Proposed Rule 2022-25784
Confidentiality of Substance Use Disorder (SUD) Patient Records
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
December 2, 2022
Issuing agencies
Health and Human Services Department
Abstract
The Department of Health and Human Services (HHS or "the Department") is issuing this notice of proposed rulemaking (NPRM) to solicit public comment on its proposal to modify its regulations to implement section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act.
Full Text
<html>
<head>
<title>Federal Register, Volume 87 Issue 231 (Friday, December 2, 2022)</title>
</head>
<body><pre>
[Federal Register Volume 87, Number 231 (Friday, December 2, 2022)]
[Proposed Rules]
[Pages 74216-74287]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2022-25784]
[[Page 74215]]
Vol. 87
Friday,
No. 231
December 2, 2022
Part II
Department of Health and Human Services
-----------------------------------------------------------------------
42 CFR Part 2
45 CFR Part 164
Confidentiality of Substance Use Disorder (SUD) Patient Records;
Proposed Rule
[[Page 74216]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
42 CFR Part 2
45 CFR Part 164
RIN 0945-AA16
Confidentiality of Substance Use Disorder (SUD) Patient Records
AGENCY: Office for Civil Rights (OCR), Office of the Secretary,
Department of Health and Human Services; Substance Abuse and Mental
Health Services Administration (SAMHSA), Department of Health and Human
Services.
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: The Department of Health and Human Services (HHS or ``the
Department'') is issuing this notice of proposed rulemaking (NPRM) to
solicit public comment on its proposal to modify its regulations to
implement section 3221 of the Coronavirus Aid, Relief, and Economic
Security (CARES) Act.
DATES: Comments due on or before January 31, 2023.
ADDRESSES: Written comments may be submitted through any of the methods
specified below. Please do not submit duplicate comments.
<bullet> Federal eRulemaking Portal: You may submit electronic
comments at <a href="http://www.regulations.gov">http://www.regulations.gov</a> by searching for the Docket ID
number HHS-OCR-0945-AA16. Follow the instructions at <a href="http://www.regulations.gov">http://www.regulations.gov</a> for submitting electronic comments. Attachments
should be in Microsoft Word or Portable Document Format (PDF).
<bullet> Regular, Express, or Overnight Mail: You may mail written
comments (one original and two copies) to the following address only:
U.S. Department of Health and Human Services, Office for Civil Rights,
Attention: SUD Patient Records, Hubert H. Humphrey Building, Room 509F,
200 Independence Avenue SW, Washington, DC 20201.
Inspection of Public Comments: All comments received by the
accepted methods and due date specified above may be posted without
change to content to <a href="http://www.regulations.gov">http://www.regulations.gov</a>, which may include
personal information provided about the commenter, and such posting may
occur after the closing of the comment period. However, the Department
may redact certain content from comments before posting, including
threatening language, hate speech, profanity, graphic images, or
individually identifiable information about a third-party individual
other than the commenter.
Because of the large number of public comments normally received on
Federal Register documents, OCR is not able to provide individual
acknowledgments of receipt.
Please allow sufficient time for mailed comments to be received
timely in the event of delivery or security delays.
Please note that comments submitted by fax or email and those
submitted after the comment period will not be accepted. In addition,
comments that are labeled as confidential business information or whose
disclosure to the public is restricted by statute will not be accepted.
Docket: For complete access to background documents or posted
comments, go to <a href="http://www.regulations.gov">http://www.regulations.gov</a> and search for Docket ID
number HHS-OCR-0945-AA16.
FOR FURTHER INFORMATION CONTACT: Lester Coffer at (800) 368-1019 or
(800) 537-7697 (TDD).
SUPPLEMENTARY INFORMATION: The discussion below includes an Executive
Summary and overview describing the need for the proposed rules, a
description of the statutory and regulatory background of the proposed
rules, a section-by-section description of the proposed modifications,
and the impact statement and other required regulatory analyses. The
Department solicits public comment on all aspects of the proposed
rules. Persons interested in commenting on the provisions of the
proposed rules can assist the Department by preceding discussion of any
particular provision or topic with a citation to the section of the
proposed rule being discussed.
Table of Contents
I. Executive Summary
A. Overview
B. Effective and Compliance Dates
C. Summary of Major Proposals
II. Background and Need for Proposed Rule
A. Statutory and Regulatory Background
B. Earlier Efforts To Align Part 2 With the HIPAA Rules
C. Section 3221 of the Coronavirus Aid, Relief, and Economic
Security (CARES) Act
III. Section-by-Section Description of Proposed Amendments to 42 CFR
Part 2
A. Sec. 2.1--Statutory Authority for Confidentiality of
Substance Use Disorder Patient Records
B. Sec. 2.2--Purpose and Effect
C. Sec. 2.3--Civil and Criminal Penalties for Violations
(Proposed Heading)
D. Sec. 2.4--Complaints of Violations (Proposed Heading)
E. Sec. 2.11--Definitions
F. Sec. 2.12--Applicability
G. Sec. 2.13--Confidentiality Restrictions and Safeguards
H. Sec. 2.14--Minor Patients
I. Sec. 2.15--Patients Who Lack Capacity and Deceased Patients
(Proposed Heading)
J. Sec. 2.16--Security for Records and Notification of Breaches
(Proposed Heading)
K. Sec. 2.17--Undercover Agents and Informants
L. Sec. 2.19--Disposition of Records by Discontinued Programs
M. Sec. 2.20--Relationship to State Laws
N. Sec. 2.21--Relationship to Federal Statutes Protecting
Research Subjects Against Compulsory Disclosure of Their Identity
O. Sec. 2.22--Notice to Patients of Federal Confidentiality
Requirements; and 45 CFR 164.520--Notice of Privacy Practices for
Protected Health Information
P. Sec. 2.23--Patient Access and Restrictions on Use and
Disclosure (Proposed Heading)
Q. Sec. 2.24--Requirements for Intermediaries (Redesignated and
Proposed Heading)
R. Sec. 2.25--Accounting of Disclosures (Proposed Heading)
S. Sec. 2.26--Right To Request Privacy Protection for Records
(Proposed Heading)
T. Subpart C--Uses and Disclosures With Patient Consent
(Proposed Heading)
U. Sec. 2.31--Consent Requirements
V. Sec. 2.32--Notice To Accompany Disclosure (Proposed Heading)
W. Sec. 2.33--Uses and Disclosures Permitted With Written
Consent (Proposed Heading)
X. Sec. 2.34--Uses and Disclosures To Prevent Multiple
Enrollments (Proposed Heading)
Y. Sec. 2.35--Disclosures to Elements of the Criminal Justice
System Which Have Referred Patients
Z. Subpart D--Uses and Disclosures Without Patient Consent
(Proposed Heading)
AA. Sec. 2.51--Medical Emergencies
BB. Sec. 2.52--Scientific Research (Proposed Heading)
CC. Sec. 2.53--Management Audits, Financial Audits, and Program
Evaluation (Proposed Heading)
DD. Sec. 2.54--Disclosures for Public Health (Proposed Heading)
EE. Subpart E--Court Orders Authorizing Use and Disclosure
(Proposed Heading)
FF. Sec. 2.61--Legal Effect of Order
GG. Sec. 2.62--Order Not Applicable to Records Disclosed
Without Consent to Researchers, Auditors and Evaluators
HH. Sec. 2.63--Confidential Communications
II. Sec. 2.64--Procedures and Criteria for Orders Authorizing
Uses and Disclosures for Noncriminal Purposes (Proposed Heading)
JJ. Sec. 2.65--Procedures and Criteria for Orders Authorizing
Use and Disclosure of Records To Criminally Investigate or Prosecute
Patients (Proposed Heading)
KK. Sec. 2.66--Procedures and Criteria for Orders Authorizing
Use and Disclosure of Records To Investigate or Prosecute a Part 2
Program or Person Holding the Records (Proposed Heading)
[[Page 74217]]
LL. Sec. 2.67--Orders Authorizing the Use of Undercover Agents
and Informants To Investigate Employees or Agents of a Part 2
Program in Connection With a Criminal Matter
MM. Sec. 2.68--Report to the Secretary (Proposed Heading)
IV. Request for Comments
V. Public Participation
VI. Regulatory Impact Analysis
A. Executive Orders 12866 and 13563 and Related Executive Orders
on Regulatory Review
1. Summary of the Proposed Rule
2. Need for the Proposed Rule
3. Cost-Benefit Analysis
4. Consideration of Regulatory Alternatives
5. Request for Comments on Costs and Benefits
B. Regulatory Flexibility Act
C. Unfunded Mandates Reform Act
D. Executive Order 13132--Federalism
E. Assessment of Federal Regulation and Policies on Families
F. Paperwork Reduction Act of 1995
1. Explanation of Estimated Annualized Burden Hours for 42 CFR
Part 2
2. Explanation of Estimated Capital Expenses for 42 CFR Part 2
3. Explanation of Estimated Annualized Burden Hours for 45 CFR
164.520
Executive Summary
Overview
In this Notice of Proposed Rulemaking (NPRM), the Department
proposes to modify certain provisions of part 2 of title 42 of the Code
of Federal Regulations (42 CFR part 2 or ``Part 2'') \1\ to implement
statutory amendments to section 290dd-2 of title 42 United States Code
(42 U.S.C. 290dd-2) enacted in section 3221 of the Coronavirus Aid,
Relief, and Economic Security (CARES) Act.\2\
---------------------------------------------------------------------------
\1\ For readability, the Department refers to specific sections
of 42 CFR part 2 using a shortened citation with the ``Sec. ''
symbol except where necessary to distinguish title 42 citations from
other CFR titles, such as title 45 CFR, and in footnotes where the
full reference is used.
\2\ Public Law 116-136, 134 Stat. 281 (March 27, 2020).
---------------------------------------------------------------------------
Part 2 currently imposes different requirements for substance use
disorder (SUD) treatment records protected by Part 2 (``Part 2
records'') \3\ than the Health Insurance Portability and Accountability
Act of 1996 (HIPAA) \4\ Privacy, Security, Breach Notification, and
Enforcement Rules (``HIPAA Rules'') \5\ apply to protected health
information (PHI).\6\ The statutory and regulatory schemes apply to
different types of entities and create dual obligations and compliance
challenges for HIPAA covered entities \7\ and business associates \8\
that maintain PHI and Part 2 records, and thus are subject to both sets
of rules.\9\ Treatment providers have also expressed concerns that they
lack access to complete information when treating patients.\10\ Section
290dd-2, as amended by section 3221 of the CARES Act, aligns certain
Part 2 requirements more closely to requirements of the HIPAA Rules to
improve the ability of entities that are subject to Part 2 to use and
disclose Part 2 records and makes other changes to Part 2, as described
in this preamble.
---------------------------------------------------------------------------
\3\ See 42 U.S.C. 290dd-2(a). ``Records of the identity,
diagnosis, prognosis, or treatment of any patient which are
maintained in connection with the performance of any program or
activity relating to substance use disorder education, prevention,
training, treatment, rehabilitation, or research, which is
conducted, regulated, or directly or indirectly assisted by any
department or agency of the United States shall, except as provided
in subsection (e), be confidential and be disclosed only for the
purposes and under the circumstances expressly authorized under
subsection (b)''.
\4\ See the Administrative Simplification provisions of title
II, subtitle F, of HIPAA (Public Law 104-191), 110 Stat. 1936
(August 21, 1996) which added a new part C to title XI of the Social
Security Act (secs. 1171-1179 of the Social Security Act, 42 U.S.C.
1320d-1320d-8), as amended by the Health Information Technology for
Economic and Clinical Health (HITECH) Act, enacted as title XIII of
division A and title IV of division B of the American Recovery and
Reinvestment Act of 2009 (ARRA), Public Law 111-5, 123 Stat. 226
(February 17, 2009).
\5\ See the Privacy Rule, 45 CFR parts 160 and 164, subparts A
and E; the Security Rule 45 CFR parts 160 and 164, subparts A and C;
the Breach Notification Rule, 45 CFR part 164, subpart D; and the
Enforcement Rule, 45 CFR part 160, subparts C, D, and E. Breach
notification requirements were added by the HITECH Act.
\6\ PHI is individually identifiable health information
maintained or transmitted by or on behalf of a HIPAA covered entity.
See 45 CFR 160.103 (definitions of ``Individually identifiable
health information'' and ``Protected health information'').
\7\ Covered entities are health care providers who transmit
health information electronically in connection with any transaction
for which the Department has adopted an electronic transaction
standard, health plans, and health care clearinghouses. See 45 CFR
160.103 (definition of ``Covered entity'').
\8\ A business associate is a person, other than a workforce
member, that performs certain functions or activities for or on
behalf of a covered entity, or that provides certain services to a
covered entity involving the disclosure of PHI to the person. See 45
CFR 160.103 (definition of ``Business associate'').
\9\ See ``Part 2 Proposed Rule Brings Clarity and Reduces
Regulatory Burdens for Substance Use Disorder Providers, but
Challenges Remain'' (September 2019), <a href="https://www.mintz.com/insights-center/viewpoints/2146/2019-09-part-2-proposed-rule-brings-clarity-and-reduces-regulatory">https://www.mintz.com/insights-center/viewpoints/2146/2019-09-part-2-proposed-rule-brings-clarity-and-reduces-regulatory</a>; ``HIPAA: A Trap for the Unwary''
(May 2014), <a href="https://www.dykema.com/resources-alerts-HIPAA-A-Trap-for-the-Unwary_5-2014.html">https://www.dykema.com/resources-alerts-HIPAA-A-Trap-for-the-Unwary_5-2014.html</a>; and correspondence from Partnership to
Amend 42 CFR part 2 (March 2019), <a href="https://www.pcpcc.org/sites/default/files/news_files/Response%20from%20Partnership%20to%20Amend%2042%20CFR%20Part%202.pdf">https://www.pcpcc.org/sites/default/files/news_files/Response%20from%20Partnership%20to%20Amend%2042%20CFR%20Part%202.pdf</a>.
\10\ See Published Comments--Request for Public Comment on the
Confidentiality of Alcohol and Drug Abuse Patient Records, 79 FR
26929 (May 2014) Document 26, (June 23, 2014) at page 20, <a href="https://www.samhsa.gov/sites/default/files/about_us/who_we_are/comments-100-120.pdf">https://www.samhsa.gov/sites/default/files/about_us/who_we_are/comments-100-120.pdf</a>; ``Privacy Laws are Hurting the Care of Patients with
Addiction'' (July 2018), <a href="https://www.statnews.com/2018/07/13/privacy-laws-patients-addiction/">https://www.statnews.com/2018/07/13/privacy-laws-patients-addiction/</a>.
---------------------------------------------------------------------------
Paragraphs (b), (c), and (f) of section 290dd-2, as amended by
section 3221 of the CARES Act, contain modified or new requirements for
patient consent and redisclosure of Part 2 records; \11\ new rights to
obtain an accounting of disclosures made with consent \12\ and to
request restrictions on disclosures; \13\ greater restrictions against
the use and disclosure of records in civil, criminal, administrative,
and legislative proceedings against patients; \14\ and new civil money
penalties (CMPs) for violations of Part 2.\15\ Paragraphs (i), (j), and
(k) of section 290dd-2, as amended by section 3221 of the CARES Act,
add new requirements to prohibit discrimination,\16\ impose breach
notification obligations,\17\ and incorporate definitions from the
HIPAA Rules into Part 2.\18\ Finally, section 3221(i) of the CARES Act
requires the Department to update its Notice of Privacy Practices (NPP)
requirements in the HIPAA Privacy Rule (``Privacy Rule'') at 45 CFR
164.520 to address uses and disclosures of Part 2 records and
individual rights with respect to those records.\19\ This NPRM contains
proposals to implement the CARES Act provisions relating to health
information privacy; the Department intends to develop a separate
rulemaking to implement the CARES Act antidiscrimination prohibitions.
---------------------------------------------------------------------------
\11\ 42 U.S.C. 290dd-2(b)(1).
\12\ 42 U.S.C. 290dd-2(b)(1)(B).
\13\ 42 U.S.C. 290dd-2(b)(1)(D). Additionally, section 3221 of
the CARES Act further emphasizes the patient's right to request
restrictions on disclosures in both the Rules of Construction and
the Sense of Congress. See CARES Act secs. 3221(j)(1) and (k)(2),
respectively.
\14\ 42 U.S.C. 290dd-2(c).
\15\ 42 U.S.C. 290dd-2(f).
\16\ CARES Act sec. 3221(g) added paragraph (i) to 42 U.S.C.
290dd-2 to insert an express prohibition against discrimination on
the basis of information received pursuant to a disclosure of
records. See 42 U.S.C. 290dd-2(i).
\17\ 42 U.S.C. 290dd-2(j).
\18\ 42 U.S.C. 290dd-2(k).
\19\ CARES Act sec. 3221(i)(2).
---------------------------------------------------------------------------
In addition to changes mandated by the CARES Act, the Department
proposes to address concerns about potential unintended consequences
for government agencies of the change in enforcement authority and
penalties for violations of Part 2. Specifically, the Department
proposes to create a limitation on liability for agencies and persons
acting on their behalf, that investigate and prosecute Part 2 programs
(to be defined as ``investigative agencies'') and unknowingly receive
records subject to Part 2 before applying for the requisite
[[Page 74218]]
court order, provided they first exercise reasonable diligence by
attempting to determine if the targeted provider is a Part 2 program.
The proposal would permit investigative agencies to seek a court order
after obtaining records in such situations. An additional proposal
would require agencies using this safe harbor to report annually to the
Secretary.
Effective and Compliance Dates
The proposed effective date of a final rule would be 60 days after
publication and the compliance date would be 22 months after the
effective date. Entities subject to a final rule would have until the
compliance date to establish and implement policies and practices to
achieve compliance.
Part 2 does not contain a standard compliance period for changes to
the regulations; however, the HIPAA Rules generally require covered
entities and business associates to comply with new or modified
standards or implementation specifications no later than 180 days from
the effective date of any such standards or implementation
specifications, except as otherwise provided (e.g., in a specific
rulemaking).\20\ While the proposed rule would make only minor
modifications to the Privacy Rule, the Department proposes to provide
the same, substantial compliance period for both the proposed
modifications to 45 CFR 164.520 and the more extensive Part 2
modifications. Accordingly, the Department would begin enforcement of
the new and revised standards, in both regulations, 24 months after
publication of a final rule. This compliance period would allow Part 2
programs to revise existing policies and practices, complete other
implementation requirements, and train their workforce members on the
changes, as well as minimize administrative burdens on entities subject
to the Privacy Rule.
---------------------------------------------------------------------------
\20\ See 45 CFR 160.105.
---------------------------------------------------------------------------
The Department requests comment on whether the 22-month compliance
period is an appropriate length of time for entities subject to a final
rule to come into compliance and any benefits or unintended adverse
consequences for entities or individuals of a shorter or longer
compliance period.
Additionally, for the proposed accounting of disclosures
requirements, the Department proposes to toll the compliance date for
Part 2 programs until the effective date of a final rule on the HIPAA
accounting of disclosures standard, 45 CFR 164.528. This would ensure
that Part 2 programs do not incur new compliance obligations before
covered entities and business associates under the Privacy Rule are
obligated to comply.
Summary of Major Proposals
The Department proposes the following changes to 42 CFR part 2 that
revise, delete, replace, or add sections to implement statutory
requirements enacted pursuant to section 3221 of the CARES Act. The
Department also proposes to amend 42 CFR part 2 to reflect applicable
standards in the HIPAA Rules, reflect language used in the HIPAA Rules,
align regulatory text with statutory spelling,\21\ and improve clarity
or readability. Additionally, the Department proposes to modify the NPP
requirements in 45 CFR 164.520 consistent with section 3221(i) of the
CARES Act.
---------------------------------------------------------------------------
\21\ 42 U.S.C. 290dd-2(b)(1)(B) provides in part that ``[a]ny
information so disclosed may be redisclosed in accordance with the
HIPAA regulations.'' To align with the statute's spelling of the
term ``redisclosed'' and for drafting consistency, the Department
proposes to modify the term ``re-disclosed'' (and related root
words) to remove the hyphen, where appropriate, throughout this
document. See, e.g., proposed Sec. Sec. 2.12(d)(2)(i)(C);
2.12(d)(2)(ii); 2.32(a)(1); 2.33(c); 2.34(b); 2.35(d); 2.52(b)(2);
2.53(a).
---------------------------------------------------------------------------
This section summarizes major proposals in this NPRM. Additional
proposed revisions are not listed here because they are not considered
major.\22\ All proposed changes are discussed in detail in section III
of this NPRM:
---------------------------------------------------------------------------
\22\ Generally, the proposals not listed make wording changes,
not substantive changes. These proposals are reviewable in the
regulatory text and include proposals to modify Sec. 2.17,
Undercover agents and informants; Sec. 2.20, Relationship to state
laws; Sec. 2.21 Relationship to federal statutes protecting
research subjects against compulsory disclosure of their identity;
and Sec. 2.34, Uses and Disclosures to prevent multiple enrollments
(proposed heading).
---------------------------------------------------------------------------
1. Sec. 2.1--Statutory authority for confidentiality of substance
use disorder patient records.
Revise Sec. 2.1 to more closely reflect the authority granted in
42 U.S.C. 290dd-2(g), especially with respect to court orders
authorizing the disclosure of records.
2. Sec. 2.2--Purpose and effect.
Amend paragraph (b) of Sec. 2.2 to reflect that Sec. 2.3(b)
compels disclosures to the Secretary that are necessary for enforcement
of this rule, using language adapted from the Privacy Rule at 45 CFR
164.502(a)(2)(ii). Add a new paragraph (b)(3) to this section to
prohibit any limits on a patient's right to request restrictions on use
of records for treatment, payment, or health care operations (TPO) or a
covered entity's choice to obtain consent to use or disclose records
for TPO purposes as provided in the Privacy Rule.
3. Sec. 2.3--Civil and criminal penalties for violations (proposed
heading).
Amend the heading and replace title 18 U.S.C. enforcement with
references to the HIPAA enforcement authorities in the Social Security
Act at sections 1176 (civil enforcement, including the CMP tiers
established by the Health Information Technology for Economic and
Clinical Health (HITECH) Act of 2009) and 1177 (criminal
penalties),\23\ as implemented in the Enforcement Rule.\24\ Create a
limitation on civil or criminal liability under Part 2 for
investigative agencies that act with reasonable diligence before making
a demand for records in the course of an investigation or prosecution
of a Part 2 program or person holding the record, provided that certain
conditions are met.\25\
---------------------------------------------------------------------------
\23\ See Public Law 111-5, 123 Stat. 226 (February 17, 2009).
Section 13410 of the HITECH Act (codified at 42 U.S.C. 17939)
amended sections 1176 and 1177 of the Social Security Act (codified
at 42 U.S.C. 1320d-5 and 1320d-6) to add civil and criminal penalty tiers for
violations of the HIPAA Administrative Simplification provisions.
\24\ See 45 CFR part 160.
\25\ Although this provision is not expressly required by the
CARES Act, it falls within the Department's general rulemaking
authority in 42 U.S.C. 290dd-2(g), and is needed to address the
logical consequences of the changes required by sec. 3221.
---------------------------------------------------------------------------
4. Sec. 2.4--Complaints of violations (proposed heading).
Amend the heading and insert requirements consistent with those
applicable to HIPAA complaints under 45 CFR 164.530(d), (g), and (h),
including: a requirement to establish a process for the Part 2 program
to receive complaints, a prohibition against taking adverse action
against patients who file complaints, and a prohibition against
requiring individuals to waive the right to file a complaint as a
condition of providing treatment, enrollment, payment, or eligibility
for services.
5. Sec. 2.11--Definitions.
Add new terms and definitions to align with the following statutory
and regulatory HIPAA terms: Breach, Business associate, Covered entity,
Health care operations, HIPAA, HIPAA regulations, Payment, Person,
Public health authority, Treatment, Unsecured protected health
information, and Use. Create new defined terms Intermediary,
Investigative agency, and Unsecured record, and modify the definitions
of Informant, Part 2 program director, Patient, Program, Records,
Third-party payer, Treating provider relationship, and Qualified
service organization.
6. Sec. 2.12--Applicability.
Replace ``Armed Forces'' with ``Uniformed Services'' in paragraph
(c)(2) of Sec. 2.12. Incorporate four
[[Page 74219]]
statutory examples of restrictions on the use or disclosure of Part 2
records to initiate or substantiate any criminal charges against a
patient or to conduct any criminal investigation of a patient. Add
language to qualify the term third-party payer with the phrase ``as
defined in this part.'' Revise paragraph (e)(4)(i) to clarify when a
diagnosis is not covered by Part 2.
7. Sec. 2.13--Confidentiality restrictions and safeguards.
Redesignate Sec. 2.13(d) requiring a list of disclosures as new
Sec. 2.24 and modify the text for clarity. Amend the heading to
distinguish the right to a list of disclosures made by intermediaries
from the proposed new right to an accounting of disclosures made by a
Part 2 program.
8. Sec. 2.14--Minor patients.
Change the verb ``judges'' to ``determines'' to describe a program
director's evaluation and decision that a minor lacks decision making
capacity.
9. Sec. 2.15--Patients who lack capacity and deceased patients
(proposed heading).
Replace outdated language, clarify that paragraph (a) of this
section refers to an adjudication by a court of a patient's lack of
capacity to make health care decisions while paragraph (b) refers to a
patient's lack of capacity to make health care decisions without court
adjudication, and add health plans to the list of entities to which a
program may disclose records without consent.
10. Sec. 2.16--Security for records and notification of breaches
(proposed heading).
Apply the HITECH Act breach notification provisions \26\ that are
currently implemented in the Breach Notification Rule to breaches of
records by Part 2 programs and retitle the provision to include breach
notification to implement CARES Act provisions. Modify the provision to
refer to the Privacy Rule de-identification standard at 45 CFR 164.514.
---------------------------------------------------------------------------
\26\ Section 13400 of the HITECH Act (codified at 42 U.S.C.
17921) defined the term ``Breach''. Section 13402 of the HITECH Act
(codified at 42 U.S.C. 17932) enacted breach notification
provisions, discussed in detail below.
---------------------------------------------------------------------------
11. Sec. 2.19--Disposition of records by discontinued programs.
Add an exception to clarify that these provisions do not apply to
transfers, retrocessions, and reassumptions of Part 2 programs pursuant
to the Indian Self-Determination and Education Assistance Act (ISDEAA),
in order to facilitate the responsibilities set forth in 25 U.S.C.
5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C. 5324(e), 25 U.S.C. 5330, 25
U.S.C. 5386(f), 25 U.S.C. 5384(d), and the implementing ISDEAA
regulations. Modernize the language to refer to ``non-electronic''
records and include ``paper'' records as an example of non-electronic
records.
12. Sec. 2.22--Notice to patients of federal confidentiality
requirements.
Modify the Part 2 confidentiality notice requirements (hereinafter,
``Patient Notice'') to align with the NPP and address protections
required by 42 U.S.C. 290dd-2, as amended by section 3221 of the CARES
Act, for entities that create or maintain Part 2 records.
13. Sec. 2.23--Patient access and restrictions on use and
disclosure (proposed heading).
Add the term ``disclosure'' to the heading and body of this section
to clarify that information obtained by patient access to their record
may not be used or disclosed for purposes of a criminal charge or
criminal investigation.
14. Sec. 2.24--Requirements for intermediaries (redesignated and
proposed heading).
Retitle the redesignated section (to be moved from Sec. 2.13(d))
as ``Requirements for intermediaries'' to clarify the responsibilities
of recipients of records received under a consent with a general
designation, such as health information exchanges, research
institutions, accountable care organizations, and care management
organizations.
15. Sec. 2.25--Accounting of disclosures (proposed heading).
Add this section to implement 42 U.S.C. 290dd-2(b)(1)(B), as
amended by section 3221 of the CARES Act, to incorporate into Part
2 the HITECH Act right to an accounting of certain disclosures of
records for up to three years prior to the date the accounting is
requested and add a right to an accounting of disclosures of records
that mirrors the standard in the Privacy Rule at 45 CFR 164.528.
16. Sec. 2.26--Right to request privacy protection for records
(proposed heading).
Add this section to implement 42 U.S.C. 290dd-2(b)(1)(B), as
amended by section 3221 of the CARES Act, to incorporate into Part
2 the HITECH Act rights implemented in the Privacy Rule at 45 CFR
164.522, namely: (1) a patient right to request restrictions on
disclosures of records otherwise permitted for TPO purposes, and (2) a
patient right to obtain restrictions on disclosures to health plans for
services paid in full by the patient.
17. Subpart C--Uses and Disclosures With Patient Consent (proposed
heading).
Change the heading of subpart C to ``Uses and Disclosures With
Patient Consent'' to reflect changes made to the provisions of this
subpart related to the consent to use and disclose Part 2 records,
consistent with 42 U.S.C. 290dd-2(b), as amended by section 3221(b)
of the CARES Act.
18. Sec. 2.31--Consent requirements.
Align the content requirements for Part 2 written consent with the
content requirements for a valid HIPAA authorization and clarify how
recipients may be designated in a consent to use and disclose Part 2
records for TPO.
19. Sec. 2.32--Notice to accompany disclosure (proposed heading).
Change the heading of this section and align the content
requirements for the required notice that accompanies a disclosure of
records (hereinafter ``notice to accompany disclosure'') with the
requirements of 42 U.S.C. 290dd-2(b), as amended by section 3221(b) of
the CARES Act.
20. Sec. 2.33--Uses and disclosures permitted with written consent
(proposed heading).
To align this provision with the statutory authority in 42 U.S.C.
290dd-2(b)(1), as amended by section 3221(b) of the CARES Act, replace
the provisions requiring consent for uses and disclosures for payment
and certain health care operations with permission to use and disclose
records for TPO with a single consent given once for all such future
uses and disclosures, until such time as the patient revokes the
consent in writing. Create redisclosure permissions for two categories
of recipients of Part 2 records pursuant to a written consent: (1)
Permit a Part 2 program, covered entity, or business associate that
receives Part 2 records pursuant to a written consent for TPO purposes
to redisclose the records in any manner permitted by the Privacy Rule,
except for certain proceedings against the patient; \27\ and (2) Permit
a lawful holder that is not a covered entity, business associate, or
Part 2 program to redisclose Part 2 records for payment and health care
operations to its contractors, subcontractors, or legal representatives
as needed to carry out the activities in the consent.
---------------------------------------------------------------------------
\27\ See 42 U.S.C. 290dd-2(b)(1)(B) and (2)(c).
---------------------------------------------------------------------------
21. Sec. 2.35--Disclosures to elements of the criminal justice
system which have referred patients.
For clarity, replace ``individuals'' with ``persons'' and clarify
that permitted redisclosures of information are from Part 2 records.
22. Subpart D--Uses and Disclosures Without Patient Consent
(proposed heading).
Change the heading of subpart D to ``Uses and Disclosures Without
Patient Consent'' to reflect changes made to the
[[Page 74220]]
provisions of this subpart related to the consent to use and disclose
Part 2 records, consistent with 42 U.S.C. 290dd-2 as amended by the
CARES Act.
23. Sec. 2.51--Medical emergencies.
For clarity in Sec. 2.51(c)(2), replace the term ``individual''
with the term ``person.''
24. Sec. 2.52--Scientific research (proposed heading).
Revise the heading of Sec. 2.52 to reflect statutory language. To
further align Part 2 with the Privacy Rule, replace the requirements to
render Part 2 data in research reports non-identifiable with the
Privacy Rule's de-identification standard in 45 CFR 164.514.
25. Sec. 2.53--Management audits, financial audits, and program
evaluation (proposed heading).
Revise the heading of Sec. 2.53 to reflect statutory language. To
support implementation of 42 U.S.C. 290dd-2(b)(1), as amended by
section 3221(b) of the CARES Act, add a provision to acknowledge the
permission for use and disclosure of records for health care operations
purposes based on written consent of the patient and the permission to
redisclose such records as permitted by the HIPAA Privacy Rule if the
recipient is a Part 2 program, covered entity, or business associate.
26. Sec. 2.54--Disclosures for public health (proposed heading).
Add a new Sec. 2.54 to implement 42 U.S.C. 290dd-2(b)(2)(D), as
amended by section 3221(c) of the CARES Act, to permit disclosure of
records without patient consent to public health authorities provided
that the records disclosed are de-identified according to the standards
established in 45 CFR 164.514.
27. Subpart E--Court Orders Authorizing Use and Disclosure
(proposed heading).
Change the heading of subpart E to reflect changes made to the
provisions of this subpart related to the uses and disclosures of Part 2
records in proceedings consistent with 42 U.S.C. 290dd-2(b) and (2)(c),
as amended by sections 3221(b) and (e) of the CARES Act.
28. Sec. 2.61--Legal effect of order.
Add the term ``use'' to clarify that the legal effect of a court
order would include authorizing the use and disclosure of records,
consistent with 42 U.S.C. 290dd-2(b) and (c), as amended by section
3221(e) of the CARES Act.
29. Sec. 2.62--Order not applicable to records disclosed without
consent to researchers, auditors, and evaluators.
For clarity, replace the term ``qualified personnel'' with a
reference to the criteria that define such persons.
30. Sec. 2.63--Confidential communications.
Revise paragraph (c) of Sec. 2.63 to expressly include civil,
criminal, administrative, and legislative proceedings as forums where
the requirements for a court order under this part would apply, to
implement 42 U.S.C. 290dd-2(c), as amended by section 3221(c) of the
CARES Act.
31. Sec. 2.64--Procedures and criteria for orders authorizing uses
and disclosures for noncriminal purposes (proposed heading).
Expand the types of forums where restrictions on use and disclosure
of records in civil proceedings against patients apply \28\ to
expressly include administrative and legislative proceedings and also
restrict the use of testimony conveying information in a record in
civil proceedings against patients, absent consent or a court order.
Add the term ``uses'' to the heading and in this section to align it
with current statutory authority.
---------------------------------------------------------------------------
\28\ See 42 CFR part 2, subpart E.
---------------------------------------------------------------------------
32. Sec. 2.65--Procedures and criteria for orders authorizing use
and disclosure of records to criminally investigate or prosecute
patients (proposed heading).
Expand the types of forums where restrictions on uses and
disclosures of records in criminal proceedings against patients apply
\29\ to expressly include administrative and legislative proceedings
and also restrict the use of testimony conveying information in a Part
2 record in criminal proceedings against patients, absent consent or a
court order.
---------------------------------------------------------------------------
\29\ Id.
---------------------------------------------------------------------------
33. Sec. 2.66--Procedures and criteria for orders authorizing use
and disclosure to investigate or prosecute a part 2 program or the
person holding the records (proposed heading).
Create requirements for investigative agencies to follow in the
event they discover in good faith that they received Part 2 records
during an investigation or prosecution of a Part 2 program or the
person holding the records before seeking a court order as required
under Sec. 2.66.
34. Sec. 2.67--Orders authorizing the use of undercover agents and
informants to investigate employees or agents of a part 2 program in
connection with a criminal matter.
Add new criteria for issuance of a court order in instances where
an application is submitted after the placement of an undercover agent
or informant has already occurred, requiring an investigative agency to
satisfy the conditions at Sec. 2.3(b).
35. Sec. 2.68--Report to the Secretary (proposed heading).
Create new requirements for investigative agencies to file annual
reports about the instances in which they applied for a court order
after receipt of Part 2 records or placement of an undercover agent or
informant as provided in Sec. 2.66 and Sec. 2.67.
36. 45 CFR 164.520--Notice of privacy practices for protected
health information.
Revise 45 CFR 164.520 to implement updates to the NPP to address
Part 2 confidentiality requirements, as required by section 3221(i)(2)
of the CARES Act.
Background and Need for Proposed Rule
There are approximately 16,066 publicly funded SUD treatment
facilities \30\ and 1.8 million HIPAA covered entities and business
associates, with an unknown percentage of entities subject to both
HIPAA and Part 2. Part 2 records often also meet the definition of PHI
when maintained by HIPAA covered entities (or their business associates
on the covered entities' behalf). To ensure compliance with both sets
of regulatory requirements, dually regulated entities subject to both
Part 2 and the HIPAA Rules (i.e., covered entities that also are Part 2
programs) must track and segregate the records that are subject to Part
2 from the records that are subject only to the HIPAA Rules and obtain
specific written consent for most uses and disclosures of Part 2
records (including uses and disclosures for non-emergency treatment
purposes). The Department has been urged by many stakeholders to change
Part 2 to eliminate the need for data segmentation.\31\
---------------------------------------------------------------------------
\30\ See Substance Abuse and Mental Health Services
Administration, National Survey of Substance Abuse Treatment
Services (N-SSATS): 2020. Data on Substance Abuse Treatment
Facilities. Rockville, MD: Substance Abuse and Mental Health
Services Administration, 2021, <a href="https://www.samhsa.gov/data/sites/default/files/reports/rpt35313/2020_NSSATS_FINAL.pdf">https://www.samhsa.gov/data/sites/default/files/reports/rpt35313/2020_NSSATS_FINAL.pdf</a>.
\31\ For example, the Ohio Behavioral Health Providers Network
(Network) in an August 21, 2020, letter to SAMHSA, and the
Partnership to Amend Part 2 in a similar January 8, 2021, letter to
the U.S. Department of Health and Human Services (HHS), both urge
that there should be no requirement for data segmentation or
segregation after written consent is obtained and Part 2 records are
transmitted to a health information exchange or care management
entity that is a business associate of a covered entity covered by
the new CARES Act consent language. In the letter, the Network
states that such requirements are difficult to implement in
federally qualified health centers and other integrated settings in
which SUD treatment may be provided. See also public comments
expressed and summarized in 85 FR 42986, <a href="https://www.federalregister.gov/documents/2020/07/15/2020-14675/confidentiality-of-substance-use-disorder-patient-records">https://www.federalregister.gov/documents/2020/07/15/2020-14675/confidentiality-of-substance-use-disorder-patient-records</a>; and see
<a href="https://aahd.us/wp-content/uploads/2021/01/PartnershipRecommendationsforNextPart2-uleLtrtoNomineeBecerra_01082021.pdf">https://aahd.us/wp-content/uploads/2021/01/PartnershipRecommendationsforNextPart2-uleLtrtoNomineeBecerra_01082021.pdf</a>.
---------------------------------------------------------------------------
[[Page 74221]]
The preamble to the 2000 Final Privacy Rule explained how entities
subject to the Privacy Rule and Part 2 could comply with both rules
because in most cases the rules do not conflict. The Privacy Rule
permits, but does not require, some disclosures that are not permitted
by Part 2. Complying with Part 2's prohibitions on such disclosures
would not be a violation of the Privacy Rule. And in instances where
Part 2 permits disclosures that would otherwise be restricted by the
Privacy Rule, an entity that is subject to both sets of regulations
would be able to comply with the Privacy Rule's restrictions without
violating Part 2.\32\
---------------------------------------------------------------------------
\32\ See 65 FR 82482 (December 28, 2000).
---------------------------------------------------------------------------
Although the Department intended to facilitate compliance by
entities subject to both regulatory schemes, significant differences in
the statutorily permitted uses and disclosures of Part 2 records and
PHI contributed to ongoing operational compliance challenges. For
example, once a HIPAA covered entity or business associate disclosed
PHI to a person who was not a covered entity or business associate, the
information was no longer protected by the Privacy Rule, and thus the
Privacy Rule's limitations on uses and disclosures did not apply. In
contrast, Part 2 strictly limited the redisclosure of Part 2 records by
any individual or entity that received a Part 2 record directly from a
Part 2 program or other ``lawful holder'' of patient identifying
information, absent written patient consent or as otherwise permitted
under the regulations.\33\ \34\
---------------------------------------------------------------------------
\33\ See 42 CFR 2.12(d)(2)(i)(C).
\34\ See 42 CFR 2.11, definitions of ``Patient identifying
information'' and ``Disclose''.
---------------------------------------------------------------------------
Regarding Part 2 records, a treating provider that is not a Part 2
program could record information about the treatment of an individual's
SUD in its non-Part 2 records, even if it gleaned the information from
a Part 2 record, and the information in the non-Part 2 records would
not be subject to Part 2; however, any Part 2 records received from a
Part 2 program or other lawful holder would need to be segregated or
segmented.\35\ Previously, the need to segment Part 2 records from
other health records created data ``silos'' that hampered the
integration of SUD treatment records into covered entities' electronic
record systems and billing processes. Some lawmakers have argued that
these silos perpetuated negative stereotypes about persons with SUD and
inhibited coordination of care \36\ \37\ during the opioid
epidemic.\38\ In 2019, the National Association of Attorneys General
(NAAG) urged Congress to update the 40-year-old Part 2 regulation that
was created in a time of ``intense stigma'' surrounding SUD treatment
because it now serves to ``perpetuate that stigma, as the principle
underlying these rules is that [SUD] treatment is shameful and records
of it should be withheld from other treatment providers in ways that we
do not withhold records of treatment of other chronic diseases.'' \39\
In that same year ``nearly 50,000 people in the United States died from
opioid-involved overdoses.'' \40\ During a congressional hearing, ``The
Opioid Crisis: The Role of Technology and Data in Preventing and
Treating Addiction,'' Senator Patty Murray (D-WA) observed that,
``[t]echnology and data offer important opportunities to address the
opioid crisis, to prevent addi[c]tion, and avoid the tragedy so many
families are facing.'' \41\
---------------------------------------------------------------------------
\35\ See 42 CFR 2.12(d)(2)(ii).
\36\ See, e.g., remarks of U.S. Representative Earl Blumenauer:
``If substance use disorder treatment is not included in your entire
medical records, then they are not complete. It makes care
coordination more difficult and can lead to devastating outcomes.
This bill works to remove the stigma that comes with substance use
disorders and ensures necessary information is available for safe,
efficient, and transparent treatment for all patients.'' See also
remarks of U.S. Representative Markwayne Mullin: ``It's time that we
stop stigmatizing those struggling with opioid abuse and give
physicians the tools they need to help their patients. Mental health
and physical health have been treated in a silo for too long. Our
bill breaks down those barriers so the doctor can treat the whole
patient. I'm proud to introduce this bill with my colleagues so that
we can provide 21st century care to those who need it the most'',
<a href="https://blumenauer.house.gov/media-center/press-releases/blumenauer-and-mullin-introduce-bipartisan-legislation-address-opioid">https://blumenauer.house.gov/media-center/press-releases/blumenauer-and-mullin-introduce-bipartisan-legislation-address-opioid</a>.
\37\ But see 85 FR 42986 (July 15, 2020), in which the
Department finalized a rule permitting the disclosure of Part 2
records for care coordination by certain ``lawful holders'' that
receive a record for payment or health care operation activities
directly from a Part 2 program or other lawful holder.
\38\ In 2017, the Department declared a public health emergency
related to the opioid crisis. See Public Health Emergency (October
26, 2017), <a href="https://www.hhs.gov/sites/default/files/opioid%20PHE%20Declaration-no-sig.pdf">https://www.hhs.gov/sites/default/files/opioid%20PHE%20Declaration-no-sig.pdf</a>. <a href="https://www.phe.gov/emergency/news/healthactions/phe/Pages/opioids.aspx">https://www.phe.gov/emergency/news/healthactions/phe/Pages/opioids.aspx</a>.
\39\ NAAG Requests Removal of Federal Barriers to Treat Opioid
Use Disorder (August 5, 2019), at <a href="https://www.naag.org/policy-letter/naag-requests-removal-of-federal-barriers-to-treat-opioid-use-disorder/">https://www.naag.org/policy-letter/naag-requests-removal-of-federal-barriers-to-treat-opioid-use-disorder/</a>.
\40\ Opioid Overdose Crisis, National Institutes of Health
National Institute on Drug Abuse (March 11, 2021), <a href="https://www.drugabuse.gov/drug-topics/opioids/opioid-overdose-crisis">https://www.drugabuse.gov/drug-topics/opioids/opioid-overdose-crisis</a>. See
also CDC/NCHS, National Vital Statistics System, Mortality. CDC
WONDER, Atlanta, GA: US Department of Health and Human Services,
CDC; 2019, <a href="https://wonder.cdc.gov">https://wonder.cdc.gov</a>.
\41\ Hearing of the Committee on Health, Education, Labor, and
Pensions United States Senate, ``The Role of Technology and Data in
Preventing and Treating Addiction.'' (February 27, 2018), <a href="https://www.govinfo.gov/content/pkg/CHRG-115shrg28855/pdf/CHRG-115shrg28855.pdf">https://www.govinfo.gov/content/pkg/CHRG-115shrg28855/pdf/CHRG-115shrg28855.pdf</a>.
---------------------------------------------------------------------------
To address these concerns, Congress enacted the CARES Act, which
requires the Department to promulgate regulations modifying the
confidentiality requirements for Part 2 records.\42\ This rulemaking
proposes modifications to 42 CFR part 2 and the Privacy Rule that are
necessary to implement the statutory amendments made to 42 U.S.C.
290dd-2, and additional modifications to Part 2 to better align certain
provisions of Part 2 to the Privacy Rule and address concerns about
potential liability for government agencies in the course of
investigating and prosecuting Part 2 programs under the new penalties
and enforcement scheme.
---------------------------------------------------------------------------
\42\ See sec. 3221(i) of the CARES Act.
---------------------------------------------------------------------------
A. Statutory and Regulatory Background
Congress enacted the first federal confidentiality protections for
SUD records in section 333 of the Comprehensive Alcohol Abuse and
Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970.\43\
The statute authorized ``persons engaged in research on, or treatment
with respect to, alcohol abuse and alcoholism to protect the privacy of
individuals who [were] the subject of such research or treatment'' from
persons not connected with the conduct of the research or treatment by
withholding identifying information.
---------------------------------------------------------------------------
\43\ See sec. 333, Public Law 91-616, 84 Stat. 1853 (December
31, 1970) (codified at 42 U.S.C. 2688h).
---------------------------------------------------------------------------
Section 408 of the Drug Abuse Office and Treatment Act of 1972 \44\
applied confidentiality requirements to records relating to drug abuse
prevention authorized or assisted under any provision of the Act.
Section 408 permitted disclosure, with a patient's written consent, for
diagnosis or treatment by medical personnel and to government personnel
for obtaining patient benefits to which the patient is entitled. The
1972 Act also established exceptions to the consent requirement to
permit disclosures for bona fide medical emergencies; to qualified
personnel for conducting certain activities, such as scientific
research or financial audit or program evaluation, as long as the
patient is not identified in any reports; and as authorized by court
[[Page 74222]]
order granted after application showing good cause.\45\
---------------------------------------------------------------------------
\44\ See sec. 408, Public Law 92-255, 86 Stat. 65 (March 21,
1972) (codified at 21 U.S.C. 1175). Section 408 also prohibited the
use of a covered record for use or initiation or substantiation of
criminal charges against a patient or investigation of a patient.
Section 408 provided for a fine in the amount of $500 for a first
offense violation, and not more than $5,000 for each subsequent
offense.
\45\ Id.
---------------------------------------------------------------------------
The Comprehensive Alcohol Abuse and Alcoholism Prevention,
Treatment, and Rehabilitation Act Amendments of 1974 \46\ expanded the
types of records protected by confidentiality restrictions to include
records relating to alcoholism, alcohol abuse, and drug abuse
prevention, maintained in connection with any program or activity
conducted, regulated, or directly or indirectly federally assisted by
any United States agency. The 1974 Act also permitted the disclosure of
records based on prior written patient consent only to the extent such
disclosures were allowed under Federal regulations. Additionally, the
1974 Act excluded the interchange of records within the Armed Forces or
components of the U.S. Department of Veterans Affairs (VA), then known
as the Veterans' Administration, from the confidentiality
restrictions.\47\
---------------------------------------------------------------------------
\46\ See sec. 101, title I, Public Law 93-282, 88 Stat. 126 (May
14, 1974), providing that: ``This title [enacting this section and
sections 4542, 4553, 4576, and 4577 of this title, amending sections
242a, 4571, 4572, 4573, 4581, and 4582 of this title, and enacting
provisions set out as notes under sections 4581 and 4582 of this
title] may be cited as the `Comprehensive Alcohol Abuse and
Alcoholism Prevention, Treatment, and Rehabilitation Act Amendments
of 1974''.
\47\ See sec. 408, title I, Public Law 92-255, 86 Stat. 79
(March 21, 1972) (originally codified at 21 U.S.C. 1175). See 21
U.S.C. 1175 note for complete statutory history.
---------------------------------------------------------------------------
In 1992, section 131 of the Alcohol, Drug Abuse, and Mental Health
Administration Reorganization Act (ADAMHA Reorganization Act) \48\
added section 543, Confidentiality of Records, to the Public Health
Service Act (PHSA) (codified at 42 U.S.C. 290dd-2) (``Part 2
statute''), which narrowed the grounds upon which a court could grant
an order permitting disclosure of such records from ``good cause''
(i.e., based on weighing the public interest in the need for disclosure
against the injury to the patient, physician-patient relationship, and
treatment services) \49\ to ``the need to avert a substantial risk of
death or serious bodily harm.'' \50\ Congress also established criminal
penalties for Part 2 violations under title 18 of the United States
Code, Crimes and Criminal Procedure.\51\ Finally, section 543 granted
broad authority to the Secretary to prescribe regulations to carry out
the purposes of section 543 and provide for safeguards and procedures,
including criteria for the issuance and scope of court orders to
authorize disclosure of SUD records, ``as in the judgment of the
Secretary are necessary or proper to effectuate the purposes of this
section, to prevent circumvention or evasion thereof, or to facilitate
compliance therewith.'' \52\
---------------------------------------------------------------------------
\48\ See sec. 131, Public Law 102-321, 106 Stat. 323 (July 10,
1992) (codified at 42 U.S.C. 201 note).
\49\ See sec. 333, Public Law 91-616, 84 Stat. 1853 (December
31, 1970).
\50\ See sec. 131, Public Law 102-321, 106 Stat. 323 (July 10,
1992) (codified at 42 U.S.C. 201 note).
\51\ Id., adding sec. 543(b)(2)(C) to the PHSA.
\52\ Id., adding sec. 543(g) to the PHSA.
---------------------------------------------------------------------------
In 1975, the Department promulgated the first federal regulations
implementing statutory SUD confidentiality provisions at 42 CFR part
2.\53\ In 1987, the Department published a final rule making
substantive changes to the scope of Part 2 to clarify the regulations
and ease the burden of compliance by Part 2 programs within the
parameters of the existing statutory restrictions.\54\ After the 1992
enactment of the ADAMHA Reorganization Act (Pub. L. 102-321), the
Department later clarified the definition of ``program'' in a 1995
final rule to narrow the scope of Part 2 regulations pertaining to
medical facilities to cover only those entities or units within a
general medical facility that hold themselves out as providing
diagnosis, treatment, or referral for treatment, or specialized
personnel (who are identified as providing such services as a primary
function) and which directly or indirectly receive federal
assistance.\55\
---------------------------------------------------------------------------
\53\ See 40 FR 27802 (July 1, 1975).
\54\ See 52 FR 21796 (June 9, 1987). See also Notice of Decision
to Develop Regulations, 45 FR 53 (January 2, 1980) and 48 FR 38758
(August 25, 1983).
\55\ See 60 FR 22296 (May 5, 1995). See also 59 FR 42561 (August
18, 1994) and 59 FR 45063 (August 31, 1994). The ambiguity of the
definition of ``program'' was identified in United States v. Eide,
875 F. 2d 1429 (9th Cir. 1989) where the court held that the general
emergency room is a ``program'' as defined by the regulations.
---------------------------------------------------------------------------
HIPAA and the HITECH Act
In 1996, Congress enacted HIPAA,\56\ which included Administrative
Simplification provisions requiring the establishment of national
standards \57\ to protect the privacy and security of individuals'
health information and establishing civil money and criminal penalties
for violations of the requirements, among other provisions.\58\ The
Administrative Simplification provisions and implementing regulations
apply to covered entities, which are health care providers who conduct
covered health care transactions electronically, health plans, and
health care clearinghouses.\59\ Certain provisions of the HIPAA Rules
also apply directly to business associates of covered entities.\60\
---------------------------------------------------------------------------
\56\ See Public Law 104-191, 110 Stat. 1936 (August 21, 1996).
\57\ Cited at fn. 3. See also sec. 264 of HIPAA (codified at 42
U.S.C. 1320d-2 note).
\58\ See 42 U.S.C. 1320d-1-1320d-9. With respect to privacy
standards, Congress directed the Department to ``address at least
the following: (1) The rights that an individual who is a subject of
individually identifiable health information should have. (2) The
procedures that should be established for the exercise of such
rights. (3) The uses and disclosures of such information that should
be authorized or required.'' 42 U.S.C. 1320d-2 note.
\59\ See 42 U.S.C. 1320d-1 (applying Administrative
Simplification provisions to covered entities).
\60\ See ``Office for Civil Rights Fact Sheet on Direct
Liability of Business Associates under HIPAA'' (May 2019) for a
comprehensive list of requirements in the HIPAA Rules that apply
directly to business associates (available at <a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html">https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html</a>).
---------------------------------------------------------------------------
The Privacy Rule, including provisions implemented as a result of
the HITECH Act,\61\ regulates the use and disclosure of PHI by covered
entities and business associates, requires covered entities to have
safeguards in place to protect the privacy of PHI, and requires covered
entities to obtain the written authorization of an individual to use
and disclose the individual's PHI unless otherwise permitted by the
Privacy Rule.\62\ The Privacy Rule includes several use and disclosure
permissions that are relevant to this NPRM, including the permissions
for covered entities to use and disclose PHI without written
authorization from an individual for TPO; \63\ to public health
authorities for public health purposes; \64\ and for research in the
form of a limited data set \65\ or pursuant to a waiver of
authorization by a Privacy Board or Institutional Review Board.\66\ The
Privacy Rule also establishes the rights of individuals with respect to
their PHI, including the rights to: receive adequate notice of a
covered entity's privacy
[[Page 74223]]
practices; to request restrictions of certain uses and disclosures; to
access (i.e., to inspect and obtain a copy of) their PHI; to request an
amendment of their PHI; and to receive an accounting of certain
disclosures of their PHI.\67\ Finally, the Privacy Rule specifies
standards for de-identification of PHI such that, when applied, the
information is no longer individually identifiable health information
and subject to the HIPAA Rules.\68\
---------------------------------------------------------------------------
\61\ The HITECH Act extended the applicability of certain
Privacy Rule requirements and all of the Security Rule requirements
to the business associates of covered entities; required HIPAA
covered entities and business associates to provide for notification
of breaches of unsecured PHI (implemented by the Breach Notification
Rule); established new limitations on the use and disclosure of PHI
for marketing and fundraising purposes; prohibited the sale of PHI;
required consideration of whether a limited data set can serve as
the minimum necessary amount of information for uses and disclosures
of PHI; and expanded individuals' rights to access electronic copies
of their PHI in an EHR, to receive an accounting of disclosures of
their PHI with respect to ePHI, and to request restrictions on
certain disclosures of PHI to health plans. In addition, subtitle D
strengthened and expanded HIPAA's enforcement provisions. See
subtitle D of title XIII of the HITECH Act, entitled ``Privacy'',
for all provisions (codified in title 42 of U.S.C.).
\62\ See 45 CFR 164.502(a).
\63\ See 45 CFR 164.506.
\64\ See 45 CFR 164.512(b).
\65\ See 45 CFR 164.514(e)(1-4).
\66\ See 45 CFR 164.512(i).
\67\ See 45 CFR 164.520, 164.522, 164.524, 164.526 and 164.528.
\68\ See 45 CFR 164.514(a-c).
---------------------------------------------------------------------------
The Security Rule, codified at 45 CFR parts 160 and 164, subparts A
and C, requires covered entities and their business associates to
implement administrative, physical, and technical safeguards to protect
electronic PHI (ePHI). Specifically, covered entities and business
associates must ensure the confidentiality, integrity, and availability
of all ePHI they create, receive, maintain, or transmit; \69\ protect
against reasonably anticipated threats or hazards to the security or
integrity of the information \70\ and reasonably anticipated
impermissible uses or disclosures; \71\ and ensure compliance by their
workforce.\72\
---------------------------------------------------------------------------
\69\ See 45 CFR 164.306(a)(1).
\70\ See 45 CFR 164.306(a)(2).
\71\ See 45 CFR 164.306(a)(3).
\72\ See 45 CFR 164.306(a)(4).
---------------------------------------------------------------------------
The Breach Notification Rule, codified at 45 CFR parts 160 and 164,
subparts A and D, implements HITECH Act requirements \73\ for covered
entities to provide notification to affected individuals, the
Secretary, and in some cases the media, following a breach of unsecured
PHI. The Breach Notification Rule also requires a covered entity's
business associate that experiences a breach of unsecured PHI to notify
the covered entity of the breach. A breach is, generally, an
impermissible use or disclosure under the Privacy Rule that compromises
the security or privacy of ``unsecured'' PHI, subject to three
exceptions: \74\ (1) the unintentional acquisition, access, or use of
PHI by a workforce member or person acting under the authority of a
covered entity or business associate, if such acquisition, access, or
use was made in good faith and within the scope of authority; (2) the
inadvertent disclosure of PHI by a person authorized to access PHI at a
covered entity or business associate to another person authorized to
access PHI at the covered entity or business associate, or organized
health care arrangement (OHCA) in which the covered entity
participates; and (3) the covered entity or business associate making
the disclosure has a good faith belief that the unauthorized person to
whom the impermissible disclosure was made, would not have been able to
retain the information.
---------------------------------------------------------------------------
\73\ See sec. 13402 of the HITECH Act (codified at 42 U.S.C.
17932).
\74\ See 45 CFR 164.402 para. (1).
---------------------------------------------------------------------------
The Breach Notification Rule provides that a covered entity may
rebut the presumption that such impermissible use or disclosure
constituted a breach by demonstrating that there is a low probability
that PHI has been compromised based on a risk assessment of at least
four required factors: (1) the nature and extent of the PHI involved,
including the types of identifiers and the likelihood of re-
identification; (2) the unauthorized person who used the PHI or to whom
the disclosure was made; (3) whether the PHI was actually acquired or
viewed; and (4) the extent to which the risk to the PHI has been
mitigated.\75\
---------------------------------------------------------------------------
\75\ Ibid. para. (2).
---------------------------------------------------------------------------
The Enforcement Rule, codified at 45 CFR part 160, subparts C, D,
and E, includes standards and procedures relating to investigations
into complaints about noncompliance with the HIPAA Rules, compliance
reviews, the imposition of civil money penalties (CMPs), and
procedures for hearings. The
Enforcement Rule states generally that the Secretary will impose a CMP
upon a covered entity or business associate if the Secretary determines
that the covered entity or business associate violated a HIPAA
Administrative Simplification provision.\76\ However, the Enforcement
Rule also provides for informal resolution of potential
noncompliance,\77\ which occurs through voluntary compliance by the
regulated entity, corrective action, or a resolution agreement with the
payment of a settlement amount to OCR.
---------------------------------------------------------------------------
\76\ Criminal penalties may be imposed by the Department of
Justice for certain violations under 42 U.S.C. 1320d-6.
\77\ See 45 CFR 160.304. See also 45 CFR 160.416 and 160.514.
---------------------------------------------------------------------------
The Department promulgated or modified key provisions of the HIPAA
Rules as part of the 2013 Omnibus Final Rule, in which the Department
implemented applicable provisions of the HITECH Act, among other
modifications. For example, the Department strengthened privacy and
security protections for PHI, finalized breach notification
requirements, and enhanced enforcement by increasing potential CMPs for
violations, including establishing tiers of penalties based on
entities' level of culpability.\78\ The Secretary of HHS delegated
authority to OCR to make decisions regarding the implementation and
interpretation of the Privacy, Security, Breach Notification, and
Enforcement Rules.\79\ \80\
---------------------------------------------------------------------------
\78\ See 78 FR 5566 (January 25, 2013).
\79\ See Office for Civil Rights; Statement of Delegation of
Authority, 65 FR 82381 (December 28, 2000); Office for Civil Rights;
Delegation of Authority, 74 FR 38630 (August 4, 2009); Statement of
Organization, Functions and Delegations of Authority, 81 FR 95622
(December 28, 2016).
\80\ See 65 FR 82381 (December 28, 2000).
---------------------------------------------------------------------------
Earlier Efforts To Align Part 2 With the HIPAA Rules
Prior to amendment by the CARES Act, section 290dd-2 provided that
records could be disclosed only with the patient's specific written
consent for each disclosure, with limited exceptions.\81\ The
exceptions related to records maintained by VA or the Armed Forces and,
for example, disclosures for continuity of care in emergency situations
or between personnel who have a need for the information in connection
with their duties that arise out of the provision of the diagnosis,
treatment, or referral for treatment of patients with SUD.\82\ The
exceptions did not include, for example, a disclosure of Part 2 records
by a Part 2 program to a third-party medical provider to treat a
condition other than SUD absent an emergency situation. Therefore, the
current Part 2 implementing regulations require specific patient
consent for most uses and disclosures of Part 2 records, including for
non-emergency treatment purposes. In contrast, the Privacy Rule permits
covered entities to use and disclose an individual's PHI for TPO
without the individual's valid HIPAA authorization.\83\
---------------------------------------------------------------------------
\81\ The limited exceptions are codified in current regulation
at 42 CFR 2.12(c), 42 CFR part 2 subpart D, and 42 CFR 2.33(b).
\82\ See 42 CFR 2.12(c)(3). These disclosures are limited to
communications within a Part 2 program or between a Part 2 program
and an entity having direct administrative control over the Part 2
program.
\83\ See 45 CFR 164.501.
---------------------------------------------------------------------------
The Department has modified and clarified Part 2 several times to
align certain provisions more closely with the Privacy Rule,\84\
address changes in health information technology, and provide greater
flexibility for disclosures of patient identifying information within
the health care system, while continuing to protect the confidentiality
of Part 2 records.\85\ For example, the Department clarified in a 2017
final rule that the definition of ``patient identifying information''
in Part 2 includes the individual identifiers listed in the Privacy
Rule at
[[Page 74224]]
45 CFR 164.514(b)(2)(i) for those identifiers that are not already
listed in the Part 2 definition.\86\
---------------------------------------------------------------------------
\84\ See 85 FR 42986 and 83 FR 239 (January 3, 2018).
\85\ 82 FR 6052 (January 18, 2017). See also 81 FR 6988
(February 9, 2016).
\86\ See 82 FR 6052, 6064.
---------------------------------------------------------------------------
In 2018, the Department issued a final rule clarifying the
circumstances under which lawful holders and their legal
representatives, contractors, and subcontractors could use and disclose
Part 2 records related to payment and health care operations in Sec.
2.33(b) and for audit or evaluation-related purposes. The Department
clarified that the types of payment and health care operations uses
and disclosures previously listed under the lawful holder permission in
Sec. 2.33(b) were illustrative rather than exhaustive, and therefore
were not included in the regulatory text.\87\ The Department also acknowledged
the similarity of the list of activities to those included in the
Privacy Rule definition of ``health care operations'' but declined to
fully incorporate that definition into Part 2.\88\ The Department
specifically excluded care coordination and case management from the
list of payment and health care operations activities permitted without
patient consent under Part 2 based on a determination that these
activities are akin to treatment. The Department also codified in
regulatory text language for an abbreviated notice to accompany
disclosure of Part 2 records.\89\ Although the rule retained the
requirement that a patient must consent before a lawful holder may
redisclose Part 2 records for treatment,\90\ the Department explained
that the purpose of the Part 2 regulations is to ensure that a patient
is not made more vulnerable by reason of the availability of a
treatment record than an individual with a SUD who chooses not to seek
treatment. The Department simultaneously recognized the legitimate
needs of lawful holders to obtain payment and conduct health care
operations as long as the core protections of Part 2 are
maintained.\91\
---------------------------------------------------------------------------
\87\ See 83 FR 239, 241-242.
\88\ Id. at 242.
\89\ 83 FR 239 (January 3, 2018). See also 82 FR 5485 (January
18, 2017).
\90\ Id. at 242.
\91\ Id.
---------------------------------------------------------------------------
In a final rule published July 15, 2020,\92\ the Department
retained the requirement that programs obtain prior written consent
before disclosing Part 2 records in the first instance (outside of
recognized exceptions). At the same time the Department reversed its
previous exclusion of care coordination and case management from the
list of payment and health care operations in Sec. 2.33(b) for which a
lawful holder may make further disclosures to its contractors,
subcontractors, and legal representatives.\93\ The Department based
this change on comments received on the proposed rule in 2019 and on
section 3221(d)(4) of the CARES Act, which incorporated the Privacy
Rule definition of health care operations, including care coordination
and case management activities, into paragraph (k)(4) of 42 U.S.C.
290dd-2.\94\ The July 2020 final rule also modified the consent
requirements in Sec. 2.31 by establishing special requirements for
written consent \95\ when the recipient of Part 2 records is a health
information exchange (HIE) (as defined in 45 CFR 171.102 \96\). In this
NPRM, the Department now proposes a definition for the term
``intermediary'' \97\ to further facilitate the exchange of Part 2
records in new models of care, including those involving an HIE, a
research institution providing treatment, an accountable care
organization, or a care management organization.
---------------------------------------------------------------------------
\92\ 85 FR 42986. See also 84 FR 44568.
\93\ See 42 CFR 2.33(b).
\94\ See 85 FR 42986, 43008-009. Sec. 3221(k)(4) expressed the
Sense of Congress that the Department should exclude clause (v) of
paragraph 6 of 45 CFR 164.501 (relating to creating de-identified
health information or a limited data set, and fundraising for the
benefit of the covered entity) from the definition of ``health care
operations'' in applying the definition to these records.
\95\ See 85 FR 42986, 43006.
\96\ See 85 FR 42986, 43006. See also 21st Century Cures Act:
Interoperability, Information Blocking, and the ONC Health IT
Certification Program, 85 FR 25642 (May 1, 2020).
\97\ See proposed 42 CFR 2.11, Definitions: Intermediary means a
person who has received records under a general designation in a
written patient consent to be disclosed to one or more of its member
participants for the treatment of the patient--e.g., a health
information exchange, a research institution that is providing
treatment, an accountable care organization, or a care management
organization.
---------------------------------------------------------------------------
The Department again modified Part 2 on December 14, 2020,\98\ by
amending the confidential communications section of Sec. 2.63(a)(2),
which enumerated a basis for a court order authorizing the use of a
record when ``the disclosure is necessary in connection with
investigation or prosecution of an extremely serious crime allegedly
committed by the patient.'' The December 2020 final rule removed the
phrase ``allegedly committed by the patient,'' explaining that the
phrase was included in previous rulemaking by error, and clarifying
that a court has the authority to permit disclosure of confidential
communications when the disclosure is necessary in connection with
investigation or prosecution of an extremely serious crime that was
allegedly committed by either a patient or an individual other than the
patient.
---------------------------------------------------------------------------
\98\ 85 FR 80626 (December 14, 2020).
---------------------------------------------------------------------------
Section 3221 of the Coronavirus Aid, Relief, and Economic Security
(CARES) Act
On March 27, 2020, Congress enacted the CARES Act \99\ to provide
emergency assistance to individuals, families, and businesses affected
by the COVID-19 pandemic. Section 3221 of the CARES Act,
Confidentiality and Disclosure of Records Relating to Substance Use
Disorder, substantially amended 42 U.S.C. 290dd-2 to more closely align
federal privacy standards applicable to Part 2 records with HIPAA and
HITECH Act privacy use and disclosure standards, breach notification
standards, and enforcement authorities that apply to PHI, among other
modifications.
---------------------------------------------------------------------------
\99\ Public Law 116-136, 134 Stat. 281 (March 27, 2020).
Significant components of section 3221 are codified at 42 U.S.C.
290dd-2 as further detailed in this NPRM.
---------------------------------------------------------------------------
As amended by section 3221 of the CARES Act, 42 U.S.C. 290dd-2(b),
(c), and (f) now, respectively: align the patient consent and
redisclosure requirements for SUD records more closely with the
Privacy Rule provisions permitting uses and disclosures for TPO, and
establish certain patient rights with respect to Part 2 records
consistent with the HITECH Act; restrict the use and disclosure of
Part 2 records in legal proceedings; and set civil and criminal
penalties for violations. Section 3221 also amended 42 U.S.C.
290dd-2(j) and (k) by adding HITECH Act breach notification
requirements and new terms and definitions consistent with the HIPAA
Rules and the HITECH Act, respectively. Finally, section 3221
requires the Department to modify the NPP \100\ requirements at 45 CFR
164.520 so that covered entities and Part 2 programs provide notice to
individuals regarding privacy practices related to Part 2 records,
including patients' rights and uses and disclosures that are permitted
or required without authorization.
---------------------------------------------------------------------------
\100\ Section 3221(i) requires the Secretary to update 45 CFR
164.520, the Privacy Rule requirements with respect to the NPP.
---------------------------------------------------------------------------
Paragraph (b) of section 3221, Disclosures to Covered Entities
Consistent with HIPAA, adds a new paragraph (1), Consent, to section
543 of the PHSA \101\ and expands the ability of covered entities,
business associates, and Part 2 programs to use and disclose Part 2
records for TPO. The text of section 3221(b) adding paragraph (1)(B) to
42 U.S.C. 290dd-2 states that once
[[Page 74225]]
prior written consent of the patient has been obtained, those contents
may be used or disclosed by a covered entity, business associate, or a
program subject to this section for the purposes of treatment, payment,
and health care operations as permitted by the HIPAA regulations. Any
disclosed information may then be redisclosed in accordance with the
HIPAA regulations.
---------------------------------------------------------------------------
\101\ Paragraph (1) is codified at 42 U.S.C. 290dd-2(b).
---------------------------------------------------------------------------
To the extent that 42 U.S.C. 290dd-2(b)(1) now provides for a
general written consent covering all future uses and disclosures for
TPO ``as permitted by the HIPAA regulations,'' and expressly permits
the redisclosure of Part 2 records received for TPO ``in accordance
with the HIPAA regulations,'' the Department believes that this means
that the entity receiving the records based on such general consent,
and then redisclosing the records, must be a covered entity, business
associate, or Part 2 program. The Department's proposals throughout
this NPRM are premised on its reading of section 3221(b) as applying to
redisclosures of Part 2 records by covered entities, business
associates, and Part 2 programs, including those covered entities that
are Part 2 programs.
In addition to the provisions of section 3221 described above,
paragraph (g) of section 3221, Antidiscrimination, adds a new provision
(i)(1) to 42 U.S.C. 290dd-2 to prohibit discrimination against an
individual based on their Part 2 records in: (A) admission, access to,
or treatment for health care; (B) hiring, firing, or terms of
employment, or receipt of worker's compensation; (C) the sale, rental,
or continued rental of housing; (D) access to Federal, State, or local
courts; or (E) access to or maintenance of social services and benefits
provided or funded by Federal, State, or local governments.\102\
Further, the new paragraph (i)(2) prohibits discrimination by any
recipient of Federal funds against individuals based on their Part 2
records.\103\ As a recent legal analysis noted, ``The decision to
protect individuals whose disclosed patient records reveal or appear to
reveal current illegal use of drugs is also consistent with Section
3221's specific purpose to remove well-founded fear of discrimination
as a barrier to treatment.'' \104\ Patients with SUD who are currently
using illegal drugs are not protected from discrimination on the basis
of their illegal drug use under existing law of the Rehabilitation Act
of 1973,\105\ Americans with Disabilities Act (ADA),\106\ the
Affordable Care Act,\107\ and the Fair Housing Act.\108\ The CARES Act
nondiscrimination provision, in conjunction with the newly applicable
HITECH Act penalty tiers, will serve to protect the treatment records
of all patients with SUD, whether or not they are currently using
illicit drugs. The Department intends to implement the CARES Act
antidiscrimination provisions in a separate rulemaking.
---------------------------------------------------------------------------
\102\ See sec. 3221(g) of the CARES Act.
\103\ Id.
\104\ See Dineen, Kelly K., & Pendo, Elizabeth, ``Substance Use
Disorder Discrimination and the CARES Act: Using Disability Law to
Inform Part 2 Rulemaking'' (February 2, 2021) (available at <a href="https://arizonastatelawjournal.org/wp-content/uploads/2021/02/02-Dineen-_-Pendo.pdf">https://arizonastatelawjournal.org/wp-content/uploads/2021/02/02-Dineen-_-Pendo.pdf</a>) and Johnson, Kimberly, ``COVID-19: Isolating the Problems
in Privacy Protection for Individuals with Substance Use Disorder''
(May 1, 2021) (available at <a href="https://ssrn.com/abstract=3837955">https://ssrn.com/abstract=3837955</a>). See
also remarks of U.S. Representative Michael C. Burgess: ``Current
[P]art 2 law does not protect individuals from discrimination based
on their treatment records and, to this date, there have been no
criminal actions undertaken to enforce [P]art 2.'' (available at
<a href="https://www.congress.gov/congressional-record/2018/06/20/house-section/article/H5325-1">https://www.congress.gov/congressional-record/2018/06/20/house-section/article/H5325-1</a>).
\105\ See sec. 504, Public Law 93-112, 86 Stat. 355 (September
26, 1973) (codified at 29 U.S.C. 701, 705).
\106\ See Public Law 101-336, 104 Stat. 327 (July 26, 1990)
(codified at 42 U.S.C. 12101, 12210).
\107\ See sec. 1557, Public Law 111-148, 124 Stat. 119 (March
23, 2010) (codified at 42 U.S.C. 18001, 18116).
\108\ See sec. 3601-19, Public Law 90-284, 82 Stat. 81 (April
11, 1968) (codified at 42 U.S.C. 3601, 3602).
---------------------------------------------------------------------------
Section-by-Section Description of Proposed Amendments to 42 CFR Part 2
Below, the Department describes the proposals in this NPRM to amend
42 CFR part 2 and 45 CFR 164.520 to implement changes made to 42 U.S.C.
290dd-2, as amended by section 3221 of the CARES Act. Some of the
Department's proposals are not expressly required by the CARES Act, but
are proposed to align the language of this part with that in the
Privacy Rule and to clarify already-existing Part 2 permissions or
restrictions. The Department believes these additional proposals fall
within the Department's scope of regulatory authority and are necessary
to facilitate implementation of the CARES Act. For example,
consistently throughout this NPRM, the Department proposes to re-order
the terms ``disclosure and use'' to ``use and disclosure'' \109\ to
better align the language of Part 2 with the Privacy Rule which
generally regulates the ``use and disclosure'' of PHI.\110\ The
Department does not believe these proposed changes are substantive, but
requests comment on this assumption. In another example, the Department
proposes to add the term ``use'' to where only the term ``disclose''
exists in regulatory text, or in some cases to add the term
``disclose'' to an existing ``use'' because it more accurately
describes the scope of the activity that is the subject of the
regulatory provision or could be within the scope of the activity.
These changes are aligned with changes made to 42 U.S.C. 290dd-2
paragraph (b)(1)(A) by section 3221(b) of the CARES Act (providing that
Part 2 records may be used or disclosed in accordance with prior
written consent); to 42 U.S.C. 290dd-2(b)(1)(B) and (b)(1)(C) by
section 3221(b) of the CARES Act (providing that the contents of Part 2
records may be used or disclosed by covered entities, business
associates, or programs in accordance with the HIPAA Rules for TPO
purposes); and to paragraph 42 U.S.C. 290dd-2(c) by section 3221(e) of
the CARES Act (prohibiting disclosure and use of Part 2 records in
proceedings against the patient). The Department describes these
proposed additions of terms in each section of this NPRM where
applicable.\111\ The Department requests
[[Page 74226]]
comment on its proposals to reorder the terms ``use'' and
``disclosure'' as described, and to add the term ``use'' to clarify
these regulations as described above.
---------------------------------------------------------------------------
\109\ See e.g., proposed regulatory text at Sec. Sec.
2.2(a)(2), (a)(3), and (b)(1), Purpose and effect; 2.12(c)(5) and
(c)(6), Applicability; 2.13(a) and (b), Confidentiality restrictions
and safeguards; 2.21(b), Relationship to federal statutes protecting
research subjects against compulsory disclosure of their identity;
2.34(b), Disclosures to prevent multiple enrollments; 2.35(d),
Disclosures to elements of the criminal justice system which have
referred patients; 2.53(a), (b)(1)(iii), (e)(1)(iii), (e)(6), (f),
Management audits, financial audits, and program evaluation
(proposed heading); subpart E, Court Orders Authorizing Use and
Disclosure (proposed heading); 2.61(a), Legal effect of order; 2.62,
Order not applicable to records disclosed without consent to
researchers, auditors and evaluators; 2.65 heading, 2.65(a) and (d),
2.65(e), (e)(1), and (e)(3), Procedures and criteria for orders
authorizing use and disclosure of records to criminally investigate
or prosecute patients (proposed heading); 2.66 heading, 2.66(a)(1)
and 2.66(d), Procedures and criteria for orders authorizing use and
disclosure of records to investigate or prosecute a part 2 program
or the person holding the records (proposed heading).
\110\ Consistently, the Department refers to ``uses and
disclosures'' or ``use and disclosure'' in the Privacy Rule. See,
e.g., 45 CFR 164.502 Uses and disclosures of protected health
information: General rules.
\111\ See, e.g., proposed Sec. Sec. 2.12(a)(1), (c)(3) and
(c)(4), (d)(2), and (e)(3), Applicability; 2.13(a), Confidentiality
restrictions and safeguards; 2.14(a) and (b), Minor patients;
2.15(a)(2), (b)(1) and (b)(2), Patients who lack capacity and
deceased patients; 2.20, Relationship to state laws; 2.23 Patient
access and restrictions on use and disclosure (proposed heading) and
2.33(b); Subpart C--Uses and Disclosures With Patient Consent
(proposed heading); 2.31(a), (a)(1) and (2), (a)(4)(ii)(B), (a)(10),
and (a)(10)(i) and (ii), Consent requirements; 2.33 Uses and
disclosures permitted with written consent (proposed heading), and
paragraphs 2.33(a), (b), (b)(1), and (b)(2); Subpart D--Uses and
Disclosures Without Patient Consent (proposed heading); 2.53(e)(5),
Management audits, financial audits, and program evaluation; 2.61(a)
and (b)(1) and (b)(2), Legal Effect of order; 2.64 heading,
Procedures and criteria for orders authorizing uses and disclosures
for non-criminal purposes (proposed heading), and paragraphs (a) and
(e); 2.65(a) Procedures and criteria for orders authorizing use and
disclosure of records to criminally investigate or prosecute
patients (proposed heading); 2.67(d)(3), Orders authorizing the use
of undercover agents and informants to investigate employees or
agents of a part 2 program in connection with a criminal matter.
---------------------------------------------------------------------------
In addition, the Department proposes changes to subpart E, Court
Orders Authorizing Use and Disclosure, relying on both the Secretary's
broad rulemaking authority under section 543 of the PHSA and on the
authority granted in section 3221 of the CARES Act. The Department
proposes to heighten protections against use or disclosure of records
in proceedings against patients by aligning the regulatory language
regarding the scope of proceedings to which subpart E applies with the
amended statute to expressly include administrative and legislative
proceedings \112\ and to expressly include testimony that relays
information contained in records.\113\ Additionally, the Department is
adopting the HIPAA phrasing of ``use and disclosure'' in most instances
where only one of those terms is used in the current regulation,
including throughout subpart E.
---------------------------------------------------------------------------
\112\ See proposed Sec. Sec. 2.63, 2.64, 2.65.
\113\ See proposed Sec. Sec. 2.64, 2.65, 2.66.
---------------------------------------------------------------------------
The Department also proposes additional changes to facilitate
compliance by investigative agencies when they seek records for
investigations and prosecutions of Part 2 programs pursuant to
applicable authorities. In particular, the Department proposes to limit
liability for violations when an investigative agency unknowingly
receives Part 2 records in the course of investigating a Part 2 program
or person holding Part 2 records, provided the agency takes certain
actions, and to require annual reporting to the Secretary by
investigative agencies about the use of the proposed safe harbor. The
Department is proposing these changes because the Department believes
the proposals are a necessary consequence of the new enforcement
penalties for violations of Part 2 \114\ pursuant to 42 U.S.C. 290dd-
2(f) as amended by section 3221(f) and the expanded scope of
proceedings where a court order is required \115\ pursuant to 42 U.S.C.
290dd-2(c) as amended by section 3221(e). In particular, the Department
understands that investigative agencies could potentially become
subject to the new penalties for violations in the event that they are
unaware that a provider under investigation is subject to Part 2 and as
a result they fail to follow the requirements of subpart E before
obtaining the provider's records. The Department requests comment on
these additional proposed changes.
---------------------------------------------------------------------------
\114\ See proposed Sec. 2.3.
\115\ E.g., Expressly including legislative and administrative
proceedings and testimony relaying information contained in records,
as discussed above.
---------------------------------------------------------------------------
The Department further requests comment on all proposals described
in the following paragraphs of this NPRM, including those expressly
implementing CARES Act amendments to section 290dd-2, those the
Department describes as necessary to further align this part with the
Privacy Rule, and those proposals described as necessary to clarify the
full scope of activities that it is regulating in this part. The
Department also requests comment on all aspects of the Regulatory
Impact Analysis, including the assumptions and estimates about the
costs and benefits of the proposed changes, and the alternatives the
Department considered when developing the proposals in this NPRM. The
Department proposes the following amendments to this part:
A. Sec. 2.1--Statutory Authority for Confidentiality of Substance Use
Disorder Patient Records
The Department proposes to revise Sec. 2.1 to more closely align
this section with the statutory text of 42 U.S.C. 290dd-2(g) and add
references to subsection 290dd-2(b)(2)(C) related to the issuance of
court orders authorizing disclosures of Part 2 records.
Sec. 2.2--Purpose and Effect
Section 2.2 of 42 CFR part 2 establishes the purpose and effect of
regulations imposed in this part upon the use and disclosure of Part 2
records. The Department proposes to add language to paragraph (b) of
Sec. 2.2 to conform that paragraph to changes proposed to Sec. 2.3(b)
that would compel disclosures to the Secretary that are necessary for
enforcement of this rule. The new language is adapted from a similar
provision of the Privacy Rule at 45 CFR 164.502(a)(2)(ii).
The Department also proposes to replace the phrase ``disclosure and
use'' by re-ordering the phrase to ``use or disclosure'' at Sec. Sec.
2.2(a), (a)(4), and 2.2(b)(1), to align the language with that used in
the Privacy Rule.
The Department proposes several changes in Sec. 2.2 that would
facilitate implementation of the CARES Act in general. For example, in
Sec. Sec. 2.2(a)(2), (a)(3), and (b)(1), the Department proposes to
add the phrase ``uses and'' in front of the existing term ``disclose''
or ``disclosures.'' The Department proposes these additions in
Sec. Sec. 2.2(a)(2) and (3), which list subparts C and D of this part,
to conform to changes the Department proposes to the heading titles of
subparts C and D. In those heading titles, the Department proposes to
refer to ``Uses and Disclosures with Patient Consent'' and ``Uses and
Disclosures without Patient Consent'' respectively.
In Sec. 2.2(b)(1), Effect, the Department proposes to refer to
``use and disclosure'' instead of only ``disclosure'' to better
describe how the regulations in this part, as modified by the CARES
Act, prohibit the ``use and disclosure'' of Part 2 records. The
Department proposes to modify the end of Sec. 2.2(b)(1) to provide
that the regulations generally do not require the use or
disclosure of Part 2 records under any circumstance except when
disclosure is required by the Secretary to investigate or determine a
person's compliance with this part pursuant to Sec. 2.3(b), now
proposed for modification to reflect newly required civil and criminal
penalties for violations of this part.
Finally, the Department proposes to add a new paragraph (b)(3) to
Sec. 2.2 to incorporate the rules of construction in section
3221(j)(1) and (2) of the CARES Act. Accordingly, the proposed
paragraphs would provide that nothing in this part shall be construed
to limit a patient's right to request restrictions on use of records
for TPO or a covered entity's choice to obtain consent to use or
disclose records for TPO purposes as provided in the Privacy Rule.
In addition to the above-described proposed amendments to Sec.
2.2, the Department proposes minor wording changes to improve
readability or conform the use of terms to newly proposed definitions.
These proposals are reflected in proposed regulatory text and may be
reflected throughout this NPRM and include:
<bullet> Inserting a parenthetical reference to ``records'' to
reflect how the Department proposes to refer to SUD records; and
<bullet> Striking the word ``patient'' from in front of the term
``record''.
The Department requests comments on all proposed changes to this
section.
[[Page 74227]]
Sec. 2.3--Civil and Criminal Penalties for Violations (Proposed
Heading)
Section 2.3 of 42 CFR part 2 currently requires that any person who
violates any provision of the Part 2 regulations be criminally fined in
accordance with title 18 U.S.C. As amended by section 3221(f) of the
CARES Act, 42 U.S.C. 290dd-2(f) applies the provisions of Sec. Sec.
1176 and 1177 of the Social Security Act to a Part 2 program for a
violation of 42 CFR part 2 in the same manner as they apply to a
covered entity for a violation of part C of title XI of the Social
Security Act. Therefore, the Department proposes to replace title 18
criminal enforcement with civil and criminal penalties under Sec. Sec.
1176 and 1177 of the Social Security Act (42 U.S.C. 1320d-5, 1320d-6),
respectively, as implemented in the Enforcement Rule.
Specifically, the Department proposes to rename Sec. 2.3 as Civil
and criminal penalties for violations and reorganize Sec. 2.3 into
paragraphs (a), (b), and (c). Proposed Sec. 2.3(a) would
incorporate the penalty provisions of 42 U.S.C. 290dd-2(f), which apply
the civil and criminal penalties of Sec. Sec. 1176 and 1177 of the
Social Security Act, respectively, to violations of Part 2.
After consultation with the Department of Justice, the Department
proposes in Sec. 2.3(b) to create a limitation on civil or criminal
liability for persons acting on behalf of investigative agencies when,
in the course of investigating or prosecuting a Part 2 program or other
person holding Part 2 records, they may unknowingly receive Part 2
records without first obtaining the requisite court order, provided
that specified conditions are met. Such a safe harbor, as proposed,
would be limited to only instances where records are obtained for the
purposes of investigating a program or person holding the record, not a
patient. Investigative agencies are required to follow Part 2
requirements for obtaining, using, and disclosing Part 2 records as
part of an investigation or prosecution; such requirements include
seeking a court order, filing protective orders, maintaining security
for records, and ensuring that records obtained in program
investigations are not used in legal actions against patients who are
the subjects of the records. Investigative agencies' potential
liability for violating Part 2 has increased due to the expanded
application of HIPAA/HITECH Act penalties for violations, codified at
42 U.S.C. 1320d-5 (CMPs) and 1320d-6 (criminal penalties), to
violations of Part 2. In addition, the need for investigation and
prosecution of bad actors has increased in accordance with the
intensity and duration of the opioid overdose epidemic.\116\ The
Department solicits comments on the need for investigation of Part 2
programs and holders of Part 2 records and a related safe harbor for
law enforcement due to proposed changes in enforcement of Part 2
requirements.
---------------------------------------------------------------------------
\116\ See Opioid Enforcement Effort, Department of Justice,
Consumer Protection Branch, <a href="https://www.justice.gov/civil/consumer-protection-branch/opioid">https://www.justice.gov/civil/consumer-protection-branch/opioid</a> and Understanding the Epidemic, Centers for
Disease Control and Prevention, <a href="https://www.cdc.gov/drugoverdose/epidemic/index.html">https://www.cdc.gov/drugoverdose/epidemic/index.html</a>.
---------------------------------------------------------------------------
To address concerns about potential liability for Part 2 violations
arising from investigators who, in good faith, unknowingly receive Part
2 records, the Department proposes at Sec. 2.3(b) to create a
limitation on civil or criminal liability for persons acting on behalf
of investigative agencies if they unknowingly receive Part 2 records
without first obtaining the required court order while investigating or
prosecuting a Part 2 program or other person holding Part 2 records (or
their employees or agents). The limitation on liability would be
available for uses or disclosures inconsistent with Part 2 when the
person acted with reasonable diligence to determine in advance whether
Part 2 applied to the records or program. Paragraph (b)(1) would also
clarify what constitutes ``reasonable diligence'' in determining
whether Part 2 applies to a record or program before an investigative
agency makes an investigative demand or places an undercover agent with
the program or person holding the records. Reasonable diligence would
require acting within a reasonable period of time, and no more than 60
days, before the request for records or placement of an undercover
agent or informant. Reasonable diligence would include taking the
following actions to determine whether a health care practice or
provider (where it is reasonable to believe that the practice or
provider provides SUD diagnostic, treatment, or referral for treatment
services) provides such services by:
(1) checking a prescription drug monitoring program in the state
where the provider is located, if available and accessible to the
agency under state law; or
(2) checking the website or physical location of the provider.
In addition, Sec. 2.3(b) would require an investigative agency to
meet any other applicable requirements within Part 2 for any use or
disclosure of the records that occurred, or will occur, after the
investigative agency knew, or by exercising reasonable diligence would
have known, that it received Part 2 records. The Department has added
applicable requirements in Sec. 2.66 and Sec. 2.67, discussed below,
and requests comment on the impact of the proposed safe harbor on
patient privacy and access to SUD treatment.
The proposed safe harbor could promote public safety by permitting
government agencies to investigate or prosecute Part 2 programs and
persons holding Part 2 records for suspected criminal activity, in good
faith without risk of HIPAA/HITECH Act penalties. The current rule
contains no mechanism for an investigative agency to correct an error
if it unknowingly obtains Part 2 records and as a result fails to
obtain the required court order in advance. By proposing a pathway for
investigative agencies to seek the required court order after the fact
(a pathway that is only available for agencies that have first
exercised reasonable diligence to determine in advance whether Part 2
applies), the proposal creates an incentive for investigative agencies
to take steps that should reduce the need for ``after the fact'' court
orders. Thus, investigative agencies that follow the proposed
reasonable diligence steps and yet unknowingly receive Part 2 records
and then seek a court order would be less likely to be denied on the
basis of a procedural shortcoming and would not risk incurring HIPAA/
HITECH Act penalties. Investigative agencies that do not use reasonable
diligence as proposed at Sec. 2.3(b)(1) would be precluded from
seeking a court order to use or disclose Part 2 records that they later
discover in their possession.
The Department acknowledges that proposed Sec. 2.3(b) may be
viewed as a reduction in privacy protection, but believes that the
exclusive application to investigations and prosecution of programs and
holders of records affords an overall benefit without harming patient
confidentiality when the proposed additional protections in Sec. Sec.
2.66 and 2.67 are applied.\117\ The Department has limited the proposed
safe harbor to investigative agencies that unknowingly obtain Part 2
records and relies on the CMP tiers to allow appropriate flexibility
when a Part 2 program has unknowingly violated Part 2. However, the
Department solicits comments on situations for which a safe harbor
should be considered for SUD providers that unknowingly hold Part 2
records and unknowingly disclose them
[[Page 74228]]
in violation of Part 2. As mentioned above, the Department also
solicits comments on the impact of this proposed safe harbor to patient
privacy and access to SUD treatment.
---------------------------------------------------------------------------
\117\ For example, using ``John Doe'' in the application for a
court order and keeping records that contain patient identifying
information under seal.
---------------------------------------------------------------------------
The Department does not intend to modify the applicability of Sec.
2.12 or Sec. 2.53 for investigative agencies, but to make the proposed
safe harbor available in those situations where a court order would
otherwise be required for a government agency to use or disclose
records under these regulations. Thus, under Sec. 2.12(c) an agency
with direct administrative control over a Part 2 program still would
not be subject to the Part 2 limits on communications between the
program and the agency for purposes of diagnosis, treatment, or
referral of patients, even if the agency is also an investigative
agency due to its supervisory role. Similarly, the disclosure
permission under Sec. 2.53 would continue to apply to audits and
evaluations conducted by a health oversight agency without patient
consent. The Department does not believe that the text of section
3221(e) of the CARES Act indicates congressional intent to alter the
established oversight mechanisms for Part 2 programs, including those
that provide services reimbursed by Medicare, Medicaid, and Children's
Health Insurance Program (CHIP).
Proposed Sec. 2.3(c) would specify that the Enforcement Rule \118\
shall apply to violations of Part 2 in the same manner as it applies to
covered entities and business associates for violations of part C of
title XI of the Social Security Act and its implementing regulations
with respect to PHI.\119\ The Department requests comment on the likely
benefits and costs of these proposed changes.
---------------------------------------------------------------------------
\118\ See 45 CFR part 160, subparts C (Compliance and
Investigations), D (Imposition of Civil Money Penalties), and E
(Procedures for Hearings). See also sec. 13410 of the HITECH Act
(codified at 42 U.S.C. 17929).
\119\ This proposal would implement the required statutory
framework establishing that civil and criminal penalties apply to
violations of this part, as the Secretary exercises only civil
enforcement authority. The Department of Justice has authority to
impose criminal penalties where applicable. See 68 FR 18895, 18896
(April 17, 2003).
---------------------------------------------------------------------------
Sec. 2.4--Complaints of Violations (Proposed Heading)
Paragraphs (a) and (b) of this section currently provide that
reports of violations of the Part 2 regulations may be directed to the
U.S. Attorney for the judicial district in which the violation occurs
and reports of any violation by an opioid treatment program may be
directed to the U.S. Attorney and also to the Substance Abuse and
Mental Health Services Administration (SAMHSA). Section 290dd-2(f), as
amended by section 3221(f) of the CARES Act, grants civil enforcement
authority to the Department, which currently exercises its HIPAA
enforcement authority under section 1176 of the Social Security Act in
accordance with the Enforcement Rule. To implement the change from U.S.
Attorney enforcement, the Department proposes to re-title the heading
to this section, replacing ``Reports of violations'' with ``Complaints
of violations,'' and to replace the existing provisions about directing
reports of Part 2 violations to the U.S. Attorney's Office and to
SAMHSA with provisions about filing complaints of potential violations
with a Part 2 program or the Secretary. The Department notes that
SAMHSA continues to regulate opioid treatment programs (OTPs) and may
receive reports of alleged violations by OTPs of federal opioid
treatment standards, including privacy and confidentiality
requirements.
Specifically, the Department proposes to add Sec. 2.4(a) to
require a Part 2 program to have a process to receive complaints
concerning the program's compliance with the Part 2 regulations.
Proposed Sec. 2.4(b) would provide that a program may not intimidate,
threaten, coerce, discriminate against, or take other retaliatory
action against any patient for the exercise of any right established,
or for participation in any process provided for, in Part 2, including
the filing of a complaint. The Department also proposes to add Sec.
2.4(c) to prohibit a program from requiring patients to waive their
right to file a complaint as a condition of the provision of treatment,
payment, enrollment, or eligibility for any program subject to Part 2.
The proposed changes to Sec. 2.4 would align Part 2 with Privacy
Rule provisions concerning complaints. Section 2.4(a) is consistent
with the administrative requirements in 45 CFR 164.530(d), Standard:
Complaints to the covered entity. Proposed Sec. 2.4(b) would align
with the Privacy Rule provision at 45 CFR 164.530(g), Standard:
Refraining from intimidating or retaliatory acts. The proposed Sec.
2.4(c) would be consistent with the Privacy Rule provision at 45 CFR
164.530(h), Standard: Waiver of rights. Thus, Part 2 programs that are
also covered entities already have these administrative requirements in
place, but programs that are not covered entities would need to adopt
new policies and procedures.
The Department requests comment on these proposed changes,
including any concerns about potential unintended negative consequences
on programs or patients of aligning Sec. 2.4 with the cited provisions
of the Privacy Rule.
Sec. 2.11--Definitions
Section 2.11 includes definitions for key regulatory terms in 42
CFR part 2. The Department proposes to add thirteen defined regulatory
terms and modify the definitions of ten existing terms. The proposed
new or modified definitions would be: Breach, Business associate,
Covered entity, Health care operations, HIPAA, HIPAA regulations,
Informant, Intermediary, Investigative agency, Part 2 program director,
Patient, Payment, Person, Program, Public health authority, Qualified
service organization, Records, Third-party payer, Treating provider
relationship, Treatment, Unsecured protected health information,
Unsecured record, and Use. Most of these terms and definitions would be
added or modified by referencing existing HIPAA regulatory terms in 45
CFR parts 160 and 164, either in accordance with the adoption of such
definitions by section 3221(d) of the CARES Act, which added paragraph
(k) (containing definitions) to 42 U.S.C. 290dd-2, or as a logical
outgrowth of CARES Act amendments. Several other definitions would be
modified for clarity and consistency, as described below. The
Department requests comment on all proposals to add new or modify
existing definitions to this part.
Breach. The proposed definition of
Breach would adopt the Breach Notification Rule definition by reference
to 45 CFR 164.402, but as applied to Part 2 records rather than to PHI.
The Department proposes this definition to implement paragraph (k) of
42 U.S.C. 290dd-2, added by section 3221(d) of the CARES Act, requiring
that the term in this part be given the same meaning of the term for
the purposes of the HIPAA regulations. Because the CARES Act requires
Part 2 programs to comply with HITECH Act breach notification
requirements, a Part 2 regulatory definition of breach is necessary to
implement and enforce these requirements.
Business associate. The Department proposes to adopt the same
meaning of this term as is used in the HIPAA Rules. This proposal would
implement the new paragraph (k) of 42 U.S.C. 290dd-2, added by section
3221(d) of the CARES Act, requiring the term in this part be given the
same meaning of the term for the purposes of the HIPAA regulations.
Covered entity. The Department proposes to adopt the same meaning
of this term as is used in the HIPAA Rules. This proposal would
implement the new paragraph (k) of 42 U.S.C. 290dd-2, added by section
[[Page 74229]]
3221(d) of the CARES Act, requiring the term in
this part be given the same meaning of the term for the purposes of the
HIPAA regulations.
Health care operations. The proposal would incorporate the HIPAA
Privacy Rule definition for health care operations.\120\
---------------------------------------------------------------------------
\120\ See 45 CFR 164.501 (definition of ``Health care
operations'').
---------------------------------------------------------------------------
HIPAA. Although not required by the CARES Act, the Department
proposes to add a definition of HIPAA that encompasses the statutory
and regulatory provisions pertaining to the privacy, security, breach
notification, and enforcement standards with respect to PHI. This
definition would exclude other components of the HIPAA statute, such as
insurance portability, and other HIPAA regulatory standards, such as
the standard electronic transactions regulation, which are not relevant
to this proposed rule. The Department proposes this definition to make
clear the specific components of the relevant statutes that would be
incorporated into this part.
HIPAA regulations. The current rule does not define HIPAA
regulations. The proposed definition is based on the statutory
definition added by the CARES Act and has the same meaning as ``HIPAA
Rules,'' which refers to the HIPAA Privacy, Security, Breach
Notification, and Enforcement Rules, when used in this document, OCR
rulemaking, and OCR's guidance and other materials. For purposes of
this rulemaking, the term does not include Standard Unique Identifiers,
Standard Electronic Transactions, and Code Sets, 45 CFR part 162--
Administrative Requirements.
Informant. Within the definition of ``informant,'' the Department
proposes to replace the term ``individual'' with the term ``person'' as
is used in the HIPAA Rules and discussed below.
Intermediary. The current rule uses the term intermediary in Sec.
2.13(d)(2) \121\ without providing a definition. To improve
understanding of the requirements for intermediaries, and to
distinguish those requirements from the proposed accounting of
disclosure requirements, the Department proposes to establish a
definition of intermediary.
---------------------------------------------------------------------------
\121\ Section 2.13(d)(2) refers to the description of an
intermediary in Sec. 2.31(a)(4)(ii)(B).
---------------------------------------------------------------------------
Examples of an intermediary include, but are not limited to, a
health information exchange, a research institution that is providing
treatment, an accountable care organization, or a care management
organization. In contrast, a research institution that is not providing
treatment or a health app that is providing individual patients with
access to their records would not be considered an intermediary. The
term ``member participants'' of an intermediary refers to health care
provider practices or health-related organizations. It does not include
individual health plan subscribers or workforce members who share
access to the same electronic health record system.
In the current rule, if a patient provides a written consent that
is specific to treatment, the general designation of a recipient entity
who is an intermediary may be used and the patient would have a right
to obtain a list of recipients to whom the intermediary has disclosed
their record.
Under section 3221 of the CARES Act, a patient consent may contain
a general designation of recipients for treatment, payment, and health
care operations. Without regulatory clarification this could result in
the recipients exchanging health information through an HIE/HIN or
other means without triggering the intermediary requirements. To avoid
this unintended consequence, the Department proposes additional changes
to Sec. 2.31(a)(4) to ensure that intermediaries continue to be named
whenever they are used to exchange Part 2 records.
Under this proposal, an intermediary would be a person who has
received records, under a general designation in a written patient
consent, for the purpose of disclosing the records to one or more of
its member participants who have a treating provider relationship with
the patient. The term intermediary is based on the function of the
person--receiving records and disclosing them to other providers as a
key element of its role--rather than on a title or category of an
organization or business. For example, an electronic health record
vendor that enables entities at two different health systems to share
records likely would be an intermediary. That same vendor would not be
an intermediary when used by employees in different departments of a
hospital to access the same patient's records. Where an intermediary is
also a business associate under the HIPAA Rules, it would be subject to
the requirements of both an intermediary and a business associate.
The requirements for intermediaries would remain unchanged but
would be redesignated from Sec. 2.13(d), Lists of disclosures, to new
Sec. 2.24, Requirements for intermediaries. These proposed
modifications are discussed separately below.
Investigative agency. The Department proposes to create a new
definition for ``investigative agency'' to describe those government
agencies with responsibilities for investigating and prosecuting Part 2
programs and persons holding Part 2 records, such that they would be
required to comply with subpart E when seeking to use or disclose
records against a Part 2 program or lawful holder. In conjunction with
proposed changes to subpart E pertaining to use and disclosure of
records by law enforcement, the Department proposes to define an
investigative agency as ``A state or federal administrative,
regulatory, supervisory, investigative, law enforcement, or
prosecutorial agency having jurisdiction over the activities of a part
2 program or other person holding part 2 records.'' By creating a
definition of investigative agency, the Department does not intend to
change the applicability of Sec. 2.53 or subpart E, but only to
establish a limitation on liability for such agencies in certain
circumstances when a court order is otherwise required by these
regulations.
Part 2 program director. Within the definition of ``part 2 program
director,'' the Department proposes to replace the first instance of
the term ``individual'' with the term ``natural person'' and the other
instances of the term ``individual'' with the term ``person'' as used
in the HIPAA Rules and discussed below.
Patient. The Department proposes to add language to the existing
definition to clarify that when the HIPAA regulations apply to Part 2
records, a patient is an individual as that term is defined in the
HIPAA regulations.
Payment. The Department proposes to adopt the same definition for
this term as in the HIPAA Rules. This proposal would implement the new
paragraph (k) of 42 U.S.C. 290dd-2, added by section 3221(d) of the
CARES Act, requiring the term in this part be given the same meaning of
the term for the purposes of the HIPAA regulations.
Person. The term ``person'' is currently defined as ``an
individual, partnership, corporation, federal, state or local
government agency, or any other legal entity, (also referred to as
``individual or entity'').'' Thus, the current Part 2 regulation uses
the term ``individual'' in reference to someone who is not the patient
and therefore not the subject of the Part 2 record. In contrast, the
HIPAA Rules at 45 CFR 160.103 define the term ``individual'' to refer
to the subject of PHI, and ``person'' to refer to ``a natural person,
trust or estate, partnership, corporation, professional association or
corporation, or other entity, public or private.'' To further the
alignment of Part 2 and the
[[Page 74230]]
HIPAA Rules and provide clarity for programs and entities that must
comply with both sets of requirements, the Department proposes to
replace the Part 2 definition of ``person'' with the HIPAA definition
in 45 CFR 160.103. As an extension of this clarification, the
Department also proposes to replace the term ``individual'' with
``patient'' when the regulation refers to someone who is the subject of
Part 2 records, to use the term ``person'' when it refers to someone
who is not the subject of the records at issue, and to modify the
definition of ``patient'' in Part 2 to include an ``individual'' as
that term is used in the HIPAA Rules. The Department believes that this
combination of modifications would promote the understanding of both
Part 2 and the HIPAA Rules and requests comment on whether this or
other approaches would provide more clarity.
Program. Within the definition of ``program,'' the Department
proposes to replace the term ``individual or entity'' with the term
``person'' as is used in the HIPAA Rules and discussed above.
Public health authority. The Department proposes to adopt the same
meaning for this term as in the Privacy Rule. This proposal would
implement the new paragraph (k) of 42 U.S.C. 290dd-2, added by section
3221(d) of the CARES Act, requiring the term in this part be given the
same meaning of the term for the purposes of the HIPAA regulations.
Qualified service organization. The Department proposes to modify
the definition of Qualified service organization (QSO) by adding HIPAA
business associates to the regulatory text to clarify that they are
QSOs in circumstances when Part 2 records also meet the definition of
PHI (i.e., when a Part 2 program is also a covered entity). The
Department believes this proposal would facilitate the implementation
of the CARES Act with respect to disclosures to QSOs. The HIPAA Rules
generally permit disclosures from a covered entity to a person who
meets the definition of a business associate (i.e., a person who works
on behalf of or provides services to the covered entity) \122\ without
individual authorization, when based on a business associate agreement
that incorporates certain protections.\123\ Similarly, the use and
disclosure restrictions of this part do not apply to the communications
between a Part 2 program and QSO when the information is needed by the
QSO to provide services to the Part 2 program. This definition is
proposed in conjunction with a proposal to modify Sec. 2.12,
Applicability, to clarify that QSOs also use Part 2 records received
from programs to work ``on behalf of'' the program.
---------------------------------------------------------------------------
\122\ See 45 CFR 160.103 (definition of ``Business associate'').
\123\ See, e.g., 45 CFR 164.504(e).
---------------------------------------------------------------------------
The Department also proposes a wording change to replace the phrase
``individual or entity'' with the term ``person'' as now proposed to
comport with the HIPAA meaning of the term.
Records. The definition of records specifies the scope of
information that Part 2 protects. The Department proposes to remove the
last sentence of the definition as unnecessary.\124\ In the five
decades since the promulgation of the Part 2 regulation, health
information technology has become widely adopted and it is evident that
records include both paper and electronic formats. The Department does
not intend to change the meaning or understanding of records with this
proposed modification, but only to streamline the description.
---------------------------------------------------------------------------
\124\ The last sentence reads ``For the purpose of the
regulations in this part, records include both paper and electronic
records.'' 42 CFR 2.11 (definition of ``Record'').
---------------------------------------------------------------------------
The Department offers clarification here about how the definition
of Part 2 records operates in relation to the HIPAA definitions of PHI,
designated record set, and psychotherapy notes.
These issues are most pertinent with respect to the right
individuals have to access their records under the HIPAA Rules, as
explained below (Part 2 does not contain a parallel patient right of
access to records).
Generally, the HIPAA Privacy Rule gives individuals the right to
access all of their PHI in a designated record set.\125\ A designated
record set is a group of records maintained by or for a covered entity
that are a provider's medical and billing records, a health plan's
enrollment, payment, claims adjudication, and case or medical
management record systems, and any other records used, in whole or in
part, by or for the covered entity to make decisions about
individuals.\126\ A covered entity's Part 2 records usually fall into
these categories, and thus are part of the designated record set. This
is true when a Part 2 program is a covered entity, as well as when a
covered entity receives Part 2 records but is not a Part 2 program. In
the latter situation, the Part 2 records become PHI when they are
received by or for the covered entity, and part of a designated record
set. As such, they are subject to the Privacy Rule's right of access
requirements.
---------------------------------------------------------------------------
\125\ See 45 CFR 164.524.
\126\ See 45 CFR 164.501 (definition of ``Designated record
set'').
---------------------------------------------------------------------------
However, the Privacy Rule right of access excludes psychotherapy
notes.\127\ If SUD treatment is provided by a mental health
professional that is a Part 2 program and a covered entity, and the
provider creates notes of counseling sessions that are kept separate
from the individual's medical record, those notes would be
psychotherapy notes as well as Part 2 records. In this case, the
individual would not have a Privacy Rule right of access to those
records, but a provider may voluntarily provide access upon request by
the individual patient. Additionally, psychotherapy notes created by a
Part 2 program that is a covered entity could only be disclosed with a
separate written authorization or consent.
---------------------------------------------------------------------------
\127\ See 45 CFR 164.524(a)(1)(i); see also 45 CFR 164.501
(definition of ``Psychotherapy notes'').
---------------------------------------------------------------------------
The Department is considering whether to create a new definition
similar to psychotherapy notes that is specific to the notes of SUD
counseling sessions by a Part 2 program professional. Such notes would
be Part 2 records, but could not be disclosed based on a general
consent for TPO. They could only be disclosed with a separate written
consent that is not combined with a consent to disclose any other type
of health information. The Department solicits comments on the benefits
and burdens of creating such additional privacy protection for SUD
counseling notes that are maintained primarily for use by the
originator of the notes, similar to psychotherapy notes as defined in
the Privacy Rule. Under consideration is a definition such as this:
SUD counseling notes means notes recorded (in any medium) by a Part
2 program provider who is a SUD or mental health professional
documenting or analyzing the contents of conversation during a private
counseling session or a group, joint, or family counseling session and
that are separated from the rest of the patient's record. SUD
counseling notes excludes medication prescription and monitoring,
counseling session start and stop times, the modalities and frequencies
of treatment furnished, results of clinical tests, and any summary of
the following items: Diagnosis, functional status, the treatment plan,
symptoms, prognosis, and progress to date.
As with psychotherapy notes under the Privacy Rule, the separate
consent requirement, if adopted, would not apply to SUD counseling
notes in the following situations:
1. Use by the originator of the SUD counseling notes for treatment;
[[Page 74231]]
2. Use or disclosure by the program for its own training programs
in which students, trainees, or practitioners in SUD treatment learn
under supervision to practice or improve their skills in group, joint,
family, or individual counseling;
3. For the program to defend itself in a legal action or other
proceeding brought by the patient;
4. Required for the reporting of child abuse or neglect;
5. Required by law;
6. Required for oversight of the originator of the SUD counseling
notes;
7. To a coroner or medical examiner for the purpose of identifying
a deceased person, determining a cause of death, or other duties as
authorized by law; or
8. When necessary to lessen a serious and imminent threat to the
health or safety of a person or the public and is to a person or
persons reasonably able to prevent or lessen the threat, including the
target of the threat.
Third-party payer. The term third-party payer refers to an entity
with a contractual obligation to pay for a patient's Part 2 services
and includes some health plans, which by definition are covered
entities. The current regulation, at Sec. 2.12, limits disclosures by
third-party payers to a shorter list of purposes than the Privacy Rule
allows for health plans. The Department proposes to exclude covered
entities from the definition of third-party payer to facilitate
implementation of 42 U.S.C. 290dd-2(b)(1)(B), as amended by section
3221(b) of the CARES Act, which enacted a permission for certain
recipients of Part 2 records to redisclose them according to the HIPAA
standards. The result of this proposed change would be that the current
Part 2 disclosure restrictions continue to apply to a narrower set of
entities, such as grant-funded programs. The Department believes that
this approach would carry out the intent of the CARES Act, while
preserving the privacy protections that apply to payers that are not
covered entities. The Department also proposes a wording change to
replace the phrase ``individual or entity'' with the term ``person'' as
now proposed to comport with the HIPAA meaning of the term.
The Department welcomes comments on the number and type of third-
party payers that would not be considered health plans.
Treating provider relationship. The Department proposes to modify
the Part 2 definition of ``treating provider relationship'' by
replacing the phrase ``individual or entity'' with ``person,'' in
accordance with the proposed changes to the definition of ``person''
described above.
Treatment. The Department proposes to modify the Part 2 definition
of ``treatment'' by adopting the Privacy Rule definition by reference.
This proposal would implement the new paragraph (k) of 42 U.S.C. 290dd-
2, added by section 3221(d) of the CARES Act, requiring that the term
in this part be given the same meaning of the term for the purposes of
the HIPAA regulations. By replacing the existing language, the
Department does not intend to change the scope of activities that
constitute treatment. Thus, it remains true, as provided in the prior
definition, that treatment includes the care of a patient suffering
from an SUD, a condition which is identified as having been caused by
the SUD, or both, in order to reduce or eliminate the adverse effects
upon the patient.
Unsecured protected health information. The Department proposes to
adopt the same meaning of this term as used in the HIPAA Rules. This
proposal would implement the new paragraph (k) of 42 U.S.C. 290dd-2,
added by section 3221(d) of the CARES Act, requiring that the term in
this part be given the same meaning as the term for the purposes of the
HIPAA regulations.
Unsecured record. To align with the definition of ``unsecured
protected health information'' at 45 CFR 164.402, the Department
proposes to apply a similar concept to records, as defined in this
part. Thus, an unsecured record would be one that is not rendered
unusable, unreadable, or indecipherable to unauthorized persons through
the use of a technology or methodology specified by the Secretary in
the guidance issued under Public Law 111-5, 13402(h)(2).\128\ The
Department believes this proposal is necessary to implement the newly
required breach notification standards for Part 2 records and requests
comment on this approach.
---------------------------------------------------------------------------
\128\ See the Guidance to Render Unsecured Protected Health
Information Unusable, Unreadable, or Indecipherable to Unauthorized
Individuals at <a href="https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html">https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html</a>.
---------------------------------------------------------------------------
Use. The Department proposes to add a definition for this term that
is consistent with that in the HIPAA Rules at 45 CFR 160.103, and as
the term is applied to the conduct of proceedings specified in statute
at 42 U.S.C. 290dd-2(c). The Department believes this proposal is
necessary to more fully align this part with the HIPAA Rules use of the
language ``use and disclosure'', as well as make clear, where
applicable, that many of the activities regulated by this part involve
not only disclosures but internal uses of Part 2 records by programs or
recipients of Part 2 records. The Department also proposes this
definition to make clear that in this part, the term ``use'' has a
secondary meaning in accordance with the statutory requirements at 42
U.S.C. 290dd-2(c) for ``use'' of records in proceedings. The Department
discusses in greater detail the addition of the term ``use'' to
specific provisions throughout this NPRM, and in particular, in
connection to Sec. 2.12 below.
Sec. 2.12--Applicability
Section 2.12 includes five provisions outlining the scope of the
rule's requirements. Paragraph (a) of Sec. 2.12 describes which
records are protected and describes the restrictions on use and
disclosure of Part 2 records; paragraph (b) outlines what constitutes
federal assistance for purposes of the regulation's applicability;
paragraph (c) specifies exceptions for certain disclosures; paragraph
(d) provides restrictions that apply to: (1) any recipient of Part 2
records, and (2) third-party payers and administrators; and paragraph
(e) details the types of records and diagnoses to which the
restrictions in this regulation apply.
The Department proposes to amend the Part 2 regulation in paragraph
(c)(2) of Sec. 2.12, which excludes from Part 2 requirements certain
interchanges of information within the Armed Forces and between the
Armed Forces and the Department of Veterans Affairs, by replacing
``Armed Forces'' with ``Uniformed Services.'' This change would align
the regulatory text with the statutory language at 42 U.S.C. 290dd-
2(e). The change also would create consistency with the Department's
proposal to expand the Privacy Rule permission for covered entities, at
45 CFR 164.512(k), to use or disclose the PHI of Armed Services
personnel when deemed necessary by certain military command authorities
to all Uniformed Services, which would then include the U.S. Public
Health Service (USPHS) and the National Oceanic and Atmospheric
Administration (NOAA) Commissioned Corps.\129\ As the Department noted
in that NPRM to modify the Privacy Rule, the USPHS and NOAA
Commissioned Corps share responsibility with the Armed Services for
certain critical missions, support military readiness and maintain
medical fitness for deployment in response to urgent and emergency
public health crises, and maintain fitness for deployment onto
[[Page 74232]]
U.S. Coast Guard manned aircraft and shipboard missions. Because this
Part 2 proposal with respect to the Uniformed Services is consistent
with the underlying statute, the Department does not believe the
modification will change how SUD treatment records are treated for
USPHS and NOAA Commissioned Corps personnel, but requests comment on
this assumption.
---------------------------------------------------------------------------
\129\ See proposed 45 CFR 164.512(k) at 85 FR 6446, 6487.
---------------------------------------------------------------------------
The Department also proposes to add the term ``use'' to paragraphs
(a)(1), (c)(3), (c)(4), and (d)(2) of this section, and the term
``disclosure'' to paragraphs (a)(2) and (d)(1), to make clear that as
amended by CARES Act section 3221(b), these provisions include both
uses and disclosures that are restricted by Part 2. The Department also
proposes to add ``use'' to the second sentence of paragraph (e)(3).
Historically, the Part 2 regulation associated ``use'' with the
initiation of legal proceedings against a patient and associated
``disclosure'' with sharing records to an external entity. In contrast,
the Privacy Rule applies the term ``use'' to refer to internal use of
health information within an entity, such as access by staff members.
With this understanding, a Part 2 record could be both used and
disclosed for purposes related to the provision of health care, but
also for the purposes such as the initiation of a legal proceeding. To
align Part 2 with the Privacy Rule, the Department proposes to adopt
the ``use and disclosure'' terminology throughout the regulation when
both actions could apply. The Department requests comment on this
approach.
The Department also proposes in paragraph (d)(1) of Sec. 2.12 to
expand the restrictions on the use of records as evidence in criminal
proceedings against the patient by incorporating the four prohibited
actions specified in 42 U.S.C. 290dd-2(c), as amended by the CARES Act,
and expanding the regulatory prohibition to cover civil,
administrative, or legislative proceedings in addition to criminal
proceedings.\130\ Absent patient consent or a court order, the proposed
prohibitions are: (1) the introduction into evidence of a record or
testimony in any criminal prosecution or civil action before a Federal
or State court, (2) reliance on the record or testimony to form part of
the record for decision or otherwise be taken into account in any
proceeding before a Federal, State, or local agency, (3) the use of
such record or testimony by any Federal, State, or local agency for a
law enforcement purpose or to conduct any law enforcement
investigation, and (4) the use of such record or testimony in any
application for a warrant.
---------------------------------------------------------------------------
\130\ Administrative agencies may issue subpoenas pursuant to
their authority to investigate matters and several statutes
authorize the use of administrative subpoenas in criminal
investigations. For example, these may be cases involving health
care fraud, child abuse, Secret Service protection, controlled
substance cases, inspector general investigations, and tracking
unregistered sex offenders. See Administrative Subpoenas in Criminal
Investigations: A Brief Legal Analysis, <a href="http://EveryCRSReport.com">EveryCRSReport.com</a>,
University of North Texas Libraries Government Documents Department,
(December 19, 2012), <a href="https://www.everycrsreport.com/reports/RL33321.html">https://www.everycrsreport.com/reports/RL33321.html</a>.
Legislative investigations may also be conducted in furtherance
of the functions of Congress or state legislative bodies. See
``What, Exactly, Does Congress Have the Authority To Investigate?''
Molo Lamken, LLP 2018, https://www.mololamken.com/knowledge-What-Exactly-Does-Congress-Have-the-Authority-To-Investigate#:~:text=While%20Congress%20can%20investigate%20conduct,otherwise%20initiate%20a%20criminal%20prosecution.
---------------------------------------------------------------------------
The proposed narrowing of the definition of third-party payer in
Sec. 2.11 would exclude covered entity health plans from the limits on
redisclosure of Part 2 records in paragraph (d)(2) of Sec. 2.12. To
clarify the modified scope of this paragraph, the Department proposes
to insert qualifying language in Sec. 2.12(d)(2) to refer to third-
party payers, ``as defined in this part.'' This approach implements the
CARES Act changes in a manner that preserves the existing redisclosure
limitations for any third-party payers that are not covered entities.
The Department seeks comment and data on the number and types of third-
party payers, as defined in the proposed rule, to which the
redisclosure limitations would continue to apply. The Department
especially seeks comment on how this provision would apply to grant-
funded programs.
The Department proposes to conform paragraph (e)(3) of Sec. 2.12
to 42 U.S.C. 290dd-2(c), as amended by section 3221(e) of the CARES
Act, by expanding the restrictions on the use of Part 2 records in
criminal proceedings against the patient to expressly include
disclosures of Part 2 records \131\ and to add civil and administrative
proceedings as additional types of forums where use and disclosure of
Part 2 records is prohibited, absent written patient consent or a court
order. Additionally, the Department proposes to clarify the language in
subparagraph (e)(4)(i) of Sec. 2.12, which excludes from Part 2 those
diagnoses of SUD that are created solely to be used as evidence in a
legal proceeding. The proposed change would narrow the exclusion to
diagnoses of SUD made ``on behalf of and at the request of a law
enforcement agency or official or a court of competent jurisdiction''
to be used as evidence ``in legal proceedings.'' The Department
believes the proposed clarification would tighten the nexus between a
law enforcement or judicial request for the diagnosis and the use or
disclosure of the SUD diagnosis based on that request, and requests
comment on this approach.
---------------------------------------------------------------------------
\131\ The Department proposes to add ``disclosures'' to secs.
2.17(b) and 2.67(d)(3) for the same reason.
---------------------------------------------------------------------------
The Department proposes to substitute the term ``person'' for the
term ``entity'' and the phrase ``individuals and entities'' in Sec.
2.12(d)(2)(i)(B) and (C), respectively. As discussed above in relation
to Sec. 2.11, Definitions, the Department does not intend this to be a
substantive change, but rather an alignment with the term as it is
defined in the Privacy Rule at 45 CFR 160.103.
Sec. 2.13--Confidentiality Restrictions and Safeguards
The current provisions of this section apply confidentiality
restrictions and safeguards to how Part 2 records may be ``disclosed
and used'' in this part, and specifically provide that Part 2 records
may not be disclosed or used in any civil, criminal, administrative, or
legislative proceedings. The current provisions also provide that
unconditional compliance with the part is required by programs and
lawful holders and restrict the ability of programs to acknowledge the
presence of patients at certain facilities.
To more accurately describe how the regulations of this part apply
to the activities of programs after the amendment of 42 U.S.C. 290dd-2
by section 3221 of the CARES Act, and to align the language throughout
this section with language in the Privacy Rule, the Department proposes
to modify paragraphs (a) and (b) of this section by replacing the
phrase ``disclosed or used'' with ``used or disclosed'', and in
paragraph (a), adding the term ``use'' in front of the term
``disclosure.'' The Department proposes to add the term ``use'' in
paragraph (a) of this section because sections 3221(b) and (e) of the
CARES Act amend key provisions of 42 U.S.C. 290dd-2 so that
confidentiality restrictions and safeguards apply to both uses and
disclosures.
Paragraph (d) of Sec. 2.13, List of disclosures, includes a
requirement for intermediaries to provide patients with a list of
entities to which an intermediary, such as a health information
exchange (HIE), has disclosed the patient's identifying information
pursuant to a general designation. The Department proposes to remove
Sec. 2.13(d) and redesignate the content as Sec. 2.24, change the
heading to
[[Page 74233]]
Requirements for Intermediaries, and in Sec. 2.11 create a regulatory
definition of the term ``intermediary,'' as discussed above. The
Department's proposal to redesignate Sec. 2.13(d) as 2.24 would move
the section toward the end of Subpart B--General Provisions, to be
grouped with the newly proposed Sec. Sec. 2.25 and 2.26 about patient
rights and disclosure. The Department's proposed change to the heading
is intended to distinguish the right to a list of disclosures made by
intermediaries from the proposed new right to an accounting of
disclosures made by a part 2 program.
In addition to these proposed structural changes, the Department
also proposes wording changes to paragraphs (a) through (c) of Sec.
2.13 to clarify who is subject to the restrictions and safeguards with
respect to Part 2 records. The Department solicits comment on the
extent to which Part 2 programs look to the HIPAA Security Rule as a
guide for safeguarding Part 2 electronic records. The Department also
requests comment on whether it should modify Part 2 to apply the same
or similar safeguards requirements to electronic Part 2 records as the
Security Rule applies to ePHI or whether other safeguards should be
applied to electronic Part 2 records.
Sec. 2.14--Minor Patients
Current Sec. 2.14 establishes the consent requirements for the
disclosure of records of minor patients. To align the description of
these requirements with 42 U.S.C. 290dd-2(b), as amended by section
3221(b) of the CARES Act, and to align the language of this provision
with the Privacy Rule, the Department proposes to add the term ``use''
in paragraphs (a) and (b) to clarify that requirements related to
consent given by minor patients would apply to both uses and
disclosures of records. For example, as amended by section 3221(b) of
the CARES Act, 42 U.S.C. 290dd-2(b)(1)(A) and (B) require a program or
covered entity to obtain the appropriate consent, as determined by this
section, to use or disclose the Part 2 records of the minor, and to use
or disclose the same records for TPO purposes in accordance with the
Privacy Rule. Subsection (c) of this section addresses when a minor's
application for treatment may be disclosed to the minor's parents. The
Department proposes to change the verb ``judges'' to ``determines'' to
describe a program director's evaluation and decision that a minor
lacks decision making capacity that could trigger a disclosure to the
patient's parents. This change is intended to distinguish between the
evaluation by a program director about patient decision making capacity
and an adjudication of incompetence made by a court, which is addressed
in Sec. 2.15. The Department also proposes a technical edit to Sec.
2.14(c)(1) to correct a typographical error from ``youthor'' to ``youth
or.''
The Department also proposes to substitute the term ``person'' for
the term ``individual'' in Sec. 2.14(b)(1), (b)(2), (c), (c)(1), and
(c)(2), respectively. As discussed above in relation to Sec. 2.11,
Definitions, the Department does not intend this to be a substantive
change, but rather an alignment with the term as it is defined in the
Privacy Rule at 45 CFR 160.103.
Sec. 2.15--Patients Who Lack Capacity and Deceased Patients (Proposed
Heading)
Section 2.15 of 42 CFR part 2 addresses who may consent to a
disclosure of records when a patient lacks capacity to make health care
decisions or is deceased. The Department proposes to replace the
outdated term ``incompetent'' and refer instead to patients who lack
capacity to make health care decisions. This modification is not
intended as a substantive change, but would replace a term that may be
considered derogatory. The rule clearly distinguishes between
situations involving an adjudication and those without adjudication.
Consistent with 42 U.S.C. 290dd-2, as amended by section 3221(b) of the
CARES Act, the Department proposes to clarify, by referring to the
``use'' of records in addition to disclosures of records in paragraphs
(a)(2) and (b), that confidentiality requirements related to the
records of patients who lack the capacity to make health care decisions
and deceased patients apply to both uses and disclosures. The
Department also proposes to substitute the term ``person'' for the term
``individual'' as discussed above in relation to Sec. 2.11,
Definitions. The Department further proposes to clarify that paragraph
(a) of this section refers to lack of capacity to make health care
decisions as adjudicated by a court while paragraph (b) refers to lack
of capacity to make health care decisions that is not adjudicated, and
to add health plans to the list of entities to which a program may
disclose records without consent to obtain payment during a period when
the patient has an unadjudicated inability to make decisions. Finally,
the Department proposes in paragraphs (b)(1) and (b)(2) of this section
to clearly identify that the restriction on the ability to use or
disclose patient identifying information applies to the Part 2 program.
Sec. 2.16--Security for Records and Notification of Breaches (Proposed
Heading)
Section 2.16, Security for records, currently includes a set of
requirements for securing records. Specifically, Sec. 2.16(a) requires
a Part 2 program or other lawful holder of patient identifying
information to maintain formal policies and procedures to protect
against unauthorized uses and disclosures of such information, and to
protect the security of this information. Sections 2.16(a)(1)-(2) set
forth minimum requirements for what these policies and procedures must
address with respect to paper and electronic records, respectively,
including, for example, transfers of records, maintaining records in a
secure location, and appropriate destruction of records. Section
2.16(a)(1)(v) requires part 2 programs to implement formal policies and
procedures to address removing patient identifying information to
render it non-identifiable in a manner that creates a low risk of re-
identification.
The Department proposes to change the requirements in Sec. 2.16(a)
to more closely align them with the Privacy Rule de-identification
standard. Specifically, the Department proposes to modify Sec.
2.16(a)(1)(v) (for paper records) and Sec. 2.16(a)(2)(iv) (for
electronic records), as follows: ``Rendering patient identifying
information de-identified in accordance with the requirements of the
Privacy Rule at 45 CFR 164.514(b), such that there is no reasonable
basis to believe that the information can be used to identify a patient
as having or having had a substance use disorder.'' The Department
requests comment on the extent to which Part 2 programs render patient
identifying information de-identified under Sec. 2.16(a)(1)(v) and
Sec. 2.16(a)(2)(iv) in a manner that differs from the Privacy Rule de-
identification standard, such that conforming the Part 2 requirements
to the Privacy Rule standard would create unintended adverse
consequences for Part 2 programs or patients. In addition, the
Department requests comment on examples of situations in which Part 2
programs or covered entities render Part 2 information not readily
identifiable but the information is not de-identified in accordance
with the Privacy Rule.
The Department's proposals would increase the alignment of
regulatory requirements for Part 2 with the Privacy Rule \132\ and
Breach Notification Rule.\133\ The same public policy
[[Page 74234]]
objectives of the Breach Notification Rule as applied to covered
entities would be furthered by establishing analogous requirements for
Part 2 programs, namely: (1) greater accountability for Part 2 programs
through requirements to maintain written policies and procedures to
address breaches and document actions taken in response to a breach;
(2) enhanced oversight and public awareness through notification of the
Secretary, affected patients, and in some cases the media; (3) greater
protection of patients through obligations to mitigate harm to affected
patients resulting from a breach; and (4) improved measures to prevent
future breaches as Part 2 programs timely resolve the causes of a
breach of records.
---------------------------------------------------------------------------
\132\ 45 CFR part 164 subparts A and E.
\133\ 45 CFR part 164 subpart D.
---------------------------------------------------------------------------
The Department proposes to modify the heading of Sec. 2.16 to add
``and notification of breaches'' and add a new paragraph Sec. 2.16(b)
to require Part 2 programs to establish and implement policies and
procedures for notification of breaches of unsecured part 2 records,
consistent with the requirements of 45 CFR parts 160 and 164, subpart
D, as mandated by section 3221(h) of the CARES Act. In the event of a
breach, Part 2 programs would be required to notify the Secretary,
affected patients, and in some cases the media, consistent with the
Breach Notification Rule.
Section 2.16 applies security requirements for Part 2 records to
both Part 2 programs and ``lawful holders.'' The term ``lawful holder''
is enshrined in several Part 2 regulatory provisions \134\ but not
defined in regulation. Generally, the term refers to ``an individual or
entity who has received such information as the result of a part 2-
compliant consent (with a prohibition on redisclosure) or as a result
of one of the exceptions to the consent requirements in the statute or
implementing regulations and, therefore, is bound by 42 CFR part 2.''
\135\
---------------------------------------------------------------------------
\134\ See, e.g., 42 CFR 2.31, 2.33, 2.52, and 2.53.
\135\ See 82 FR 6052, 6068. See also 81 FR 6988, 6997.
---------------------------------------------------------------------------
However, the Department believes that the requirements of this
section do not currently apply uniformly across all persons who receive
Part 2 records pursuant to consent and therefore qualify as ``lawful
holders'', such that a failure to have ``formal policies and
procedures'' or to ``protect'' against threats would result in the
imposition of civil or criminal penalties. The Department does not
propose to expand the existing scope of persons who are liable for
noncompliance with requirements that are applicable only to Part 2
programs and lawful holders. Instead, due to the variety of persons
that could receive Part 2 records based on a valid written Part 2
consent, the Department would determine the extent of the duty and
ability of a particular person to ``reasonably protect against
unauthorized uses'' and against ``reasonably anticipated threats or
hazards'' based on the facts and circumstances.
The Department requests comment on its assumptions, and examples of
persons who are lawful holders under the existing regulation, but who
may not be appropriately held liable for compliance with the
administrative requirements for protecting Part 2 records they have
received (e.g., policies and procedures to protect against unauthorized
use or disclosure) or providing breach notification, such as a
patient's family members. The Department also requests comment on
whether it would be helpful to create a regulatory definition of
``lawful holder'' and what persons such definition should
encompass.\136\
---------------------------------------------------------------------------
\136\ For example, in the Consideration of Regulatory
Alternatives section of this NPRM, the Department describes the
entities it considered expressly including in a definition that
would be codified in regulatory text, including covered entities,
business associates, qualified service organizations, and others.
---------------------------------------------------------------------------
The Department further requests public comment regarding the
estimated burden of notification, potential regulatory flexibilities
for Part 2 programs to minimize burdens during their initial
implementation of the policies and procedures required by the breach
notification proposal, and the characteristics of programs to which any
suggested flexibilities should apply. In addition, the Department
welcomes comments from Part 2 programs that are not covered entities on
whether they look to the Security Rule generally for guidance on
protecting electronic Part 2 records or otherwise voluntarily attempt
to follow the requirements of the Security Rule. For any programs that
may do so, the Department requests comment on what their experience has
been, including any implementation costs.
Sec. 2.17--Undercover Agents and Informants
The current provision prohibits, absent court order, a Part 2
program from knowingly employing or enrolling a patient as an
undercover agent and restricts the use of information obtained by an
undercover agent in any criminal investigation against any patient. To
fully implement 42 U.S.C. 290dd-2(c)(3), as amended by section 3221(e)
of the CARES Act, the Department proposes to add ``or disclosed''
behind ``used'' in this section so that the use and disclosure of Part
2 records is prohibited by this section pursuant to the statutory
authority.
Sec. 2.19--Disposition of Records by Discontinued Programs
Current Sec. 2.19 requires a Part 2 program to remove patient
identifying information or destroy the records when a program
discontinues services or is acquired by another program, unless patient
consent is obtained or another law requires retention of the records.
The Department proposes to create a third exception to this general
requirement to clarify that these provisions do not apply to transfers,
retrocessions, and reassumptions of Part 2 programs pursuant to the
Indian Self-Determination and Education Assistance Act (ISDEAA), in
order to facilitate the responsibilities set forth in 25 U.S.C.
5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C. Sec. 5324(e), 25 U.S.C. 5330,
25 U.S.C. 5386(f), 25 U.S.C. 5384(d), and the implementing ISDEAA
regulations. For example, in the event the Department needs to take
over operations of such a program on short notice, the program
records would remain intact, permitting the Department to ensure
continuation of services. Without this provision, program records would
be destroyed if patient consent is unavailable at the time services are
transferred to the Department, which could occur without sufficient
opportunity to seek consent from all current or former patients. The
Department also proposes wording changes to improve readability and
modernize the regulation, such as by referring to ``non-electronic''
records instead of ``paper'' records, and structural changes to the
numbering of paragraphs.
Sec. 2.20--Relationship to State Laws
Current Sec. 2.20 establishes the relationship of state laws to
Part 2 and provides that Part 2 does not preempt the field of law which
it covers to the exclusion of all applicable state laws, but that no
state law may either authorize or compel a disclosure prohibited by
Part 2. The Department proposes to add the term ``use'' to Sec. 2.20
to clarify that this section applies to both uses and disclosures under
Part 2 and state law. The Department believes this proposal is
consistent with 42 U.S.C. 290dd-2, as amended by section 3221(b) of the CARES
Act, which imposes requirements related to the use and disclosure of
Part 2 records.
[[Page 74235]]
Records subject to regulation by Part 2 frequently are also subject
to regulation by various state laws. For example, similar to Part 2,
state laws impose restrictions to varying degrees on uses and
disclosures of records related to SUD \137\ (and often other issues
commonly considered sensitive, such as reproductive health, HIV, or
serious mental illness).\138\ The Department assumes that, to the
extent state laws address SUD records, Part 2 programs generally are
able to comply with Part 2 and state law. The Department requests
comment on this assumption and examples of any circumstances in which a
state law compels a use or disclosure that is prohibited by Part 2,
such that Part 2 preempts such state law.
---------------------------------------------------------------------------
\137\ See e.g., Mich. Comp. Laws Sec. Sec. 333.6111 (expressly
excluding SUD records from an emergency medical service as
restricted); and NJ Rev. Stat. Sec. 26:2B-20 (2013) (requiring
records to be confidential except by proper judicial order whether
connected to pending judicial proceedings or otherwise).
\138\ See e.g., MO Rev. Stat. Sec. 191.731 (requiring SUD
records of certain pregnant women remain confidential).
---------------------------------------------------------------------------
Sec. 2.21--Relationship to Federal Statutes Protecting Research
Subjects Against Compulsory Disclosure of Their Identity
The current language of Sec. 2.21 recognizes the potential for
concurrent coverage of certain federal laws that regulate patient
identifying information. The Department proposes to reorder
``disclosure and use'' to read ``use and disclosure'' to better align
the wording of this section with language used in the Privacy Rule.
Sec. 2.22--Notice to Patients of Federal Confidentiality Requirements;
and 45 CFR 164.520--Notice of Privacy Practices for Protected Health
Information
Section 3221(i) of the CARES Act directs the Secretary to modify or
``update'' the HIPAA NPP requirements at 45 CFR 164.520 \139\ to
specify new requirements for covered entities and Part 2 programs with
respect to Part 2 records that are PHI (i.e., records of SUD treatment
by a Part 2 program that are transmitted or maintained by or for
covered entities). The CARES Act notice requirements would therefore
apply to entities that are subject to both Part 2 and HIPAA, which
include covered entities that are Part 2 programs as well as covered
entities that receive Part 2 records from a Part 2 program.
---------------------------------------------------------------------------
\139\ Section 3221(i) requires the Department to consult with
legal, clinical, privacy and civil rights experts. The Department
has completed this consultation as part of its internal review
process with the identified experts.
---------------------------------------------------------------------------
The Privacy Rule, at 45 CFR 164.520, establishes an individual
right to receive an NPP, written in plain language, providing adequate
notice of a covered entity's privacy practices and obligations with
respect to individuals' PHI. Health care clearinghouses, correctional
institutions that are covered entities, and certain group health plans
\140\ are excepted from the requirement, but other covered health plans
and covered health care providers that maintain a direct treatment
relationship \141\ with an individual must provide the individual with
adequate notice about how the covered entity may use and disclose the
individual's PHI, as well as the individual's rights and the covered
entity's obligations with respect to the individual's PHI.
---------------------------------------------------------------------------
\140\ See 45 CFR 164.520(a)(2) and (a)(3).
\141\ See 45 CFR 164.501 (definitions of ``Direct treatment
relationship'' and ``Indirect treatment relationship'').
---------------------------------------------------------------------------
To implement section 3221(i)(2) of the CARES Act, the Department
proposes to modify both the Patient Notice requirements at Sec. 2.22
and the NPP requirements at 45 CFR 164.520 to provide notice
requirements for all Part 2 records. While the CARES Act only expressly
requires the modification of the NPP requirements at 45 CFR 164.520,
the Department proposes to also modify the Part 2 Patient Notice at
Sec. 2.22 to align more closely with the NPP requirements. The
proposal to modify Sec. 2.22 would ensure that patients of Part 2
programs that are not covered by HIPAA are afforded as much notice and
transparency as is provided to individuals in the NPP. Accordingly, the
Department proposes to modify Sec. 2.22 pursuant to the Secretary's
authority under 42 U.S.C. 290dd-2(g) to prescribe regulations to carry
out the purposes of that section.
The Department also believes there is a statutory mandate to modify
the NPP requirements for some HIPAA covered entities that are not Part
2 programs, namely, those covered entities that receive and maintain
Part 2 records, and thus are obligated to comply with certain Part 2
requirements with respect to such records. Covered entities that
receive and maintain Part 2 records would need to add a provision to
their NPP that references the restrictions on use and disclosure of
Part 2 records in civil, criminal, administrative, and legislative
proceedings against the individual. The current NPP requirements would
continue to apply, without change, to covered entities that do not
receive or maintain Part 2 records. The proposed changes to Sec. 2.22,
notice of federal confidentiality requirements, for Part 2 programs
that are not covered entities, followed by proposed changes to 45 CFR
164.520 for covered entities that are dually subject to HIPAA and Part
2, and for other covered entities that receive and maintain Part 2
records, are described below.
Consistent with the requirements of section 3221(i)(2) of the CARES
Act, the Department proposes to revise the Patient Notice at Sec. 2.22
of this part, and to update NPP requirements using plain language that
is easily understandable and parallel to changes proposed in the NPRM
modifying the Privacy Rule published on January 21, 2021.\142\ The
Department specifically requests comment from legal, clinical, privacy,
and civil rights experts on whether the below proposals achieve this
goal.
---------------------------------------------------------------------------
\142\ See Proposed Modifications to the HIPAA Privacy Rule to
Support, and Remove Barriers to, Coordinated Care and Individual
Engagement, 86 FR 6446.
---------------------------------------------------------------------------
1. Modifying the Sec. 2.22 Patient Notice
Because the HIPAA Rules and Part 2 cover different, but often
overlapping, sets of regulated entities, and because the NPP currently
offers more robust notice requirements than the Patient Notice, the
Department proposes to modify Sec. 2.22 to provide the same
information to individuals under the Privacy Rule as to patients of
Part 2 programs. The Department's proposed modifications to the Patient
Notice would also restructure it to substantially mirror the structure
of the NPP. As discussed below, instead of the Patient Notice
containing elements described as a ``summary'' of the federal law that
applies to protect Part 2 records, the Patient Notice would address the
same key elements of the HIPAA NPP such as a required Header, Uses and
Disclosures, Individual Rights, and Duties of Part 2 Programs. As
further discussed below, the Department proposes to add to the Patient
Notice key features of the NPP, such as explaining to patients that
they may file a complaint when they believe their privacy rights have
been violated, and that they have the right to revoke their consent for
Part 2 programs to disclose records in certain circumstances. The
Department believes this approach would best implement the intent of
Congress to apply NPP protections to these records and requests comment
on this approach, including any burdens associated with this approach.
Part 2 programs should be mindful that federal civil rights laws
require certain entities, including recipients of federal financial
assistance and public
entities, to take appropriate steps to ensure that communications with
individuals with disabilities are as effective as communications with
others, including by providing appropriate auxiliary aids and services
where necessary.\143\ In addition, recipients of federal financial
assistance must take reasonable steps to ensure meaningful access to
their programs and activities for individuals with limited English
proficiency, including through language assistance services when
necessary.\144\
---------------------------------------------------------------------------
\143\ See 45 CFR 92.102 (Section 1557 of the Affordable Care
Act); 45 CFR 84.4(b), 84.52(a), (c), (d) (Section 504 of the
Rehabilitation Act of 1973); 28 CFR 35.160(a)-(b) (Title II of the
Americans with Disabilities Act).
\144\ See 45 CFR 92.101 (Section 1557 of the Affordable Care
Act); 45 CFR 80.3(b) (Title VI of the Civil Rights Act of 1964).
---------------------------------------------------------------------------
Section 2.22, Notice to patients of federal confidentiality
requirements, requires a Part 2 program, at the time of admitting a
patient to the program,\145\ to give written notice of and summarize
the federal law and regulations that protect the confidentiality of SUD
records. Section 2.22(b) requires that the notice include five
elements: (1) a general description of the limited circumstances in
which a Part 2 program may share information that would identify the
patient as having or having had a SUD; (2) a statement informing the
patient that violation of the federal law and regulations is a crime
and contact information for the appropriate authorities; (3) a
statement that information related to a patient's commission of a crime
on the premises is not protected as confidential; (4) a statement that
reports of suspected child abuse and neglect made under state law to
appropriate state or local authorities are not protected; and (5) a
citation to the federal law and regulations. Finally, Sec. 2.22 gives
the option to a Part 2 program to include information about applicable
state law and its own local policies. Although Sec. 2.22 does not
expressly apply to covered entities and PHI, any covered entity that
uses or discloses Part 2 SUD records would be subject to the notice
requirements of Sec. 2.22 in addition to the NPP requirements in 45
CFR 164.520. Conversely, Part 2 programs that are not covered entities
and not subject to HIPAA would only be obligated to comply with Sec.
2.22.
---------------------------------------------------------------------------
\145\ In the event a patient lacks capacity at the time of
admission, 42 CFR 2.22(a) alternatively requires that such notice be
given as soon as the patient attains capacity.
---------------------------------------------------------------------------
The Department proposes to modify Sec. 2.22 by incorporating most
of the notice requirements in the HIPAA NPP at 45 CFR 164.520, and then
excluding those that are non-applicable or pose special privacy risks,
and separately addressing certain provisions that have special
requirements or differences between application to covered entities and
Part 2 programs as specified in 42 U.S.C. 290dd-2, as amended by the
CARES Act. The Department proposes the following with respect to the
Patient Notice at Sec. 2.22.
Header. The Department proposes to require Part 2 programs to
include a header in the Patient Notice. The header would be nearly
identical to the header required in the NPP (and as proposed for
amendment above) at 45 CFR 164.520(b)(1)(i) \146\ except where
necessary to distinguish components of the notice not applicable to 42
CFR part 2. For example, the Patient Notice that would be provided
pursuant to this part would not include notice that patients could
exercise the right to get copies of records at limited costs or in some
cases, free of charge, nor would it provide notice that patients could
inspect or get copies of records under HIPAA.
---------------------------------------------------------------------------
\146\ The Department proposed to modify the NPP header in a
separate Privacy Rule NPRM, as described at 86 FR 6446, 6485. The
proposed regulatory text herein reflects the changes proposed in the
earlier NPRM, as well as new proposed changes.
---------------------------------------------------------------------------
Uses and Disclosures. The Department proposes to require a Part 2
program to include in the Patient Notice descriptions of uses and
disclosures that are permitted for TPO, permitted without written
consent, or will only be made with written consent. Consistent with the
current set of NPP requirements for covered entities, the Department
proposes to add a requirement that a covered entity that creates or
maintains Part 2 records include sufficient detail in its Patient
Notice to place the patient on notice of the uses and disclosures that
are permitted or required. Although the Department believes section
3221(k)(4) of the CARES Act--stating that certain de-identification and
fundraising activities should be excluded from the definition of health
care operations--has no legal effect as a Sense of Congress, the
Department believes it prudent to propose new Sec. 2.22(b)(1)(iii).
This proposal would require that a program provide notice to patients
that the program must obtain written consent before it may use or
disclose records for fundraising on behalf of the program. This new
notice requirement is consistent with a newly proposed consent
requirement at Sec. 2.31(a)(5) in which a program must obtain a
patient's permission for such uses and disclosures.
Before proposing the approach above, the Department first
considered whether to propose a consent requirement for both de-
identification and fundraising and whether to structure it as an opt-in
or an opt-out. The Department believes that an opt-in requirement would
afford patients a greater amount of control over their records and best
fulfill patients' expectations about how their Part 2 information would
be protected. However, the Department believes that requiring patient
consent for de-identification activities would be inconsistent with the
new permission to disclose de-identified information for public health
purposes as provided in section 3221(c) of the CARES Act. Such a
requirement also would create a barrier to de-identification that may
negatively affect patient privacy by increasing permissible but
unnecessary uses and disclosures of identifiable Part 2 records in
circumstances when de-identified records would serve the intended
purpose. As noted above, the Department believes uses and disclosures
for fundraising warrant this added privacy protection, consistent with
congressional intent as expressed in the Sense of Congress.
Individual Rights. The Department proposes to require that a Part 2
program include in the Patient Notice statements of patients' rights
with respect to Part 2 records. The structure would mirror the
statements of rights required in the NPP for covered entities and PHI
but, based on amended 42 U.S.C. 290dd-2, would include:
<bullet> Right to request restrictions of disclosures made with
prior consent for purposes of TPO, as provided in 42 U.S.C. 290dd-
2(b)(1)(C) and when a Part 2 program must agree to a request.
<bullet> Right to request and obtain restrictions of disclosures of
Part 2 records to the patient's health plan for those services for
which the patient has paid in full, in the same manner as 45 CFR
164.522 applies to restrictions of disclosures of PHI.
<bullet> Right to an accounting of disclosures of electronic Part 2
records for the past 3 years, as provided in 42 U.S.C. 290dd-2(b)(1)(B)
and right to an accounting of disclosures of Part 2 records that
mirrors the right in the Privacy Rule at 45 CFR 164.528.
<bullet> Right to obtain an electronic or non-electronic copy of
the notice from the program upon request.
<bullet> Right to discuss the notice with a designated contact
person identified by the program pursuant to paragraph 45 CFR
164.520(b)(1)(vii).
Part 2 program's duties. The Department proposes to incorporate
into the Patient Notice statements describing
the duties of Part 2 programs with respect to Part 2 records that
parallel the statements of duties of covered entities required in the
NPP with respect to PHI. Although this change is not required by 42
U.S.C. 290dd-2, the statement of duties would put patients on notice of
the obligations of Part 2 programs to maintain the privacy and security
of Part 2 records, abide by the terms of the Patient Notice, and inform
patients that it may change the terms of a Patient Notice. The Patient
Notice also would include a statement of the new duty under 42 U.S.C.
290dd-2(j) to notify affected patients following a breach of Part 2
records.
Complaints. The Department proposes to require that a Part 2
program inform patients, in the Patient Notice, that the patients may
complain to the Part 2 program and the Secretary when they believe their
privacy rights have been violated, as well as a brief description of
how the patient may file the complaint and a statement that the patient
will not be retaliated against for filing a complaint. These statements
would support the implementation of the CARES Act enforcement
provisions, which apply the civil enforcement provisions of section
1176 of the Social Security Act to violations of 42 U.S.C. 290dd-
2.\147\
---------------------------------------------------------------------------
\147\ See 42 U.S.C. 290dd-2(f) and 42 U.S.C. 1320d-5.
---------------------------------------------------------------------------
Contact and Effective Date. The Department proposes to require that
the Patient Notice provide the name or title, telephone number, and
email address of a person a patient may contact for further information
about the Part 2 Notice, and information about the date the Patient
Notice takes effect. These provisions would parallel requirements for
the NPP.
Optional Elements. The Department proposes to incorporate into the
Patient Notice the optional elements of an NPP, which a Part 2 program
could include in its Patient Notice. This provision permits a program
that elects to place more limits on its uses or disclosures than
required by Part 2 to describe its more limited uses or disclosures in
its notice, provided that the program may not include in its notice a
limitation affecting its ability to make a use or disclosure that is
required by law or permitted to be made for emergency treatment.
Revisions to the Patient Notice. The Department proposes to require
that a Part 2 program must promptly revise and distribute its Patient
Notice when there has been a material change and provide that, except
when required by law, such material change may not be implemented prior
to the effective date of the Patient Notice. These provisions would
parallel requirements for the NPP.
Implementation Specifications. The Department proposes to require
that a Part 2 program provide the Patient Notice to anyone who requests
it and provide it to a patient not later than the date of the first
service delivery, including where first service is delivered
electronically, after the compliance date for the Patient Notice. This
provision also would require that the Patient Notice be provided as
soon as reasonably practicable after emergency treatment. Finally, if
the Part 2 program has a physical delivery site, the Patient Notice
would have to be posted in a clear and prominent location at the
delivery site where a patient would be able to read the notice in a
manner that does not identify the patient as receiving SUD treatment,
and the Patient Notice would need to be included on a program's
website, if it has one. These provisions would parallel the
requirements for provision of the NPP by covered health care
providers.\148\
---------------------------------------------------------------------------
\148\ See 45 CFR 164.520(c)(2)(i)(A), (c)(2)(i)(B),
(c)(2)(iii)(B). See also proposed amendments to this section in the
NPRM to Modify the Privacy Rule to Support, and Remove Barriers to,
Coordinated Care and Individual Engagement, 86 FR 6446.
---------------------------------------------------------------------------
The Department requests comment on each Patient Notice proposal,
including information on how incorporating NPP elements into the
Patient Notice requirements would increase or alleviate burdens for
Part 2 programs.
2. Modifying 45 CFR 164.520
Applying the NPP requirements to certain entities. Section
3221(i)(2) of the CARES Act requires the Department to update the NPP
to provide notice of privacy practices with respect to Part 2 records
being created or maintained by ``covered entities and entities creating
or maintaining the records described in subsection (a)'' (referring to
section 543(a) of the PHSA, 42 U.S.C. 290dd-2(a), specifying and
defining Part 2 records). The Department proposes all of the following
changes to 45 CFR 164.520 to update it in accordance with the CARES Act
and to ensure adequate notice is given to patients who are the subject
of these records.
The Department proposes to modify 45 CFR 164.520(a) by adding a new
paragraph (2) to expressly apply the NPP provisions to covered entities
using and disclosing Part 2 records. The proposed change would further
align the Patient Notice requirements for Part 2 records with NPP
requirements with respect to PHI.
The Department also proposes to remove paragraph (3) of 45 CFR
164.520(a), Exception for inmates. The Department no longer believes it
is appropriate to withhold notice from an incarcerated individual with
respect to their health information privacy rights and a covered
entity's practices. When the Department finalized the exception, it
stated ``[n]o person, including a current or former inmate, has the
right to notice of such a covered entity's privacy practices'' seeming
to distinguish correctional facilities that are covered entities from
other covered entities. The Department is unable to discern a safety or
security risk associated with providing inmates notice concerning the
covered entity correctional institution's privacy practices for PHI. This
proposal would ensure that regulated entities provide an NPP to inmates
consistent with what is provided to other individuals, and would retain
the limitation on the right of access due to security concerns.
Content of Notice requirements apply to all covered entities,
including those that are also subject to Part 2. The Department
proposes to amend the required Header at 45 CFR 164.520(b)(1) to
specifically reference covered entities maintaining or receiving Part 2
records. In addition, the proposed regulatory text at 45 CFR
164.520(b)(1)(i) reflects the changes to 45 CFR 164.520 previously
proposed in the NPRM to Modify the Privacy Rule to Support, and Remove
Barriers to, Coordinated Care and Individual Engagement, published in
2021.\149\ Further, in 45 CFR 164.520(b)(1)(i) and in Sec. 2.22, the
Department proposes to change the word ``Medical'' to ``Health'' to
refer to the type of information covered by the NPP. This change is not
intended to modify substantive requirements, but instead is proposed to
more accurately reflect and clarify that the information covered by the
notice is not limited to the information a covered entity places in an
individual's medical record.
---------------------------------------------------------------------------
\149\ See 86 FR 6446.
---------------------------------------------------------------------------
Description of Uses and Disclosures. Section 3221(i)(2)(B) of the
CARES Act requires the updated NPP for Part 2 records to include
descriptions for every purpose for which the covered entity is
permitted or required to use or disclose PHI without the patient's
written authorization, ``as required by subsection (b)(2) of such
section 164.520.'' However, 45 CFR 164.520(b)(2) sets out optional
elements for the NPP and does not address uses or disclosures that are
permitted or required without the individual's authorization.
Therefore, the
Department believes that the drafters of the CARES Act provision
intended to refer instead to 45 CFR 164.520(b)(1)(ii), which requires
that the NPP include descriptions of Uses and Disclosures, including a
description of each use or disclosure that is permitted or required
without the individual's written authorization.\150\
---------------------------------------------------------------------------
\150\ See 45 CFR 164.520(b)(1)(ii)(A)-(D).
---------------------------------------------------------------------------
The Department proposes to add to the description in 45 CFR
164.520(b)(1)(ii)(C) and (D) the language ``such as 42 CFR part 2'' to
ensure that covered entities understand their specific obligation to
address restrictions placed on the use and disclosure of Part 2
records.
Section 164.520(b)(1)(iii) includes requirements for Separate
statements for certain uses or disclosures. In the introductory
paragraph of this sub-section, the Department proposes to add ``or
(B)'' to include sub-paragraph (B) in the list of descriptions that
require a separate statement to describe TPO uses and disclosures under
45 CFR 164.520(b)(1)(ii)(A) or those made without authorization under
45 CFR 164.520(b)(1)(ii)(B). The Department also proposes to add new
sub-paragraph (D) providing notice that Part 2 records or testimony
relaying the content of such records shall not be used or disclosed in
certain proceedings against the individual without written consent or
court order, and new sub-paragraph (E) providing notice that if a
covered entity that is a Part 2 program intends to engage in activities
addressed in the Sense of Congress in section 3221(k)(4) of the CARES
Act,\151\ the program must first obtain the patient's express written
consent. This provision would support the implementation of 42 U.S.C.
290dd-2(c).
---------------------------------------------------------------------------
\151\ Section 3221(k)(4) expresses the Sense of Congress that
creating de-identified health information, a limited data set, and
fundraising for the benefit of a covered entity should be excluded
from the definition of health care operations as applied to the use
and disclosure of Part 2 records.
---------------------------------------------------------------------------
Statement of Rights. Section 3221(i)(2)(A) of the CARES Act
requires the NPP for Part 2 records to include a statement of the
patient's rights with respect to PHI and how the individual may
exercise such rights as required by 45 CFR 164.520(b)(1)(iv). The
statement must address the rights of patients who self-pay (i.e., cash
or other payment not billed to a third-party payer or health plan).
Current 45 CFR 164.520(b)(1)(iv) requires a covered entity to
include in its NPP a statement of an individual's rights with respect
to PHI. To implement the CARES Act requirements related to a Statement
of Rights, the Department proposes to revise 45 CFR
164.520(b)(1)(iv)(C), to require a covered entity, when providing
notice about the right of access, to include notice about the right to
inspect and obtain a copy of PHI, the right to do so at limited cost or
free of charge, and the right to direct a covered health care provider
to transmit an electronic copy of PHI in an electronic health record to
a third party. The Department also proposes to add a new Sec.
164.520(b)(1)(iv)(G) to require a covered entity to provide notice of
the right to discuss the NPP with a designated contact person
identified by the covered entity. These changes are made to reflect the
changes to the NPP provisions proposed by the Department in the NPRM to
Modify the Privacy Rule to Support, and Remove Barriers to, Coordinated
Care and Individual Engagement.\152\
---------------------------------------------------------------------------
\152\ See 86 FR 6446.
---------------------------------------------------------------------------
Covered entity's duties. The Department proposes, at 45 CFR
164.520(b)(1)(v)(A), to remove the second reference to ``protected
health information'' to expand the requirement that a covered entity
provide individuals with notice of the covered entity's legal duties
and privacy practices to information beyond that of PHI (i.e., to Part
2 records). The Department proposes to modify 45 CFR
164.520(b)(1)(v)(C), a provision that addresses a covered entity's
right to change the terms of its NPP, to simplify the text, remove the
reference to the administrative requirements of the Privacy Rule (i.e.,
so that it also applies to Part 2), and insert a limitation that any
new terms must not be material or contrary to law.
Other proposed updates to the NPP. The Department proposes other
changes to conform the NPP requirements at 45 CFR 164.520 to changes
required by the CARES Act. For example, the Department proposes to
modify 45 CFR 164.520(b)(1)(iii) to address the Sense of Congress
expressed in section 3221(k)(4) of the CARES Act. Although the Sense of Congress
does not give legal effect to the exclusion of fundraising and the
creation of de-identified health information and limited data sets as
permissible disclosures under ``health care operations'', the
Department believes that fundraising is far enough outside an
individual's reasonable expectation of how their Part 2 records will be
used or disclosed that entities should obtain written consent. This
means that the NPP provision at 45 CFR 164.520(b)(1)(iii) would still
give notice to individuals that a covered entity may use or disclose
the individual's PHI for fundraising with an option to opt out of such
communications. However, in the case of a covered entity that is also a
Part 2 program, it would also provide notice that a covered entity may
use or disclose the individual's Part 2 records for fundraising on
behalf of the covered entity only with the written consent of the
individual. The Department also proposes to incorporate changes
proposed to the NPP requirements in the NPRM to Modify the Privacy Rule
to Support, and Remove Barriers to, Coordinated Care and Individual
Engagement.\153\ These proposals include adding a requirement, at 45
CFR 164.520(b)(1)(vii), that a covered entity's NPP include the email
address for a designated person who would be available to answer
questions about the covered entity's privacy practices; adding a
permission for a covered entity to provide information, in its NPP,
concerning the right to direct copies of PHI to third parties when the
PHI is not in an EHR and the ability to request the transmission using
an authorization; and removing the existing requirement for a covered
entity to obtain a written acknowledgement of receipt of the NPP.
Finally, the Department proposes a new paragraph at 45 CFR
164.520(d)(4) to prohibit construing the permissions for OHCAs to
disclose PHI between participants as negating obligations related to
Part 2 records.
---------------------------------------------------------------------------
\153\ Id.
---------------------------------------------------------------------------
The Department is mindful of the compliance burden imposed on all
entities due to NPP requirements. The Department carefully considered
how to accomplish the CARES Act mandate to update the NPP and believes
that the proposed changes to 45 CFR 164.520 implement the statutory
requirement to inform individuals in a manner that places the least
burden on regulated entities. The Department requests comment on this
assumption.
Sec. 2.23--Patient Access and Restrictions on Use and Disclosure
(Proposed Heading)
The Department proposes to add the term ``disclosure'' to the
heading of this section and throughout paragraphs (a) and (b) to
clarify that a patient is not required to provide written consent or
authorization in order to access their own Part 2 records. The
Department proposes additional wording changes to this section to
improve readability and to replace the word ``information'' with
``records,'' which more accurately describes the scope of the
information to which the regulation applies.
[[Page 74239]]
Sec. 2.24--Requirements for Intermediaries (Redesignated and Proposed
Heading)
Under Sec. 2.13(d), a patient has a right to request a list of
disclosures made by an intermediary; the intermediary must provide the
patient with information regarding disclosures made within the past two
years. As described above in Sec. Sec. 2.11 Definitions and 2.13
Confidentiality restrictions and safeguards, the Department proposes to
remove paragraph (d) of Sec. 2.13 and redesignate it as Sec. 2.24;
change the subheading from Lists of disclosures to a heading titled
Requirements for intermediaries; and in Sec. 2.11 create a regulatory
definition of the term ``intermediary''. The Department proposes
modifications to clarify the newly designated Sec. 2.24 without
intending to change the obligations of intermediaries, other than the
time period covered by the list of disclosures.
Specifically, the Department proposes to replace the description of
intermediaries with a new regulatory definition and to move the
statement of responsibility for complying with the applicable
requirements from the end of the provision to the beginning. The intent
is to clarify what types of entities would be considered
intermediaries--e.g., HIEs, research institutions, accountable care
organizations, and care management organizations--and their
responsibilities for providing patients with a list of disclosures made
to member or participant treating providers. An intermediary may be a
business associate when a Part 2 program is also a covered entity under
HIPAA; in such situations, the intermediary would be subject to
requirements of intermediaries as well as those for business
associates. The Department proposes to extend the period covered by a
list of disclosures from two years to three years to align with the new
right to an accounting of disclosures as proposed in Sec. 2.25(b) for
disclosures made for purposes of treatment, payment, and health care
operations, discussed below. The Department also proposes modifications
to the redesignated section to improve clarity and understanding
without intending any substantive change.
Sec. 2.25--Accounting of Disclosures (Proposed Heading)
Except for disclosures made by intermediaries, the existing Part 2
regulation does not include a right for patients to obtain an
accounting of disclosures of Part 2 records.\154\ Section 290dd-
2(b)(1)(B) of 42 U.S.C., as amended by section 3221(b) of the CARES
Act, applies section 13405(c) of the HITECH Act, 42 U.S.C. 17935(c),
Accounting of Certain Protected Health Information Disclosures Required
if Covered Entity Uses Electronic Health Record, to Part 2 disclosures
for TPO with prior written consent. Therefore, the Department proposes
to add a new Sec. 2.25, Accounting of disclosures, to establish the
patient's right to receive, upon request, an accounting of disclosures
of Part 2 records made with written consent for up to three years prior
to the date the accounting is requested.
---------------------------------------------------------------------------
\154\ 42 CFR 2.13(d) (specifying List of Disclosures requirement
applicable to intermediaries).
---------------------------------------------------------------------------
This proposal would apply to the individual right to an accounting
of disclosures in the HITECH Act.\155\ The first paragraph of the
section, (a), would generally require an accounti