
this section to Medicare and Medicaid. A couple of commenters 
recommended clarifying that Medicaid agencies are permitted under the 
QSO exception to disclose part 2 information to third-party payers for 
audit or evaluation purposes. These commenters also suggested that 
Medicaid and other third-party payers may use (third-party) contractors 
and vendors to assist beneficiaries and perform such activities as 
program integrity activities. The commenters argued that the QSO 
exception described above should include communications between third-
party payers such as Medicaid agencies and other holders of part 2 data 
and QSOs to help ensure ``operational efficiency.'' Another commenter 
suggested that the revisions concerning the auditing process and 
Participation Agreements would be too burdensome, and would be 
inconsistently applied because Medicare and Medicaid do not have to 
comply with the auditing requirements, whereas providers do. Further, a 
couple of commenters stated that part 2 programs would be confused in

[[Page 6103]]

attempting to decipher which organizations have Participating 
Agreements with CMS in place, further exacerbating the existing 
compliance issues with part 2. A commenter requested that SAMHSA 
clarify whether Medicaid program ACOs and external quality review 
organizations (EQRO) are considered ``CMS-regulated'' for the purposes 
of permitted disclosures. The commenter suggested that Medicaid program 
entities should be considered CMS-regulated entities.
SAMHSA Response
    A QSO is an individual or entity that provides a service to a part 
2 program consistent with a QSOA (see Sec. Sec.  2.11, Definitions; 
2.12(c)(4), Applicability). A QSOA is a two-way agreement between a 
part 2 program and the individual or entity providing the desired 
service. Therefore, to be a QSO, the contracted entity must be 
providing the service to a part 2 program. The QSOA authorizes 
communication only between the part 2 program and QSO. Third-party 
payers, such as Medicaid, are not considered part 2 programs as defined 
in this rule, and are not eligible to have QSO through a QSOA. That 
said, comments to the proposed rule raised questions that indicate that 
there may be varying interpretations of the current (1987) part 2 
rule's restrictions regarding the use of contractors/subcontractors in 
contexts other than the QSO context, such as the sharing of part 2 
information by third-party payers with contractors and subcontractors 
to carry out activities related to audit and evaluation and program 
integrity, and we intend to address such scenarios with greater clarity 
in an SNPRM.. As stated under Sec.  2.12(a)(1), Restrictions on 
disclosures, the restrictions on disclosures in these regulations apply 
to any information, whether recorded or not, which would identify a 
patient as having or having had a substance use disorder either 
directly, by reference to publicly available information, or through 
verification of such information by another person. Patient identifying 
information that has been rendered non-identifiable in a manner that 
creates a very low risk of re-identification may be disclosed.
    With regard to the concern that the proposed revisions to Sec.  
2.53 would be burdensome and create confusion when part 2 programs have 
to determine who has a Participation Agreement or similar documentation 
in place, CMS-regulated entities that, among other requirements, are 
subject to periodic evaluations by CMS or its agents, or are required 
by CMS to evaluate participants in the ACO or similar CMS-regulated 
organization (including a CMS-regulated QE) relative to CMS-defined or 
approved quality and/or cost measures should be able to produce 
evidence that they have Participation Agreements or similar 
documentation in place with CMS if requested by a part 2 program.
    As to whether Medicaid program ACOs and EQROs are considered ``CMS-
regulated,'' this rule explicitly states that ACOs and similar 
organizations regulated by CMS may, subject to certain conditions, 
disclose or require participants in the organization to disclose part 
2-covered information in order for the organization to meet CMS audit 
and evaluation requirements. Other entities may also be considered 
``CMS-regulated'' depending on the particular circumstances, for 
example, as a result of their direct supervision by CMS, the 
establishment by CMS of regulations governing their conduct or 
qualification, or, in the case of Medicaid and CHIP-related entities, 
CMS' approval of state plans or waivers and supervision of the state 
agencies. Medicaid program ACOs and EQROs do fit within the entities 
covered by the audit and evaluation provisions of the part 2 program. 
SAMHSA may further elaborate on this topic in subregulatory guidance 
issued following the publication of the final rule.
Public Comments
    A few commenters provided input on SAMHSA's proposal to permit 
audit or evaluation necessary to meet the requirements of a CMS-
regulated ACO or similar CMS-regulated organization (including a CMS-
regulated QE), under certain conditions. A couple of commenters 
recommended that SAMHSA modify part 2 to permit CMS to provide all 
claims with substance use disorder treatment information through the 
Claim and Claim Line Feed (CCLF) file so patients can receive 
comprehensive, quality treatment and programs can operate more 
efficiently and effectively. The commenters suggested that because 42 
U.S.C. 290dd-2(b)(2)(B) permits substance use disorder treatment 
program to disclose treatment records without the consent of the 
patient for the purpose of audits or evaluation; Sec.  2.53 of the 
proposed rule also permits substance use disorder treatment programs to 
disclose treatment records to ACOs or other CMS-regulated organizations 
to allow the organizations to meet CMS's audit and evaluation 
requirements for participation; therefore the provision could be 
expanded, or clarified, to also permit CMS to disclose substance use 
disorder treatment information to ACOs and bundled payment participants 
for audit and evaluation activities. Another commenter expressed 
concern about the expansion of the part 2 audit and evaluation 
exception to include ACOs, because ACOs are continually ``auditing'' 
programs as a continual process of evaluating and monitoring and part 
2's language makes clear that an audit or evaluation is a time-limited 
activity that is not intended to permit ongoing access to program 
records. This commenter asserted that the part 2 audit and evaluation 
exception should not be allowed to result in a practice that 
circumvents the need to obtain a patient's consent to access their 
information.
    One commenter noted that CMS's application of part 2 in its removal 
of substance use disorder treatment information from the monthly CCLF, 
in which CMS redacts any claim submitted by any provider where a 
substance use disorder is either the principal or secondary diagnosis, 
causes CMS to remove claims from the CCLF file that are not produced by 
federally assisted substance use disorder treatment programs. The 
commenter urged SAMHSA to work with CMS to develop a pathway to include 
substance use disorder treatment information in the CCLF data file.
SAMHSA Response
    CMS may disclose patient identifying information to a CMS-regulated 
ACO or similar CMS-regulated organization (including a CMS-regulated 
QE) for Medicare audit and evaluation purposes pursuant to Sec.  
2.53(c), which provides that ``[p]atient identifying information, as 
defined in Sec.  2.11, may be disclosed under paragraph (c) of this 
section to any individual or entity for the purpose of conducting a 
Medicare, Medicaid, or CHIP audit or evaluation. . . .'' Neither the 
statute nor the part 2 regulations define audit or evaluation. However, 
under this section of the audit and evaluation exception, the purpose 
of the disclosure must be to conduct a Medicare, Medicaid, or CHIP 
audit or evaluation. This may include audit or evaluation activities, 
such as reviews of financial performance or the quality of health care 
services delivered, undertaken by the CMS-regulated organization itself 
to review its own performance. The exception does not cover any 
activities conducted by ACOs that may not be reasonably construed as 
being related to such a purpose.
Public Comments
    Commenters provided other recommendations related to this section. 
A commenter suggested that Sec.  2.53(d) should be revised to permit 
disclosure

[[Page 6104]]

of patient information to entities that have administrative control 
over auditors. Another commenter suggested that SAMHSA consider 
allowing ``lawful holders'' the ability to share information for audit 
and evaluation services, with the agreement that the service provider 
must adhere to part 2.
    Another commenter recommended that SAMHSA convene a group of state, 
local, and provider representatives to develop draft guidance.
SAMHSA Response
    Regarding the suggestion that Sec.  2.53(d) should be revised to 
permit disclosure of patient information to entities that have 
administrative control over auditors, except as provided in Sec.  
2.53(c), patient identifying information disclosed under this section 
may be disclosed only back to the program from which it was obtained 
and used only to carry out an audit or evaluation purpose or to 
investigate or prosecute criminal or other activities, as authorized by 
a court order entered under Sec.  2.66.
    As recommended by a commenter, SAMHSA plans to develop and publish 
subregulatory guidance regarding the application of Sec.  2.53 audit 
and evaluation disclosures after publication of this final rule.

P. Other Public Comments on the Proposed Rule

1. Requests To Extend the Public Comment Period
Public Comments
    Several commenters requested extension to the public comment 
period. Commenters stated the complexity and importance of the rule 
warranted additional time for reflection and comment. A few commenters 
requested that the comment period be extended for one year to allow for 
a more open process. A couple of commenters suggested that in addition 
to extending the comment period for one year, public hearings also be 
held across the county.
SAMHSA Response
    While SAMHSA recognizes that the issues addressed in the part 2 
NPRM are complex and important, we concluded that the 60-day comment 
period was sufficient to provide the public a meaningful opportunity to 
comment, and this conclusion is supported by the hundreds of complex 
and thoughtful comments received. Additionally, the NPRM was available 
to the public for a preliminary review on the Federal Register Web site 
upon submission of the NPRM to the Federal Register, which was several 
days prior to publication, thereby providing stakeholders additional 
time prior to the publication date. Finally, on June 11, 2014, SAMHSA 
held a public listening session and, invited through a Federal Register 
notice, general comments, as well as comments on six key provisions of 
42 CFR part 2.
2. Rulemaking Process
Public Comments
    One commenter expressed concern that SAMHSA did not summarize or 
address specific comments from stakeholders who participated in the 
public listening sessions.
    Another commenter said that the part 2 changes should move forward 
but should be monitored and modified accordingly over the next two to 
three years.
SAMHSA Response
    SAMHSA will undertake further rulemaking as necessary and intends 
to respond to issues raised with respect to the part 2 regulations, as 
they have in the past, through subregulatory guidance.
    SAMHSA considered all comments received in the June 2014 public 
Listening Session on the part 2 regulations. As explained in the NPRM, 
feedback from the Listening Session was considered and helped to inform 
the development of the February 2016 NPRM (see 81 FR 6988, 6993). 
SAMHSA posted all comments received in response to the Listening 
Session Federal Register Notice on its Web site: http://www.samhsa.gov/about-us/who-we-are/laws-regulations/public-comments-confidentiality-regulations.
3. Implementation Timeline and Other Barriers to Implementation
Public Comments
    To allay privacy concerns, a commenter said that SAMHSA should 
delay the proposed part 2 changes to further develop its Consent2Share 
application and encourage wider adoption. Similarly, a commenter 
recommended further testing and evaluation on IT solutions before 
issuing part 2 changes. This commenter further urged SAMHSA to address 
these issues in the final rule by specifically detailing a process for 
updating the Consent2Share tool so that its design specifications 
remain compatible with the rapidly advancing and very fluid EHR design 
landscape.
SAMHSA Response
    SAMHSA declines to accept these recommendations to delay 
publication of a final rule pending technology developments or 
Congressional action. Technology adoption is an ongoing process, and 
the majority of current EHR and HIE applications may not have the 
capability to support the DS4P initiative. In addition, paper records 
are still used today in some part 2 programs and shared through 
facsimile (FAX). In addition, SAMHSA's publication of a final rule 
would not prevent further Congressional action with respect to part 2.
Public Comments
    One commenter expressed concern that applying electronic data 
segmentation in conjunction with patient privacy preferences can 
significantly increase the complexity of the workflow process and have 
unintended consequences on system performance and response times at the 
point of care. The commenter recommended that SAMHSA, in conjunction 
with other federal agencies, advisory bodies, such as the National 
Committee on Vital and Health Statistics (NCVHS), and public and 
private stakeholders should convene public discussions to evaluate the 
possibility of data segmentation standards in electronic systems, the 
benefits and potential unintended consequences that may result, along 
with the associated costs and anticipated consumer uses of such 
standards and processes.
    In addition to the technical challenges, a commenter said that 
SAMHSA should recognize other barriers to implementation of part 2 
changes, including complexity in navigating individual state 
regulations, challenges around mapping to clinical codes, and lack of a 
standardized service discovery mechanism to ensure capability of 
exchanging systems to evaluate the ability to receive and interpret a 
tagged document.
SAMHSA Response
    SAMHSA recognizes the concerns expressed by the commenter; however, 
SAMHSA's jurisdiction is limited to those regulations over which it has 
authority. We note that the part 2 regulations permit, but do not 
require, data segmentation.
4. Educational Opportunities
Public Comments
    Some commenters urged SAMHSA to provide trainings/webinars and 
technical assistance after the final rule is adopted so that substance 
use disorder providers, other health care providers, and patients will 
understand the changes to ensure compliance with the rule. Expressing 
concern that many people will not understand the idea of

[[Page 6105]]

an HIE or a registry, one commenter suggested creating paid space for a 
nurse visit to walk a consumer through the consent.
    A few commenters encouraged SAMHSA to invest in provider and 
patient education efforts on the value of integrated care, the role of 
information sharing in enabling integrated care, how the consent 
process works, patient rights under 42 CFR part 2, and the implications 
of providing consent to share personal health information.
    A commenter encouraged SAMHSA to continue its efforts to provide 
guidance as to how part 2's requirements can be incorporated into HIE 
systems, suggesting that many of the perceived part 2 issues can be 
resolved by proper education regarding the actual requirements and how 
information can be exchanged pursuant to part 2 with little, if any, 
additional effort if proper operational practices are utilized by 
health care providers and management organizations.
    One commenter suggested that SAMHSA establish a consumer engagement 
committee or seek input from an existing national consumer advisory 
council to support part 2 programs in complying with certain areas of 
the rule, such as developing user-friendly consent forms and crafting 
educational materials for patients. One commenter suggested that SAMHSA 
contract with the Legal Action Center to create a webinar or FAQ to 
provide guidance to community health centers and other ``multi-use'' 
organizations as to the applicability of part 2.
    Another commenter recommended that SAMHSA develop educational 
materials targeted at pharmacists because of the pharmacy profession's 
growing role in substance use disorder treatment.
SAMHSA Response
    SAMHSA appreciates these comments on educational opportunities and 
plans to address specific commenter requests in subregulatory guidance 
after the publication of the final rule. SAMHSA will consider 
additional educational activities, such as trainings, webinars, and 
establishing engagement committees, should SAMHSA determine the need 
during implementation of the final rule.
5. Increased Enforcement
Public Comments
    Some commenters urged SAMHSA to ensure that part 2 provides for 
meaningful enforcement and penalties, with a few reasoning that the 
rule would create new avenues for the exchanges of patients' substance 
use disorder information, especially to other parts of the health care 
system that may have little to no experience treating substance use 
disorder or complying with part 2. One of these commenters asserted 
that fines imposed for part 2 violations are so minimal that they are 
not a deterrent to intentional or accidental violations. A commenter 
suggested that SAMHSA adopt the HIPAA penalties contained in the HITECH 
Act and specify that any disclosures of information in violation of 
this statute must be excluded from evidence and deemed inadmissible for 
use in any administrative, civil, or criminal proceeding.
    Urging SAMHSA to review and correct the enforcement concerns of the 
underlying statute, one commenter argued that the current 
confidentiality obligations have questionable enforcement authority 
because there is no express provision in Title 18 pertaining to the 
confidentiality of drug and alcohol treatment records. Although the 
original part 2 underlying statute set forth specific fines, the 
commenter explained that a subsequent revision (by Pub. L. 102-321) 
eliminated the fines leaving only a reference to Title 18. Moreover, 
the commenter said that by the proposed transfer of the existing 
enforcement authority from FDA to SAMHSA, the proposed rule appears to 
remove enforcement authority that actually exists to a potential state 
of unenforceability. Similarly, another commenter stated that SAMHSA 
does not have legislative authority to impose penalties for disclosure. 
No mention of privacy law violation fines, penalties, or offenses exist 
in Title 18. Thus, the current confidentiality obligations have no 
enforcement authority. The commenter stated that entities receiving 
unauthorized information would likely not be subject to penalties 
unless a common law breach of privacy lawsuit is filed.
SAMHSA Response
    The Department of Justice is responsible for enforcing violations 
of 42 CFR part 2 in accordance with Title 18 of the United States Code. 
Title 42 U.S.C. 290dd-2 provides that ``[a]ny person who violates any 
provision of [the] section or any regulation issued pursuant to [the] 
section shall be fined in accordance with title 18.'' Reports of 
violation of the regulations may be directed to the United States 
Attorney's Office (USAO) for the judicial district in which the 
violation occurs or may be directed to SAMHSA for possible referral to 
the relevant USAO. A report of any violation of these regulations by an 
opioid treatment program may be directed to the relevant USAO as well 
as the SAMHSA office for opioid treatment program oversight, pursuant 
to 42 CFR part 8.
6. Other Miscellaneous Comments on the Proposed Rule
Public Comments
    A commenter suggested that SAMHSA revise the title of part 2 to 
``Confidentiality of Patient Records Relevant to Substance Use 
Disorders and Associated Behavioral Diagnoses,'' to ensure person-
centered language is used.
SAMHSA Response
    To be consistent with recognized classification manuals, current 
diagnostic lexicon, and commonly used descriptive terminology, SAMHSA 
proposed to refer to alcohol abuse and drug abuse collectively as 
``substance use disorder,'' and, for consistency, proposed to revise 
the title of 42 CFR part 2 from ``Confidentiality of Alcohol and Drug 
Abuse Patient Records'' to ``Confidentiality of Substance Use Disorder 
Patient Records.''
Public Comments
    Some commenters made specific suggestions or requested 
clarification regarding parts of the part 2 regulations that were not 
the subject of the proposed changes in the NPRM. For example, 
commenters addressed Sec. Sec.  2.14 (Minor patients), 2.20 
(Relationship to state laws), and 2.21 (Relationship to federal 
statutes protecting research subjects against compulsory disclosure of 
their identity).
SAMHSA Response
    SAMHSA acknowledges commenters' questions and suggestions relating 
to all aspects of the part 2 regulations. However, for purposes of this 
final rule, SAMHSA generally considered comments submitted on 
provisions for which changes were not proposed in the February 2016 
NPRM to be outside of the scope of this rulemaking. SAMHSA will take 
such comments and recommendations under advisement and may issue 
subregulatory guidance in the future to address some of these issues 
brought up by commenters.
Public Comments
    Another commenter also urged SAMHSA to work with CMS to ensure that 
when proper criteria are met, such as through a QSOA and/or a signed 
consent form, patient substance use claim information is available to 
ACOs through their CCLF files. Asserting that it is a major blind spot 
in the ability of an ACO to manage total care if it does

[[Page 6106]]

not have data on substance use disorder data, a commenter encouraged 
SAMHSA to work with CMS on ways to effectively manage substance use 
disorder care within the administration of the ACO program. One 
commenter suggested that SAMHSA work with federal agencies, states, 
localities, and providers to identify the cost/burden of the rule on 
entities and professionals. The commenter also recommended that SAMHSA 
work with the CMS and the Office of the National Coordinator for Health 
Information Technology (ONC) to align the rule with guidance permitting 
the HITECH enhanced funding for administrative costs to other 
providers.
SAMHSA Response
    SAMHSA will continue to work with CMS and its other federal 
partners to ensure the effective and timely implementation of the part 
2 final rule.
Public Comments
    Because a state provides health care, including federally funded 
substance use disorder treatment programs, to inmates in the state jail 
system, a commenter stated that the part 2 regulations impact the 
methods by which care is coordinated for inmates and urged SAMHSA to 
consider part 2's impact on incarcerated populations.
SAMHSA Response
    SAMHSA considered how the regulations would impact part 2 programs 
and lawful holders of patient identifying information, as well as other 
stakeholders. All part 2 programs and other lawful holders of patient 
identifying information must comply with part 2. If a jail or prison 
meets the definition of a part 2 program, it would be required to 
comply with part 2.
Public Comments
    One commenter stated that there should be an option for the patient 
to have the ability to remove their substance use disorder history from 
their medical record after a ten-year minimum time period.
SAMHSA Response
    Although SAMHSA is not prescribing any specific retention period, 
the expectation is the both paper and electronic records would comply 
with applicable federal, state, and local retention laws.
Public Comments
    A commenter requested that SAMHSA provide a description of 42 CFR 
part 2-covered entities similar to the designation under HIPAA.
SAMHSA Response
    SAMHSA may address applicability in subregulatory guidance or in 
subsequent rulemaking.

VI. Rulemaking Analyses

A. Paperwork Reduction Act

    Under the Paperwork Reduction Act of 1995 (PRA), agencies are 
required to provide a 60-day notice in the FR and solicit public 
comment before a collection of information requirement is submitted to 
the Office of Management and Budget (OMB) for review and approval. We 
provided for this comment period as part of the NPRM. The part 2 
information collections are approved under OMB Control No. 0930-0092, 
and SAMHSA will shortly submit the changes associated with this rule to 
OMB for review.
    This rule includes changes to information collection requirements, 
that is, reporting, recordkeeping or third-party disclosure 
requirements, as defined under the PRA (5 CFR part 1320). Some of the 
provisions involve changes from the information collections set out in 
the previous regulations. Information collection requirements are: (1) 
Section 2.13(d)--Disclosure: Requires entities named by patients using 
general designation under Sec.  2.31(a)(4)(iv)(C) to provide a list of 
entities to which the patient's information has been disclosed to 
participants pursuant to the general designation, (2) Section 2.22--
Disclosure: Requires each program notify each patient that federal law 
and regulations protect the confidentiality of substance use disorder 
patient records and provide a written summary of the effect of this law 
and these regulations, (3) Section 2.51--Recordkeeping: This provision 
requires the program to document a disclosure of a patient record to 
authorized medical personnel in a bona fide medical emergency as 
defined in Sec.  2.51. The regulation is silent on retention period for 
keeping these records as this will vary according to state laws. It is 
expected that these records will be kept as part of the patients' 
health records. The major change from current (1987) regulations is the 
list of disclosures requirement at Section 2.13(d). SAMHSA proposed 
that entities named on a consent form that disclose patient identifying 
information to their participants under the general designation must 
provide patients, upon request, a list of entities to which their 
information has been disclosed pursuant to a general designation (i.e., 
list of disclosures). Impact of this provision is noted below. SAMHSA 
notes that entities are not required to use the general designation 
permitted under Sec.  2.31(a)(4)(iii)(B)(3)(i).
    Under the PRA, the time, effort, and financial resources necessary 
to meet the information collection requirements referenced in this 
section are to be considered in rulemaking. The NPRM solicited comments 
on PRA issues. Commenters did not raise concerns regarding the burden 
for information collection requirements for the recordkeeping and 
notification provisions above. Though commenters expressed concern 
about some aspects of the list of disclosures requirements, these 
comments did not suggest that the burden of information collection 
would increase for 42 CFR part 2-compliant entities. Indeed, one 
commenter noted that current practice for many facilities to maintain 
both paper and electronic records may be both burdensome and 
inefficient. By promoting use of EHRs, changes in this rule may help to 
improve efficiency for providers. Some commenters also hypothesized 
that complying with the list of disclosures requirement would require 
such steps as developing a tracking system; or manual review or audit 
of all records; and mailing of letters through U.S. mail. Entities 
should already be collecting and retaining information needed to comply 
with the list of disclosures requirement. The final rule does not 
impose requirements to manually review all records, mail letters using 
the U.S. Postal Service or develop a tracking system specifically to 
comply with the list of disclosures provisions. For instance, we note 
below that entities could comply with the List of Disclosures 
requirement by either collecting this information electronically by 
using audit logs to obtain the required information or by keeping a 
paper record. Similarly, we point out that list of disclosures may be 
transmitted through such methods as mail or email or through other 
means preferred by the patient. We discuss the list of disclosures 
requirements further in the impact analysis section below.
    Annual burden estimates for these requirements are summarized in 
the table below:

[[Page 6107]]



                                                            Table 2--Annual Burden Estimates
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                          Annual  number
                                                of         Responses per       Total         Hours per      Total hour      Hourly wage     Total cost
                                            respondents     respondent       responses       response         burden           cost
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                       Disclosures
--------------------------------------------------------------------------------------------------------------------------------------------------------
42 CFR 2.13 (d).........................      \1\ 19,548               1          19,548        \2\ 4.15          81,124    \3\ $36.9175      $2,995,000
42 CFR 2.22.............................      \4\ 12,034             155   \5\ 1,861,693             .20       372,338.6       \6\ 40.26      14,990,000
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                      Recordkeeping
--------------------------------------------------------------------------------------------------------------------------------------------------------
42 CFR 2.51.............................          12,034               2          24,068            .167           4,019       \7\ 34.16         137,000
                                         ---------------------------------------------------------------------------------------------------------------
    Total...............................      \8\ 31,582  ..............       1,905,309  ..............         457,482  ..............      18,123,000
--------------------------------------------------------------------------------------------------------------------------------------------------------
\1\ The number of entities required to generate a list of disclosures based on the number of estimated patient requests. Patient requests are based the
  total number of annual treatment admissions from SAMHSA's 2010-2012 Treatment Episode Data Set (TEDS) (see footnote 5). The estimated patient requests
  equal the average of the total number of requests for a 0.1 percent request rate and a 2 percent request rate. SAMHSA notes that this estimate
  reflects the number of patient requests rather than the number of impacted entities as some entities may receive more than one request.
\2\ The estimated time for developing a list of disclosures is 4 hours for entities collecting the information electronically using an audit log and 3
  hours for entities that produce such a list from paper records. Because 90 percent of entities are estimated to collect the information electronically
  using an audit log and 10 percent are estimated to use paper records, the average weighted time to develop a list of disclosures is 3.9 hours [(0.9 x
  4 hours) + (0.1 x 3 hours)]. Including the estimated 15 minutes to prepare each list of disclosures for mailing or transmitting, the total estimated
  time for providing a patient a list of disclosures is 4.15 hours (3.9 hours + 0.25 hours).
\3\ The weighted hourly rate for health information technicians, medical technicians and administrative staff who will be preparing the list of
  disclosures. The hourly rate is weighted to reflect the fact that health information and medical technicians, who will be generating the list of
  disclosures, have a higher wage rate than administrative staff and will contribute more hours to generating the list of disclosures. Bureau of Labor
  Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed June 3, 2015], Standard Occupations Classification codes (29-2071,
  31-9092) [www.bls.gov/oes/]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
\4\ The number of publicly funded alcohol and drug facilities based on SAMHSA's 2013 National Survey of Substance Abuse Treatment Services (N-SSATS).
  The estimated annual number of respondents, 12,034, is based on N-SSATS data and reflects facilities receiving federal funding. However, under N-SSATS
  an organization may complete survey responses for multiple facilities.
\5\ The average number of annual treatment admissions from SAMHSA's 2010-2012 TEDS.
\6\ Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed July 16, 2015], Standard Occupations
  Classification code (21-1011) [www.bls.gov/oes/]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
\7\ Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed July 16, 2015], Standard Occupations
  Classification code (43-0000) [www.bls.gov/oes/]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
\8\ The combined total of the number of publicly funded alcohol and drug facilities and the number of entities required to generate a list of
  disclosures.

    As described in greater detail in Section VI.B, Regulatory Impact 
Analysis, the respondents for the collection of information under Sec.  
2.22 and 2.51 are publicly (federal, state, or local) funded, assisted, 
or regulated substance use disorder treatment programs. The estimate of 
the number of such programs (respondents) is based on the results of 
the 2013 N-SSATS, and the average number of annual total responses is 
based on 2010-2012 information on patient admissions reported to the 
Treatment Episode Data Set (TEDS), approved under OMB Control No. 0930-
0106 and OMB Control No. 0930-0335.
    The respondents for the collection of information under Sec.  
2.13(d) are entities named on the consent form that disclose 
information to their participants pursuant to the general designation. 
These entities primarily would be organizations that facilitate the 
exchange of health information (e.g., HIEs) or coordinate care (e.g., 
ACOs, CCOs, and CPCMHs), but other organizations, such as research 
institutions, also may disclose patient identifying information to 
their participants (e.g., clinical researchers) pursuant to the general 
designation on the consent form. Because there are no definitive data 
sources for this potential range of organizations, we are not 
associating requests for a list of disclosures with any particular type 
of organization. Consequently, the number of organizations that must 
respond to list of disclosures requests is based on the total number of 
requests each year.

B. Regulatory Impact Analysis

1. Public Comments on Notice of Proposed Rulemaking Regulatory Impact 
Analysis
a. Support for Cost Estimates
Public Comments
    SAMHSA received roughly 376 comments on the proposed rule. However, 
relatively few comments focused on the Regulatory Impact Analysis. We 
respond to these comments below and have made changes in our analysis, 
when appropriate, to reflect these comments.
    A few commenters suggested that the estimated costs outlined by 
SAMHSA in the proposed rule are in line with actual costs. For 
instance, one commenter suggested that the estimated total cost of $239 
million over 10 years would not be unduly burdensome and would improve 
patient care and safety. A commenter stated that costs would be minimal 
for integrating the requirement properly to sanitize and dispose of 
records into training and instruction. Another commenter stated that 
the costs related to modifying release forms and training staff would 
be absorbed by organizations and would not impact business processes. 
Explaining that in order to reflect the revision in title of 42 CFR 
part 2, a modification of the printed and on-line versions of 
applicable CFR Titles would be necessary, a commenter concluded that 
because of regular updates to CFRs, the incorporation of amendments 
made as part of this rule should not result in a significant economic 
impact.
SAMHSA Response
    SAMHSA acknowledges and appreciates the comments received that 
expressed support for the cost estimates in the NPRM. Though SAMSHA 
does not attempt in this rule to quantify benefits, it is important to 
note that updates to 42 CFR part 2 may result in long-term cost savings 
as well due to improved care coordination and integration and more 
efficient use of data for research and performance improvement 
purposes.
b. Assertions That SAMHSA Underestimated Costs
Public Comments
    Some commenters generally asserted that the compliance and 
implementation costs were underestimated. One commenter suggested that 
cost effectiveness of complying with the proposed regulation will 
impact members and patients because of the additional costs associated 
with implementation (e.g., outreach and education, changes to

[[Page 6108]]

consent forms), which undermines care coordination and effective 
delivery of services. Another commenter suggested that the projected 
costs of complying with part 2 should include costs for other 
institutions that are affected with re-disclosure of the provision; 
costs to individual practitioners or health organizations with few 
clinicians that fall under part 2; vendor-related costs; costs for 
software development and upgrades should be added to the costs of 
electronic record purchase and maintenance; cost to HIE; and costs to 
hire administrative staff.
    A few commenters suggested that the estimated $8,000 cost per 
facility to implement consent management was too low, failing to 
reflect fully development, testing and process costs. One commenter 
suggested that the estimated $8,000 cost per facility to implement 
consent management likely does not consider vendor-related costs such 
as development, testing, training, adoption and process modifications 
that may need to occur, only the cost of the infrastructure investment. 
Commenters urged SAMHSA and federal partners to consider funding HIT 
adoption by behavioral health providers. Another commenter stated that 
the proposed rule underestimated the cost of scaling efforts to 
integrate DS4P and Consent2Share, including upgrades and iterations 
across EHR products. Commenters also suggested SAMHSA modify its DS4P 
efforts to reflect updated 42 CFR part 2 requirements. Lastly, a 
commenter suggested that the estimate of $8,000 to comply with the 
proposal underestimates the costs for existing pharmacy management 
systems to add new functionality and applications and does not include 
other software or security requirements, training, or other 
implementation costs associated with the proposed rule. Another 
commenter generally suggested that the estimated cost burden of 
transitioning to a new consent form will be greater than proposed in 
the proposed rule.
    Several commenters mentioned other specific areas in which SAMHSA 
underestimated costs. One commenter suggested that the costs estimated 
related to EHR customizations are underestimated because there is no 
current standard interoperability within EHRs that address part 2 
information. Another commenter also shared their own experience in 
which they estimated a cost of $30,000 to comply with 42 CFR part 2 
when including 2 substance use specialists as part of an integrated 
treatment model using an electronic health record. This commenter 
asserted based on their own experience that if small entities attempt 
to develop integrated substance use disorder treatment programs they 
may face similar costs, including information technology time and 
efforts to modify EHRs to include restrictions on sharing of 42 CFR 
part 2 information in an integrated setting prohibitive. Another 
commenter stated that time, resources and training would be required to 
implement proposed changes to Sec. Sec.  2.12, 2.31, and 2.32, and that 
personnel and financial constraints are common within the health care 
industry. The commenter estimated that the ability to adapt currently 
used electronic health records to segregate certain patient information 
will also take considerable effort and time. A commenter stated that 
the proposed cost analysis associated with staff training is inaccurate 
because it assumes that only substance use disorder counselors would 
need training when, in actuality, other fields would also need to be 
trained because they could potentially become lawful holders of the 
patient information (e.g., social work, psychology, medicine, managed 
care, HIE, research organizations). The commenter added that additional 
work will be needed to redact patient records to be in compliance with 
the data sharing elements related to information that could identify a 
patient as a substantive abuse disorder patient. A commenter stated 
that the cost to organizations to comply with the requirement for U.S. 
mail transmissions will be significant.
SAMHSA Response
    Though commenters suggested anecdotally that SAMHSA underestimated 
the burden of 42 CFR part 2-compliance, SAMHSA notes the availability 
of data segmentation tools such as Consent2Share, an open source tool 
for consent management that is compliant with 42 CFR part 2. As noted 
above (in Section V.J.1.c), SAMHSA will be shortly releasing an updated 
version of Consent2Share with improved functionality and ability to 
meet the list of disclosures requirements. Provided that a facility 
already is using electronic health records and can partner with a 
health information exchange using Consent2Share or similar software, 
SAMHSA believes based on current efforts to pilot an updated version of 
Consent2Share that a cost of between $6,000 and $10,000 is reasonable. 
At the individual clinic level, initial set-up, training and testing 
are expected to constitute the main expenses. D4SP, Consent2Share, and 
similar tools make it feasible for entities to comply with updated 42 
CFR part 2 requirements at reasonable cost.
    While we acknowledge comments that entities other than those 
directly subject to this rule may be impacted by its provisions, 
including vendors of EHR products, such impacts are outside the scope 
of the regulation. We do not mandate vendors to perform additional 
activities. Nonetheless, SAMHSA will monitor such impacts and, to the 
extent feasible, work with stakeholders and federal partners to develop 
fact sheets and other materials to assist in outreach to patients and 
others about changes made in this rule. Likewise, while SAMHSA is 
unable to directly fund updates to EHRs, SAMHSA continues to work 
closely with ONC and others to ensure inclusion of behavioral health 
providers in ongoing information technology programs (See http://www.samhsa.gov/health-information-technology/samhsas-efforts; https://www.healthit.gov/policy-researchers-implementers/behavioral-health).
    We acknowledge that the cost of updating consent forms may be 
greater than we had proposed and have made changes to our cost 
estimates in this final rule to reflect the need to update forms to 
meet new requirements. We note that most of these costs may only need 
to be incurred once and in the past some organizations have made sample 
template forms and materials available (See e.g., http://lac.org/resources/substance-use-resources/confidentiality-resources/sample-forms-confidentiality/). SAMHSA may, at a future time, develop sample 
templates and forms to ease compliance costs.
c. Other Comments on Costs
Public Comments
    Some commenters said existing functionalities within EHR systems 
and consent management tools do not easily separate or redact substance 
use disorder information from general medical information when such 
systems are shared across an integrated health system. Similarly, 
commenters expressed concern that the proposed rule could have the 
opposite effect of its intended purpose by causing HIEs to exclude part 
2 information from information exchanges entirely since most HIEs and 
EHRs today do not support data segmentation. Asserting that the 
proposed part 2 changes would require HIEs to create an architecture 
for data management that provides for the segmentation of substance use 
disorder and general behavioral health data from physical health care 
data, including a way to have consent operate differently in each of 
the environments, one commenter asserted that this is a costly 
challenging administrative burden that

[[Page 6109]]

does nothing to promote the sharing of information between all 
necessary providers for the integration of coordination of care.
    A commenter suggested that the financial burden of the proposed 
rule would vary depending on the size or complexity of the covered 
entity.
    Another commenter asserted that the rule should not be adopted 
because it would result in increased health care costs. The commenter 
stated that SAMHSA is not able to estimate additional costs that are 
likely to occur when adding sensitive substantive abuse disorder 
treatment information of patients to electronic health information 
systems without patient consent (e.g., additional security, costs 
related to breaches, class action lawsuits for breached information, 
and loss of business due to breaches). The commenter concluded that, 
because these costs do not provide additional substance use disorder or 
health care services, and instead remove dollars from health care 
services, the proposed rule is in conflict with SAMHSA's proposed goal 
of reducing unnecessary health care costs.
SAMHSA Response
    SAMHSA agrees that costs may vary based on an institution's size, 
complexity and patient population served. However, we anticipate that 
over time compliance costs will drop significantly as institutions 
implement initial compliance efforts. SAMHSA notes that EHRs already 
are widely used in many health care settings with no evidence of class 
action lawsuits, loss of business or other speculative impacts (see 
e.g., http://dashboard.healthit.gov/quickstats/quickstats.php). Though 
SAMHSA is concerned about health care costs, the use of EHRs is likely 
both to improve care and reduce costs over time. Changes made in this 
rule will help to support EHR adoption and integration of care. Though 
in general EHR adoption among behavioral health providers lags behind 
that of other health care providers, forthcoming N-SSATS data reflect 
that more than 25 percent of surveyed substance use disorder treatment 
facilities used EHRs only and more than half use EHRs and paper-based 
records. Such growing adoption by substance use disorder treatment 
facilities reflects that EHR use is consistent with good quality of 
care and 42 CFR part 2 compliance.
2. Statement of Need
    This final rule reflects changes in the health care system and 
behavioral health, such as the increasing use of electronic health 
records and drive toward greater integration of physical and behavioral 
health care. Despite efforts to enhance integration and coordination of 
care, however, it remains important to ensure persons seeking treatment 
for substance use disorders can remain confident as to the safeguarding 
of their medical information. This rule updates 42 CFR part 2 to 
balance these important needs.
3. Overall Impact
    SAMHSA examined the impacts of this final rule as required by 
Executive Order 12866 on Regulatory Planning and Review (September 30, 
1993), Executive Order 13563 on Improving Regulation and Regulatory 
Review (January 18, 2011), the Regulatory Flexibility Act (RFA) 
(September 19, 1980, Pub. L. 96-354), Section 1102(b) of the Social 
Security Act, section 202 of the Unfunded Mandates Reform Act of 1995 
(March 22, 1995; Pub. L. 104-4), Executive Order 13132 on Federalism 
(August 4, 1999) and the Congressional Review Act (5 U.S.C. 804(2)). 
Executive Orders 12866 and 13563 direct agencies to assess all costs 
and benefits of available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health and safety 
effects, distributive impacts, and equity). Section 3(f) of Executive 
Order 12866 defines a ``significant regulatory action'' as an action 
that is likely to result in a rule: (1) Having an annual effect on the 
economy of $100 million or more in any one year, or adversely and 
materially affecting a sector of the economy, productivity, 
competition, jobs, the environment, public health or safety, or state, 
local or tribal governments or communities (also referred to as 
``economically significant''); (2) creating a serious inconsistency or 
otherwise interfering with an action taken or planned by another 
agency; (3) materially altering the budgetary impacts of entitlement 
grants, user fees, or loan programs or the rights and obligations of 
recipients thereof; or (4) raising novel legal or policy issues arising 
out of legal mandates, the President's priorities, or the principles 
set forth in the Executive Order.
    A regulatory impact analysis must be prepared for major rules with 
economically significant effects ($100 million or more in any one 
year). This rule does not reach the economic threshold and thus is not 
considered to be an economically significant rule. However, because 
this rule raises novel policy issues arising out of legal mandates, the 
rule is considered ``a significant regulatory action,'' this regulatory 
impact analysis has been prepared, and the rule has been reviewed by 
OMB.
    When estimating the total costs associated with changes to the 42 
CFR part 2 regulations, we assumed five sets of costs: updates to 
health IT systems costs, costs for staff training and updates to 
training curriculum, costs to update patient consent forms, costs 
associated with providing patients a list of entities to which their 
information has been disclosed pursuant to a general designation on the 
consent form (i.e., the List of Disclosures requirement), and 
implementation costs associated with the List of Disclosures 
requirements. We assumed that costs associated with modifications to 
existing health IT systems, staff training costs associated with 
updating staff training materials, and costs to update consent forms 
would be one-time costs the first year the final rule is in effect and 
would not carry forward into future years. Staff training costs other 
than those associated with updating training materials were assumed to 
be ongoing annual costs to part 2 programs, also beginning in the first 
year that the final rule is in effect. The List of Disclosures costs 
were assumed to be ongoing annual costs to entities named on a consent 
form that disclose patient identifying information to their 
participants under the general designation. In the NPRM, SAMHSA 
proposed to require non-treating providers to implement the List of 
Disclosures requirement at any time, but they cannot use the general 
designation without being able to provide a List of Disclosures. 
Therefore, we assumed that starting in year 1 ten percent of entities 
would decide to implement each year, resulting in 100 percent of 
entities implementing by year 10. We note that it is possible that some 
entities will never implement this requirement and choose to forego use 
of the general designation.
    We estimated, therefore, that in the first year that the final rule 
is in effect, the total costs associated with updates to 42 CFR part 2 
will be about $70, 691,000. In year two, we estimate that costs will be 
roughly $17,680,000 and increase annually as a larger share of entities 
implement List of Disclosures requirements and respond to disclosure 
requests. Over the 10-year period of 2016-2025, the total undiscounted 
cost of the part 2 changes will be about $241 million in 2016 dollars. 
When future costs are discounted at 3 percent or 7 percent per year, 
the total costs become approximately $217, 586,000 or

[[Page 6110]]

$193,098,000, respectively. These costs are presented in the tables 
below.

                                                     Table 3--Total Cost of 42 CFR Part 2 Revisions
                                                       [Note: Numbers may not add due to rounding]
                   [Note that all costs presented in this analysis are rounded to avoid communicating inaccurate levels of precision]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                             Staff training      Consent form         List of
                           Year                                  costs             updates          disclosures      Health IT costs      Total costs
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                     [2016 dollars]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                         (A)                (B)                (C)                (D)                (E)
--------------------------------------------------------------------------------------------------------------------------------------------------------
2016.....................................................        $15,521,000         $2,104,000         $4,930,000        $48,136,000        $70,691,000
2017.....................................................         12,438,000                  0          5,242,000                  0         17,680,000
2018.....................................................         12,438,000                  0          5,554,000                  0         17,992,000
2019.....................................................         12,438,000                  0          5,866,000                  0         18,304,000
2020.....................................................         12,438,000                  0          6,178,000                  0         18,616,000
2021.....................................................         12,438,000                  0          6,490,000                  0         18,928,000
2022.....................................................         12,438,000                  0          6,802,000                  0         19,240,000
2023.....................................................         12,438,000                  0          7,114,000                  0         19,552,000
2024.....................................................         12,438,000                  0          7,426,000                  0         19,864,000
2025.....................................................         12,438,000                  0          7,738,000                  0         20,176,000
Total....................................................        127,463,000          2,104,000         63,338,000         48,136,000        241,040,000
--------------------------------------------------------------------------------------------------------------------------------------------------------


                       Table 4--Total Cost of 42 CFR Part 2 Revisions--Annual Discounting
                                   [Note: Numbers may not add due to rounding]
----------------------------------------------------------------------------------------------------------------
                                                                              Total with 3%      Total with 7%
                          Year                              Total costs           annual             annual
                                                                               discounting        discounting
----------------------------------------------------------------------------------------------------------------
                                                 [2016 dollars]
----------------------------------------------------------------------------------------------------------------
                                                                       (E)                (F)                (G)
----------------------------------------------------------------------------------------------------------------
2016...................................................        $70,691,000        $70,691,000        $70,691,000
2017...................................................         17,680,000         17,165,000         16,523,000
2018...................................................         17,992,000         16,959,000         15,715,000
2019...................................................         18,304,000         16,751,000         14,941,000
2020...................................................         18,616,000         16,540,000         14,202,000
2021...................................................         18,928,000         16,327,000         13,495,000
2022...................................................         19,240,000         16,113,000         12,820,000
2023...................................................         19,552,000         15,897,000         12,176,000
2024...................................................         19,864,000         15,681,000         11,561,000
2025...................................................         20,176,000         15,463,000         10,974,200
Total..................................................        241,040,000        217,586,000        193,098,000
Annualized.............................................  .................      25,507,717.01      27,492,811.02
----------------------------------------------------------------------------------------------------------------
Note: Numbers may not add due to rounding.

    The costs associated with the proposed revisions stem from staff 
training and updates to training curriculum, updates to patient consent 
forms, compliance with the List of Disclosures requirement (including 
implementation costs), and updates to health IT infrastructure for 
information exchange. Based on data from the 2013 N-SSATS, we estimated 
that 12,034 hospitals, outpatient treatment centers, and residential 
treatment facilities are covered by part 2. N-SSATS is an annual survey 
of U.S. substance use disorder treatment facilities. Data is collected 
on facility location, characteristics, and service utilization. Not all 
treatment providers included in N-SSATs are believed to be under the 
jurisdiction of the part 2 regulations. The 12,034 number is a subset 
of the 14,148 substance use disorder treatment facilities that 
responded to the 2013 N-SSATS, and includes all federally operated 
facilities, facilities that reported receiving public funding other 
than Medicare and Medicaid, facilities that reported accepting 
Medicare, Medicaid, TRICARE, and/or Access to Recovery (ATR) voucher 
payments, or were SAMHSA-certified Opioid Treatment Programs. If a 
facility did not have at least one of these conditions, it was 
interpreted not to have received any federal funding and, therefore, 
not included in the estimate. The estimated annual number of 
respondents, 12,034, is based on N-SSATS data and reflects facilities 
receiving federal funding. However, under N-SSATS an organization may 
complete survey responses for multiple facilities it oversees. Thus, an 
organization with three facilities may complete three separate surveys.
    If an independently practicing clinician does not meet the 
requirements of paragraph (1) of the definition of Program they may be 
subject to 42 CFR part 2 if they constitute an identified unit within a 
general medical facility which holds itself out as providing, and 
provides, substance use disorder diagnosis, treatment, or referral for 
treatment or if their primary function in the facility or practice is 
the provision of such services and they are identified as providing 
such services. Due to data limitations, it was not possible to estimate 
the costs

[[Page 6111]]

for independently practicing providers covered by part 2 that did not 
participate in the 2013 N-SSATS. For example, data from American Board 
of Addiction Medicine (ABAM) provides the number of physicians since 
2000 who have active ABAM certification. However, there is no source 
for the number of physicians who have not participated in the ABAM 
certification process. In addition, it is not possible to determine 
which ABAM-certified physicians practice in a general medical setting 
rather than in a specialty treatment facility that was already counted 
in the N-SSATS data.
    Several provisions in the NPRM referenced ``other lawful holders of 
patient identifying information'' in combination with part 2 programs. 
These other lawful holders must comply with part 2 requirements with 
respect to information they maintain that is covered by part 2 
regulations. However, because this group could encompass a wide range 
of organizations, depending on whether they received part 2 data via 
patient consent or as a result of one of the limited exceptions to the 
consent requirement specified in the regulations, we are unable to 
include estimates regarding the number and type of these organizations 
and only included part 2 programs in this analysis.
    In addition to the part 2 programs described above, SAMHSA proposed 
that entities named on a consent form that disclose patient identifying 
information to their participants under the general designation must 
provide patients, upon request, a list of entities to which their 
information has been disclosed pursuant to a general designation (i.e., 
list of disclosures). These entities primarily would include 
organizations that facilitate the exchange of health information (e.g., 
HIEs), and may also include organizations responsible for care 
coordination (e.g., ACOs, CCOs, and CPCMHs). The most recent estimates 
of these types of entities are 67 functional, publicly funded HIEs and 
161 functional, privately funded HIEs in 2013.\1\ As of January 2015, 
there were an estimated 744 ACOs covering approximately 23.5 million 
individuals.\2\ Finally, the National Committee for Quality Assurance 
(NCQA) recently noted that there are now more than 10,000 NCQA-
recognized CPCMHs.\3\ While these types of organizations were the 
primary focus of this provision on the consent form, other types of 
entities, such as research institutions, may also disclose patient 
identifying information to their participants (e.g., clinical 
researchers) pursuant to the general designation on the consent form. 
Because there are no definitive data sources for this potential range 
of organizations, we are not associating requests for lists of 
disclosures with any particular type of organization. We, instead, 
estimate the number of organizations that must respond to list of 
disclosures requests based on the total number of requests each year.
a. Direct Costs of Implementing the Proposed Regulations
    There is no known baseline estimate of the current costs associated 
with 42 CFR part 2-compliance. However, as reflected by commenters who 
requested alignment between HIPAA and 42 CFR part 2, HIPAA 
authorization and notification requirements have similarities to 
requirements of 42 CFR part 2 (see http://www.hhs.gov/hipaa/for-professionals/privacy/index.html). Instead, therefore, in the absence 
of data and studies specifically focused on compliance with 42 CFR part 
2, SAMHSA has estimated these costs based on a range of published costs 
associated with HIPAA implementation and compliance.4 5
i. Staff Training
    Because SAMHSA lacks specific data regarding the cost of staff 
training to comply with 42 CFR part 2, SAMHSA has examined analogous 
HIPAA implementation costs. A Standard HIPAA training that meets or 
exceeds the federal training requirements is, on average, one hour 
long.\6\ Therefore, we also estimated one hour of training per staff to 
achieve proficiency in the 42 CFR part 2 regulations. To estimate the 
labor costs associated with staff training, we averaged the average 
hourly costs for counseling staff in specialty treatment centers 
($20.33 \7\), hospital treatment centers ($21.80 \8\), and solo 
practice offices ($24.67 \[9]\). The resulting average wage rate was 
$22.27 per hour. In order to account for benefits and overhead costs 
associated with staff time, we multiplied the average hourly wage rate 
by two. These estimates were only for training costs associated with 
counseling staff, who we assume will have primary responsibility for 
executing the functions associated with the part 2 revisions.
    It is important as well to note that many current staff already 
have familiarity with current (1987) 42 CFR part 2 requirements. With 
regard to training materials, most part 2 programs are assumed to 
already have training curricula in place that covers current (1987) 42 
CFR part 2 regulations, and, therefore, these facilities would only 
need to update existing training materials rather than develop new 
materials. Part 2 entities may determine the content of this training. 
The American Hospital Association estimated that the costs for the 
development of Privacy and Confidentiality training, which would 
include the development of training materials and instructor labor 
costs, was $16 per employee training hour in 2000.\[10]\ Because we 
assumed that part 2 programs would be updating existing rather than 
developing entirely new training materials, we estimated the cost of 
training development to be one-half of the cost of developing new 
materials, or $8 per employee. Adjusted for inflation,\[11]\ training 
development costs in 2016 would be $11.04 per employee.
    Using SAMHSA's 2010-2012 TEDS average annual number of treatment 
admissions (n=1,861,693) as an estimate of the annual number of 
patients at part 2 programs and calculated staffing numbers based on a 
range of counseling staff-to-client ratios (i.e., 1 to 10 \[12]\ and 1 
to 5 \[13]\ ). Based on these assumptions, staff training costs 
associated with part 2 patient consent procedures were projected to 
range from $10.3 million to $20.7 million in 2016. We averaged the two 
estimated costs for staff training to determine the final overall 
estimate of $15,521,000. We assumed the costs associated with updating 
training materials will be a one-time cost. Therefore, in subsequent 
years, we assumed the costs associated with staff training would be a 
function of the average hourly wage rate (multiplied by two to account 
for benefits and overhead costs) and the estimated number of staff 
(developed based on the same two staff-to-client ratios described above 
multiplied by estimated patient counts). Staff training costs 
associated with part 2 revisions were projected to range from $8.3 
million to $16.6 million after 2016. We averaged the two estimated 
costs for staff training to determine the final overall estimate of 
$12,438,000.
ii. Updates to Consent Forms
    Updates to the 42 CFR part 2 regulations will need to be reflected 
in patient consent forms. As there is no literature to date on costs to 
update forms for 42 CFR part 2, we examined results from a 2008 study 
from the Mayo Clinic Health Care Systems[thinsp]\[14]\ that reported 
actuarial costs for HIPAA implementation activities. These costs were 
about $1 per patient visit. Adjusted for inflation, costs associated 
with updating the patient consent forms in 2016 would be $1.13 per 
patient visit. We used the average number of substance abuse treatment 
admissions

[[Page 6112]]

from SAMHSA's 2010-2012 TEDS as our estimate of the number of clients 
treated on an annual basis by part 2 facilities. The total cost burden 
associated with updating the consent forms to reflect to the updated 42 
CFR part 2 regulations would be approximately $2,104,000 (1,861,693 * 
$1.13).\[14]\
iii. List of Disclosures Costs
    The proposed part 2 regulations allow patients who have consented 
to disclose their identifying information using a general designation 
to request a list of entities to which their information has been 
disclosed pursuant to the general designation. Under this final rule, 
entities named on a consent form that disclose patient identifying 
information to their participants under the general designation will be 
required to provide a list of disclosures after receiving a patient 
request. Under the List of Disclosures requirements, a patient could 
make a request, for example, to an organization that facilitates the 
exchange of health information (e.g., an HIE) or an organization 
responsible for coordinating care (e.g., an ACO) for a list of 
disclosures that would include the name of the entity to whom each 
disclosure was made, the date of the disclosure, and a brief 
description of the patient identifying information disclosed, and 
include this information for all entities to whom the patient 
identifying information has been disclosed pursuant to the general 
designation in the past two years.
    For purposes of the analysis, we assumed that entities disclosing 
patient identifying information to their participants pursuant to a 
patient's general designation on a consent form are already collecting 
the information necessary to comply with the List of Disclosures 
requirement, in some form, either electronically or using paper 
records. We also assumed that these entities could comply with the List 
of Disclosures requirement by either collecting this information 
electronically by using audit logs to obtain the required information 
or by keeping a paper record. However, to address possible concerns 
about technical feasibility and other implementation issues, SAMHSA 
finalizes its proposal that the List of Disclosures requirement may be 
implemented at any time, but non-treating providers cannot use the 
general designation without being able to provide a List of Disclosures 
to allow entities collecting this information time to review their 
operations and business processes and to decide whether technological 
solutions are needed to enable them to more efficiently comply with the 
requirement.
    In order to make preliminary estimates of the implementation costs, 
we first estimated the number of potentially impacted entities based on 
the anticipated number of patient requests for a disclosure report in a 
calendar year. We used the average number of substance use disorder 
treatment admissions from SAMHSA's 2010-2012 TEDS (n = 1,861,693) as 
the number of patients treated annually by part 2 programs. We then 
used the average of a 0.1 and 2 percent patient request rate as our 
estimate of the number of impacted entities (n = 19,548).
    From there, we assumed 10 percent of the impacted entities would 
use paper records to comply with the disclosure reporting requirements 
(n = 1,995) and would have minimal implementation costs. Among the 
remaining entities, many may be able to comply with the disclosure 
reporting requirements without developing or implementing new 
technologies. For entities that do choose to either update their 
existing capabilities or develop and implement new technologies to 
facilitate compliance, we assumed two sets of costs: (1) Planning and 
policy development costs and (2) system update costs. SAMHSA notes that 
the Office of the National Coordinator for Health Information 
Technology and other organizations are encouraging adoption of 
electronic health records to allow providers to access patient records 
remotely, improve communication with patients and other providers and 
reduce errors (https://www.healthit.gov/providers-professionals/benefits-electronic-health-records-ehrs)). For these reasons, we 
believe that the trend toward adoption of electronic health records 
will continue.
    Absent any data on the number of facilities that would require new 
technology or the type of technology to be implemented, we assumed that 
twenty-five percent (n = 4,398) of the remaining entities would choose 
to upgrade their existing health IT systems. The actual system upgrade 
costs will vary considerably based on the type of upgrades that are 
required. Some entities may only require minor system updates to 
streamline the reporting requirements, while others may choose to 
implement an entirely new system. Given these data limitations, we 
assumed an average, per-entity cost, of $2,500 for planning development 
costs and an average, per-entity cost, of $8,000 for system upgrades 
for a total cost of $10,500. We assume that ten percent of entities 
will implement each year, resulting in 100 percent of the 4,398 
entities having implemented the system planning and upgrades by year 
10. The implementation costs for List of Disclosures reporting 
compliance in year 1, and each year thereafter, are estimated to be 
approximately $4,618,000 ([4,398*0.10] * [8,000+2,500]). We acknowledge 
that without better data on the number of facilities that may require 
new technology and the number of facilities that would use the general 
designation and therefore be required to comply with the list of 
disclosures requirement, this approach may overestimate or 
underestimate the costs.
    As entities begin to comply with the disclosure reporting 
requirements, we assumed that the majority of the costs associated with 
the List of Disclosures requirement would primarily come from staff 
time needed to prepare a list of disclosures upon a patient's request. 
We also assumed that the information would need to be converted to a 
format that is accessible to patients.
    For those entities with a health IT system, we expected that 
disclosure information would be available in the system's audit log. We 
also assumed that, unless the audit log has some sort of electronic 
filtering system, it would contain information above and beyond the 
requirements for complying with a request for a list of disclosures. We 
had also assumed that the staff accessing and filtering an audit log to 
compile the information for lists of disclosures would be health 
information technicians. The average hourly rate for health information 
technicians is $19.44 an hour.\[15]\ In order to account for benefits 
and overhead costs associated with staff time, we multiplied the hourly 
wage rate by two. Absent any existing information on the amount of time 
associated with producing a list of disclosures from an audit log, we 
assumed it would take a health information technician half a day (or 4 
hours) on average, to produce the list from an audit log.
    For entities using paper records to track disclosures, we expected 
that a staff member would need to gather and aggregate the requested 
list of disclosures from paper records. We assumed medical record 
technicians would be the staff with the primary responsibility for 
compiling the information for a list of disclosures. The average hourly 
rate for medical record technicians is $19.44 an hour an hour.\[16]\ In 
order to account for benefits and overhead costs associated with staff 
time, we multiplied the hourly wage rate by two. Absent any existing

[[Page 6113]]

information on the amount of time associated with producing a list of 
disclosures from paper records, we assumed it would take a medical 
record technician 3 hours, on average, to produce the list from paper 
records. \[17]\
    The number of requests for a list of disclosures will determine the 
overall burden associated with the List of Disclosures reporting 
requirements. However, because this is a new requirement, there were no 
data on which to base an estimated number of requests per year. We 
expected that the rate of requests will be relatively low. We therefore 
calculated the total costs for two rates, 0.1 percent and 2 percent of 
patients per year.
    We used the average number of substance use disorder treatment 
admissions from SAMHSA's 2010-2012 TEDS as the number of patients 
treated annually by part 2 programs. Assuming that 10 percent of 
patients making requests (n = 186.17 to n = 3,723.39) would request a 
list of disclosures from entities that track disclosures through paper 
records and 90 percent of patients making requests (n = 1,675.52 to n = 
33,510.47) would make such a request of entities that track disclosures 
through health IT audit logs, the estimated costs to develop lists of 
disclosures range from roughly $21,700 to $434,300 for entities using 
paper records, and $261,000 to $5,212,000 for entities using audit 
logs. (These ranges reflect the costs based on the two estimated 
patient rates of request referenced above (i.e., 0.1 percent and 2 
percent of patients per year)).
    Once a list of disclosures has been produced, it can be returned to 
the patient either by email or mail. Since the method of sending the 
list of disclosures depends on patient preference, we assumed that 50 
percent of the lists of disclosures would be sent by email and 50 
percent by first-class mail. We assumed that mailing and supply costs 
related to list of disclosures notifications were $0.10 supply cost per 
notification and $0.49 postage cost per mailing. We also estimated that 
it would take an administrative staff member 15 minutes to prepare each 
list of disclosures for mailing and/or transmitting, and that staff 
preparing the letters earn $15.34  \[18]\ per hour. In order to account 
for benefits and overhead costs associated with staff time, we 
multiplied the hourly wage rate by two. The estimated costs for list of 
disclosures notifications range from approximately $7, 700 to $154,000 
for notifications sent by first-class mail, and $7, 140 to $143, 000 
for notifications sent by email.
    To produce the final overall cost estimate, we took the average of 
the minimum and maximum estimated costs to develop lists of disclosures 
by entities collecting the information electronically by using an audit 
log, and the average of the minimum and maximum estimated costs to 
develop lists of disclosures by entities using paper records. We then 
added the averages together to produce our estimate of the total cost 
to entities to develop lists of disclosures. Next we took the average 
of the minimum and maximum estimated costs for list of disclosures 
notifications sent via email and the minimum and maximum estimated 
costs for such notifications sent via first-class mail. We then added 
these two averages together to produce our estimate of the total cost 
to entities for list of disclosures notifications. Finally, the 
development and notification costs for these lists of disclosures were 
added together for the final estimate of costs associated with 
complying with List of Disclosures reporting requirements. The total 
cost for List of Disclosures reporting compliance across all entities 
was roughly $3,120,000 in 2016 dollars. Complying with List of 
Disclosures requirements is assumed to be an ongoing, annual activity 
for entities that have completed the system upgrade and comply with the 
disclosure requirements. Since we assume 10 percent of entities begin 
to comply with the requirements each year, year 1 reporting compliance 
costs is roughly $312,000 (3,120,000*0.10) and $624,000 (3,120, 
000*0.20) in year 2, and continues to increase each year until year 10 
all entities are complying and have annual compliance costs of 
$3,120,000

                           Table 5--Total Estimated Disclosure Reporting Costs in 2018
                                   [Note: Numbers may not add due to rounding]
----------------------------------------------------------------------------------------------------------------
                                                         Minimum estimated  Maximum estimated  Average estimated
                                                                cost               cost               cost
----------------------------------------------------------------------------------------------------------------
Facilities with a Health IT System.....................           $261,000         $5,212,000         $2,736,000
Facilities without a Health IT System..................             21,700            434,300            228,000
                                                        --------------------------------------------------------
    Total Costs........................................  .................  .................          2,964,000
Average Number of Facilities...........................  .................  .................             19,548
----------------------------------------------------------------------------------------------------------------


                         Table 6--Total Estimated Disclosure Notification Costs in 2018
                                   [Note: Numbers may not add due to rounding]
----------------------------------------------------------------------------------------------------------------
                                                         Minimum estimated  Maximum estimated  Average estimated
                                                                cost               cost               cost
----------------------------------------------------------------------------------------------------------------
Email Notification.....................................             $7,100           $143,000            $75,000
First Class Mail Notification..........................              7,700            154,000             81,000
                                                        --------------------------------------------------------
    Total Costs........................................  .................  .................            156,000
----------------------------------------------------------------------------------------------------------------

iv. IT Updates
    SAMHSA, in collaboration with ONC and federal and community 
stakeholders, has developed Consent2Share which is an open source tool 
for consent management and data segmentation that is designed to 
integrate with existing EHR and HIE systems. SAMHSA plans to release 
shortly an updated version of Consent2Share with improved functionality 
and ability to meet list of disclosures requirements.
    The Consent2Share architecture has a front-end, patient facing 
system known as Patient Consent Management and a backend control system 
known as

[[Page 6114]]

Access Control Services. Communications with EHR vendors indicated that 
the cost to facilities of purchasing and installing additional 
functionality to existing electronic medical records applications, such 
as Consent2Share, typically range from $2,500 to $5,000. Because the 
add-on systems for part 2 programs may be more complex than standard 
patient monitoring systems, we estimated that the cost of adding the 
new functionality would be approximately $8,000 per facility. We also 
assumed that this would be a one-time expense, rather than a recurring 
cost, for each provider. SAMHSA acknowledges that there may be 
fluctuation in costs among affected entities from the average cost. 
However, though costs could possibly be higher for some entities, 
information shared by commenters was largely anecdotal and it is 
unclear how such data could be broadly extrapolated to a wide range of 
entities.
    Furthermore, national estimates indicated that no more than 50 
percent of substance use disorder treatment facilities have an 
operational ``computerized administrative information system.'' \[19]\ 
We, therefore, estimated that only half of the 12,034 part 2 programs 
(i.e., 6,017 facilities) would have operational health IT systems that 
would require modifications to account for the changes to 42 CFR part 
2. With 6,017 part 2 programs with operational information systems, we 
estimated that each facility would need to spend $8,000 to modify their 
health IT system, which would lead to a total burden for updating 
health IT systems of $48.1 million. Updating health IT systems would be 
a one-time cost, and maintenance costs should be part of general health 
IT maintenance costs in later years. The final rule does not require 
that part 2 programs adopt health IT systems so there are no health IT 
costs associated with substance use disorder treatment facilities that 
continue to use paper records.

C. Regulatory Flexibility Act (RFA)

    The RFA requires agencies to analyze options for regulatory relief 
of small entities. For purposes of the RFA, small entities include 
small businesses, nonprofit organizations, and small governmental 
jurisdictions. Most hospitals and most other providers are small 
entities, either by nonprofit status or by having revenues of less than 
$7.5 million to $38.5 million in any one year. Individuals and states 
are not included in the definition of a small entity. We are not 
preparing an analysis for the RFA because we have determined, and the 
Secretary certifies, that this final rule will not have a significant 
economic impact on a substantial number of small entities. While the 
changes in the regulations will apply to all part 2 programs, the 
impact on these entities would be quite small. Specifically, as 
described in the Overall Impact section, the cost to part 2 programs 
associated with updates to 42 CFR part 2 in the first year that the 
final rule is in effect will be $76.1 million, a figure that due to a 
number of one-time updates, is the highest for any of the 10 years 
estimated. The per-entity economic impact in the first year will be 
approximately $6,300 ($76,100,000 / 12,034), a figure that is unlikely 
to represent 3 percent of revenues for 5 percent of impacted small 
entities. Consequently, it has been determined that the final rule will 
not have a significant economic impact on small entities.
    In addition, Section 1102(b) of the Act requires us to prepare a 
regulatory impact analysis if a rule may have a significant impact on 
the operations of a substantial number of small rural hospitals. This 
analysis must conform to the provisions of Section 603 of the RFA. For 
purposes of Section 1102(b) of the Act, we defined a small rural 
hospital as a hospital that is located outside of a Metropolitan 
Statistical Area for Medicare payment regulations and has fewer than 
100 beds. We are not preparing an analysis for Section 1102(b) of the 
Act because we have determined, and the Secretary certifies, that this 
final rule will not have a significant impact on the operations of a 
substantial number of small rural hospitals.

D. Unfunded Mandates Reform Act

    Section 202 of the Unfunded Mandates Reform Act of 1995 also 
requires that agencies assess anticipated costs and benefits before 
issuing any rule whose mandates require spending in any one year of 
$100 million in 1995 dollars, updated annually for inflation. In 2016, 
that threshold is approximately $146 million. This rule will have no 
consequential effect on state, local, or tribal governments or on the 
private sector.

E. Federalism (Executive Order 13132)

    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a proposed rule (and subsequent 
final rule) that imposes substantial direct requirement costs on state 
and local governments, preempts state law, or otherwise has Federalism 
implications. Since this rule does not impose any costs on state or 
local governments, the requirements of Executive Order 13132 are not 
applicable.
    SAMHSA is modernizing 42 CFR part 2. With respect to our revisions 
to the part 2 regulations, we do not believe that this final rule will 
have a significant impact as it gives more flexibility to individuals 
and entities covered by 42 CFR part 2 but also adds privacy protections 
within the consent requirements for the patient. We are revising the 
part 2 regulations in response to concerns that 42 CFR part 2 was 
outdated and burdensome.
    Executive Order 13132 on Federalism (August 4, 1999) establishes 
certain requirements that an agency must meet when it promulgates a 
proposed rule (and subsequent final rule) that imposes substantial 
direct requirement costs on state and local governments, preempts state 
law, or otherwise has Federalism implications. We have reviewed this 
final rule under the threshold criteria of Executive Order 13132, 
Federalism, and have determined that it will not have substantial 
direct effects on the rights, roles, and responsibilities of states, 
local or tribal governments.
Conclusion
    SAMHSA is enacting changes to modernize 42 CFR part 2. With respect 
to our revisions to the regulations, we do not believe that this final 
rule will have a significant impact as it gives more flexibility to 
individuals and entities covered by 42 CFR part 2 but also increases 
privacy protections within the consent requirements and adds an 
additional confidentiality safeguard for patients. This final rule does 
not reach the threshold for requiring a regulatory impact analysis by 
Executive Orders 12866 and 13563 and thus is not considered an 
economically significant rule. This rule will not have a significant 
economic impact on a substantial number of small entities. This rule 
will not have a significant impact on the operations of a substantial 
number of small rural hospitals. Since this rule does not impose any 
costs on state or local governments, the requirements of Executive 
Order 13132 on federalism are not applicable.
    Footnotes

    1. Trends in Health Information Exchanges (Trends in Health 
Information Exchanges) https://innovations.ahrq.gov/perspectives/trends-health-information-exchanges#3.
    2. Muhlestein, D. (2015). Growth and Dispersion of Accountable 
Care Organizations in 2015. Health Affairs Blog, 19.
    3. National Committee for Quality Assurance. A Victory Lap . . . 
For Patients.

[[Page 6115]]

Blog, May 15, 2015. http://blog.ncqa.org/a-victory-lap-for-patients/
.
    4. Kilbridge, P. (2003). The cost of HIPAA compliance. New 
England Journal of Medicine, 348(15), 1423-1477.
    5. Williams, A.R., Herman, D.C., Moriarty, J.P., Beebe, T.J., 
Bruggeman, S.K., Klavetter, E.W. & Bartz, J.K. (2008). HIPAA costs 
and patient perceptions of privacy safeguards at Mayo Clinic. Joint 
Commission Journal on Quality and Patient Safety, 34 (1), 27-35.
    6. 65 FR 82462, 82770 (Dec. 28, 2000) (Standards for Privacy of 
Individually Identifiable Health Information).
    7. Bureau of Labor Statistics, U.S. Department of Labor, 
Occupational Employment Statistics, [accessed May 2, 2015] 
Outpatient Mental Health and Substance Abuse Centers (NAICS code 
621420), Standard Occupations Classification code (211011) 
[www.bls.gov/oes/].
    8. Bureau of Labor Statistics, U.S. Department of Labor, 
Occupational Employment Statistics, [accessed May 2, 2014] 
Psychiatric and Substance Abuse Hospitals (NAICS code 622200), 
Standard Occupations Classification code (211011) [www.bls.gov/oes/
].
    9. Bureau of Labor Statistics, U.S. Department of Labor, 
Occupational Employment Statistics, [accessed September 23, 2014] 
Offices of Mental Health Practitioners (except Physicians) (NAICS 
code 621330), Standard Occupations Classification code (211011) 
[www.bls.gov/oes/].
    10. These estimates are not HHS estimates nor are they HHS-
endorsed cost estimates of HIPAA implementation and compliance.
    11. Calculated using the Consumer Price Index.
    12. North Carolina NC Administrative Code [accessed September 
23, 2014]. [http://reports.oah.state.nc.us/ncac/title%2010a%20-%20health%20and%20human%20services/chapter%2013%20-%20nc%20medical%20care%20commission/subchapter%20b/10a%20ncac%2013b%20.5203.pdf.]
    13. Commonwealth of Pennsylvania--Department of Health Staffing 
Requirements for Drug and Alcohol Treatment Activities [accessed 
September 23, 2014]. [http://www.pacode.com/secure/data/028/chapter704/s704.12.html.]
    14. Williams, A.R., Herman, D.C., Moriarty, J.P., Beebe, T.J., 
Bruggeman, S.K., Klavetter, E.W. & Bartz, J.K. (2008). HIPAA costs 
and patient perceptions of privacy safeguards at Mayo Clinic. Joint 
Commission Journal on Quality and Patient Safety, 34 (1), 27-35.
    15. Bureau of Labor Statistics, U.S. Department of Labor, 
Occupational Employment Statistics, Standard Occupations 
Classification code (29-2071) [www.bls.gov/oes/].
    16. IBID.
    17. For facilities that maintain paper records, consent forms 
would indicate who has been given access to the record. By contrast, 
our understanding of health IT audit logs is that they include a 
record of all instances in which a record has been accessed. The 
audit log will include a record of who accessed the system, the date 
the record was accessed, and what operations were performed. The 
audit logs, therefore, will include considerably more data than what 
we would anticipate finding in paper records. Unless the audit log 
has an electronic filtering system, we are assuming that a health 
information technician will need to manually review all records in 
an audit log in order to compile the necessary information for a 
list of disclosures.
    18. Bureau of Labor Statistics, U.S. Department of Labor, 
Occupational Employment Statistics, [accessed June 3, 2015], 
Standard Occupations Classification code (31-9092) [www.bls.gov/oes/
].
    19. McLellan, A.T., Kathleen Meyers, K., Contemporary addiction 
treatment: A review of systems problems for adults and adolescents, 
Biological Psychiatry, Volume 56, Issue 10, 15 November 2004, Pages 
764-770, ISSN 0006-3223, http://dx.doi.org/10.1016/j.biopsych.2004.06.018.

List of Subjects in 42 CFR Part 2

    Alcohol abuse, Alcoholism, Drug abuse, Grant programs-health, 
Health records, Privacy, Reporting, and Recordkeeping requirements.

0
For the reasons stated in the preamble of this final rule, SAMHSA 
revises 42 CFR part 2 to read as follows:

PART 2--CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS

Subpart A--Introduction
Sec.
2.1 Statutory authority for confidentiality of substance use 
disorder patient records.
2.2 Purpose and effect.
2.3 Criminal penalty for violation.
2.4 Reports of violations.
Subpart B--General Provisions
Sec.
2.11 Definitions.
2.12 Applicability.
2.13 Confidentiality restrictions and safeguards.
2.14 Minor patients.
2.15 Incompetent and deceased patients.
2.16 Security for records.
2.17 Undercover agents and informants.
2.18 Restrictions on the use of identification cards.
2.19 Disposition of records by discontinued programs.
2.20 Relationship to state laws.
2.21 Relationship to federal statutes protecting research subjects 
against compulsory disclosure of their identity.
2.22 Notice to patients of federal confidentiality requirements.
2.23 Patient access and restrictions on use.
Subpart C--Disclosures with Patient Consent
Sec.
2.31 Consent requirements.
2.32 Prohibition on re-disclosure.
2.33 Disclosures permitted with written consent.
2.34 Disclosures to prevent multiple enrollments.
2.35 Disclosures to elements of the criminal justice system which 
have referred patients.
Subpart D--Disclosures without Patient Consent
Sec.
2.51 Medical emergencies.
2.52 Research.
2.53 Audit and evaluation.
Subpart E--Court Orders Authorizing Disclosure and Use
Sec.
2.61 Legal effect of order.
2.62 Order not applicable to records disclosed without consent to 
researchers, auditors and evaluators.
2.63 Confidential communications.
2.64 Procedures and criteria for orders authorizing disclosures for 
noncriminal purposes.
2.65 Procedures and criteria for orders authorizing disclosure and 
use of records to criminally investigate or prosecute patients.
2.66 Procedures and criteria for orders authorizing disclosure and 
use of records to investigate or prosecute a part 2 program or the 
person holding the records.
2.67 Orders authorizing the use of undercover agents and informants 
to criminally investigate employees or agents of a part 2 program.

    Authority:  42 U.S.C. 290dd-2.

Subpart A--Introduction


Sec.  2.1  Statutory authority for confidentiality of substance use 
disorder patient records.

    Title 42, United States Code, Section 290dd-2(g) authorizes the 
Secretary to prescribe regulations. Such regulations may contain such 
definitions, and may provide for such safeguards and procedures, 
including procedures and criteria for the issuance and scope of orders, 
as in the judgment of the Secretary are necessary or proper to 
effectuate the purposes of this statute, to prevent circumvention or 
evasion thereof, or to facilitate compliance therewith.


Sec.  2.2  Purpose and effect.

    (a) Purpose. Pursuant to 42 U.S.C. 290dd-2(g), the regulations in 
this part impose restrictions upon the disclosure and use of substance 
use disorder patient records which are maintained in connection with 
the performance of any part 2 program. The regulations in this part 
include the following subparts:
    (1) Subpart B of this part: General Provisions, including 
definitions, applicability, and general restrictions;
    (2) Subpart C of this part: Disclosures with Patient Consent, 
including disclosures which require patient consent and the consent 
form requirements;
    (3) Subpart D of this part: Disclosures without Patient Consent, 
including disclosures which do not require patient

[[Page 6116]]

consent or an authorizing court order; and
    (4) Subpart E of this part: Court Orders Authorizing Disclosure and 
Use, including disclosures and uses of patient records which may be 
made with an authorizing court order and the procedures and criteria 
for the entry and scope of those orders.
    (b) Effect. (1) The regulations in this part prohibit the 
disclosure and use of patient records unless certain circumstances 
exist. If any circumstance exists under which disclosure is permitted, 
that circumstance acts to remove the prohibition on disclosure but it 
does not compel disclosure. Thus, the regulations do not require 
disclosure under any circumstances.
    (2) The regulations in this part are not intended to direct the 
manner in which substantive functions such as research, treatment, and 
evaluation are carried out. They are intended to ensure that a patient 
receiving treatment for a substance use disorder in a part 2 program is 
not made more vulnerable by reason of the availability of their patient 
record than an individual with a substance use disorder who does not 
seek treatment.
    (3) Because there is a criminal penalty for violating the 
regulations, they are to be construed strictly in favor of the 
potential violator in the same manner as a criminal statute (see M. 
Kraus & Brothers v. United States, 327 U.S. 614, 621-22, 66 S. Ct. 705, 
707-08 (1946)).


Sec.  2.3  Criminal penalty for violation.

    Under 42 U.S.C. 290dd-2(f), any person who violates any provision 
of this section or any regulation issued pursuant to this section shall 
be fined in accordance with Title 18 of the U.S. Code.


Sec.  2.4  Reports of violations.

    (a) The report of any violation of the regulations in this part may 
be directed to the United States Attorney for the judicial district in 
which the violation occurs.
    (b) The report of any violation of the regulations in this part by 
an opioid treatment program may be directed to the United States 
Attorney for the judicial district in which the violation occurs as 
well as to the Substance Abuse and Mental Health Services 
Administration (SAMHSA) office responsible for opioid treatment program 
oversight.

Subpart B--General Provisions


Sec.  2.11  Definitions.

    For purposes of the regulations in this part:
    Central registry means an organization which obtains from two or 
more member programs patient identifying information about individuals 
applying for withdrawal management or maintenance treatment for the 
purpose of avoiding an individual's concurrent enrollment in more than 
one treatment program.
    Diagnosis means any reference to an individual's substance use 
disorder or to a condition which is identified as having been caused by 
that substance use disorder which is made for the purpose of treatment 
or referral for treatment.
    Disclose means to communicate any information identifying a patient 
as being or having been diagnosed with a substance use disorder, having 
or having had a substance use disorder, or being or having been 
referred for treatment of a substance use disorder either directly, by 
reference to publicly available information, or through verification of 
such identification by another person.
    Federally assisted--see Sec.  2.12(b).
    Informant means an individual:
    (1) Who is a patient or employee of a part 2 program or who becomes 
a patient or employee of a part 2 program at the request of a law 
enforcement agency or official; and
    (2) Who at the request of a law enforcement agency or official 
observes one or more patients or employees of the part 2 program for 
the purpose of reporting the information obtained to the law 
enforcement agency or official.
    Maintenance treatment means long-term pharmacotherapy for 
individuals with substance use disorders that reduces the pathological 
pursuit of reward and/or relief and supports remission of substance use 
disorder-related symptoms.
    Member program means a withdrawal management or maintenance 
treatment program which reports patient identifying information to a 
central registry and which is in the same state as that central 
registry or is in a state that participates in data sharing with the 
central registry of the program in question.
    Minor, as used in the regulations in this part, means an individual 
who has not attained the age of majority specified in the applicable 
state law, or if no age of majority is specified in the applicable 
state law, the age of 18 years.
    Part 2 program means a federally assisted program (federally 
assisted as defined in Sec.  2.12(b) and program as defined in this 
section). See Sec.  2.12(e)(1) for examples.
    Part 2 program director means:
    (1) In the case of a part 2 program that is an individual, that 
individual.
    (2) In the case of a part 2 program that is an entity, the 
individual designated as director or managing director, or individual 
otherwise vested with authority to act as chief executive officer of 
the part 2 program.
    Patient means any individual who has applied for or been given 
diagnosis, treatment, or referral for treatment for a substance use 
disorder at a part 2 program. Patient includes any individual who, 
after arrest on a criminal charge, is identified as an individual with 
a substance use disorder in order to determine that individual's 
eligibility to participate in a part 2 program. This definition 
includes both current and former patients.
    Patient identifying information means the name, address, social 
security number, fingerprints, photograph, or similar information by 
which the identity of a patient, as defined in this section, can be 
determined with reasonable accuracy either directly or by reference to 
other information. The term does not include a number assigned to a 
patient by a part 2 program, for internal use only by the part 2 
program, if that number does not consist of or contain numbers (such as 
a social security, or driver's license number) that could be used to 
identify a patient with reasonable accuracy from sources external to 
the part 2 program.
    Person means an individual, partnership, corporation, federal, 
state or local government agency, or any other legal entity, (also 
referred to as ``individual or entity'').
    Program means:
    (1) An individual or entity (other than a general medical facility) 
who holds itself out as providing, and provides, substance use disorder 
diagnosis, treatment, or referral for treatment; or
    (2) An identified unit within a general medical facility that holds 
itself out as providing, and provides, substance use disorder 
diagnosis, treatment, or referral for treatment; or
    (3) Medical personnel or other staff in a general medical facility 
whose primary function is the provision of substance use disorder 
diagnosis, treatment, or referral for treatment and who are identified 
as such providers.
    Qualified service organization means an individual or entity who:
    (1) Provides services to a part 2 program, such as data processing, 
bill collecting, dosage preparation, laboratory analyses, or legal, 
accounting, population health management, medical staffing, or other 
professional services, or services to prevent or treat child

[[Page 6117]]

abuse or neglect, including training on nutrition and child care and 
individual and group therapy, and
    (2) Has entered into a written agreement with a part 2 program 
under which that individual or entity:
    (i) Acknowledges that in receiving, storing, processing, or 
otherwise dealing with any patient records from the part 2 program, it 
is fully bound by the regulations in this part; and
    (ii) If necessary, will resist in judicial proceedings any efforts 
to obtain access to patient identifying information related to 
substance use disorder diagnosis, treatment, or referral for treatment 
except as permitted by the regulations in this part.
    Records means any information, whether recorded or not, created by, 
received, or acquired by a part 2 program relating to a patient (e.g., 
diagnosis, treatment and referral for treatment information, billing 
information, emails, voice mails, and texts). For the purpose of the 
regulations in this part, records include both paper and electronic 
records.
    Substance use disorder means a cluster of cognitive, behavioral, 
and physiological symptoms indicating that the individual continues 
using the substance despite significant substance-related problems such 
as impaired control, social impairment, risky use, and pharmacological 
tolerance and withdrawal. For the purposes of the regulations in this 
part, this definition does not include tobacco or caffeine use.
    Third-party payer means an individual or entity who pays and/or 
agrees to pay for diagnosis or treatment furnished to a patient on the 
basis of a contractual relationship with the patient or a member of the 
patient's family or on the basis of the patient's eligibility for 
federal, state, or local governmental benefits.
    Treating provider relationship means that, regardless of whether 
there has been an actual in-person encounter:
    (1) A patient is, agrees to, or is legally required to be 
diagnosed, evaluated, and/or treated, or agrees to accept consultation, 
for any condition by an individual or entity, and;
    (2) The individual or entity undertakes or agrees to undertake 
diagnosis, evaluation, and/or treatment of the patient, or consultation 
with the patient, for any condition.
    Treatment means the care of a patient suffering from a substance 
use disorder, a condition which is identified as having been caused by 
the substance use disorder, or both, in order to reduce or eliminate 
the adverse effects upon the patient.
    Undercover agent means any federal, state, or local law enforcement 
agency or official who enrolls in or becomes an employee of a part 2 
program for the purpose of investigating a suspected violation of law 
or who pursues that purpose after enrolling or becoming employed for 
other purposes.
    Withdrawal management means the use of pharmacotherapies to treat 
or attenuate the problematic signs and symptoms arising when heavy and/
or prolonged substance use is reduced or discontinued.


Sec.  2.12   Applicability.

    (a) General--(1) Restrictions on disclosure. The restrictions on 
disclosure in the regulations in this part apply to any information, 
whether or not recorded, which:
    (i) Would identify a patient as having or having had a substance 
use disorder either directly, by reference to publicly available 
information, or through verification of such identification by another 
person; and
    (ii) Is drug abuse information obtained by a federally assisted 
drug abuse program after March 20, 1972 (part 2 program), or is alcohol 
abuse information obtained by a federally assisted alcohol abuse 
program after May 13, 1974 (part 2 program); or if obtained before the 
pertinent date, is maintained by a part 2 program after that date as 
part of an ongoing treatment episode which extends past that date; for 
the purpose of treating a substance use disorder, making a diagnosis 
for that treatment, or making a referral for that treatment.
    (2) Restriction on use. The restriction on use of information to 
initiate or substantiate any criminal charges against a patient or to 
conduct any criminal investigation of a patient (42 U.S.C. 290dd-2(c)) 
applies to any information, whether or not recorded, which is drug 
abuse information obtained by a federally assisted drug abuse program 
after March 20, 1972 (part 2 program), or is alcohol abuse information 
obtained by a federally assisted alcohol abuse program after May 13, 
1974 (part 2 program); or if obtained before the pertinent date, is 
maintained by a part 2 program after that date as part of an ongoing 
treatment episode which extends past that date; for the purpose of 
treating a substance use disorder, making a diagnosis for the 
treatment, or making a referral for the treatment.
    (b) Federal assistance. A program is considered to be federally 
assisted if:
    (1) It is conducted in whole or in part, whether directly or by 
contract or otherwise by any department or agency of the United States 
(but see paragraphs (c)(1) and (2) of this section relating to the 
Department of Veterans Affairs and the Armed Forces);
    (2) It is being carried out under a license, certification, 
registration, or other authorization granted by any department or 
agency of the United States including but not limited to:
    (i) Participating provider in the Medicare program;
    (ii) Authorization to conduct maintenance treatment or withdrawal 
management; or
    (iii) Registration to dispense a substance under the Controlled 
Substances Act to the extent the controlled substance is used in the 
treatment of substance use disorders;
    (3) It is supported by funds provided by any department or agency 
of the United States by being:
    (i) A recipient of federal financial assistance in any form, 
including financial assistance which does not directly pay for the 
substance use disorder diagnosis, treatment, or referral for treatment; 
or
    (ii) Conducted by a state or local government unit which, through 
general or special revenue sharing or other forms of assistance, 
receives federal funds which could be (but are not necessarily) spent 
for the substance use disorder program; or
    (4) It is assisted by the Internal Revenue Service of the 
Department of the Treasury through the allowance of income tax 
deductions for contributions to the program or through the granting of 
tax exempt status to the program.
    (c) Exceptions-- (1) Department of Veterans Affairs. These 
regulations do not apply to information on substance use disorder 
patients maintained in connection with the Department of Veterans 
Affairs' provision of hospital care, nursing home care, domiciliary 
care, and medical services under Title 38, U.S.C. Those records are 
governed by 38 U.S.C. 7332 and regulations issued under that authority 
by the Secretary of Veterans Affairs.
    (2) Armed Forces. The regulations in this part apply to any 
information described in paragraph (a) of this section which was 
obtained by any component of the Armed Forces during a period when the 
patient was subject to the Uniform Code of Military Justice except:
    (i) Any interchange of that information within the Armed Forces; 
and
    (ii) Any interchange of that information between the Armed Forces 
and those components of the Department of Veterans Affairs furnishing 
health care to veterans.

[[Page 6118]]

    (3) Communication within a part 2 program or between a part 2 
program and an entity having direct administrative control over that 
part 2 program. The restrictions on disclosure in the regulations in 
this part do not apply to communications of information between or 
among personnel having a need for the information in connection with 
their duties that arise out of the provision of diagnosis, treatment, 
or referral for treatment of patients with substance use disorders if 
the communications are:
    (i) Within a part 2 program; or
    (ii) Between a part 2 program and an entity that has direct 
administrative control over the program.
    (4) Qualified service organizations. The restrictions on disclosure 
in the regulations in this part do not apply to communications between 
a part 2 program and a qualified service organization of information 
needed by the qualified service organization to provide services to the 
program.
    (5) Crimes on part 2 program premises or against part 2 program 
personnel. The restrictions on disclosure and use in the regulations in 
this part do not apply to communications from part 2 program personnel 
to law enforcement agencies or officials which:
    (i) Are directly related to a patient's commission of a crime on 
the premises of the part 2 program or against part 2 program personnel 
or to a threat to commit such a crime; and
    (ii) Are limited to the circumstances of the incident, including 
the patient status of the individual committing or threatening to 
commit the crime, that individual's name and address, and that 
individual's last known whereabouts.
    (6) Reports of suspected child abuse and neglect. The restrictions 
on disclosure and use in the regulations in this part do not apply to 
the reporting under state law of incidents of suspected child abuse and 
neglect to the appropriate state or local authorities. However, the 
restrictions continue to apply to the original substance use disorder 
patient records maintained by the part 2 program including their 
disclosure and use for civil or criminal proceedings which may arise 
out of the report of suspected child abuse and neglect.
    (d) Applicability to recipients of information-- (1) Restriction on 
use of information. The restriction on the use of any information 
subject to the regulations in this part to initiate or substantiate any 
criminal charges against a patient or to conduct any criminal 
investigation of a patient applies to any person who obtains that 
information from a part 2 program, regardless of the status of the 
person obtaining the information or whether the information was 
obtained in accordance with the regulations in this part. This 
restriction on use bars, among other things, the introduction of that 
information as evidence in a criminal proceeding and any other use of 
the information to investigate or prosecute a patient with respect to a 
suspected crime. Information obtained by undercover agents or 
informants (see Sec.  [thinsp]2.17) or through patient access (see 
Sec.  [thinsp]2.23) is subject to the restriction on use.
    (2) Restrictions on disclosures--(i) Third-party payers, 
administrative entities, and others. The restrictions on disclosure in 
the regulations in this part apply to:
    (A) Third-party payers with regard to records disclosed to them by 
part 2 programs or under Sec.  2.31(a)(4)(iii)(A);
    (B) Entities having direct administrative control over part 2 
programs with regard to information that is subject to the regulations 
in this part communicated to them by the part 2 program under paragraph 
(c)(3) of this section; and
    (C) Individuals or entities who receive patient records directly 
from a part 2 program or other lawful holder of patient identifying 
information and who are notified of the prohibition on re-disclosure in 
accordance with Sec.  2.32.
    (ii) [Reserved]
    (e) Explanation of applicability--(1) Coverage. These regulations 
cover any information (including information on referral and intake) 
about patients receiving diagnosis, treatment, or referral for 
treatment for a substance use disorder created by a part 2 program. 
Coverage includes, but is not limited to, those treatment or 
rehabilitation programs, employee assistance programs, programs within 
general hospitals, school-based programs, and private practitioners who 
hold themselves out as providing, and provide substance use disorder 
diagnosis, treatment, or referral for treatment. However, the 
regulations in this part would not apply, for example, to emergency 
room personnel who refer a patient to the intensive care unit for an 
apparent overdose, unless the primary function of such personnel is the 
provision of substance use disorder diagnosis, treatment, or referral 
for treatment and they are identified as providing such services or the 
emergency room has promoted itself to the community as a provider of 
such services.
    (2) Federal assistance to program required. If a patient's 
substance use disorder diagnosis, treatment, or referral for treatment 
is not provided by a part 2 program, that patient's record is not 
covered by the regulations in this part. Thus, it is possible for an 
individual patient to benefit from federal support and not be covered 
by the confidentiality regulations because the program in which the 
patient is enrolled is not federally assisted as defined in paragraph 
(b) of this section. For example, if a federal court placed an 
individual in a private for-profit program and made a payment to the 
program on behalf of that individual, that patient's record would not 
be covered by the regulations in this part unless the program itself 
received federal assistance as defined by paragraph (b) of this 
section.
    (3) Information to which restrictions are applicable. Whether a 
restriction applies to use or disclosure affects the type of 
information which may be disclosed. The restrictions on disclosure 
apply to any information which would identify a patient as having or 
having had a substance use disorder. The restriction on use of 
information to bring criminal charges against a patient for a crime 
applies to any information obtained by the part 2 program for the 
purpose of diagnosis, treatment, or referral for treatment of patients 
with substance use disorders. (Note that restrictions on use and 
disclosure apply to recipients of information under paragraph (d) of 
this section.)
    (4) How type of diagnosis affects coverage. These regulations cover 
any record of a diagnosis identifying a patient as having or having had 
a substance use disorder which is initially prepared by a part 2 
provider in connection with the treatment or referral for treatment of 
a patient with a substance use disorder. A diagnosis prepared for the 
purpose of treatment or referral for treatment but which is not so used 
is covered by the regulations in this part. The following are not 
covered by the regulations in this part:
    (i) Diagnosis which is made solely for the purpose of providing 
evidence for use by law enforcement agencies or officials; or
    (ii) A diagnosis of drug overdose or alcohol intoxication which 
clearly shows that the individual involved does not have a substance 
use disorder (e.g., involuntary ingestion of alcohol or drugs or 
reaction to a prescribed dosage of one or more drugs).


Sec.  2.13  Confidentiality restrictions and safeguards.

    (a) General. The patient records subject to the regulations in this 
part may be disclosed or used only as permitted by the regulations in 
this part

[[Page 6119]]

and may not otherwise be disclosed or used in any civil, criminal, 
administrative, or legislative proceedings conducted by any federal, 
state, or local authority. Any disclosure made under the regulations in 
this part must be limited to that information which is necessary to 
carry out the purpose of the disclosure.
    (b) Unconditional compliance required. The restrictions on 
disclosure and use in the regulations in this part apply whether or not 
the part 2 program or other lawful holder of the patient identifying 
information believes that the person seeking the information already 
has it, has other means of obtaining it, is a law enforcement agency or 
official or other government official, has obtained a subpoena, or 
asserts any other justification for a disclosure or use which is not 
permitted by the regulations in this part.
    (c) Acknowledging the presence of patients: Responding to requests. 
(1) The presence of an identified patient in a health care facility or 
component of a health care facility which is publicly identified as a 
place where only substance use disorder diagnosis, treatment, or 
referral for treatment is provided may be acknowledged only if the 
patient's written consent is obtained in accordance with subpart C of 
this part or if an authorizing court order is entered in accordance 
with subpart E of this part. The regulations permit acknowledgement of 
the presence of an identified patient in a health care facility or part 
of a health care facility if the health care facility is not publicly 
identified as only a substance use disorder diagnosis, treatment, or 
referral for treatment facility, and if the acknowledgement does not 
reveal that the patient has a substance use disorder.
    (2) Any answer to a request for a disclosure of patient records 
which is not permissible under the regulations in this part must be 
made in a way that will not affirmatively reveal that an identified 
individual has been, or is being, diagnosed or treated for a substance 
use disorder. An inquiring party may be provided a copy of the 
regulations in this part and advised that they restrict the disclosure 
of substance use disorder patient records, but may not be told 
affirmatively that the regulations restrict the disclosure of the 
records of an identified patient.
    (d) List of disclosures. Upon request, patients who have consented 
to disclose their patient identifying information using a general 
designation pursuant to Sec.  2.31(a)(4)(iii)(B)(3) must be provided a 
list of entities to which their information has been disclosed pursuant 
to the general designation.
    (1) Under this paragraph (d), patient requests:
    (i) Must be made in writing; and
    (ii) Are limited to disclosures made within the past two years;
    (2) Under this paragraph (d), the entity named on the consent form 
that discloses information pursuant to a patient's general designation 
(the entity that serves as an intermediary, as described in Sec.  
2.31(a)(4)(iii)(B)) must:
    (i) Respond in 30 or fewer days of receipt of the written request; 
and
    (ii) Provide, for each disclosure, the name(s) of the entity(-ies) 
to which the disclosure was made, the date of the disclosure, and a 
brief description of the patient identifying information disclosed.
    (3) The part 2 program is not responsible for compliance with this 
paragraph (d); the entity that serves as an intermediary, as described 
in Sec.  2.31(a)(4)(iii)(B), is responsible for compliance with the 
list of disclosures requirement.


Sec.  2.14  Minor patients.

    (a) State law not requiring parental consent to treatment. If a 
minor patient acting alone has the legal capacity under the applicable 
state law to apply for and obtain substance use disorder treatment, any 
written consent for disclosure authorized under subpart C of this part 
may be given only by the minor patient. This restriction includes, but 
is not limited to, any disclosure of patient identifying information to 
the parent or guardian of a minor patient for the purpose of obtaining 
financial reimbursement. These regulations do not prohibit a part 2 
program from refusing to provide treatment until the minor patient 
consents to the disclosure necessary to obtain reimbursement, but 
refusal to provide treatment may be prohibited under a state or local 
law requiring the program to furnish the service irrespective of 
ability to pay.
    (b) State law requiring parental consent to treatment. (1) Where 
state law requires consent of a parent, guardian, or other individual 
for a minor to obtain treatment for a substance use disorder, any 
written consent for disclosure authorized under subpart C of this part 
must be given by both the minor and their parent, guardian, or other 
individual authorized under state law to act in the minor's behalf.
    (2) Where state law requires parental consent to treatment, the 
fact of a minor's application for treatment may be communicated to the 
minor's parent, guardian, or other individual authorized under state 
law to act in the minor's behalf only if:
    (i) The minor has given written consent to the disclosure in 
accordance with subpart C of this part; or
    (ii) The minor lacks the capacity to make a rational choice 
regarding such consent as judged by the part 2 program director under 
paragraph (c) of this section.
    (c) Minor applicant for services lacks capacity for rational 
choice. Facts relevant to reducing a substantial threat to the life or 
physical well-being of the minor applicant or any other individual may 
be disclosed to the parent, guardian, or other individual authorized 
under state law to act in the minor's behalf if the part 2 program 
director judges that:
    (1) A minor applicant for services lacks capacity because of 
extreme youthor mental or physical condition to make a rational 
decision on whether to consent to a disclosure under subpart C of this 
part to their parent, guardian, or other individual authorized under 
state law to act in the minor's behalf; and
    (2) The minor applicant's situation poses a substantial threat to 
the life or physical well-being of the minor applicant or any other 
individual which may be reduced by communicating relevant facts to the 
minor's parent, guardian, or other individual authorized under state 
law to act in the minor's behalf.


Sec.  2.15  Incompetent and deceased patients.

    (a) Incompetent patients other than minors--(1) Adjudication of 
incompetence. In the case of a patient who has been adjudicated as 
lacking the capacity, for any reason other than insufficient age, to 
their own affairs, any consent which is required under the regulations 
in this part may be given by the guardian or other individual 
authorized under state law to act in the patient's behalf.
    (2) No adjudication of incompetency. In the case of a patient, 
other than a minor or one who has been adjudicated incompetent, that 
for any period suffers from a medical condition that prevents knowing 
or effective action on their own behalf, the part 2 program director 
may exercise the right of the patient to consent to a disclosure under 
subpart C of this part for the sole purpose of obtaining payment for 
services from a third-party payer.
    (b) Deceased patients--(1) Vital statistics. These regulations do 
not restrict the disclosure of patient identifying information relating 
to the cause of death of a patient under laws requiring the collection 
of death or other vital statistics or permitting inquiry into the cause 
of death.

[[Page 6120]]

    (2) Consent by personal representative. Any other disclosure of 
information identifying a deceased patient as having a substance use 
disorder is subject to the regulations in this part. If a written 
consent to the disclosure is required, that consent may be given by an 
executor, administrator, or other personal representative appointed 
under applicable state law. If there is no such applicable state law 
appointment, the consent may be given by the patient's spouse or, if 
none, by any responsible member of the patient's family.


Sec.  2.16  Security for records.

    (a) The part 2 program or other lawful holder of patient 
identifying information must have in place formal policies and 
procedures to reasonably protect against unauthorized uses and 
disclosures of patient identifying information and to protect against 
reasonably anticipated threats or hazards to the security of patient 
identifying information. These formal policies and procedures must 
address:
    (1) Paper records, including:
    (i) Transferring and removing such records;
    (ii) Destroying such records, including sanitizing the hard copy 
media associated with the paper printouts, to render the patient 
identifying information non-retrievable;
    (iii) Maintaining such records in a secure room, locked file 
cabinet, safe, or other similar container, or storage facility when not 
in use;
    (iv) Using and accessing workstations, secure rooms, locked file 
cabinets, safes, or other similar containers, and storage facilities 
that use or store such information; and
    (v) Rendering patient identifying information non-identifiable in a 
manner that creates a very low risk of re-identification (e.g., 
removing direct identifiers).
    (2) Electronic records, including:
    (i) Creating, receiving, maintaining, and transmitting such 
records;
    (ii) Destroying such records, including sanitizing the electronic 
media on which such records are stored, to render the patient 
identifying information non-retrievable;
    (iii) Using and accessing electronic records or other electronic 
media containing patient identifying information; and
    (iv) Rendering the patient identifying information non-identifiable 
in a manner that creates a very low risk of re-identification (e.g., 
removing direct identifiers).
    (b) [Reserved]


Sec.  2.17  Undercover agents and informants.

    (a) Restrictions on placement. Except as specifically authorized by 
a court order granted under Sec.  2.67, no part 2 program may knowingly 
employ, or enroll as a patient, any undercover agent or informant.
    (b) Restriction on use of information. No information obtained by 
an undercover agent or informant, whether or not that undercover agent 
or informant is placed in a part 2 program pursuant to an authorizing 
court order, may be used to criminally investigate or prosecute any 
patient.


Sec.  2.18  Restrictions on the use of identification cards.

    No person may require any patient to carry in their immediate 
possession while away from the part 2 program premises any card or 
other object which would identify the patient as having a substance use 
disorder. This section does not prohibit a person from requiring 
patients to use or carry cards or other identification objects on the 
premises of a part 2 program.


Sec.  2.19  Disposition of records by discontinued programs.

    (a) General. If a part 2 program discontinues operations or is 
taken over or acquired by another program, it must remove patient 
identifying information from its records or destroy its records, 
including sanitizing any associated hard copy or electronic media, to 
render the patient identifying information non-retrievable in a manner 
consistent with the policies and procedures established under Sec.  
2.16, unless:
    (1) The patient who is the subject of the records gives written 
consent (meeting the requirements of Sec.  2.31) to a transfer of the 
records to the acquiring program or to any other program designated in 
the consent (the manner of obtaining this consent must minimize the 
likelihood of a disclosure of patient identifying information to a 
third party); or
    (2) There is a legal requirement that the records be kept for a 
period specified by law which does not expire until after the 
discontinuation or acquisition of the part 2 program.
    (b) Special procedure where retention period required by law. If 
paragraph (a)(2) of this section applies:
    (1) Records, which are paper, must be:
    (i) Sealed in envelopes or other containers labeled as follows: 
``Records of [insert name of program] required to be maintained under 
[insert citation to statute, regulation, court order or other legal 
authority requiring that records be kept] until a date not later than 
[insert appropriate date]'';
    (A) All hard copy media from which the paper records were produced, 
such as printer and facsimile ribbons, drums, etc., must be sanitized 
to render the data non-retrievable; and
    (B) [Reserved]
    (ii) Held under the restrictions of the regulations in this part by 
a responsible person who must, as soon as practicable after the end of 
the required retention period specified on the label, destroy the 
records and sanitize any associated hard copy media to render the 
patient identifying information non-retrievable in a manner consistent 
with the discontinued program's or acquiring program's policies and 
procedures established under Sec.  2.16.
    (2) Records, which are electronic, must be:
    (i) Transferred to a portable electronic device with implemented 
encryption to encrypt the data at rest so that there is a low 
probability of assigning meaning without the use of a confidential 
process or key and implemented access controls for the confidential 
process or key; or
    (ii) Transferred, along with a backup copy, to separate electronic 
media, so that both the records and the backup copy have implemented 
encryption to encrypt the data at rest so that there is a low 
probability of assigning meaning without the use of a confidential 
process or key and implemented access controls for the confidential 
process or key; and
    (iii) Within one year of the discontinuation or acquisition of the 
program, all electronic media on which the patient records or patient 
identifying information resided prior to being transferred to the 
device specified in (i) above or the original and backup electronic 
media specified in (ii) above, including email and other electronic 
communications, must be sanitized to render the patient identifying 
information non-retrievable in a manner consistent with the 
discontinued program's or acquiring program's policies and procedures 
established under Sec.  2.16; and
    (iv) The portable electronic device or the original and backup 
electronic media must be:
    (A) Sealed in a container along with any equipment needed to read 
or access the information, and labeled as follows: ``Records of [insert 
name of program] required to be maintained under [insert citation to 
statute, regulation, court order or other legal authority requiring 
that records be kept] until a date not later than [insert appropriate 
date];'' and
    (B) Held under the restrictions of the regulations in this part by 
a responsible person who must store the container in a manner that will 
protect the

[[Page 6121]]

information (e.g., climate controlled environment); and
    (v) The responsible person must be included on the access control 
list and be provided a means for decrypting the data. The responsible 
person must store the decryption tools on a device or at a location 
separate from the data they are used to encrypt or decrypt; and
    (vi) As soon as practicable after the end of the required retention 
period specified on the label, the portable electronic device or the 
original and backup electronic media must be sanitized to render the 
patient identifying information non-retrievable consistent with the 
policies established under Sec.  2.16.


Sec.  2.20  Relationship to state laws.

    The statute authorizing the regulations in this part (42 U.S.C. 
290dd-2) does not preempt the field of law which they cover to the 
exclusion of all state laws in that field. If a disclosure permitted 
under the regulations in this part is prohibited under state law, 
neither the regulations in this part nor the authorizing statute may be 
construed to authorize any violation of that state law. However, no 
state law may either authorize or compel any disclosure prohibited by 
the regulations in this part.


Sec.  2.21  Relationship to federal statutes protecting research 
subjects against compulsory disclosure of their identity.

    (a) Research privilege description. There may be concurrent 
coverage of patient identifying information by the regulations in this 
part and by administrative action taken under section 502(c) of the 
Controlled Substances Act (21 U.S.C. 872(c) and the implementing 
regulations at 21 CFR part 1316); or section 301(d) of the Public 
Health Service Act (42 U.S.C. 241(d) and the implementing regulations 
at 42 CFR part 2a). These research privilege statutes confer on the 
Secretary of Health and Human Services and on the Attorney General, 
respectively, the power to authorize researchers conducting certain 
types of research to withhold from all persons not connected with the 
research the names and other identifying information concerning 
individuals who are the subjects of the research.
    (b) Effect of concurrent coverage. These regulations restrict the 
disclosure and use of information about patients, while administrative 
action taken under the research privilege statutes and implementing 
regulations protects a person engaged in applicable research from being 
compelled to disclose any identifying characteristics of the 
individuals who are the subjects of that research. The issuance under 
subpart E of this part of a court order authorizing a disclosure of 
information about a patient does not affect an exercise of authority 
under these research privilege statutes.


Sec.  2.22  Notice to patients of federal confidentiality requirements.

    (a) Notice required. At the time of admission to a part 2 program 
or, in the case that a patient does not have capacity upon admission to 
understand his or her medical status, as soon thereafter as the patient 
attains such capacity, each part 2 program shall:
    (1) Communicate to the patient that federal law and regulations 
protect the confidentiality of substance use disorder patient records; 
and
    (2) Give to the patient a summary in writing of the federal law and 
regulations.
    (b) Required elements of written summary. The written summary of 
the federal law and regulations must include:
    (1) A general description of the limited circumstances under which 
a part 2 program may acknowledge that an individual is present or 
disclose outside the part 2 program information identifying a patient 
as having or having had a substance use disorder;
    (2) A statement that violation of the federal law and regulations 
by a part 2 program is a crime and that suspected violations may be 
reported to appropriate authorities consistent with Sec.  2.4, along 
with contact information;
    (3) A statement that information related to a patient's commission 
of a crime on the premises of the part 2 program or against personnel 
of the part 2 program is not protected;
    (4) A statement that reports of suspected child abuse and neglect 
made under state law to appropriate state or local authorities are not 
protected; and
    (5) A citation to the federal law and regulations.
    (c) Program options. The part 2 program must devise a notice to 
comply with the requirement to provide the patient with a summary in 
writing of the federal law and regulations. In this written summary, 
the part 2 program also may include information concerning state law 
and any of the part 2 program's policies that are not inconsistent with 
state and federal law on the subject of confidentiality of substance 
use disorder patient records.


Sec.  2.23  Patient access and restrictions on use.

    (a) Patient access not prohibited. These regulations do not 
prohibit a part 2 program from giving a patient access to their own 
records, including the opportunity to inspect and copy any records that 
the part 2 program maintains about the patient. The part 2 program is 
not required to obtain a patient's written consent or other 
authorization under the regulations in this part in order to provide 
such access to the patient.
    (b) Restriction on use of information. Information obtained by 
patient access to his or her patient record is subject to the 
restriction on use of this information to initiate or substantiate any 
criminal charges against the patient or to conduct any criminal 
investigation of the patient as provided for under Sec.  2.12(d)(1).

Subpart C--Disclosures With Patient Consent


Sec.  2.31  Consent requirements.

    (a) Required elements for written consent. A written consent to a 
disclosure under the regulations in this part may be paper or 
electronic and must include:
    (1) The name of the patient.
    (2) The specific name(s) or general designation(s) of the part 2 
program(s), entity(ies), or individual(s) permitted to make the 
disclosure.
    (3) How much and what kind of information is to be disclosed, 
including an explicit description of the substance use disorder 
information that may be disclosed.
    (4)(i) The name(s) of the individual(s) to whom a disclosure is to 
be made; or
    (ii) Entities with a treating provider relationship with the 
patient. If the recipient entity has a treating provider relationship 
with the patient whose information is being disclosed, such as a 
hospital, a health care clinic, or a private practice, the name of that 
entity; or
    (iii) Entities without a treating provider relationship with the 
patient.
    (A) If the recipient entity does not have a treating provider 
relationship with the patient whose information is being disclosed and 
is a third-party payer, the name of the entity; or
    (B) If the recipient entity does not have a treating provider 
relationship with the patient whose information is being disclosed and 
is not covered by paragraph (a)(4)(iii)(A) of this section, such as an 
entity that facilitates the exchange of health information or a 
research institution, the name(s) of the entity(-ies); and
    (1) The name(s) of an individual participant(s); or
    (2) The name(s) of an entity participant(s) that has a treating 
provider relationship with the patient whose information is being 
disclosed; or

[[Page 6122]]

    (3) A general designation of an individual or entity participant(s) 
or class of participants that must be limited to a participant(s) who 
has a treating provider relationship with the patient whose information 
is being disclosed.
    (i) When using a general designation, a statement must be included 
on the consent form that the patient (or other individual authorized to 
sign in lieu of the patient), confirms their understanding that, upon 
their request and consistent with this part, they must be provided a 
list of entities to which their information has been disclosed pursuant 
to the general designation (see Sec.  2.13(d)).
    (ii) [Reserved]
    (5) The purpose of the disclosure. In accordance with Sec.  
2.13(a), the disclosure must be limited to that information which is 
necessary to carry out the stated purpose.
    (6) A statement that the consent is subject to revocation at any 
time except to the extent that the part 2 program or other lawful 
holder of patient identifying information that is permitted to make the 
disclosure has already acted in reliance on it. Acting in reliance 
includes the provision of treatment services in reliance on a valid 
consent to disclose information to a third-party payer
    (7) The date, event, or condition upon which the consent will 
expire if not revoked before. This date, event, or condition must 
ensure that the consent will last no longer than reasonably necessary 
to serve the purpose for which it is provided.
    (8) The signature of the patient and, when required for a patient 
who is a minor, the signature of an individual authorized to give 
consent under Sec.  2.14; or, when required for a patient who is 
incompetent or deceased, the signature of an individual authorized to 
sign under Sec.  2.15. Electronic signatures are permitted to the 
extent that they are not prohibited by any applicable law.
    (9) The date on which the consent is signed.
    (b) Expired, deficient, or false consent. A disclosure may not be 
made on the basis of a consent which:
    (1) Has expired;
    (2) On its face substantially fails to conform to any of the 
requirements set forth in paragraph (a) of this section;
    (3) Is known to have been revoked; or
    (4) Is known, or through reasonable diligence could be known, by 
the individual or entity holding the records to be materially false.


Sec.  2.32  Prohibition on re-disclosure.

    (a) Notice to accompany disclosure. Each disclosure made with the 
patient's written consent must be accompanied by the following written 
statement: This information has been disclosed to you from records 
protected by federal confidentiality rules (42 CFR part 2). The federal 
rules prohibit you from making any further disclosure of information in 
this record that identifies a patient as having or having had a 
substance use disorder either directly, by reference to publicly 
available information, or through verification of such identification 
by another person unless further disclosure is expressly permitted by 
the written consent of the individual whose information is being 
disclosed or as otherwise permitted by 42 CFR part 2. A general 
authorization for the release of medical or other information is NOT 
sufficient for this purpose (see Sec.  2.31). The federal rules 
restrict any use of the information to investigate or prosecute with 
regard to a crime any patient with a substance use disorder, except as 
provided at Sec. Sec.  2.12(c)(5) and 2.65.
    (b) [Reserved]


Sec.  2.33  Disclosures permitted with written consent.

    If a patient consents to a disclosure of their records under Sec.  
2.31, a program may disclose those records in accordance with that 
consent to any person identified in the consent, except that 
disclosures to central registries and in connection with criminal 
justice referrals must meet the requirements of Sec. Sec.  2.34 and 
2.35, respectively.


Sec.  2.34  Disclosures to prevent multiple enrollments.

    (a) Restrictions on disclosure. A part 2 program, as defined in 
Sec.  2.11, may disclose patient records to a central registry or to 
any withdrawal management or maintenance treatment program not more 
than 200 miles away for the purpose of preventing the multiple 
enrollment of a patient only if:
    (1) The disclosure is made when:
    (i) The patient is accepted for treatment;
    (ii) The type or dosage of the drug is changed; or
    (iii) The treatment is interrupted, resumed or terminated.
    (2) The disclosure is limited to:
    (i) Patient identifying information;
    (ii) Type and dosage of the drug; and
    (iii) Relevant dates.
    (3) The disclosure is made with the patient's written consent 
meeting the requirements of Sec.  2.31, except that:
    (i) The consent must list the name and address of each central 
registry and each known withdrawal management or maintenance treatment 
program to which a disclosure will be made; and
    (ii) The consent may authorize a disclosure to any withdrawal 
management or maintenance treatment program established within 200 
miles of the program, but does not need to individually name all 
programs.
    (b) Use of information limited to prevention of multiple 
enrollments. A central registry and any withdrawal management or 
maintenance treatment program to which information is disclosed to 
prevent multiple enrollments may not re-disclose or use patient 
identifying information for any purpose other than the prevention of 
multiple enrollments unless authorized by a court order under subpart E 
of this part.
    (c) Permitted disclosure by a central registry to prevent a 
multiple enrollment. When a member program asks a central registry if 
an identified patient is enrolled in another member program and the 
registry determines that the patient is so enrolled, the registry may 
disclose:
    (1) The name, address, and telephone number of the member 
program(s) in which the patient is already enrolled to the inquiring 
member program; and
    (2) The name, address, and telephone number of the inquiring member 
program to the member program(s) in which the patient is already 
enrolled. The member programs may communicate as necessary to verify 
that no error has been made and to prevent or eliminate any multiple 
enrollments.
    (d) Permitted disclosure by a withdrawal management or maintenance 
treatment program to prevent a multiple enrollment. A withdrawal 
management or maintenance treatment program which has received a 
disclosure under this section and has determined that the patient is 
already enrolled may communicate as necessary with the program making 
the disclosure to verify that no error has been made and to prevent or 
eliminate any multiple enrollments.


Sec.  2.35  Disclosures to elements of the criminal justice system 
which have referred patients.

    (a) A part 2 program may disclose information about a patient to 
those individuals within the criminal justice system who have made 
participation in the part 2 program a condition of the disposition of 
any criminal proceedings against the patient or of the patient's parole 
or other release from custody if:
    (1) The disclosure is made only to those individuals within the 
criminal justice system who have a need for the information in 
connection with their duty to monitor the patient's progress

[[Page 6123]]

(e.g., a prosecuting attorney who is withholding charges against the 
patient, a court granting pretrial or post-trial release, probation or 
parole officers responsible for supervision of the patient); and
    (2) The patient has signed a written consent meeting the 
requirements of Sec.  2.31 (except paragraph (a)(8) which is 
inconsistent with the revocation provisions of paragraph (c) of this 
section) and the requirements of paragraphs (b) and (c) of this 
section.
    (b) Duration of consent. The written consent must state the period 
during which it remains in effect. This period must be reasonable, 
taking into account:
    (1) The anticipated length of the treatment;
    (2) The type of criminal proceeding involved, the need for the 
information in connection with the final disposition of that 
proceeding, and when the final disposition will occur; and
    (3) Such other factors as the part 2 program, the patient, and the 
individual(s) within the criminal justice system who will receive the 
disclosure consider pertinent.
    (c) Revocation of consent. The written consent must state that it 
is revocable upon the passage of a specified amount of time or the 
occurrence of a specified, ascertainable event. The time or occurrence 
upon which consent becomes revocable may be no later than the final 
disposition of the conditional release or other action in connection 
with which consent was given.
    (d) Restrictions on re-disclosure and use. An individual within the 
criminal justice system who receives patient information under this 
section may re-disclose and use it only to carry out that individual's 
official duties with regard to the patient's conditional release or 
other action in connection with which the consent was given.

Subpart D--Disclosures Without Patient Consent


Sec.  2.51  Medical emergencies.

    (a) General rule. Under the procedures required by paragraph (c) of 
this section, patient identifying information may be disclosed to 
medical personnel to the extent necessary to meet a bona fide medical 
emergency in which the patient's prior informed consent cannot be 
obtained.
    (b) Special rule. Patient identifying information may be disclosed 
to medical personnel of the Food and Drug Administration (FDA) who 
assert a reason to believe that the health of any individual may be 
threatened by an error in the manufacture, labeling, or sale of a 
product under FDA jurisdiction, and that the information will be used 
for the exclusive purpose of notifying patients or their physicians of 
potential dangers.
    (c) Procedures. Immediately following disclosure, the part 2 
program shall document, in writing, the disclosure in the patient's 
records, including:
    (1) The name of the medical personnel to whom disclosure was made 
and their affiliation with any health care facility;
    (2) The name of the individual making the disclosure;
    (3) The date and time of the disclosure; and
    (4) The nature of the emergency (or error, if the report was to 
FDA).


Sec.  2.52  Research.

    (a) Notwithstanding other provisions of this part, including 
paragraph (b)(2) of this section, patient identifying information may 
be disclosed by the part 2 program or other lawful holder of part 2 
data, for the purpose of conducting scientific research if the 
individual designated as director or managing director, or individual 
otherwise vested with authority to act as chief executive officer or 
their designee makes a determination that the recipient of the patient 
identifying information:
    (1) If a HIPAA-covered entity or business associate, has obtained 
and documented authorization from the patient, or a waiver or 
alteration of authorization, consistent with the HIPAA Privacy Rule at 
45 CFR 164.508 or 164.512(i), as applicable; or
    (2) If subject to the HHS regulations regarding the protection of 
human subjects (45 CFR part 46), either provides documentation that the 
researcher is in compliance with the requirements of the HHS 
regulations, including the requirements related to informed consent or 
a waiver of consent (45 CFR 46.111 and 46.116) or that the research 
qualifies for exemption under the HHS regulations (45 CFR 46.101(b) and 
any successor regulations; or
    (3) If both a HIPAA covered entity or business associate and 
subject to the HHS regulations regarding the protection of human 
subjects, has met the requirements of paragraphs (a)(1) and (2) of this 
section; and
    (4) If neither a HIPAA covered entity or business associate or 
subject to the HHS regulations regarding the protection of human 
subjects, this section does not apply.
    (b) Any individual or entity conducting scientific research using 
patient identifying information obtained under paragraph (a) of this 
section:
    (1) Is fully bound by the regulations in this part and, if 
necessary, will resist in judicial proceedings any efforts to obtain 
access to patient records except as permitted by the regulations in 
this part.
    (2) Must not re-disclose patient identifying information except 
back to the individual or entity from whom that patient identifying 
information was obtained or as permitted under paragraph (c) of this 
section.
    (3) May include part 2 data in research reports only in aggregate 
form in which patient identifying information has been rendered non-
identifiable such that the information cannot be re-identified and 
serve as an unauthorized means to identify a patient, directly or 
indirectly, as having or having had a substance use disorder.
    (4) Must maintain and destroy patient identifying information in 
accordance with the security policies and procedures established under 
Sec.  2.16.
    (5) Must retain records in compliance with applicable federal, 
state, and local record retention laws.
    (c) Data linkages--(1) Researchers. Any individual or entity 
conducting scientific research using patient identifying information 
obtained under paragraph (a) of this section that requests linkages to 
data sets from a data repository(-ies) holding patient identifying 
information must:
    (i) Have the request reviewed and approved by an Institutional 
Review Board (IRB) registered with the Department of Health and Human 
Services, Office for Human Research Protections in accordance with 45 
CFR part 46 to ensure that patient privacy is considered and the need 
for identifiable data is justified. Upon request, the researcher may be 
required to provide evidence of the IRB approval of the research 
project that contains the data linkage component.
    (ii) Ensure that patient identifying information obtained under 
paragraph (a) of this section is not provided to law enforcement 
agencies or officials.
    (2) Data repositories. For purposes of this section, a data 
repository is fully bound by the provisions of part 2 upon receipt of 
the patient identifying data and must:
    (i) After providing the researcher with the linked data, destroy or 
delete the linked data from its records, including sanitizing any 
associated hard copy or electronic media, to render the patient 
identifying information non-retrievable in a manner consistent with the 
policies and procedures established under Sec.  2.16 Security for 
records.
    (ii) Ensure that patient identifying information obtained under 
paragraph (a) of this section is not provided to law enforcement 
agencies or officials.

[[Page 6124]]

    (2) Except as provided in paragraph (c) of this section, a 
researcher may not redisclose patient identifying information for data 
linkages purposes.


Sec.  2.53  Audit and evaluation.

    (a) Records not copied or removed. If patient records are not 
downloaded, copied or removed from the part 2 program premises or 
forwarded electronically to another electronic system or device, 
patient identifying information, as defined in Sec.  2.11, may be 
disclosed in the course of a review of records on the part 2 program 
premises to any individual or entity who agrees in writing to comply 
with the limitations on re-disclosure and use in paragraph (d) of this 
section and who:
    (1) Performs the audit or evaluation on behalf of:
    (i) Any federal, state, or local government agency which provides 
financial assistance to the part 2 program or is authorized by law to 
regulate its activities; or
    (ii) Any individual or entity who provides financial assistance to 
the part 2 program, which is a third-party payer covering patients in 
the part 2 program, or which is a quality improvement organization 
performing a utilization or quality control review; or
    (2) Is determined by the part 2 program to be qualified to conduct 
an audit or evaluation of the part 2 program.
    (b) Copying, removing, downloading, or forwarding patient records. 
Records containing patient identifying information, as defined in Sec.  
2.11, may be copied or removed from a part 2 program premises or 
downloaded or forwarded to another electronic system or device from the 
part 2 program's electronic records by any individual or entity who:
    (1) Agrees in writing to:
    (i) Maintain and destroy the patient identifying information in a 
manner consistent with the policies and procedures established under 
Sec.  2.16;
    (ii) Retain records in compliance with applicable federal, state, 
and local record retention laws; and
    (iii) Comply with the limitations on disclosure and use in 
paragraph (d) of this section; and
    (2) Performs the audit or evaluation on behalf of:
    (i) Any federal, state, or local government agency which provides 
financial assistance to the part 2 program or is authorized by law to 
regulate its activities; or
    (ii) Any individual or entity who provides financial assistance to 
the part 2 program, which is a third-party payer covering patients in 
the part 2 program, or which is a quality improvement organization 
performing a utilization or quality control review.
    (c) Medicare, Medicaid, Children's Health Insurance Program (CHIP), 
or related audit or evaluation. (1) Patient identifying information, as 
defined in Sec.  2.11, may be disclosed under paragraph (c) of this 
section to any individual or entity for the purpose of conducting a 
Medicare, Medicaid, or CHIP audit or evaluation, including an audit or 
evaluation necessary to meet the requirements for a Centers for 
Medicare & Medicaid Services (CMS)-regulated accountable care 
organization (CMS-regulated ACO) or similar CMS-regulated organization 
(including a CMS-regulated Qualified Entity (QE)), if the individual or 
entity agrees in writing to comply with the following:
    (i) Maintain and destroy the patient identifying information in a 
manner consistent with the policies and procedures established under 
Sec.  2.16;
    (ii) Retain records in compliance with applicable federal, state, 
and local record retention laws; and
    (iii) Comply with the limitations on disclosure and use in 
paragraph (d) of this section.
    (2) A Medicare, Medicaid, or CHIP audit or evaluation under this 
section includes a civil or administrative investigation of a part 2 
program by any federal, state, or local government agency with 
oversight responsibilities for Medicare, Medicaid, or CHIP and includes 
administrative enforcement, against the part 2 program by the 
government agency, of any remedy authorized by law to be imposed as a 
result of the findings of the investigation.
    (3) An audit or evaluation necessary to meet the requirements for a 
CMS-regulated ACO or similar CMS-regulated organization (including a 
CMS-regulated QE) must be conducted in accordance with the following:
    (i) A CMS-regulated ACO or similar CMS-regulated organization 
(including a CMS-regulated QE) must:
    (A) Have in place administrative and/or clinical systems; and
    (B) Have in place a leadership and management structure, including 
a governing body and chief executive officer with responsibility for 
oversight of the organization's management and for ensuring compliance 
with and adherence to the terms and conditions of the Participation 
Agreement or similar documentation with CMS; and
    (ii) A CMS-regulated ACO or similar CMS-regulated organization 
(including a CMS-regulated QE) must have a signed Participation 
Agreement or similar documentation with CMS, which provides that the 
CMS-regulated ACO or similar CMS-regulated organization (including a 
CMS-regulated QE):
    (A) Is subject to periodic evaluations by CMS or its agents, or is 
required by CMS to evaluate participants in the CMS-regulated ACO or 
similar CMS-regulated organization (including a CMS-regulated QE) 
relative to CMS-defined or approved quality and/or cost measures;
    (B) Must designate an executive who has the authority to legally 
bind the organization to ensure compliance with 42 U.S.C. 290dd-2 and 
this part and the terms and conditions of the Participation Agreement 
in order to receive patient identifying information from CMS or its 
agents;
    (C) Agrees to comply with all applicable provisions of 42 U.S.C. 
290dd-2 and this part;
    (D) Must ensure that any audit or evaluation involving patient 
identifying information occurs in a confidential and controlled setting 
approved by the designated executive;
    (E) Must ensure that any communications or reports or other 
documents resulting from an audit or evaluation under this section do 
not allow for the direct or indirect identification (e.g., through the 
use of codes) of a patient as having or having had a substance use 
disorder; and
    (F) Must establish policies and procedures to protect the 
confidentiality of the patient identifying information consistent with 
this part, the terms and conditions of the Participation Agreement, and 
the requirements set forth in paragraph (c)(1) of this section.
    (4) Program, as defined in Sec.  2.11, includes an employee of, or 
provider of medical services under the program when the employee or 
provider is the subject of a civil investigation or administrative 
remedy, as those terms are used in paragraph (c)(2) of this section.
    (5) If a disclosure to an individual or entity is authorized under 
this section for a Medicare, Medicaid, or CHIP audit or evaluation, 
including a civil investigation or administrative remedy, as those 
terms are used in paragraph (c)(2) of this section, then a quality 
improvement organization which obtains the information under paragraph 
(a) or (b) of this section may disclose the information to that 
individual or entity but only for the purpose of conducting a Medicare, 
Medicaid, or CHIP audit or evaluation.
    (6) The provisions of this paragraph do not authorize the part 2 
program, the federal, state, or local government agency, or any other 
individual or entity to disclose or use patient identifying

[[Page 6125]]

information obtained during the audit or evaluation for any purposes 
other than those necessary to complete the audit or evaluation as 
specified in paragraph (c) of this section.
    (d) Limitations on disclosure and use. Except as provided in 
paragraph (c) of this section, patient identifying information 
disclosed under this section may be disclosed only back to the program 
from which it was obtained and used only to carry out an audit or 
evaluation purpose or to investigate or prosecute criminal or other 
activities, as authorized by a court order entered under Sec.  2.66.

Subpart E--Court Orders Authorizing Disclosure and Use


Sec.  2.61  Legal effect of order.

    (a) Effect. An order of a court of competent jurisdiction entered 
under this subpart is a unique kind of court order. Its only purpose is 
to authorize a disclosure or use of patient information which would 
otherwise be prohibited by 42 U.S.C. 290dd-2 and the regulations in 
this part. Such an order does not compel disclosure. A subpoena or a 
similar legal mandate must be issued in order to compel disclosure. 
This mandate may be entered at the same time as and accompany an 
authorizing court order entered under the regulations in this part.
    (b) Examples. (1) A person holding records subject to the 
regulations in this part receives a subpoena for those records. The 
person may not disclose the records in response to the subpoena unless 
a court of competent jurisdiction enters an authorizing order under the 
regulations in this part.
    (2) An authorizing court order is entered under the regulations in 
this part, but the person holding the records does not want to make the 
disclosure. If there is no subpoena or other compulsory process or a 
subpoena for the records has expired or been quashed, that person may 
refuse to make the disclosure. Upon the entry of a valid subpoena or 
other compulsory process the person holding the records must disclose, 
unless there is a valid legal defense to the process other than the 
confidentiality restrictions of the regulations in this part.


Sec.  2.62  Order not applicable to records disclosed without consent 
to researchers, auditors and evaluators.

    A court order under the regulations in this part may not authorize 
qualified personnel, who have received patient identifying information 
without consent for the purpose of conducting research, audit or 
evaluation, to disclose that information or use it to conduct any 
criminal investigation or prosecution of a patient. However, a court 
order under Sec.  2.66 may authorize disclosure and use of records to 
investigate or prosecute qualified personnel holding the records.


Sec.  2.63  Confidential communications.

    (a) A court order under the regulations in this part may authorize 
disclosure of confidential communications made by a patient to a part 2 
program in the course of diagnosis, treatment, or referral for 
treatment only if:
    (1) The disclosure is necessary to protect against an existing 
threat to life or of serious bodily injury, including circumstances 
which constitute suspected child abuse and neglect and verbal threats 
against third parties;
    (2) The disclosure is necessary in connection with investigation or 
prosecution of an extremely serious crime allegedly committed by the 
patient, such as one which directly threatens loss of life or serious 
bodily injury, including homicide, rape, kidnapping, armed robbery, 
assault with a deadly weapon, or child abuse and neglect; or
    (3) The disclosure is in connection with litigation or an 
administrative proceeding in which the patient offers testimony or 
other evidence pertaining to the content of the confidential 
communications.
    (b) [Reserved]


Sec.  2.64  Procedures and criteria for orders authorizing disclosures 
for noncriminal purposes.

    (a) Application. An order authorizing the disclosure of patient 
records for purposes other than criminal investigation or prosecution 
may be applied for by any person having a legally recognized interest 
in the disclosure which is sought. The application may be filed 
separately or as part of a pending civil action in which the applicant 
asserts that the patient records are needed to provide evidence. An 
application must use a fictitious name, such as John Doe, to refer to 
any patient and may not contain or otherwise disclose any patient 
identifying information unless the patient is the applicant or has 
given written consent (meeting the requirements of the regulations in 
this part) to disclosure or the court has ordered the record of the 
proceeding sealed from public scrutiny.
    (b) Notice. The patient and the person holding the records from 
whom disclosure is sought must be provided:
    (1) Adequate notice in a manner which does not disclose patient 
identifying information to other persons; and
    (2) An opportunity to file a written response to the application, 
or to appear in person, for the limited purpose of providing evidence 
on the statutory and regulatory criteria for the issuance of the court 
order as described in Sec.  2.64(d).
    (c) Review of evidence: Conduct of hearing. Any oral argument, 
review of evidence, or hearing on the application must be held in the 
judge's chambers or in some manner which ensures that patient 
identifying information is not disclosed to anyone other than a party 
to the proceeding, the patient, or the person holding the record, 
unless the patient requests an open hearing in a manner which meets the 
written consent requirements of the regulations in this part. The 
proceeding may include an examination by the judge of the patient 
records referred to in the application.
    (d) Criteria for entry of order. An order under this section may be 
entered only if the court determines that good cause exists. To make 
this determination the court must find that:
    (1) Other ways of obtaining the information are not available or 
would not be effective; and
    (2) The public interest and need for the disclosure outweigh the 
potential injury to the patient, the physician-patient relationship and 
the treatment services.
    (e) Content of order. An order authorizing a disclosure must:
    (1) Limit disclosure to those parts of the patient's record which 
are essential to fulfill the objective of the order;
    (2) Limit disclosure to those persons whose need for information is 
the basis for the order; and
    (3) Include such other measures as are necessary to limit 
disclosure for the protection of the patient, the physician-patient 
relationship and the treatment services; for example, sealing from 
public scrutiny the record of any proceeding for which disclosure of a 
patient's record has been ordered.


Sec.  2.65  Procedures and criteria for orders authorizing disclosure 
and use of records to criminally investigate or prosecute patients.

    (a) Application. An order authorizing the disclosure or use of 
patient records to investigate or prosecute a patient in connection 
with a criminal proceeding may be applied for by the person holding the 
records or by any law enforcement or prosecutorial officials who are 
responsible for conducting investigative or prosecutorial activities 
with respect to the enforcement of criminal laws. The application may 
be

[[Page 6126]]

filed separately, as part of an application for a subpoena or other 
compulsory process, or in a pending criminal action. An application 
must use a fictitious name such as John Doe, to refer to any patient 
and may not contain or otherwise disclose patient identifying 
information unless the court has ordered the record of the proceeding 
sealed from public scrutiny.
    (b) Notice and hearing. Unless an order under Sec.  2.66 is sought 
in addition to an order under this section, the person holding the 
records must be provided:
    (1) Adequate notice (in a manner which will not disclose patient 
identifying information to other persons) of an application by a law 
enforcement agency or official;
    (2) An opportunity to appear and be heard for the limited purpose 
of providing evidence on the statutory and regulatory criteria for the 
issuance of the court order as described in Sec.  2.65(d); and
    (3) An opportunity to be represented by counsel independent of 
counsel for an applicant who is a law enforcement agency or official.
    (c) Review of evidence: Conduct of hearings. Any oral argument, 
review of evidence, or hearing on the application shall be held in the 
judge's chambers or in some other manner which ensures that patient 
identifying information is not disclosed to anyone other than a party 
to the proceedings, the patient, or the person holding the records. The 
proceeding may include an examination by the judge of the patient 
records referred to in the application.
    (d) Criteria. A court may authorize the disclosure and use of 
patient records for the purpose of conducting a criminal investigation 
or prosecution of a patient only if the court finds that all of the 
following criteria are met:
    (1) The crime involved is extremely serious, such as one which 
causes or directly threatens loss of life or serious bodily injury 
including homicide, rape, kidnapping, armed robbery, assault with a 
deadly weapon, and child abuse and neglect.
    (2) There is a reasonable likelihood that the records will disclose 
information of substantial value in the investigation or prosecution.
    (3) Other ways of obtaining the information are not available or 
would not be effective.
    (4) The potential injury to the patient, to the physician-patient 
relationship and to the ability of the part 2 program to provide 
services to other patients is outweighed by the public interest and the 
need for the disclosure.
    (5) If the applicant is a law enforcement agency or official, that:
    (i) The person holding the records has been afforded the 
opportunity to be represented by independent counsel; and
    (ii) Any person holding the records which is an entity within 
federal, state, or local government has in fact been represented by 
counsel independent of the applicant.
    (e) Content of order. Any order authorizing a disclosure or use of 
patient records under this section must:
    (1) Limit disclosure and use to those parts of the patient's record 
which are essential to fulfill the objective of the order;
    (2) Limit disclosure to those law enforcement and prosecutorial 
officials who are responsible for, or are conducting, the investigation 
or prosecution, and limit their use of the records to investigation and 
prosecution of the extremely serious crime or suspected crime specified 
in the application; and
    (3) Include such other measures as are necessary to limit 
disclosure and use to the fulfillment of only that public interest and 
need found by the court.


Sec.  2.66  Procedures and criteria for orders authorizing disclosure 
and use of records to investigate or prosecute a part 2 program or the 
person holding the records.

    (a) Application. (1) An order authorizing the disclosure or use of 
patient records to investigate or prosecute a part 2 program or the 
person holding the records (or employees or agents of that part 2 
program or person holding the records) in connection with a criminal or 
administrative matter may be applied for by any administrative, 
regulatory, supervisory, investigative, law enforcement, or 
prosecutorial agency having jurisdiction over the program's or person's 
activities.
    (2) The application may be filed separately or as part of a pending 
civil or criminal action against a part 2 program or the person holding 
the records (or agents or employees of the part 2 program or person 
holding the records) in which the applicant asserts that the patient 
records are needed to provide material evidence. The application must 
use a fictitious name, such as John Doe, to refer to any patient and 
may not contain or otherwise disclose any patient identifying 
information unless the court has ordered the record of the proceeding 
sealed from public scrutiny or the patient has provided written consent 
(meeting the requirements of Sec.  2.31) to that disclosure.
    (b) Notice not required. An application under this section may, in 
the discretion of the court, be granted without notice. Although no 
express notice is required to the part 2 program, to the person holding 
the records, or to any patient whose records are to be disclosed, upon 
implementation of an order so granted any of the above persons must be 
afforded an opportunity to seek revocation or amendment of that order, 
limited to the presentation of evidence on the statutory and regulatory 
criteria for the issuance of the court order in accordance with Sec.  
2.66(c).
    (c) Requirements for order. An order under this section must be 
entered in accordance with, and comply with the requirements of, 
paragraphs (d) and (e) of Sec.  2.64.
    (d) Limitations on disclosure and use of patient identifying 
information. (1) An order entered under this section must require the 
deletion of patient identifying information from any documents made 
available to the public.
    (2) No information obtained under this section may be used to 
conduct any investigation or prosecution of a patient in connection 
with a criminal matter, or be used as the basis for an application for 
an order under Sec.  2.65.


Sec.  2.67  Orders authorizing the use of undercover agents and 
informants to investigate employees or agents of a part 2 program in 
connection with a criminal matter.

    (a) Application. A court order authorizing the placement of an 
undercover agent or informant in a part 2 program as an employee or 
patient may be applied for by any law enforcement or prosecutorial 
agency which has reason to believe that employees or agents of the part 
2 program are engaged in criminal misconduct.
    (b) Notice. The part 2 program director must be given adequate 
notice of the application and an opportunity to appear and be heard 
(for the limited purpose of providing evidence on the statutory and 
regulatory criteria for the issuance of the court order in accordance 
with Sec.  2.67(c)), unless the application asserts that:
    (1) The part 2 program director is involved in the suspected 
criminal activities to be investigated by the undercover agent or 
informant; or
    (2) The part 2 program director will intentionally or 
unintentionally disclose the proposed placement of an undercover agent 
or informant to the employees or agents of the program who are 
suspected of criminal activities.
    (c) Criteria. An order under this section may be entered only if 
the court determines that good cause exists. To

[[Page 6127]]

make this determination the court must find all of the following:
    (1) There is reason to believe that an employee or agent of the 
part 2 program is engaged in criminal activity;
    (2) Other ways of obtaining evidence of the suspected criminal 
activity are not available or would not be effective; and
    (3) The public interest and need for the placement of an undercover 
agent or informant in the part 2 program outweigh the potential injury 
to patients of the part 2 program, physician-patient relationships and 
the treatment services.
    (d) Content of order. An order authorizing the placement of an 
undercover agent or informant in a part 2 program must:
    (1) Specifically authorize the placement of an undercover agent or 
an informant;
    (2) Limit the total period of the placement to six months;
    (3) Prohibit the undercover agent or informant from disclosing any 
patient identifying information obtained from the placement except as 
necessary to investigate or prosecute employees or agents of the part 2 
program in connection with the suspected criminal activity; and
    (4) Include any other measures which are appropriate to limit any 
potential disruption of the part 2 program by the placement and any 
potential for a real or apparent breach of patient confidentiality; for 
example, sealing from public scrutiny the record of any proceeding for 
which disclosure of a patient's record has been ordered.
    (e) Limitation on use of information. No information obtained by an 
undercover agent or informant placed in a part 2 program under this 
section may be used to investigate or prosecute any patient in 
connection with a criminal matter or as the basis for an application 
for an order under Sec.  2.65.

    Dated: December 20, 2016.
Kana Enomoto,
Acting Deputy Assistant Secretary for Mental Health and Substance Use.
Sylvia M. Burwell,
Secretary.
[FR Doc. 2017-00719 Filed 1-13-17; 11:15 am]
 BILLING CODE 4162-20-P