Rule2024-02544

Confidentiality of Substance Use Disorder (SUD) Patient Records

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
February 16, 2024
Effective
April 16, 2024

Issuing agencies

Health and Human Services Department

Abstract

The United States Department of Health and Human Services (HHS or "Department") is issuing this final rule to modify its regulations to implement section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The Department is issuing this final rule after careful consideration of all public comments received in response to the notice of proposed rulemaking (NPRM) for the Confidentiality of Substance Use Disorder (SUD) Patient Records. This final rule also makes certain other modifications to increase alignment with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to improve workability and decrease burden on programs, covered entities, and business associates.

Full Text

<html>
<head>
<title>Federal Register, Volume 89 Issue 33 (Friday, February 16, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 33 (Friday, February 16, 2024)]
[Rules and Regulations]
[Pages 12472-12631]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-02544]



[[Page 12471]]

Vol. 89, No. 33

Friday, February 16, 2024

Part III

Department of Health and Human Services

-----------------------------------------------------------------------

42 CFR Part 2

Confidentiality of Substance Use Disorder (SUD) Patient Records; Final 
Rule

Federal Register / Vol. 89, No. 33 / Friday, February 16, 2024 / 
Rules and Regulations

[[Page 12472]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

42 CFR Part 2

RIN 0945-AA16


Confidentiality of Substance Use Disorder (SUD) Patient Records

AGENCY: Office for Civil Rights, Office of the Secretary, Department of 
Health and Human Services; Substance Abuse and Mental Health Services 
Administration (SAMHSA), Department of Health and Human Services.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The United States Department of Health and Human Services (HHS 
or ``Department'') is issuing this final rule to modify its regulations 
to implement section 3221 of the Coronavirus Aid, Relief, and Economic 
Security (CARES) Act. The Department is issuing this final rule after 
careful consideration of all public comments received in response to 
the notice of proposed rulemaking (NPRM) for the Confidentiality of 
Substance Use Disorder (SUD) Patient Records. This final rule also 
makes certain other modifications to increase alignment with the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy 
Rule to improve workability and decrease burden on programs, covered 
entities, and business associates.

DATES: 
    Effective date: This final rule is effective on April 16, 2024.
    Compliance date: Persons subject to this regulation must comply 
with the applicable requirements of this final rule by February 16, 
2026.

FOR FURTHER INFORMATION CONTACT: Marissa Gordon-Nguyen at (202) 240-
3110 or (800) 537-7697 (TDD).

SUPPLEMENTARY INFORMATION: 

Table of Contents

I. Executive Summary
    A. Purpose of Rulemaking and Issuance of Proposed Rule
    B. Severability
    C. Summary of the Major Provisions
    D. Summary of the Costs and Benefits of the Major Provisions
II. Statutory and Regulatory Background
III. Overview of Public Comments
    A. General Discussion of Comments
    B. General Comments
    1. General Support for the Proposed Rule
    2. General Opposition to the Proposed Rule
IV. Analysis and Response to Public Comments and Final Modifications
    A. Effective and Compliance Dates
    B. Substantive Proposals and Responses to Comments
V. Regulatory Impact Analysis
    A. Executive Orders 12866 and 13563 and Related Executive Orders 
on Regulatory Review
    1. Summary of the Final Rule
    2. Need for the Final Rule
    3. Response to Public Comment
    4. Cost-Benefit Analysis
    5. Consideration of Regulatory Alternatives
    B. Regulatory Flexibility Act
    C. Unfunded Mandates Reform Act
    D. Executive Order 13132--Federalism
    E. Assessment of Federal Regulation and Policies on Families
    F. Paperwork Reduction Act of 1995
    1. Explanation of Estimated Annualized Burden Hours for 42 CFR 
Part 2
    2. Explanation of Estimated Capital Expenses for 42 CFR Part 2

                            Table of Acronyms
------------------------------------------------------------------------
              Acronym                              Meaning
------------------------------------------------------------------------
ACO...............................  Accountable Care Organization.
ADAMHA............................  Alcohol, Drug Abuse, and Mental
                                     Health Administration
                                     Reorganization Act.
ADT...............................  Admit, Discharge, Transfer.
APCD..............................  All-Payer Claims Database.
BLS...............................  Bureau of Labor Statistics.
CARES Act.........................  Coronavirus Aid, Relief, and
                                     Economic Security Act.
CBO...............................  Community-based Organizations.
CFR...............................  Code of Federal Regulations.
CHIP..............................  Children's Health Insurance Program.
CMP...............................  Civil Money Penalty.
CMS...............................  Centers for Medicare & Medicaid
                                     Services.
COVID-19..........................  Coronavirus Disease 2019.
CSP...............................  Cloud Service Provider.
DOJ...............................  U.S. Department of Justice.
E.O...............................  Executive Order.
EHR...............................  Electronic Health Record.
ePHI..............................  Electronic Protected Health
                                     Information.
FDA...............................  Food and Drug Administration.
FOIA..............................  Freedom of Information Act.
FR................................  Federal Register.
GS................................  General Schedule.
Health IT.........................  Health Information Technology.
HHS or Department.................  U.S. Department of Health and Human
                                     Services.
HIE...............................  Health Information Exchange.
HIN...............................  Health Information Network.
HIPAA.............................  Health Insurance Portability and
                                     Accountability Act of 1996.
HITECH Act........................  Health Information Technology for
                                     Economic and Clinical Health Act of
                                     2009.
HIV...............................  Human Immunodeficiency Virus.
ICR...............................  Information Collection Request.
IHS...............................  Indian Health Service.
ISDEAA............................  Indian Self-Determination and
                                     Education Assistance Act.
MAT...............................  Medication Assisted Treatment.
MHPAEA............................  Mental Health Parity and Addiction
                                     Equity Act.
MOUD..............................  Medications for Opioid Use Disorder.
MPCD..............................  Multi-Payer Claims Database.
NIST..............................  National Institute of Standards and
                                     Technology.
NOAA..............................  National Oceanic and Atmospheric
                                     Administration.
NPP...............................  Notice of Privacy Practices.
NPRM..............................  Notice of Proposed Rulemaking.

[[Page 12473]]

N-SSATS...........................  National Survey of Substance Abuse
                                     Treatment Services.
OCR...............................  Office for Civil Rights.
OIG...............................  Office of the Inspector General.
OIRA..............................  Office of Information and Regulatory
                                     Affairs.
OMB...............................  Office of Management and Budget.
ONC...............................  Office of the National Coordinator
                                     for Health Information Technology.
OTP...............................  Opioid Treatment Program.
PDMP..............................  Prescription Drug Monitoring
                                     Program.
PHI...............................  Protected Health Information.
PHSA..............................  Public Health Service Act.
PRA...............................  Paperwork Reduction Act of 1995.
Pub. L............................  Public Law.
QSO...............................  Qualified Service Organization.
QSOA..............................  Qualified Service Organization
                                     Agreement.
RFA...............................  Regulatory Flexibility Act.
RFI...............................  Request for Information.
RIA...............................  Regulatory Impact Analysis.
RPMS..............................  Resource and Patient Management
                                     System.
SAMHSA............................  Substance Abuse and Mental Health
                                     Services Administration.
SBA...............................  Small Business Administration.
SUD...............................  Substance Use Disorder.
TEDS..............................  Treatment Episode Data Set.
TEFCA.............................  Trusted Exchange Framework and
                                     Common Agreement.
TPO...............................  Treatment, Payment, and/or Health
                                     Care Operations.
U.S.C.............................  United States Code.
USPHS.............................  U.S. Public Health Service.
VA................................  U.S. Department of Veterans Affairs.
------------------------------------------------------------------------

I. Executive Summary

A. Purpose of Rulemaking and Issuance of Proposed Rule

    On March 27, 2020, Congress enacted the Coronavirus Aid, Relief, 
and Economic Security (CARES) Act, including section 3221 of the Act 
\1\ entitled ``Confidentiality and Disclosure of Records Relating to 
Substance Use Disorder.'' Section 3221 enacts statutory amendments to 
section 290dd-2 of title 42 United States Code (42 U.S.C. 290dd-2).\2\ 
These amendments require the U.S. Department of Health and Human 
Services (HHS or ``Department'') to increase the regulatory alignment 
between title 42 of the Code of Federal Regulations (CFR) (42 CFR part 
2 or ``part 2''),\3\ which includes privacy provisions that protect SUD 
patient records, and key aspects of the Health Insurance Portability 
and Accountability Act of 1996 (HIPAA) \4\ Privacy, Breach 
Notification, and Enforcement regulations (``HIPAA regulations''),\5\ 
which govern the use and disclosure of protected health information 
(PHI).\6\
---------------------------------------------------------------------------

    \1\ Public Law 116-136, 134 Stat. 281 (Mar. 27, 2020).
    \2\ 42 U.S.C. 290dd-2.
    \3\ For readability, the Department refers to specific sections 
of 42 CFR part 2 using a shortened citation with the ``Sec.  '' 
symbol except where necessary to distinguish title 42 citations from 
other CFR titles, such as title 45 CFR, and in footnotes where the 
full reference is used.
    \4\ Subtitle F of title II of HIPAA, Public Law 104-191, 110 
Stat. 1936 (Aug. 21, 1996) added a new part C to title XI of the 
Social Security Act (SSA), Public Law 74-271, 49 Stat. 620 (Aug. 14, 
1935), (see sections 1171-1179 of the SSA (codified at 42 U.S.C. 
1320d-1320d-8)), as amended by the Health Information Technology for 
Economic and Clinical Health (HITECH) Act of 2009, Public Law 111-5, 
123 Stat. 226 (Feb. 17, 2009) (codified at 42 U.S.C. 139w-4(0)(2)), 
enacted as title XIII of division A and title IV of division B of 
the American Recovery and Reinvestment Act of 2009 (ARRA), Public 
Law 111-5, 123 Stat. 226 (Feb. 17, 2009).
    \5\ See the HIPAA Privacy Rule, 45 CFR parts 160 and 164, 
subparts A and E; the HIPAA Security Rule, 45 CFR parts 160 and 164, 
subparts A and C; the HIPAA Breach Notification Rule, 45 CFR part 
164, subpart D; and the HIPAA Enforcement Rule, 45 CFR part 160, 
subparts C, D, and E. Breach notification requirements were added by 
the HITECH Act.
    \6\ PHI is individually identifiable health information 
maintained or transmitted by or on behalf of a HIPAA covered entity. 
See 45 CFR 160.103 (definitions of ``Individually identifiable 
health information'' and ``Protected health information'').
---------------------------------------------------------------------------

    On December 2, 2022, the Department published a notice of proposed 
rulemaking (NPRM) proposing to modify part 2 consistent with the 
requirements of section 3221.\7\ In the NPRM, the Department proposed 
to: (1) enhance restrictions against the use and disclosure of part 2 
records \8\ in civil, criminal, administrative, and legislative 
proceedings; (2) provide for civil enforcement authority, including the 
imposition of civil money penalties (CMPs); (3) modify consent for uses 
and disclosures of part 2 records for treatment, payment, and health 
care operations (TPO) purposes; (4) impose breach notification 
obligations; (5) incorporate some definitions from the HIPAA 
regulations into part 2; (6) provide new patient rights to request 
restrictions on uses and disclosures and obtain an accounting of 
disclosures made with consent; (7) add a permission to disclose de-
identified records to public health authorities; and (8) address 
concerns about potential unintended consequences for government 
agencies that investigate part 2 programs due to the change in 
enforcement authority and penalties for violations of part 2.
---------------------------------------------------------------------------

    \7\ 87 FR 74216 (Dec. 2, 2022). The Department also proposed 
modifications to the HIPAA Notice of Privacy Practices (NPP) in 
January 2021 and April 2023. See Proposed Modifications to the HIPAA 
Privacy Rule to Support, and Remove Barriers to, Coordinated Care 
and Individual Engagement, 86 FR 6446 (Jan. 21, 2021) and HIPAA 
Privacy Rule To Support Reproductive Health Care Privacy 88 FR 23506 
(Apr. 17, 2023).
    \8\ Within this rule the terms records and part 2 records are 
used interchangeably to refer to information subject to part 2.
---------------------------------------------------------------------------

    The 60-day public comment period for the proposed rule closed on 
January 31, 2023, and the Department received approximately 220 
comments in response to its proposal.\9\ After considering the public 
comments, the Department is issuing this final rule that adopts many of 
the proposals set forth

[[Page 12474]]

in the NPRM, with certain modifications based on the input received. 
This final rule aligns certain part 2 requirements more closely with 
requirements of the HIPAA regulations to improve the ability of 
entities that are subject to part 2 to use and disclose part 2 records 
and make other changes to part 2, as described in this preamble. We 
believe this final rule implements the modifications required by the 
CARES Act amendments to 42 U.S.C. 290dd-2 and will decrease burdens on 
patients and providers, improve coordination of care and access to care 
and treatment, and protect the confidentiality of treatment records.
---------------------------------------------------------------------------

    \9\ The public comments are available at <a href="https://www.regulations.gov/docket/HHS-OCR-2022-0018/comments">https://www.regulations.gov/docket/HHS-OCR-2022-0018/comments</a>.
---------------------------------------------------------------------------

    The provisions of the proposed rule and the public comments 
received that were within the scope of the proposed rule are described 
in more detail below in sections III and IV.

B. Severability

    In this final rule, we adopt modifications to 42 CFR part 2 that 
support a unified scheme of privacy protections for part 2 records. 
While the unity and comprehensiveness of this scheme maximizes its 
utility, we clarify that its constituent elements operate independently 
to protect patient privacy. Were a provision of this regulation stayed 
or invalidated by a reviewing court, the provisions that remain in 
effect would continue to provide vital patient privacy protections. For 
example, the essential part 2 provisions concerning such issues as 
restrictions on use of part 2 records in criminal, civil, and 
administrative proceedings and written consent requirements would 
remain in effect even if certain other provisions, such as the 
limitation on civil or criminal liability in Sec.  2.3(b), were no 
longer in effect. Similarly, the provisions regulating different forms 
of conduct under part 2 (e.g., use, disclosure, consent requirements) 
each provide distinct benefits for patient privacy. Thus, we consider 
the provisions adopted in this final rule to be severable, both 
internally within this final rule and from the other provisions in part 
2, and the Department's intent is to preserve the rule in its entirety, 
and each independent provision of the rule, to the fullest extent 
possible.
    Accordingly, any provision of 42 CFR part 2 that is held to be 
invalid or unenforceable by its terms, or as applied to any person or 
circumstance, should be construed so as to give maximum effect to the 
provision permitted by law, unless such holding is one of utter 
invalidity or unenforceability, in which event the provision is 
intended to be severable from this part and not affect the remainder 
thereof or the application of the provision to other persons not 
similarly situated or to other dissimilar circumstances.

C. Summary of the Major Provisions

    After consideration of the public comments received in response to 
the NPRM, the Department is issuing this final rule as follows: \10\
---------------------------------------------------------------------------

    \10\ Additional revisions are not listed here because they are 
not considered major. Generally, the proposals not listed make non-
substantive changes. These proposals are reviewable in section IV 
and the amendatory language in the last section of the final rule 
and include proposals to modify Sec.  2.17 (Undercover agents and 
informants); Sec.  2.20 (Relationship to state laws); Sec.  2.21 
(Relationship to Federal statutes protecting research subjects 
against compulsory disclosure of their identity); and Sec.  2.34 
(Uses and Disclosures to prevent multiple enrollments).
---------------------------------------------------------------------------

1. Section 2.1--Statutory Authority for Confidentiality of Substance 
Use Disorder Patient Records
    Finalizes Sec.  2.1 to more closely reflect the authority granted 
in 42 U.S.C. 290dd-2(g), including with respect to court orders 
authorizing the disclosure of records under 42 U.S.C. 290dd-2(b)(2)(C).
2. Section 2.2--Purpose and Effect
    Finalizes paragraph (b) of Sec.  2.2 to compel disclosures to the 
Secretary \11\ that are necessary for enforcement of this rule, using 
language adapted from the HIPAA Privacy Rule at 45 CFR 
164.502(a)(2)(ii). Finalizes a new paragraph (b)(3) that prohibits any 
limits on a patient's right to request restrictions on use of records 
for TPO or a covered entity's \12\ choice to obtain consent to use or 
disclose records for TPO purposes as provided in the HIPAA Privacy 
Rule. References ``use and disclosure'' in Sec.  2.2(a) and (b). 
Removes reference to criminal penalty and finalizes new paragraph 
(b)(3).
---------------------------------------------------------------------------

    \11\ Unless otherwise stated, ``Secretary'' as used in this rule 
refers to the Secretary of HHS.
    \12\ Covered entities are health care providers who transmit 
health information electronically in connection with any transaction 
for which the Department has adopted an electronic transaction 
standard, health plans, and health care clearinghouses. See 45 CFR 
160.103 (definition of ``Covered entity'').
---------------------------------------------------------------------------

3. Section 2.3--Civil and Criminal Penalties for Violations
    Finalizes the heading of this section as above. This section as 
finalized now references the HIPAA enforcement authorities in the 
Social Security Act at sections 1176 (civil enforcement, including the 
culpability tiers established by the Health Information Technology for 
Economic and Clinical Health (HITECH) Act of 2009) and 1177 (criminal 
penalties),\13\ as implemented in the HIPAA Enforcement Rule.\14\ 
Paragraph (b) includes a limitation on civil or criminal liability 
(``safe harbor'') under part 2 for investigative agencies that act with 
reasonable diligence before making a demand for records in the course 
of an investigation or prosecution of a part 2 program or person 
holding the record, provided that certain conditions are met.\15\ 
Further modifies the ``reasonable diligence'' steps to mean taking all 
of the following actions: searching for the practice or provider among 
the SUD treatment facilities in SAMHSA's online treatment locator; 
searching in a similar state database of treatment facilities where 
available; checking a practice or program's website, where available, 
or physical location; viewing the entity's Patient Notice or HIPAA NPP 
if it is available; and taking all these steps within no more than 60 
days before requesting records or placing an undercover agent or 
informant. Updates language referring to enforcement, now set forth in 
paragraph (c).
---------------------------------------------------------------------------

    \13\ See Public Law 111-5, 123 Stat. 226 (Feb. 17, 2009). 
Section 13410 of the HITECH Act (codified at 42 U.S.C. 17939) 
amended sections 1176 and 1177 of the Social Security Act (codified 
at 42 U.S.C. 1320d-5 and 1320d-6) to add civil and criminal penalty 
tiers for violations of the HIPAA Administrative Simplification 
provisions.
    \14\ See 45 CFR part 160 subparts C, D, and E.
    \15\ Although this provision is not expressly required by the 
CARES Act, it falls within the Department's general rulemaking 
authority in 42 U.S.C. 290dd-2(g), and is needed to address the 
logical consequences of the changes required by sec. 3221.
---------------------------------------------------------------------------

4. Section 2.4--Complaints of Noncompliance
    Modifies the heading to refer to ``Complaints of noncompliance.'' 
Finalizes inclusion of requirements consistent with those applicable to 
HIPAA complaints under 45 CFR 164.530(d), (g), and (h), including a 
requirement for a part 2 program to establish a process to receive 
complaints. Adds a new provision permitting patients to file complaints 
with the Secretary in the same manner as under 45 CFR 160.306. 
Finalizes a prohibition against taking adverse action against patients 
who file complaints and a prohibition against requiring patients to 
waive the right to file a complaint as a condition of providing 
treatment, enrollment, payment, or eligibility for services.
5. Section 2.11--Definitions
    Finalizes definitions of the following terms within this part 
consistent with the NPRM: ``Breach,'' ``Business associate,'' ``Covered 
entity,'' ``Health

[[Page 12475]]

care operations,'' ``HIPAA,'' ``HIPAA regulations,'' ``Informant,'' 
``Part 2 program director,'' ``Program,'' ``Payment,'' ``Person,'' 
``Public health authority,'' ``Records,'' ``Substance use disorder 
(SUD),'' ``Third-party payer,'' ``Treating provider relationship,'' 
``Treatment,'' ``Unsecured protected health information,'' ``Unsecured 
record,'' and ``Use.'' Adds a definition of ``Substance Use Disorder 
(SUD) counseling notes'' on which input was requested in the NPRM. Adds 
new definitions of ``Lawful holder'' and ``Personal representative.'' 
Adopts a revised definition of ``Intermediary,'' but with an exclusion 
for part 2 programs, covered entities, and business associates. 
Modifies definition of ``Investigative agency'' to reference state, 
local, territorial, and Tribal investigative agencies. Modifies 
definition of ``Patient identifying information'' to ensure consistency 
with the de-identification standard incorporated into this final rule. 
Modifies the proposed definition of ``Qualified Service Organization'' 
(QSO) to expressly include business associates as QSOs where the QSO 
meets the definition of business associate for a covered entity that is 
also a part 2 program.
6. Section 2.12--Applicability
    Replaces ``Armed Forces'' with ``Uniformed Services'' in paragraphs 
(b)(1) and (c)(2) of Sec.  2.12. Incorporates four statutory examples 
of restrictions on the use or disclosure of part 2 records to initiate 
or substantiate any criminal charges against a patient or to conduct 
any criminal investigation of a patient. Adds language to qualify the 
term ``Third-party payer'' with the phrase ``as defined in this part.'' 
Specifies that a part 2 program, covered entity, or business associate 
\16\ that receives records based on a single consent for all future 
uses and disclosures for TPO is not required to segregate or segment 
such records. Revises paragraph (e)(4)(i) to clarify when a diagnosis 
is not covered by part 2.
---------------------------------------------------------------------------

    \16\ A business associate is a person, other than a workforce 
member, that performs certain functions or activities for or on 
behalf of a covered entity, or that provides certain services to a 
covered entity involving the disclosure of PHI to the person. See 45 
CFR 160.103 (definition of ``Business associate'').
---------------------------------------------------------------------------

7. Section 2.13--Confidentiality Restrictions and Safeguards
    Finalizes the redesignation of Sec.  2.13(d) requiring a list of 
disclosures as new Sec.  2.24 and modifies the text for clarity.
8. Section 2.14--Minor Patients
    Finalizes the change of the verb ``judges'' to ``determines'' to 
describe a part 2 program director's evaluation and decision that a 
minor lacks decision making capacity.
9. Section 2.15--Patients Who Lack Capacity and Deceased Patients
    Finalizes changes proposed in the NPRM. Changes the heading as 
above. Replaces outdated terminology and clarifies that paragraph (a) 
of this section refers to an adjudication by a court of a patient's 
lack of capacity to make health care decisions while paragraph (b) 
refers to a patient's lack of capacity to make health care decisions 
without court adjudication. Clarifies consent for uses and disclosures 
of records by personal representatives for patients who lack capacity 
to make health care decisions in paragraph (a) and deceased patients in 
paragraph (b)(2).
10. Section 2.16--Security for Records and Notification of Breaches
    Finalizes changes proposed in the NPRM. Changes the heading as 
above. Finalizes the de-identification provision to align with the 
HIPAA Privacy Rule standard at 45 CFR 164.514. Creates an exception to 
the requirement that part 2 programs and lawful holders create policies 
and procedures to secure records that applies to family, friends, and 
other informal caregivers who are lawful holders as defined in this 
regulation. Applies the HITECH Act breach notification provisions \17\ 
that are currently implemented in the HIPAA Breach Notification Rule to 
breaches of records by part 2 programs. Modifies the exemption for 
lawful holders by exempting them from Sec.  2.16(a) instead of only 
paragraph (a)(1).
---------------------------------------------------------------------------

    \17\ Section 13400 of the HITECH Act (codified at 42 U.S.C. 
17921) defined the term ``Breach''. Section 13402 of the HITECH Act 
(codified at 42 U.S.C. 17932) enacted breach notification 
provisions, discussed in detail below.
---------------------------------------------------------------------------

11. Section 2.19--Disposition of Records by Discontinued Programs
    Finalizes an exception to clarify that these provisions do not 
apply to transfers, retrocessions, and reassumptions of part 2 programs 
pursuant to the Indian Self-Determination and Education Assistance Act 
(ISDEAA), to facilitate the responsibilities set forth in 25 U.S.C. 
5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C. 5324(e), 25 U.S.C. 5330, 25 
U.S.C. 5386(f), 25 U.S.C. 5384(d), and the implementing ISDEAA 
regulations. Updates the language to refer to ``non-electronic'' 
records and include ``paper'' records as an example of non-electronic 
records.
12. Section 2.22--Notice to Patients of Federal Confidentiality 
Requirements
    Finalizes proposed changes to requirements for notice to patients 
of Federal confidentiality requirements (hereinafter, ``Patient 
Notice'') to address protections required by 42 U.S.C. 290dd-2, as 
amended by section 3221 of the CARES Act. Modifies the statement of a 
patient's right to discuss the notice with a designated contact person 
by permitting the part 2 program to list an office rather than naming a 
person. Further modifies the list of patient rights to include the 
following: (1) a right to a list of disclosures by an intermediary for 
the past 3 years as provided in Sec.  2.24 (moved from the consent 
requirements in Sec.  2.31); and (2) a right to elect not to receive 
any fundraising communications to fundraise for the benefit of the part 
2 program. Further modifies the fundraising provision by replacing the 
proposed requirement to obtain patient consent with a requirement to 
provide individuals with the opportunity to opt out of receiving 
fundraising communications, which more closely aligns with the HIPAA 
regulations. Clarifies that a court order authorizing use or disclosure 
must be accompanied by a subpoena or similar legal mandate compelling 
disclosure.
13. Section 2.23--Patient Access and Restrictions on Use and Disclosure
    Finalizes the heading as above. Adds the term ``disclosure'' to the 
heading and body of this section to clarify that information obtained 
by patient access to their record may not be used or disclosed for 
purposes of a criminal charge or criminal investigation.
14. Section 2.24--Requirements for Intermediaries
    Finalizes the retitling of the redesignated section that is moved 
from Sec.  2.13(d) as above to clarify the responsibilities of 
recipients of records received under a consent with a general 
designation (other than part 2 programs, covered entities, and business 
associates), such as research institutions, accountable care 
organizations (ACOs), and care management organizations.
15. Section 2.25--Accounting of Disclosures
    Finalizes this new section to implement 42 U.S.C. 290dd-2(b)(1)(B), 
as amended by section 3221 of the CARES Act, to add a right to an

[[Page 12476]]

accounting of all disclosures made with consent for up to three years 
prior to the date the accounting is requested. A separate provision 
applies to disclosures for TPO purposes made through an EHR. The 
compliance date for Sec.  2.25 is tolled until the HIPAA Accounting of 
Disclosures provision at 45 CFR 164.528 is revised to address 
accounting for TPO disclosures made through an EHR.
16. Section 2.26--Right To Request Privacy Protection for Records
    Finalizes this new section to implement 42 U.S.C. 290dd-2(b)(1)(B), 
as amended by section 3221 of the CARES Act, to incorporate into
part 2 the rights set forth in the HIPAA Privacy Rule at 45 CFR 
164.522, including: (1) a patient right to request restrictions on 
disclosures of records otherwise permitted for TPO purposes, and (2) a 
patient right to obtain restrictions on disclosures to health plans for 
services paid in full by the patient.
17. Subpart C--Uses and Disclosures With Patient Consent
    Finalizes change to the heading of subpart C as above to reflect 
changes made to the provisions of this subpart related to the consent 
to use and disclose part 2 records, consistent with 42 U.S.C. 290dd-
2(b), as amended by section 3221(b) of the CARES Act.
18. Section 2.31--Consent Requirements
    Finalizes the proposed alignment of the content requirements for 
part 2 written consent with the content requirements for a valid HIPAA 
authorization and clarifies how recipients may be designated in a 
consent to use and disclose part 2 records for TPO. Further modifies 
the rule by replacing the proposed requirement to obtain consent for 
fundraising with an opportunity for the patient to opt out. Adds 
consent provisions for uses and disclosures of SUD counseling notes, 
and adds an express requirement for separate consent for use and 
disclosure of records in civil, criminal, administrative, or 
legislative proceedings.
19. Section 2.32--Notice and Copy of Consent To Accompany Disclosure
    Further modifies the proposed heading to read as above by inserting 
``and copy of consent''. Finalizes the proposed alignment of the 
content requirements for the required notice that accompanies a 
disclosure of records (hereinafter ``Notice to Accompany Disclosure'') 
with the requirements of 42 U.S.C. 290dd-2(b), as amended by section 
3221(b) of the CARES Act. Further modifies this section by creating a 
new requirement that each disclosure made with the patient's written 
consent must be accompanied by a copy of the consent or a clear 
explanation of the scope of the consent provided.
20. Section 2.33--Uses and Disclosures Permitted With Written Consent
    Changes the heading as proposed, to read as above. Aligns this 
provision with the statutory authority in 42 U.S.C. 290dd-2(b)(1), as 
amended by section 3221(b) of the CARES Act. Replaces the provisions 
requiring consent for uses and disclosures for payment and certain 
health care operations with permission to use and disclose records for 
TPO with a single consent given once for all such future uses and 
disclosures (``TPO consent'') as permitted by the HIPAA regulations, 
until such time as the patient revokes the consent in writing. 
Finalizes proposed redisclosure permissions for three categories of 
recipients of part 2 records pursuant to a written consent with some 
additional modifications to limit the ability to redisclose part 2 
records in accordance with HIPAA to covered entities and business 
associates, as follows: (1) permits a covered entity or business 
associate that receives part 2 records pursuant to a TPO consent to 
redisclose the records in accordance with the HIPAA regulations, except 
for certain proceedings against the patient; \18\ (2) permits a part 2 
program that is not a covered entity to redisclose records received 
pursuant to a TPO consent according to the consent; and (3) permits a 
lawful holder that is not a covered entity or business associate to 
redisclose part 2 records for payment and health care operations to its 
contractors, subcontractors, or legal representatives as needed to 
carry out the activities specified in the consent. Finalizes the 
contracting requirements in paragraph (c) to exclude covered entities 
and business associates because they are subject to HIPAA business 
associate agreement requirements.
---------------------------------------------------------------------------

    \18\ See 42 U.S.C. 290dd-2(b)(1)(B) and (c).
---------------------------------------------------------------------------

21. Section 2.35--Disclosures to Elements of the Criminal Justice 
System Which Have Referred Patients
    Finalizes the proposals to replace ``individuals'' with ``persons'' 
and clarifies that permitted redisclosures of information are from part 
2 records.
22. Subpart D--Uses and Disclosures Without Patient Consent
    Finalizes the proposal to change the heading of subpart D to 
reflect changes made to the provisions of this subpart related to the 
consent to use and disclose part 2 records, consistent with 42 U.S.C. 
290dd-2 as amended by the CARES Act.
23. Section 2.51--Medical Emergencies
    Finalizes the proposal to replace the term ``individual'' with the 
term ``person'' in Sec.  2.51(c)(2).
24. Section 2.52--Scientific Research
    Finalizes the proposed modifications to the heading as above to 
reflect statutory language. The final rule further aligns with the 
HIPAA Privacy Rule by replacing the requirements to render part 2 data 
in research reports non-identifiable with the HIPAA Privacy Rule's de-
identification standard in 45 CFR 164.514.
25. Section 2.53--Management Audits, Financial Audits, and Program 
Evaluation
    Finalizes changes as proposed. Modifies the heading to reflect 
statutory language. To support implementation of 42 U.S.C. 290dd-
2(b)(1), as amended by section 3221(b) of the CARES Act, adds a 
provision to acknowledge the permission to use and disclose records for 
health care operations purposes based on written consent of the patient 
and the permission to redisclose such records as permitted by the HIPAA 
Privacy Rule if the recipient is a part 2 program, covered entity, or 
business associate.
26. Section 2.54--Disclosures for Public Health
    Finalizes the proposed addition of this section to implement 42 
U.S.C. 290dd-2(b)(2)(D), as amended by section 3221(c) of the CARES 
Act, to permit the disclosure of records without patient consent to 
public health authorities provided that the records disclosed are de-
identified according to the standards established in 45 CFR 
164.514.
27. Subpart E--Court Orders Authorizing Use and Disclosure
    Finalizes proposed modifications to the heading of subpart E as 
above to reflect changes made to the provisions of this subpart related 
to the uses and disclosure of part 2 records in proceedings consistent 
with 42 U.S.C. 290dd-2(b) and (2)(c), as amended by sections 3221(b) 
and (e) of the CARES Act.
28. Section 2.62--Order Not Applicable to Records Disclosed Without 
Consent to Researchers, Auditors, and Evaluators
    Finalizes the proposed replacement of the term ``qualified 
personnel'' with a

[[Page 12477]]

reference to the criteria that define such persons and adds a reference 
to Sec.  2.53 as a technical edit.
29. Section 2.63--Confidential Communications
    Finalizes proposed changes to paragraph (a)(3) of Sec.  2.63 to 
expressly include civil, criminal, administrative, and legislative 
proceedings as forums where the requirements for a court order under 
this part would apply, to implement 42 U.S.C. 290dd-2(c), as amended by 
section 3221(c) of the CARES Act.
30. Section 2.64--Procedures and Criteria for Orders Authorizing Uses 
and Disclosures for Noncriminal Purposes
    Finalizes proposed changes that expand the types of forums where 
restrictions on use and disclosure of records in civil proceedings 
against patients apply \19\ to expressly include administrative and 
legislative proceedings and also restricts the use of testimony 
conveying information in a record in civil proceedings against 
patients, absent consent or a court order.
---------------------------------------------------------------------------

    \19\ See 42 CFR part 2, subpart E.
---------------------------------------------------------------------------

31. Section 2.65--Procedures and Criteria for Orders Authorizing Use 
and Disclosure of Records To Criminally Investigate or Prosecute 
Patients
    Finalizes changes as proposed. Modifies the heading as above. 
Expands the types of forums where restrictions on uses and disclosure 
of records in criminal proceedings against patients apply \20\ to 
expressly include administrative and legislative proceedings and also 
restricts the use of testimony conveying information in a part 2 record 
in criminal proceedings against patients, absent consent or a court 
order.
---------------------------------------------------------------------------

    \20\ Id.
---------------------------------------------------------------------------

32. Section 2.66--Procedures and Criteria for Orders Authorizing Use 
and Disclosure of Records To Investigate or Prosecute a Part 2 Program 
or the Person Holding the Records
    Finalizes changes as proposed and adds new changes. Modifies the 
heading as above. Finalizes requirements for investigative agencies to 
follow in the event that they discover in good faith that they received 
part 2 records during an investigation or prosecution of a part 2 
program or the person holding the records, in order to seek a court 
order as required under Sec.  2.66. Adds a further modification to 
provide that information from records obtained in violation of this 
part cannot be used in an application for a court order to obtain such 
records.
33. Section 2.67--Orders Authorizing the Use of Undercover Agents and 
Informants To Investigate Employees or Agents of a Part 2 Program in 
Connection With a Criminal Matter
    Finalizes proposed criteria for issuance of a court order in 
instances where an application is submitted after the placement of an 
undercover agent or informant has already occurred, requiring an 
investigative agency to satisfy the conditions at Sec.  2.3(b). Adds a 
further modification to provide that information from records obtained 
in violation of this part cannot be used in an application for a court 
order to obtain such records.
34. Section 2.68--Report to the Secretary
    Finalizes the proposed requirement for investigative agencies to 
file annual reports about the instances in which they applied for a 
court order after receipt of part 2 records or placement of an 
undercover agent or informant as provided in Sec. Sec.  2.66(a)(3) and 
2.67(c)(4).
35. General Changes To Use and Disclosure
    Finalizes proposed changes to re-order ``disclosure and use'' to 
``use and disclosure'' throughout the regulation consistent with their 
usage in the HIPAA Privacy Rule which generally regulates the ``use and 
disclosure'' of PHI and relies on the phrase as a term of art.\21\ 
Inserts ``use'' or ``disclose'' to reflect the scope of activity that 
is the subject of the regulatory provision.
---------------------------------------------------------------------------

    \21\ See, e.g., 45 CFR 164.502, Uses and disclosures of 
protected health information: General rules.
---------------------------------------------------------------------------

D. Summary of the Costs and Benefits of the Major Provisions

    This final rule is anticipated to have an annual effect on the 
economy of $12,720,000 in the first year of the rule, followed by net 
savings in years two through five, resulting in overall net cost 
savings of $8,445,706 over five years. The Office of Management and 
Budget (OMB) has determined that this proposed rule is a significant 
regulatory action under section 3(f) of E.O. 12866, but not under 
section 3(f)(1).
    Accordingly, the Department has prepared a Regulatory Impact 
Analysis (RIA) that presents the estimated costs and benefits of the 
rule.

II. Statutory and Regulatory Background

Confidentiality of SUD Records

    Congress enacted the first Federal confidentiality protections for 
SUD records in section 333 of the Comprehensive Alcohol Abuse and 
Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970.\22\ 
This statute authorized ``persons engaged in research on, or treatment 
with respect to, alcohol abuse and alcoholism to protect the privacy of 
individuals who [were] the subject of such research or treatment'' from 
persons not connected with the conduct of the research or treatment by 
withholding identifying information.
---------------------------------------------------------------------------

    \22\ See sec. 333, Public Law 91-616, 84 Stat. 1853 (Dec. 31, 
1970) (codified at 42 U.S.C. 2688h).
---------------------------------------------------------------------------

    Section 408 of the Drug Abuse Office and Treatment Act of 1972 \23\ 
applied confidentiality requirements to records relating to drug abuse 
prevention authorized or assisted under any provision of the Act. 
Section 408 permitted disclosure, with a patient's written consent, for 
diagnosis or treatment by medical personnel and to government personnel 
for obtaining patient benefits to which the patient is entitled. The 
1972 Act also established exceptions to the consent requirement to 
permit disclosures for bona fide medical emergencies; to qualified 
personnel for conducting certain activities, such as scientific 
research or financial audit or program evaluation, as long as the 
patient is not identified in any reports; and as authorized by court 
order granted after application showing good cause.\24\
---------------------------------------------------------------------------

    \23\ See sec. 408, Public Law 92-255, 86 Stat. 65 (Mar. 21, 
1972) (codified at 21 U.S.C. 1175). Section 408 also prohibited the 
use of a covered record for use or initiation or substantiation of 
criminal charges against a patient or investigation of a patient. 
Section 408 provided for a fine in the amount of $500 for a first 
offense violation, and not more than $5,000 for each subsequent 
offense.
    \24\ Id.
---------------------------------------------------------------------------

    The Comprehensive Alcohol Abuse and Alcoholism Prevention, 
Treatment, and Rehabilitation Act Amendments of 1974 \25\ expanded the 
types of records protected by confidentiality restrictions to include 
records relating to ``alcoholism,'' ``alcohol abuse'', and ``drug 
abuse'' maintained in connection with any program or activity 
conducted,

[[Page 12478]]

regulated, or directly or indirectly federally assisted by any United 
States agency. The 1974 Act also permitted the disclosure of records 
based on prior written patient consent only to the extent such 
disclosures were allowed under Federal regulations. Additionally, the 
1974 Act excluded the interchange of records within the Armed Forces or 
components of the U.S. Department of Veterans Affairs (VA), then known 
as the Veterans' Administration, from the confidentiality 
restrictions.\26\
---------------------------------------------------------------------------

    \25\ See sec. 101, title I, Public Law 93-282, 88 Stat. 126 (May 
14, 1974) (codified at 42 U.S.C. 4541 note), providing that: ``This 
title [enacting this section and sections 4542, 4553, 4576, and 4577 
of this title, amending sections 242a, 4571, 4572, 4573, 4581, and 
4582 of this title, and enacting provisions set out as notes under 
sections 4581 and 4582 of this title] may be cited as the 
`Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, 
and Rehabilitation Act Amendments of 1974'.''
    \26\ See sec. 408, title I, Public Law 92-255, 86 Stat. 79 (Mar. 
21, 1972) (originally codified at 21 U.S.C. 1175). See 21 U.S.C. 
1175 note for complete statutory history.
---------------------------------------------------------------------------

    In 1992, section 131 of the Alcohol, Drug Abuse, and Mental Health 
Administration Reorganization Act (ADAMHA Reorganization Act) \27\ 
added section 543, Confidentiality of Records, to the Public Health 
Service Act (PHSA) \28\ (``part 2 statute''), which narrowed the 
grounds upon which a court could grant an order permitting disclosure 
of such records from ``good cause'' (i.e., based on weighing the public 
interest in the need for disclosure against the injury to the patient, 
the physician-patient relationship, and treatment services) \29\ to ``the 
need to avert a substantial risk of death or serious bodily harm.'' 
\30\ Congress also established criminal penalties for part 2 violations 
under title 18 of the United States Code, Crimes and Criminal 
Procedure.\31\ Finally, section 543 granted broad authority to the 
Secretary of HHS to prescribe regulations to carry out the purposes of 
section 543 and provide for safeguards and procedures, including 
criteria for the issuance and scope of court orders to authorize 
disclosure of SUD records, ``as in the judgment of the Secretary are 
necessary or proper to effectuate the purposes of this section, to 
prevent circumvention or evasion thereof, or to facilitate compliance 
therewith.'' \32\
---------------------------------------------------------------------------

    \27\ See sec. 131, Public Law 102-321, 106 Stat. 323 (July 10, 
1992) (codified at 42 U.S.C. 201 note).
    \28\ Codified at 42 U.S.C. 290dd-2.
    \29\ See sec. 333, Public Law 91-616, 84 Stat. 1853 (Dec. 31, 
1970).
    \30\ See sec. 131, Public Law 102-321, 106 Stat. 323 (July 10, 
1992) (codified at 42 U.S.C. 201 note).
    \31\ Id., adding sec. 543(b)(2)(C) to the PHSA.
    \32\ Id., adding sec. 543(g) to the PHSA.
---------------------------------------------------------------------------

    In 1975, the Department promulgated the first Federal regulations 
implementing statutory SUD confidentiality provisions at 42 CFR part 
2.\33\ In 1987, the Department published a final rule making 
substantive changes to the scope of part 2 to clarify the regulations 
and ease the burden of compliance by part 2 programs within the 
parameters of the existing statutory restrictions.\34\ After the 1992 
enactment of the ADAMHA Reorganization Act, the Department later 
clarified the definition of ``program'' in a 1995 final rule to narrow 
the scope of part 2 regulations pertaining to medical facilities to 
cover identified units within general medical facilities that hold 
themselves out as providing, and provide, SUD treatment, and medical 
personnel or other staff in a general medical care facility whose 
primary function is the provision of SUD diagnosis, treatment, or 
referral for treatment and who are identified as such providers.\35\
---------------------------------------------------------------------------

    \33\ See 40 FR 27802 (July 1, 1975).
    \34\ See 52 FR 21796 (June 9, 1987). See also Notice of Decision 
to Develop Regulations, 45 FR 53 (Jan. 2, 1980) and (Aug. 25, 1983).
    \35\ See 60 FR 22296 (May 5, 1995). See also 59 FR 42561 (Aug. 
18, 1994) and 59 FR 45063 (Aug. 31, 1994). The ambiguity of the 
definition of ``program'' was identified in United States v. Eide, 
875 F. 2d 1429 (9th Cir. 1989) where the court held that the general 
emergency room is a ``program'' as defined by the regulations.
---------------------------------------------------------------------------

HIPAA and the HITECH Act

    In 1996, Congress enacted HIPAA,\36\ which included Administrative 
Simplification provisions requiring the establishment of national 
standards \37\ to protect the privacy and security of individuals' PHI 
and establishing civil money and criminal penalties for violations of 
the requirements, among other provisions.\38\ The Administrative 
Simplification provisions and implementing regulations apply to covered 
entities, which are health care providers who conduct covered health 
care transactions electronically, health plans, and health care 
clearinghouses.\39\ Certain provisions of the HIPAA regulations also 
apply directly to ``business associates'' of covered entities.\40\
---------------------------------------------------------------------------

    \36\ See Public Law 104-191, 110 Stat. 1936 (Aug. 21, 1996).
    \37\ See the Administrative Simplification provisions of title 
II, subtitle F, of HIPAA, supra note 4. See also sec. 264 of HIPAA 
(codified at 42 U.S.C. 1320d-2 note). See also, Centers for Medicare 
& Medicaid Services, ``HIPAA and Administrative Simplification'' 
(Sept. 6, 2023), <a href="https://www.cms.gov/about-cms/what-we-do/administrative-simplification/hipaa/statutes-regulations">https://www.cms.gov/about-cms/what-we-do/administrative-simplification/hipaa/statutes-regulations</a>.
    \38\ See 42 U.S.C. 1320d-1-1320d-9. With respect to privacy 
standards, Congress directed the Department to ``address at least 
the following: (1) The rights that an individual who is a subject of 
individually identifiable health information should have. (2) The 
procedures that should be established for the exercise of such 
rights. (3) The uses and disclosures of such information that should 
be authorized or required.'' 42 U.S.C. 1320d-2 note.
    \39\ See 42 U.S.C. 1320d-1 (applying Administrative 
Simplification provisions to covered entities).
    \40\ See ``Office for Civil Rights Fact Sheet on Direct 
Liability of Business Associates under HIPAA'' (May 2019) for a 
comprehensive list of requirements in the HIPAA regulations that 
apply directly to business associates, <a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html">https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html</a>.
---------------------------------------------------------------------------

    The HIPAA Privacy Rule, including provisions implemented as a 
result of the HITECH Act,\41\ regulates the use and disclosure of PHI 
by covered entities and business associates, requires covered entities 
to have safeguards in place to protect the privacy of PHI, and requires 
covered entities to obtain the written authorization of an individual 
to use and disclose the individual's PHI unless the use or disclosure 
is otherwise required or permitted by the HIPAA Privacy Rule.\42\ The 
HIPAA Privacy Rule includes several use and disclosure permissions that 
are relevant to this NPRM, including the permissions for covered 
entities to use and disclose PHI without written authorization from an 
individual for TPO; \43\ to public health authorities for public health 
purposes; \44\ and for research in the form of a limited data set \45\ 
or pursuant to a waiver of authorization by a Privacy Board or 
Institutional Review Board.\46\ The HIPAA Privacy Rule also establishes 
the rights of individuals with respect to their PHI, including the 
rights to: receive adequate notice of a covered entity's privacy 
practices; request restrictions of certain uses and disclosures; access 
(i.e., to inspect and obtain a copy of) their PHI; request an amendment 
of their PHI; and receive an accounting of certain disclosures of their 
PHI.\47\ Finally, the HIPAA Privacy Rule specifies standards for de-
identification of PHI such that, when implemented, the information is 
no longer individually identifiable health

[[Page 12479]]

information subject to the HIPAA regulations.\48\
---------------------------------------------------------------------------

    \41\ The HITECH Act extended the applicability of certain HIPAA 
Privacy Rule requirements and all of the HIPAA Security Rule 
requirements to the business associates of covered entities; 
required HIPAA covered entities and business associates to provide 
for notification of breaches of unsecured PHI (implemented by the 
HIPAA Breach Notification Rule); established new limitations on the 
use and disclosure of PHI for marketing and fundraising purposes; 
prohibited the sale of PHI; required consideration of whether a 
limited data set can serve as the minimum necessary amount of 
information for uses and disclosures of PHI; and expanded 
individuals' rights to access electronic copies of their PHI in an 
electronic health record (EHR), to receive an accounting of 
disclosures of their PHI with respect to electronic PHI (ePHI), and 
to request restrictions on certain disclosures of PHI to health 
plans. In addition, subtitle D strengthened and expanded HIPAA's 
enforcement provisions. See subtitle D of title XIII of the HITECH 
Act, entitled ``Privacy'', for all provisions (codified in title 42 
of U.S.C.).
    \42\ See 45 CFR 164.502(a).
    \43\ See 45 CFR 164.506.
    \44\ See 45 CFR 164.512(b).
    \45\ See 45 CFR 164.514(e)(1) through (4).
    \46\ See 45 CFR 164.512(i).
    \47\ See 45 CFR 164.520, 164.522, 164.524, 164.526 and 164.528.
    \48\ See 45 CFR 164.514(a) through (c).
---------------------------------------------------------------------------

    The HIPAA Security Rule, codified at 45 CFR parts 160 and 164, 
subparts A and C, requires covered entities and their business 
associates to implement administrative, physical, and technical 
safeguards to protect electronic PHI (ePHI). Specifically, covered 
entities and business associates must ensure the confidentiality, 
integrity, and availability of all ePHI they create, receive, maintain, 
or transmit; \49\ protect against reasonably anticipated threats or 
hazards to the security or integrity of the information \50\ and 
reasonably anticipated impermissible uses or disclosures; \51\ and 
ensure compliance by their workforce.\52\
---------------------------------------------------------------------------

    \49\ See 45 CFR 164.306(a)(1).
    \50\ See 45 CFR 164.306(a)(2).
    \51\ See 45 CFR 164.306(a)(3).
    \52\ See 45 CFR 164.306(a)(4).
---------------------------------------------------------------------------

    The HIPAA Breach Notification Rule, codified at 45 CFR parts 160 
and 164, subparts A and D, implements HITECH Act requirements \53\ for 
covered entities to provide notification to affected individuals, the 
Secretary, and in some cases the media, following a ``breach'' of 
unsecured PHI. The HIPAA Breach Notification Rule also requires a 
covered entity's business associate that experiences a breach of 
unsecured PHI to notify the covered entity of the breach. A breach is 
the acquisition, access, use, or disclosure of PHI in a manner not 
permitted by the HIPAA Privacy Rule that compromises the security or 
privacy of ``unsecured'' PHI, subject to three exceptions: \54\ (1) the 
unintentional acquisition, access, or use of PHI by a workforce member 
or person acting under the authority of a covered entity or business 
associate, if such acquisition, access, or use was made in good faith 
and within the scope of authority; (2) the inadvertent disclosure of 
PHI by a person authorized to access PHI at a covered entity or 
business associate to another person authorized to access PHI at the 
covered entity or business associate, or organized health care 
arrangement in which the covered entity participates; and (3) the 
covered entity or business associate making the disclosure has a good 
faith belief that the unauthorized person to whom the impermissible 
disclosure was made would not reasonably have been able to retain the 
information.
---------------------------------------------------------------------------

    \53\ See sec. 13402 of the HITECH Act (codified at 42 U.S.C. 
17932).
    \54\ See 45 CFR 164.402, ``breach'', paragraph (1).
---------------------------------------------------------------------------

    The HIPAA Breach Notification Rule provides that a covered entity 
may rebut the presumption that such impermissible use or disclosure 
constituted a breach by demonstrating that there is a low probability 
that PHI has been compromised based on a risk assessment of at least 
four required factors: (1) the nature and extent of the PHI involved, 
including the types of identifiers and the likelihood of re-
identification; (2) the unauthorized person who used the PHI or to whom 
the disclosure was made; (3) whether the PHI was actually acquired or 
viewed; and (4) the extent to which the risk to the PHI has been 
mitigated.\55\
---------------------------------------------------------------------------

    \55\ Id. paragraph (2).
---------------------------------------------------------------------------

    The HIPAA Enforcement Rule, codified at 45 CFR part 160 subparts C, 
D, and E, includes standards and procedures relating to investigations 
into complaints about noncompliance with the HIPAA regulation, 
compliance reviews, the imposition of CMPs, and procedures for 
hearings. The HIPAA Enforcement Rule states generally that the 
Secretary will impose a CMP upon a covered entity or business associate 
if the Secretary determines that the covered entity or business 
associate violated a HIPAA Administrative Simplification provision.\56\ 
However, the HIPAA Enforcement Rule also provides for informal 
resolution of potential noncompliance,\57\ which occurs through 
voluntary compliance by the regulated entity, corrective action, or a 
resolution agreement with the payment of a settlement amount to HHS 
Office for Civil Rights (OCR).
---------------------------------------------------------------------------

    \56\ Criminal penalties may be imposed by the Department of 
Justice for certain violations under 42 U.S.C. 1320d-6.
    \57\ See 45 CFR 160.304. See also 45 CFR 160.416 and 160.514.
---------------------------------------------------------------------------

    The Department promulgated or modified key provisions of the HIPAA 
regulations as part of the ``Modifications to the HIPAA Privacy, 
Security, Enforcement, and Breach Notification Rules Under the Health 
Information Technology for Economic and Clinical Health Act and the 
Genetic Information Nondiscrimination Act, and Other Modifications to 
the HIPAA Rules'' final rule (``2013 Omnibus Final Rule''),\58\ in 
which the Department implemented applicable provisions of the HITECH 
Act, among other modifications. For example, the Department 
strengthened privacy and security protections for PHI, finalized breach 
notification requirements, and enhanced enforcement by increasing 
potential CMPs for violations, including establishing tiers of 
penalties based on a covered entity's or business associate's level of 
culpability.\59\
---------------------------------------------------------------------------

    \58\ 78 FR 5566 (Jan. 25, 2013).
    \59\ Id.
---------------------------------------------------------------------------

    The Secretary of HHS delegated authority to OCR to make decisions 
regarding the implementation and interpretation of the HIPAA Privacy, 
Security, Breach Notification, and Enforcement regulations.\60\
---------------------------------------------------------------------------

    \60\ See U.S. Dep't of Health and Human Servs., Office of the 
Secretary, Office for Civil Rights; Statement of Delegation of 
Authority, 65 FR 82381 (Dec. 28, 2000); U.S. Dep't of Health and 
Human Servs., Office of the Secretary, Office for Civil Rights; 
Delegation of Authority, 74 FR 38630 (Aug. 4, 2009); U.S. Dep't of 
Health and Human Servs., Office of the Secretary, Statement of 
Organization, Functions and Delegations of Authority, 81 FR 95622 
(Dec. 28, 2016).
---------------------------------------------------------------------------

Earlier Efforts To Align Part 2 With the HIPAA Regulations

    Prior to amendment by the CARES Act, 42 U.S.C. 290dd-2 provided 
that records could be disclosed only with the patient's prior written 
consent, with limited exceptions.\61\ The exceptions related to records 
maintained by VA or the Armed Forces and, for example, disclosures for 
continuity of care in emergency situations or between personnel who 
have a need for the information in connection with their duties that 
arise out of the provision of the diagnosis, treatment, or referral for 
treatment of patients with SUD.\62\ The exceptions did not include, for 
example, a disclosure of part 2 records by a part 2 program to a third-
party medical provider to treat a condition other than SUD absent an 
emergency situation. Therefore, the current part 2 regulations require 
prior written consent of the patient for most uses and disclosures of 
part 2 records, including for non-emergency treatment purposes. In 
contrast, the HIPAA Privacy Rule permits covered entities to use and 
disclose an individual's PHI for TPO without the individual's HIPAA 
authorization.\63\
---------------------------------------------------------------------------

    \61\ The limited exceptions are codified in current regulation 
at 42 CFR 2.12(c) and 42 CFR part 2, subpart D.
    \62\ See 42 CFR 2.12(c)(3). These disclosures are limited to 
communications within a part 2 program or between a part 2 program 
and an entity having direct administrative control over the part 2 
program.
    \63\ See 45 CFR 164.501.
---------------------------------------------------------------------------

    The Department has modified and clarified part 2 several times to 
align certain provisions more closely with the HIPAA Privacy Rule,\64\ 
address changes in health information technology (health IT), and 
provide greater flexibility for disclosures of patient identifying 
information within the health care system, while continuing to protect 
the confidentiality of part 2 records.\65\ For example, the Department 
clarified in a 2017 final rule that the definition of ``patient 
identifying information'' in

[[Page 12480]]

part 2 includes the individual identifiers listed in the HIPAA Privacy 
Rule at 45 CFR 164.514(b)(2)(i) for those identifiers that are not 
already listed in the part 2 definition.\66\ The 2017 final rule also 
revised Sec.  2.16 (Security for Records) to more closely align with 
HIPAA and permitted the use of a consent that generally designates the 
recipient of records rather than naming a specific person.\67\
---------------------------------------------------------------------------

    \64\ See 85 FR 42986 (July 15, 2020) and 83 FR 239 (Jan. 3, 
2018).
    \65\ 82 FR 6052 (Jan. 18, 2017). See also 81 FR 6988 (Feb. 9, 
2016).
    \66\ See 82 FR 6052, 6064.
    \67\ 82 FR 6052, 6054.
---------------------------------------------------------------------------

    In 2018, the Department issued a final rule clarifying the 
circumstances under which lawful holders and their legal 
representatives, contractors, and subcontractors could use and disclose 
part 2 records related to payment and health care operations in Sec.  
2.33(b) and for audit or evaluation-related purposes. The Department 
clarified that the previously listed types of payment and health care 
operations uses and disclosures under the lawful holder permission in 
Sec.  2.33(b) were illustrative rather than definitive, and therefore 
were not included in regulatory text.\68\ The Department also acknowledged the 
similarity of the list of activities to those included in the HIPAA 
Privacy Rule definition of ``health care operations'' but declined to 
fully incorporate that definition into part 2.\69\ The Department 
specifically excluded care coordination and case management from the 
list of payment and health care operations activities permitted without 
prior written consent of the patient under part 2 based on a 
determination that these activities are akin to treatment.
---------------------------------------------------------------------------

    \68\ See 83 FR 239, 241-242.
    \69\ Id. at 242.
---------------------------------------------------------------------------

    In 2018, the Department also codified language for an abbreviated 
Notice to Accompany Disclosure of part 2 records.\70\ Although the rule 
retained the requirement that a patient must consent before a lawful 
holder may redisclose part 2 records for treatment,\71\ the Department 
explained that the purpose of the part 2 regulations is to ensure that 
a patient receiving treatment for an SUD is not made more vulnerable by 
reason of the availability of their patient records than an individual 
with an SUD who does not seek treatment.\72\ The Department 
simultaneously recognized the legitimate needs of lawful holders to 
obtain payment and conduct health care operations as long as the core 
protections of part 2 are maintained.\73\
---------------------------------------------------------------------------

    \70\ 83 FR 239, 240. See also 82 FR 5485, 5487 (Jan. 18, 2017).
    \71\ 83 FR 239, 242.
    \72\ 82 FR 6052, 6053.
    \73\ 83 FR 239, 242.
---------------------------------------------------------------------------

    In a final rule published July 15, 2020,\74\ the Department 
retained the requirement that programs obtain prior written consent 
before disclosing part 2 records in the first instance (outside of 
recognized exceptions). At the same time the Department reversed its 
previous exclusion of care coordination and case management from the 
list of payment and health care operations in Sec.  2.33(b) for which a 
lawful holder may make further disclosures to its contractors, 
subcontractors, and legal representatives.\75\ The Department based 
this change on comments received on the proposed rule in 2019 and on 
section 3221(d)(4) of the CARES Act, which incorporated the HIPAA 
Privacy Rule definition of ``health care operations,'' including care 
coordination and case management activities,\76\ into paragraph (k)(4) 
of 42 U.S.C. 290dd-2.\77\ The July 2020 final rule also modified the 
consent requirements in Sec.  2.31 by establishing special requirements 
for written consent \78\ when the recipient of part 2 records is a 
health information exchange (HIE) (as defined in 45 CFR 171.102 \79\). 
In this final rule, the Department now finalizes a definition of the 
term ``intermediary'' \80\ to further facilitate the exchange of part 2 
records in new models of care, including those involving a research 
institution providing treatment, an ACO, or a care coordination or care 
management organization.\81\
---------------------------------------------------------------------------

    \74\ 85 FR 42986. See also 84 FR 44568 (Aug. 26, 2019).
    \75\ See 42 CFR 2.33(b).
    \76\ See 45 CFR 164.501.
    \77\ See 85 FR 42986, 43008-009. Sec. 3221(k)(4) expressed the 
Sense of Congress that the Department should exclude paragraph 
(6)(v) of 45 CFR 164.501 (relating to creating de-identified health 
information or a limited data set, and fundraising for the benefit 
of the covered entity) from the definition of ``health care 
operations'' in applying the definition to these records.
    \78\ See 85 FR 42986, 43006.
    \79\ Id. See also 21st Century Cures Act: Interoperability, 
Information Blocking, and the ONC Health IT Certification Program, 
85 FR 25642 (May 1, 2020).
    \80\ See 42 CFR 2.11, defining ``Intermediary'' as a person, 
other than a program, covered entity, or business associate, who has 
received records under a general designation in a written patient 
consent to be disclosed to one or more of its member participants 
for the treatment of the patient(s)--e.g., a health information 
exchange, a research institution that is providing treatment, an 
accountable care organization, or a care management organization.
    \81\ U.S. Dep't of Health and Human Servs., ``Information 
Related to Mental and Behavioral Health, including Opioid Overdose'' 
(Dec. 23, 2022), <a href="https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html">https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html</a>; U.S. Dep't of Health and 
Human Servs., ``Does HIPAA permit health care providers to share 
protected health information (PHI) about an individual with mental 
illness with a third party that is not a health care provider for 
continuity of care purposes? For example, can a health care provider 
refer a patient experiencing homelessness to a social services 
agency, such as a housing provider, when doing so may reveal that 
the basis for eligibility is related to mental health?'' (Jan. 9, 
2023), <a href="https://www.hhs.gov/hipaa/for-professionals/faq/3008/does-hipaa-permit-health-care-providers-share-phi-individual-mental-illness-third-party-not-health-care-provider-continuity-care-purposes/index.html">https://www.hhs.gov/hipaa/for-professionals/faq/3008/does-hipaa-permit-health-care-providers-share-phi-individual-mental-illness-third-party-not-health-care-provider-continuity-care-purposes/index.html</a>.
---------------------------------------------------------------------------

    The Department again modified part 2 on December 14, 2020,\82\ by 
amending the confidential communications section of Sec.  2.63(a)(2), 
which enumerated a basis for a court order authorizing the use of a 
record when ``the disclosure is necessary in connection with 
investigation or prosecution of an extremely serious crime allegedly 
committed by the patient.'' The December 2020 final rule removed the 
phrase ``allegedly committed by the patient,'' explaining that the 
phrase was included in previous rulemaking by error, and clarifying 
that a court has the authority to permit disclosure of confidential 
communications when the disclosure is necessary in connection with 
investigation or prosecution of an extremely serious crime that was 
allegedly committed by either a patient or an individual other than the 
patient.
---------------------------------------------------------------------------

    \82\ 85 FR 80626 (Dec. 14, 2020).
---------------------------------------------------------------------------

Section 3221 of the Coronavirus Aid, Relief, and Economic Security 
(CARES) Act

    On March 27, 2020, Congress enacted the CARES Act \83\ to provide 
emergency assistance to individuals, families, and businesses affected 
by the COVID-19 pandemic. Section 3221 of the CARES Act, 
Confidentiality and Disclosure of Records Relating to Substance Use 
Disorder, substantially amended 42 U.S.C. 290dd-2 to more closely align 
Federal privacy standards applicable to part 2 records with the HIPAA 
and HITECH Act privacy standards, breach notification standards, and 
enforcement authorities that apply to PHI, among other modifications.
---------------------------------------------------------------------------

    \83\ Public Law 116-136, 134 Stat. 281 (Mar. 27, 2020). 
Significant components of section 3221 are codified at 42 U.S.C. 
290dd-2 as further detailed in this final rule.
---------------------------------------------------------------------------

    The requirements in 42 U.S.C. 290dd-2(b), (c), and (f), as amended 
by section 3221 of the CARES Act, with respect to patient consent and 
redisclosures of SUD records, now align more closely with HIPAA Privacy 
Rule provisions permitting uses and disclosures for TPO and establish 
certain patient rights with respect to their part 2 records consistent 
with provisions of the HITECH Act; restrict the use and disclosure of 
part 2 records in legal proceedings; and set civil and criminal 
penalties for

[[Page 12481]]

violations. Section 3221 also amended 42 U.S.C. 290dd-2(j) and (k) by 
adding HITECH Act breach notification requirements and new terms and 
definitions consistent with the HIPAA regulations and the HITECH Act, 
respectively. Finally, section 3221 requires the Department to modify 
the HIPAA NPP \84\ requirements at 45 CFR 164.520 so that covered 
entities and part 2 programs provide notice to individuals regarding 
privacy practices related to part 2 records, including individuals' 
rights and uses and disclosures that are permitted or required without 
authorization.
---------------------------------------------------------------------------

    \84\ Section 3221(i) requires the Secretary to update 45 CFR 
164.520, the HIPAA Privacy Rule requirements with respect to the 
HIPAA NPP.
---------------------------------------------------------------------------

    Paragraph (b) of section 3221 (Disclosures to Covered Entities 
Consistent with HIPAA), adds a new paragraph (1) (Consent), to section 
543 of the PHSA \85\ and expands the ability of covered entities, 
business associates, and part 2 programs to use and disclose part 2 
records for TPO. The text of section 3221(b) adding paragraph (1)(B) to 
42 U.S.C. 290dd-2 states that once prior written consent of the patient 
has been obtained, those contents may be used or disclosed by a covered 
entity, business associate, or a program subject to 290dd-2 for the 
purposes of TPO as permitted by the HIPAA regulations. Any disclosed 
information may then be redisclosed in accordance with the HIPAA 
regulations.
---------------------------------------------------------------------------

    \85\ Paragraph (1) is codified at 42 U.S.C. 290dd-2(b).
---------------------------------------------------------------------------

    To the extent that 42 U.S.C. 290dd-2(b)(1) now provides for a 
general written patient consent covering all future uses and 
disclosures for TPO ``as permitted by the HIPAA regulations,'' and 
expressly permits the redisclosure of part 2 records received for TPO 
``in accordance with the HIPAA regulations,'' the Department believes 
this means the recipient redisclosing the records must be a covered 
entity, business associate, or part 2 program that has received part 2 
records under a TPO consent. The Department's proposals throughout this 
final rule are premised on its reading of section 3221(b) as applying 
to redisclosures of part 2 records by covered entities, business 
associates, and part 2 programs, including those covered entities that 
are part 2 programs.
    In addition to the provisions of section 3221 described above, 
paragraph (g) of section 3221, Antidiscrimination, adds a new provision 
(i)(1) to 42 U.S.C. 290dd-2 to prohibit discrimination against an 
individual based on their part 2 records in: (A) admission, access to, 
or treatment for health care; (B) hiring, firing, or terms of 
employment, or receipt of worker's compensation; (C) the sale, rental, 
or continued rental of housing; (D) access to Federal, State, or local 
courts; or (E) access to, approval of, or maintenance of social 
services and benefits provided or funded by Federal, State, or local 
governments.\86\ Further, the new paragraph (i)(2) prohibits 
discrimination by any recipient of Federal funds against individuals 
based on their part 2 records.\87\ As stated in the NPRM, the 
Department intends to implement the CARES Act antidiscrimination 
provisions in a separate rulemaking. However, we discuss below and 
briefly respond to comments we received on the NPRM concerning 
antidiscrimination and stigma issues.
---------------------------------------------------------------------------

    \86\ See sec. 3221(g) of the CARES Act.
    \87\ Id.
---------------------------------------------------------------------------

III. Overview of Public Comments

A. General Discussion of Comments

    The Department received approximately 220 comments on the NPRM. By 
a wide margin, most of the commenters represented organizations rather 
than individuals (87 percent versus 13 percent). Professional and trade 
associations, including medical professional associations, and patient, 
provider, or other advocacy organizations were the most represented, 
followed by organizations that could fall within multiple categories. 
Other commenters included hospitals and health care systems, state and 
local government agencies, health plans and managed care organizations, 
health IT vendors, and unaffiliated individuals. Among the 27 
individual commenters, nearly a third stated that they had current or 
past experience as an SUD provider, health care administrator, or 
health IT or legal professional.
    The specific issue mentioned most frequently in comments was the 
proposal to allow patients to sign a single consent form for all future 
uses and disclosures of their SUD records for TPO purposes. This was 
followed by the proposed consent requirements, regulatory definitions, 
protections for patients in investigations and proceedings against 
them, and requirements for intermediaries, in that order.

B. General Comments

    Approximately 75 percent of commenters provided general views on 
the NPRM covering multiple issues, including the need for better or 
complete alignment with HIPAA, concerns about erosion of privacy and 
the need for informed consent for disclosures, requests for 
Departmental guidance, and requests to better fund SUD treatment 
services and health IT technology for part 2 providers.
General Support for the Proposed Rule
    Public comments showed strong general support for the NPRM, with 
nearly half voicing clear support and nearly one-third expressing 
support while offering suggestions for improvement. Comments in support 
of the proposed rule stated that the proposed changes would improve 
care coordination, support patient privacy, reduce data and information 
gaps between patients and providers, reduce the stigma around SUD 
treatment, and reduce costs.
    A group of commenters supported the proposed changes but did not 
view the proposals as sufficient--they sought more comprehensive 
change, to essentially recreate a set of HIPAA standards for part 2 
records.
General Opposition to the Proposed Rule
    Some commenters that expressed opposition to the NPRM stressed the 
importance of privacy and the need for informed consent regarding the 
use and disclosure of SUD treatment information, particularly for the 
use of records in investigations and proceedings against a patient. 
Some SUD providers, medical professionals, trade associations, advocacy 
organizations, a mental health provider, and nearly all individual 
commenters urged the Department not to make changes to part 2, largely 
to maintain the existing privacy protections. One advocacy organization 
urged the Department to weigh the risk to patients of their data being 
used without their permission and their potential loss of privacy 
surrounding seeking treatment for SUD, against any potential benefits 
provided for providers by the new rule.

IV. Analysis and Response to Public Comments and Final Modifications

    The discussion below provides a section-by-section description of 
the final rule and responds to comments received from the public in 
response to the 2022 NPRM. As the Department discussed in the NPRM, the 
CARES Act did not expressly require every proposal promulgated by the 
Department. Some of the Department's proposals were proposed to align 
the language of this regulation with that in the HIPAA Privacy Rule and 
to clarify already-existing part 2 permissions or restrictions.

[[Page 12482]]

A. Effective and Compliance Dates

Proposed Rule
    In the NPRM, the Department proposed to finalize an effective date 
for a final rule that would occur 60 days after publication, and a 
compliance date that would occur 22 months after the effective date. 
Taken together, the two dates would give entities two years after 
publication to finalize compliance measures. In the NPRM, we \88\ 
stated ``[e]ntities subject to a final rule would have until the 
compliance date to establish and implement policies and practices to 
achieve compliance.'' \89\ The Department proposed to provide the same 
compliance date for both the proposed modifications to 45 CFR 164.520, 
the HIPAA NPP provision, and the more extensive part 2 modifications.
---------------------------------------------------------------------------

    \88\ In this final rule, ``we'' and ``our'' denote the 
Department.
    \89\ 87 FR 74216, 74218.
---------------------------------------------------------------------------

    The HIPAA regulations generally require covered entities and 
business associates to comply with new or modified standards or 
implementation specifications no later than 180 days from the effective 
date of any such standards or implementation specifications,\90\ 
whereas the part 2 regulation does not contain a standard compliance 
period for regulatory changes.
---------------------------------------------------------------------------

    \90\ See 45 CFR 160.105.
---------------------------------------------------------------------------

    However, as we explained in the NPRM, the proposed compliance 
period would allow part 2 programs to revise existing policies and 
practices, complete other implementation requirements, and train their 
workforce members on the changes, as well as minimize administrative 
burdens on entities subject to the HIPAA Privacy Rule.
    We requested comment on the adequacy of the 22-month compliance 
period that follows the proposed effective date and any benefits or 
unintended adverse consequences for entities or individuals of a 
shorter or longer compliance period.
Comment
    More than half of the commenters who addressed the timeline for 
compliance, including several providers, health plans, professional 
medical and trade associations, and HIE networks, expressed support or 
opined that the proposed dates were feasible. Some of these commenters 
believed changes could be implemented sooner. Several of these 
supportive commenters offered the opinion that compliance deadlines 
facilitate care coordination and therefore should not be unnecessarily 
delayed, but that the Department should offer technical assistance 
leading up to the compliance deadline to assist entities in 
implementing these changes. Some commenters stated that the Department 
should make clear that covered entities and part 2 programs who wish to 
comply with new finalized provisions, such as permissively using and 
disclosing SUD records for TPO or using the new authorization form with 
a general designation, before the proposed timeline should be able to 
do so voluntarily.
    Several commenters opined that the compliance timeline should be 
shortened. In general, these commenters stated that a shorter 
compliance timeline would more quickly facilitate improved care 
coordination for SUD patients and avoid extending the opioid crisis. A 
few of these commenters suggested that the gap in time between the 
effective date and compliance date would allow entities to ``choose'' 
whether to follow existing or revised regulations for a period of time, 
and thus impede interoperability. Others in this group of commenters 
suggested that the proposed compliance date was excessively long, 
demonstrated a lack of urgency by the Department for improving SUD data 
exchange and care for SUD patients, and would prolong the 
``misalignment'' of privacy protections for different types of 
information. One of these commenters recommended an alternative 12-
month timeline that would include the effective date with only 10 
additional months for compliance. A few of these commenters further 
encouraged the Department to clarify that entities wishing to implement 
any regulatory changes before the proposed timelines could voluntarily 
do so.
Response
    We appreciate the comments and clarify here that persons who are 
subject to the regulation and are able to voluntarily comply with 
regulatory provisions finalized in this rulemaking may do so at any 
time after the effective date. We also agree with the commenters who 
emphasized the important role that this rule will play in improving 
care coordination for patients experiencing addiction or other forms of 
SUD, and we acknowledge their concerns about timely implementation. As 
finalized, we believe the effective and compliance dates strike the 
right balance between incentivizing entities to come into compliance in 
a timely fashion, and granting them sufficient time to adjust policies, 
procedures, and, in some cases, technology to support new or revised 
regulations.
Comment
    A few commenters expressed support for the proposed timelines but 
requested clarification about whether new finalized provisions would 
apply to records created prior to the compliance date of the final 
rule. These commenters urged the Department to apply modified 
requirements to part 2 records created prior to the compliance date of 
the final rule to avoid the burdensome task of separating records and 
applications for consent.
Response
    The changes finalized in this rule will apply to records created 
prior to the final rule. We agree with commenters who stated that 
separating records by date of creation for differential treatment would 
be unduly burdensome.
Comment
    Slightly less than half of the commenters who addressed this topic, 
including medical associations, a technology vendor, HIE/HINs, state 
and local agencies, health plans, and professional provider 
organizations, suggested that the Department should either lengthen the 
compliance timeline or finalize the proposed compliance date but delay 
enforcement, or issue a compliance safe harbor beyond the compliance 
date. For example, one commenter suggested that the Department 
implement a two-year enforcement delay while a few other commenters 
suggested a three-year enforcement delay or two-year phased enforcement 
approach beyond the compliance date. Some commenters requested that the 
Department spend the time tolled by the enforcement delay to issue 
implementation guidance addressing the interaction of the Centers for 
Medicare & Medicaid Services (CMS) Interoperability Rule,\91\ HIPAA 
regulations, and 42 CFR part 2, or work with the IT vendor community to 
address data segmentation approaches.
---------------------------------------------------------------------------

    \91\ See 85 FR 25510 (May 1, 2020).
---------------------------------------------------------------------------

    A few state and local agencies opined that the 22-month compliance 
period following the effective date would not be adequate for 
communication, training, implementation, and monitoring of extensive 
SUD provider networks with varying delivery options. One of these 
agencies cited as an example the state of California where the Medicaid 
SUD service delivery system may include hundreds of county and 
contracted providers such that the burden of audits, deficiency 
findings, and corrective actions would be felt statewide. Another state 
agency commented that its state needed more

[[Page 12483]]

time to develop a means to track TPO disclosures and recommended a 60-
month timeline after publication of the rule. Other alternative 
timelines suggested by commenters included a recommendation by a dental 
professional association to establish an effective date of no less than 
one year after publication of the final rule, and a compliance date of 
no less than one year after the effective date; an additional 12 months 
beyond the proposed 22-month compliance timeline to better accommodate 
new interoperability rules and a corresponding need by part 2 programs 
to update technology; or a 34-month period following the 60-day 
effective date period to grant part 2 programs greater time to 
implement changes in practice related to the rule, as well as 
additional time for questions and clarifications from the Department. 
Commenters also suggested that an enforcement delay include a delay in 
imposing civil monetary penalties or ``safe harbor'' protection for 
part 2 programs, providers, business associates, and covered entities 
acting in good faith.
Response
    We disagree with commenters who suggested or recommended that the 
Department delay enforcement of a final part 2 rule beyond the proposed 
timeline. We also disagree that additional safe harbor protection for 
the entities that would be regulated under this rule is necessary or 
appropriate. Either an enforcement delay or an enforcement safe harbor 
(that would effectively extend the compliance timeline) would frustrate 
the timely implementation of the CARES Act amendments to meaningfully 
improve the ability of impacted entities to coordinate care for 
individuals experiencing SUD, as suggested by the many commenters who 
either agreed with the proposed effective and compliance dates or 
sought a shorter compliance timeline. The Department may provide 
further guidance on the CMS Interoperability Rule in relation to data 
segmentation issues, HIPAA, and part 2, but we do not believe that this 
should delay finalization of the modifications to the part 2 rule or 
compliance deadlines.
Comment
    One commenter, a Tribal health board, recommended that Indian 
Health Service (IHS) and Tribal facilities using the existing IHS 
medical record system be exempted from compliance with part 2 until 
such time as IHS modernizes its electronic health record (EHR) system, 
projected for 2025. It further requested that SAMHSA issue guidance for 
pharmacies utilizing and issuing electronic prescriptions through the 
Resource and Patient Management System (RPMS) EHR system, and 
associated redisclosures, in the context of an integrated pharmacy 
system with the full RPMS EHR.
Response
    The timeline finalized here is consistent with this request. As 
explained, the two-month delay between publication and an effective 
date combined with a 22-month compliance deadline beyond the effective 
date grants entities two years after publication to comply. Absent 
extenuating circumstances that cause the Department to require 
compliance sooner, this final rule will require compliance no earlier 
than third quarter of calendar year 2025.
Comment
    A few commenters representing HIE networks expressed support for 
the Department's proposal to toll the date by which part 2 programs 
must comply with the proposed accounting of disclosures requirements at 
Sec.  2.25 until the effective date of a final rule on a revised HIPAA 
accounting of disclosures standard at 45 CFR 164.528 to ensure the 
consistency with HIPAA.
Response
    We appreciate these comments.
Comment
    A few commenters recommended that the Department delay this rule in 
its entirety until other proposed HIPAA regulations are finalized to 
permit commenters to better assess interactions between the alignment 
and to reduce administrative burden, such as reviewing multiple 
proposed HIPAA NPP provisions.
Response
    The Department is not finalizing the proposed HIPAA NPP provisions 
in this final rule, but plans to do so in a future HIPAA final rule. We 
intend to align compliance dates for any required changes to the HIPAA 
NPP and part 2 Patient Notice to enable covered entities to make such 
changes at the same time. We believe the two-year compliance timeline 
following publication of this rule provides adequate time to assess 
alignment implications between HIPAA and part 2 and adjust accordingly.
Final Dates
    The final rule adopts the proposed effective date of 60 days after 
publication of this final rule, and the proposed compliance date of 24 
months after the publication of this final rule. We are also finalizing 
the proposed accounting of disclosure provision at Sec.  2.25, but 
tolling the effective and compliance dates for that provision until 
such time as the Department finalizes a revised provision in HIPAA at 
45 CFR 164.528.

B. Substantive Proposals and Responses to Comments

Section 2.1--Statutory Authority for Confidentiality of Substance Use 
Disorder Patient Records
Proposed Rule
    Section 2.1 describes the statutory authority vested in 42 U.S.C. 
290dd-2(g) to prescribe implementing regulations. The Department 
proposed to revise Sec.  2.1 to more closely align this section with 
the statutory text of 42 U.S.C. 290dd-2(g) and subsection 290dd-
2(b)(2)(C) related to the issuance of court orders authorizing 
disclosures of part 2 records.
Comment
    A health plan commenter expressed support for this language 
alignment and said that the specific references to authorized 
disclosures pursuant to court order will assist part 2 programs in 
their compliance efforts. A state agency said that these changes to part 2 will affect 
its Medicaid system and Prepaid Inpatient Health Plans. Compliance is 
further required for State licensed narcotic treatment facilities and 
residential alcohol and drug treatment facilities.
Response
    We appreciate these comments.
Final Rule
    The final rule adopts the proposed changes to this section without 
further modification.
Section 2.2--Purpose and Effect
Proposed Rule
    Section 2.2 establishes the purpose and effect of regulations 
imposed in this part upon the use and disclosure of part 2 records. The 
Department proposed to amend paragraph (b) of this section to reflect 
that Sec.  2.2(b) compels disclosures to the Secretary that are 
necessary for enforcement of this rule, using language adapted from the 
HIPAA Privacy Rule at 45 CFR 164.502(a)(2)(ii). In the NPRM, the 
Department stated that the regulations do not require use or disclosure 
under any circumstance other than when disclosure is required by the 
Secretary to investigate or determine a person's compliance with

[[Page 12484]]

this part.\92\ The Department also proposed to add a new paragraph 
(b)(3) to this section to clarify that nothing in this rule should be 
construed to limit a patient's right to request restrictions on use of 
records for TPO or a covered entity's choice to obtain consent to use 
or disclose records for TPO purposes as provided in the HIPAA Privacy 
Rule. The Department specifically stated that the ``regulations in this 
part are not intended to direct the manner in which substantive 
functions such as research, treatment, and evaluation are carried 
out.'' \93\
---------------------------------------------------------------------------

    \92\ 87 FR 74216, 74226.
    \93\ 87 FR 74216, 74274.
---------------------------------------------------------------------------

Comment
    A commenter said that it is logical for disclosures to the 
Secretary under Sec.  2.2 to be consistent with analogous disclosures 
under HIPAA. Regarding the proposed modification to Sec.  2.2(b)(1) to 
provide that the regulations generally do not require the use and 
disclosure of part 2 records, except when disclosure is required by the 
Secretary, another commenter said that it would be more logical and 
appropriate to treat part 2 records as HIPAA-covered records. The 
commenter believed that continued stigmatization of the diagnoses 
treated by part 2 facilities is a barrier to treatment and creates a 
two-tiered approach to use and disclosure that provides no meaningful 
benefit to patients.
Response
    We appreciate these comments and have finalized this section as 
noted below. We believe our changes align part 2 more closely with 
HIPAA while also acknowledging changes to 42 U.S.C. 290dd-2, as amended 
by section 3221 of the CARES Act, which continue to provide additional 
protection for part 2 records, especially in legal proceedings against 
a patient. This section is needed to prevent harm to patients from 
stigma and discrimination consistent with the intent of part 2 and the 
CARES Act, including newly added statutory antidiscrimination 
requirements (42 U.S.C. 290dd-2(i)).
Comment
    A SUD professional association discussed stigma and discrimination 
to which SUD patients are subject and asked that any discussion of 
proposed changes in the NPRM first begin with the context of why these 
protections exist. Citing to Sec.  2.2(b)(2), the association noted 
that there are a number of adverse impacts to which patients are 
vulnerable including those related to: criminal justice, health care, 
housing, life insurance coverage, loans, employment, licensure, and 
other intentional or passive discrimination against patients. A 
psychiatric hospital said that, under current Sec.  2.2(b)(2), the 
purpose of the substance use disorder confidentiality protections is to 
encourage care without fear of stigma-related adverse impacts, not to 
block access to it for patients.
Response
    We have long emphasized and agree with commenters that one primary 
purpose of the part 2 regulations is to, as the 1987 rule stated, 
ensure ``that an alcohol or drug abuse patient in a federally assisted 
alcohol or drug abuse program is not made more vulnerable by reason of 
the availability of his or her patient record than an individual who 
has an alcohol or drug problem and who does not seek treatment.'' \94\ 
The final rule continues to emphasize, including in this section, that 
most uses and disclosures allowed under part 2 are permissive and not 
mandatory. The final rule adds that disclosure may be required ``when 
disclosure is required by the Secretary to investigate or determine a 
person's compliance with this part pursuant to Sec.  2.3(c).'' 
Likewise, a court order with a subpoena or similar legal mandate may 
compel disclosure of part 2 records, as explained in Sec.  2.61, Legal 
effect of order.\95\
---------------------------------------------------------------------------

    \94\ 52 FR 21796, 21805.
    \95\ Section 2.61(a) provides that court orders entered under 
this subpart are ``unique'' and only issued to authorize a 
disclosure or use, and not ``compel'' disclosure. It further 
provides ``A subpoena or a similar legal mandate must be issued in 
order to compel disclosure. This mandate may be entered at the same 
time as and accompany an authorizing court order entered under the 
regulations in this part.'' Under the HIPAA Privacy Rule, a 
disclosure pursuant to such a court order, but without an 
accompanying subpoena, would not constitute a disclosure required by 
law as that term is defined at 45 CFR 164.103.
---------------------------------------------------------------------------

Comment
    A commenter believed the Department's proposal to add a new 
paragraph (b)(3) to Sec.  2.2 to provide that nothing in this part 
shall be construed to limit a patient's right to request restrictions 
on use of records for TPO or a covered entity's choice to obtain 
consent to use or disclose records for TPO purposes as provided in the 
HIPAA Privacy Rule appears consistent with patients' rights 
requirements under HIPAA and is a logical clarification.
Response
    We appreciate the comment on our proposed changes which are 
finalized here.
Final Rule
    The final rule adopts all changes to Sec.  2.2 as proposed, without 
further modification.
Section 2.3--Civil and Criminal Penalties for Violations
Proposed Rule
    Section 2.3 of 42 CFR part 2 currently requires that any person who 
violates any provision of the part 2 regulations be criminally fined in 
accordance with title 18 U.S.C. The Department proposed multiple 
changes to this section to implement the new authority granted in 
section 3221(f) of the CARES Act as applied in 42 U.S.C. 290dd-2(f) so 
that sections 1176 and 1177 of the Social Security Act apply to a part 
2 program for a violation of 42 CFR part 2 in the same manner as they 
apply to a covered entity for a violation of part C of title XI of the 
Social Security Act (HIPAA Administrative Simplification).
    The Department proposed to replace title 18 criminal enforcement 
with civil and criminal penalties under sections 1176 and 1177 of the 
Social Security Act (42 U.S.C. 1320d-5, 1320d-6), respectively, as 
implemented in the HIPAA Enforcement Rule.\96\ The Department also 
proposed to rename Sec.  2.3 as ``Civil and criminal penalties for 
violations'' and reorganize Sec.  2.3 into paragraphs (a), (b), and 
(c). Proposed Sec.  2.3(a) would incorporate the penalty provisions of 
42 U.S.C. 290dd-2(f), which apply the civil and criminal penalties of 
sections 1176 and 1177 of the Social Security Act, respectively, to 
violations of part 2. Proposed changes and comments regarding 
paragraphs (a), (b), and (c) are discussed below.
---------------------------------------------------------------------------

    \96\ See 45 CFR part 160, subpart D (Imposition of Civil Money 
Penalties).
---------------------------------------------------------------------------

Comment
    We received comments concerning proposed revisions to Sec.  2.3(a). 
A state agency requested clarification regarding the agencies 
authorized to enforce Sec.  2.3. Given statutory changes made by the 
CARES Act, the commenter asked that the Department clarify which 
agencies are authorized to enforce part 2 pursuant to the proposed 
provision. This commenter opined that section 1176 of the Social 
Security Act authorizes the Secretary to impose penalties, the attorney 
general of a state to bring a civil action for statutory damages in 
certain circumstances, and OCR to use corrective action in cases where 
the person did not know of the violation involved. The commenter asked 
for confirmation that the Department is the Federal agency that is

[[Page 12485]]

authorized to enforce part 2 through civil penalties and further seeks 
clarification regarding whether the Department will act through OCR, 
SAMHSA, or another entity. The commenter also seeks clarification that 
the authorized state enforcement agency is the office of the attorney 
general. Additionally, section 1177 of the Social Security Act pertains 
to criminal penalties for knowing violations, but does not identify the 
specific agency charged with enforcement. The commenter seeks 
confirmation that under the proposed rule, the Federal Department of 
Justice (DOJ) has jurisdiction over enforcement of part 2 through 
criminal penalties.
Response
    We appreciate requests for clarification on enforcement of part 2 
as proposed and now finalized in this rule. As we have noted in 
previous rulemakings such as the ``HIPAA Administrative Simplification: 
Enforcement'' final rule ``[u]nder sections 1176 and 1177 of the Act, 
42 U.S.C. 1320d-5 and 6, these persons or organizations, collectively 
referred to as `covered entities,' may be subject to CMPs and criminal 
penalties for violations of the HIPAA regulations. HHS enforces the 
CMPs under section 1176 of the Act, and [DOJ] enforces the criminal 
penalties under section 1177 of the Act.'' \97\ As part of the HITECH 
Act, state attorneys general may bring civil suits for violations of 
the HIPAA Privacy and Security Rules on behalf of state residents.\98\ 
Under this final rule, alleged violators of part 2 are subject to the 
same penalties as HIPAA covered entities through sections 1176 and 1177 
of the Social Security Act. The CARES Act granted enforcement authority 
to the Secretary for civil penalties and the Department will identify 
the enforcing agency before the compliance date of this final rule.
---------------------------------------------------------------------------

    \97\ 74 FR 56123, 56124 (Oct. 30, 2009). See also, U.S. Dep't of 
Health and Human Servs., ``How OCR Enforces the HIPAA Privacy & 
Security Rules'' (June 7, 2017), <a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-ocr-enforces-the-hipaa-privacy-and-security-rules/index.html">https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-ocr-enforces-the-hipaa-privacy-and-security-rules/index.html</a>.
    \98\ See U.S. Dep't of Health and Human Servs., ``State 
Attorneys General'' (Dec. 21, 2017), <a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/state-attorneys-general/index.html">https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/state-attorneys-general/index.html</a>.
---------------------------------------------------------------------------

Comment
    A state agency said that its state strongly opposes what it 
perceives as increasing the civil and criminal penalties described in 
Sec.  2.3. Understanding the desire to ensure strong privacy 
protections are in place and that sanctions are necessary, the agency 
opined that the current enforcement framework is adequate and 
increasing sanctions would be punitive rather than promoting 
compliance. Punitive sanctions should be brought only against those 
entities or individuals that failed to use due diligence and/or make 
every reasonable attempt to protect against unauthorized disclosure. 
Unintended unauthorized disclosures that result in no material patient 
harm should be treated as that--unintended disclosures that cause de 
minimis or no harm to patients. Increasing sanctions may have the 
unintended consequence of part 2 programs not sharing patient records 
even if the patient in fact desires disclosure.
Response
    We appreciate this commenter's concerns about part 2 enforcement 
and disagree that the sanctions for violations will be harsher than for 
violations of the HIPAA regulations. We note that 42 U.S.C. 290dd-2(f), 
as amended by section 3221(f) of the CARES Act, applies the provisions 
of sections 1176 and 1177 of the Social Security Act to a violation of 
42 CFR part 2 in the same manner as they apply to a violation of part C 
of title XI of the Social Security Act. We are implementing these 
requirements in this final rule. As of the compliance date for this 
final rule, we anticipate taking a similar approach to addressing 
noncompliance under part 2 as for violations of HIPAA, ranging from 
voluntary compliance and corrective action to civil and criminal 
penalties.\99\ Indeed, we are finalizing below Sec.  2.3(c) which 
provides that the provisions of 45 CFR part 160, subparts C, D, and E, 
shall apply to noncompliance with this part with respect to records in 
the same manner as they apply to covered entities and business 
associates for violations of 45 CFR parts 160 and 164 with respect to 
PHI. As proposed, we are incorporating the entirety of 45 CFR part 160, 
subpart D, which includes the mitigating factors in 45 CFR 160.408 and 
the affirmative defenses in 45 CFR 160.410, to align part 2 enforcement 
with the HIPAA Enforcement Rule.
---------------------------------------------------------------------------

    \99\ See U.S. Dep't of Health and Human Servs., ``Enforcement 
Process'' (Sept. 17, 2021), <a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/index.html">https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/index.html</a>; 
HIPAA Enforcement Rule, 45 CFR part 160, subparts C, D, and E.
---------------------------------------------------------------------------

    In contrast, prior to this final rule, all alleged part 2 
violations were subject only to potential criminal penalties. Aligning 
part 2 and HIPAA enforcement approaches should make the enforcement 
process more straightforward for part 2 programs that are covered 
entities because it offers the same mitigating factors for 
consideration in enforcement, such as the number of individuals 
affected by the violation; whether the violation caused physical, 
financial, or reputational harm to the individual or jeopardized an 
individual's ability to obtain health care, the size of the covered 
entity or part 2 program; and whether the penalty would jeopardize the 
covered entity or part 2 program's ability to continue doing business. 
This alignment also affords part 2 programs, including those that are 
covered entities, the same affirmative defenses to alleged 
noncompliance and generally prohibits the imposition of a civil money 
penalty for a violation that is not due to willful neglect and is 
corrected within 30 days of discovery.
Final Rule
    We are finalizing Sec.  2.3(a) to specify that under 42 U.S.C. 
290dd-2(f), any person who violates any provision of this part shall be 
subject to the applicable penalties under sections 1176 and 1177 of the 
Social Security Act, 42 U.S.C. 1320d-5 and 1320d-6, as implemented in 
the HIPAA Enforcement Rule.
Section 2.3(b) Limitation on Criminal or Civil Liability
Proposed Rule
    As noted in the NPRM, after consultation with DOJ, the Department 
proposed in Sec.  2.3(b) to create a limitation on civil or criminal 
liability (``safe harbor'') for persons acting on behalf of 
investigative agencies when, in the course of investigating or 
prosecuting a part 2 program or other person holding part 2 records, 
such agencies or persons unknowingly receive part 2 records without 
first obtaining the requisite court order. The proposed safe harbor 
applies only in instances where records are obtained for the purposes 
of investigating a part 2 program or person holding the record, not a 
patient. Further, investigative agencies would be required to follow 
part 2 requirements for obtaining, using, and disclosing part 2 records 
as part of an investigation or prosecution, including requirements 
related to seeking a court order, filing protective orders, maintaining 
security for records, and ensuring that records obtained in program 
investigations are not used in legal actions against patients who are 
the subjects of the records.
    This safe harbor would be available for uses or disclosures 
inconsistent with part 2 only when the person acting on behalf of an 
investigative agency acted

[[Page 12486]]

with reasonable diligence to determine in advance whether part 2 
applied to the records or part 2 program. Paragraph (b)(1) proposed to 
clarify what constitutes reasonable diligence in determining whether 
part 2 applies to a record or part 2 program before an investigative 
agency makes an investigative demand or places an undercover agent with 
the part 2 program or person holding the records. The Department 
proposed specifically that reasonable diligence under this provision 
would require acting within a reasonable period of time, but no more 
than 60 days prior to, the request for records or placement of an 
undercover agent or informant. As proposed, reasonable diligence would 
include taking the following actions to determine whether a health care 
practice or provider (where it is reasonable to believe that the 
practice or provider provides SUD diagnostic, treatment, or referral 
for treatment services) provides such services: (1) checking a 
prescription drug monitoring program (PDMP) in the state where the 
provider is located, if available and accessible to the agency under 
state law; or (2) checking the website or physical location of the 
provider.
    In addition, Sec.  2.3(b) as proposed was intended to require an 
investigative agency to meet any other applicable requirements within 
part 2 for any use or disclosure of the records that occurred, or would 
occur, after the investigative agency knew, or by exercising reasonable 
diligence would have known, that it received part 2 records. The 
Department also proposed amending Sec. Sec.  2.66 and 2.67 to be 
consistent with and further implement these proposed changes in Sec.  
2.3.
Comment
    A state agency that regulates health facilities expressed concern 
that statements made by HHS in the NPRM when describing the need for 
the safe harbor provision for investigative agencies might bring its 
authority to obtain part 2 records from health care facilities into 
question. The commenter explains that the Department's justification 
and interpretation of the need for a safe harbor provision could result 
in licensed health care facilities refusing to provide it with access 
to part 2 records until the state agency obtains a court order under 
subpart E. While the commenter appreciated the clarification provided 
by the Department in the NPRM (``[HHS] does not intend to modify the 
applicability of Sec.  2.12 or Sec.  2.53 for investigative 
agencies''), the commenter asked that Sec.  2.3(b) affirm that 
investigative agencies will not be required to demonstrate due 
diligence or obtain a court order if their access, use, and disclosure 
of part 2 records is covered by another exception to part 2, such as 
the audit and evaluation exception in Sec.  2.53.
    An academic medical center advocated for a narrower definition of 
``investigative agency'' than proposed and expressed concern about 
applying the proposed limitation on liability to a broad category of 
agencies. Several other commenters also addressed in their comments the 
Department's proposed definition of ``investigative agency'' in Sec.  
2.11, suggesting inclusion of state, Tribal, or local agencies in this 
definition.
Response
    We address comments on definitions below in Sec.  2.11, including 
concerns about potential unintended adverse consequences of including 
``supervisory'' agencies in the definition of ``investigative agency''. 
We believe that the definition of ``investigative agency'', combined 
with the safe harbor (and its reasonable diligence prerequisite) and 
the annual reporting requirement, provides an appropriate check on 
government access to records in the course of investigating a part 2 
program or lawful holder in those situations where an agency discovers 
it has unknowingly obtained part 2 records. The safe harbor option to 
apply for a court order retroactively does not alter the criteria for a 
court to grant the order, which includes a finding that other means of 
obtaining the records were unavailable, would not be effective, or 
would yield incomplete information. Here, we also clarify that we do 
not intend, in Sec.  2.3(b), to override the existing authority of 
investigative or oversight agencies to access records, without court 
order, when permitted under another section of this regulation. Rather 
than narrowing the definition, we also include, as some commenters 
requested, local, territorial, and Tribal investigative agencies in the 
final ``investigative agency'' definition because they have a role in 
investigations of part 2 programs.
Comment
    Some SUD policy organizations and other commenters suggested that 
the Department should not include a safe harbor provision for 
investigative agencies, as this is not required by the CARES Act and is 
duplicative of existing protections such as qualified immunity. 
According to these commenters, the CARES Act does not require a 
limitation on civil or criminal liability for persons acting on behalf 
of investigative agencies if they unknowingly receive part 2 records. 
Additionally, this provision is deleterious to the confidentiality of 
patients relying on part 2 protections of their records in seeking or 
receiving SUD treatment, further eroding the trust necessary between 
provider and patient for successful SUD treatment.
    The commenters further addressed in their comments the reasonable 
diligence steps proposed to identify whether a provider is a covered 
part 2 program. Though the NPRM proposed that passing by a part 2 
program to observe its operations or checking a PDMP is sufficient to 
determine whether a provider offers SUD services, many SUD providers 
are not required to share information with PDMPs, the commenters 
assert. One commenter suggested that PDMPs do not contain any 
information from part 2 programs that do not prescribe controlled 
substances to patients. Under Sec.  2.36, opioid treatment programs 
(OTPs) may report methadone dispensing information to PDMPs, but only 
if the reporting is mandated by state law and authorized by a part 2-
compliant consent form. The commenters asserted that more accurate 
verification methods exist, such as SAMHSA's online treatment locator 
or state treatment databases. If such a safe harbor provision is 
included, the standard for diligence must be made more explicit and 
subject to more rigorous standards, according to these commenters.
    A legal advocacy organization commented that the safe harbor 
proposal fell outside the scope of the CARES Act and was an unnecessary 
change. It further commented that despite disclosing that it consulted 
with the DOJ, HHS failed to adequately explain why law enforcement 
merits special consideration for protection from liability or why HHS 
did not consult with civil rights organizations, legal and policy 
advocates, providers, or patients. In addition, this commenter opined 
that the proposed safe harbor provision had inadequate guardrails to 
protect privacy because the Department proposed a very low standard of 
reasonable diligence that the investigative agency would be required to 
show and insufficient examples of actions an investigative agency must 
take to identify whether a provider offered SUD treatment under part 2. 
The commenter also remarked that checking a state's PDMP website should 
not be sufficient to establish reasonable diligence since the majority 
of part 2 programs do not report information to PDMPs, and similarly, 
driving by a provider's physical location should not

[[Page 12487]]

be considered sufficient to establish reasonable diligence because many 
SUD providers preserve their patients' privacy by avoiding overt street 
signage or advertisements. This commenter suggested checking SAMHSA's 
online treatment locator or the state oversight agency's list of 
licensed and certified providers as better alternatives than those 
proposed in the NPRM.
    An HIE association expressed concern that if patients believe that 
their information related to seeking SUD treatment or admitting 
continued SUD while in treatment could be disclosed to an investigative 
Federal Government agency, then they may forgo or stop receiving that 
treatment. SUD treatment and the part 2 patient records are some of the 
most sensitive pieces of a person's health record. The commenter 
suggested that it is important for OCR and SAMHSA to engage with 
patient advocacy organizations to understand the needs of patients to 
protect that privacy and ensure treatment is not foregone due to a fear 
of exposure. An individual commenter also recommended consultation by 
the Department with SUD patients and former patients.
    Another group of commenters claimed that the proposed rule's new 
safe harbor provision in Sec.  2.3 was unnecessary, overly broad, and 
was not required by the CARES Act. HHS should withdraw this proposed 
change, these commenters stated, or at least should include more 
accurate methods of how investigative agencies can determine a provider 
offers SUD services (and thus may be subject to part 2) such as 
consulting the SAMHSA online treatment locator.
    An individual commenter viewed the proposed Sec.  2.3(b) changes as 
stigmatizing because it would promote access to patients' records 
against their interests by law enforcement. Another individual 
commenter suggested the proposed safe harbor may create a chilling 
effect, dissuading people from seeking the SUD care and other kinds of 
health care, including prenatal care, that they need. One person in 
recovery said that the proposal's language is vague and open-ended, 
leaving room for interpretation and loopholes for fishing expeditions 
by law enforcement through patient records. This commenter further 
stated that while it is important that bad actor treatment centers or 
providers are held accountable, the solution should not sacrifice 
fundamental privacy rights of patients.
    Another commenter recommended a bar against using the safe harbor 
provision without inquiring directly with the provider about whether 
part 2 applies. The organization has helped part 2 programs respond to 
hundreds of law enforcement requests for SUD treatment records. Based 
on its experience, many part 2 programs report that law enforcement 
officials are not familiar with part 2 and do not listen to program 
staff when they flag its requirements for law enforcement. The 
commenter stated that part 2 program staff have even been arrested and 
charged with obstruction for attempting to explain the Federal privacy 
law as a result of this lack of knowledge by law enforcement.
    A county government expressed opposition to the Department's 
proposals in Sec.  2.3, and relatedly in Sec. Sec.  2.66 and 2.67. 
According to this commenter, the Department should consider that once 
information is received by an investigator, there is no way to undo the 
knowledge learned even if records are destroyed as required in 
Sec. Sec.  2.66 and 2.67. Thus, the commenter concluded, the Department 
should not finalize the safe harbor.
    Another county government, also expressing opposition to proposed 
changes in Sec. Sec.  2.3 and 2.66, commented that it believes the 
creation of a safe harbor for improper use or disclosure of part 2 
records by investigative agencies is contrary to the ``fundamental 
policy goals'' that support more stringent privacy protections for 
substance use treatment records under 42 CFR part 2. This commenter 
explained its view that patients remain fearful of legal repercussions 
for engaging in substance use and will be discouraged from seeking 
treatment if guardrails that protect information are lowered. This 
commenter further opined that creating a safe harbor for investigative 
agencies could have the unintended consequence of creating an incentive 
for investigative agencies to design document requests to technically 
meet the requirements of the safe harbor, with the hopes of providers 
turning over part 2 records to which the investigative agency would not 
otherwise have access. Furthermore, according to the commenter, the 
contents of part 2 records could conceivably be used as a basis for 
meeting the criteria for a court order to use or disclose these, or 
other part 2 records, under Sec.  2.64. This commenter further 
recommended that investigators not be permitted to retroactively seek a 
court order to use or disclose part 2 records, and in no event should 
investigative agencies be able to use information from part 2 records 
that they did not have proper authority to receive as the basis for a 
retroactive court order for use or disclosure of part 2 records.
Response
    As noted above and in response to comments, this final rule no 
longer considers the reasonable diligence requirement specific to the 
safe harbor to be met by checking the applicable PDMP. Instead, this 
rule in the regulatory text of Sec.  2.3 provides that ``reasonable 
diligence'' means taking all of the following actions: searching for 
the practice or provider among the SUD treatment facilities in SAMHSA's 
online treatment locator; searching in a similar state database of 
treatment facilities where available; checking a practice or program's 
website, where available, or physical location; viewing the entity's 
Patient Notice or HIPAA NPP if it is available; and taking all these 
steps within no more than 60 days before requesting records or placing 
an undercover agent or informant.
    SAMHSA's online treatment locator,\100\ even if it does not include 
every SUD provider or may include outdated information for some 
providers, still is more inclusive than PDMPs. Generally, only SUD 
providers who prescribe controlled substances submit data to PDMPs 
while SAMHSA's online treatment locator also includes SUD providers who 
do not prescribe controlled substances. Further, we believe that 
requiring consultation of a PDMP by investigative agencies could 
unnecessarily increase exposure of patient records that are contained 
in a PDMP with the records of part 2 programs or lawful holders who are 
under investigation. The inherent risk of an unnecessary disclosure of 
patient records runs counter to the underlying intent to keep these 
records confidential. Finally, the SAMHSA online treatment locator uses 
existing Departmental resources and is readily available to the general 
public at no cost.\101\
---------------------------------------------------------------------------

    \100\ See Substance Abuse and Mental Health Servs. Admin., 
``<a href="http://FindTreatment.gov">FindTreatment.gov</a>,'' <a href="https://findtreatment.gov/">https://findtreatment.gov/</a>.
    \101\ See Ned J. Presnall, Giulia Croce Butler, and Richard A. 
Grucza, ``Consumer access to buprenorphine and methadone in 
certified community behavioral health centers: A secret shopper 
study,'' Journal of Substance Abuse Treatment (Apr. 29, 2022), 
<a href="https://www.jsatjournal.com/article/S0740-5472(22)00070-8/fulltext">https://www.jsatjournal.com/article/S0740-5472(22)00070-8/fulltext</a>; 
Cho-Hee Shrader, Ashly Westrick, Saskia R. Vos, et al., 
``Sociodemographic Correlates of Affordable Community Behavioral 
Health Treatment Facility Availability in Florida: A Cross-Sectional 
Study,'' The Journal of Behavioral Health Services & Research (Jan. 
4, 2023), <a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9812544/">https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9812544/</a>.
---------------------------------------------------------------------------

    As to the suggestion that checking state licensing information 
would be a better indicator of a program's part 2 status, the 
Department disagrees. Licensing may occur at the facility level,

[[Page 12488]]

or separately by occupational specialty, which would require an 
investigative agency to scour several sources of information. Further, 
the definition of part 2 program is broader than that of licensed SUD 
treatment providers because it can include prevention programs, so the 
pool of licensed providers is overly narrow and does not address the 
requirements that a program ``hold itself out'' as providing SUD 
services or that it is in receipt of Federal assistance.
    Regarding comments that HHS did not consult with civil rights 
organizations, legal and policy advocates, providers, or patients, we 
note that we received and reviewed comments submitted by individuals 
and advocacy and civil rights organizations as we are required to do as 
part of the rulemaking process. We also consulted with DOJ and other 
Federal agencies.
    We also acknowledge and appreciate concerns among some individual 
commenters that this provision may further stigmatize people seeking 
SUD treatment. However, we believe the requirement to demonstrate 
reasonable diligence to determine part 2 status in the safe harbor 
along with the requirements in Sec. Sec.  2.66 and 2.67 that prohibit 
use or disclosure of records against a patient in a criminal 
investigation or prosecution or in an application for a court order to 
obtain records for such purposes will help ensure and enhance patient 
privacy consistent with the purpose and intent of part 2 and 42 U.S.C. 
290dd-2 as amended by the CARES Act. We will monitor implementation and 
take steps to address any unintended adverse consequences that may 
follow, particularly for patients because they are not the intended 
focus of these investigations.
    The safe harbor is not required by the CARES Act; it is grounded in 
the Secretary's general rulemaking authority for the confidentiality of 
SUD patient records under 42 U.S.C. 290dd-2(g) and is necessary to 
operationalize subpart E, particularly in the context of other health 
care investigations. For example, investigative agencies may 
inadvertently obtain records from part 2 programs in the course of 
their investigations under other laws such as Medicaid fraud 
regulations, Drug Enforcement Administration (DEA) regulations, and 
HIPAA, where the applicability of part 2 (and the court order 
requirement for program investigations) is not obvious. The safe harbor 
provision facilitates a pathway to conduct the investigation under the 
amended part 2 statute. Contrary to some views expressed by commenters, 
it may be inappropriate for an investigative agency to directly discuss 
with or contact the provider about whether part 2 applies because this 
could apprise them of an investigation or potential use of an informant 
under subpart E. In contrast, reliance on a publicly available 
directory, a HIPAA NPP, or Patient Notice offers neutral sources to 
alert agencies to the potential applicability of part 2.
Comment
    A health care system commented that an investigative agency should 
have ample and sufficient notice that it may receive or come into 
contact with SUD records in the course of investigating or prosecuting 
a part 2 program. However, depending on the requirements or standards 
to be met, the commenter stated that it may be more expedient for an 
investigating agency to rely on the safe harbor after it comes into 
contact with part 2 records. As a result, investigative agencies might 
intentionally bypass the requirement to obtain consent or a court order 
and decide instead to avail themselves of the safe harbor after 
disclosure. In addition, the commenter asserted that the good faith 
standard could easily become diluted and might permit an investigator 
to hide behind the safe harbor when their conduct is the result of 
ignorance or an error in judgment. The commenter also expressed concern 
that the good faith standard would allow for a spectrum of 
interpretations and different courts may apply the standard 
differently, leading to inconsistent results; as such, it would be 
important for the Department to audit and monitor the use of the safe 
harbor to ensure it is being used appropriately.
    An individual commenter asserted that expanding the reach of the 
CARES Act \102\ to create safe harbors for the criminal justice 
communities for violations of part 2 is beyond the intent of Congress, 
noting that the CARES Act does not require the creation of a limitation 
on civil or criminal liability for persons acting on behalf of 
investigative agencies if they unknowingly receive part 2 records. This 
commenter expressed concern that creating a limitation on civil or 
criminal liability under Sec.  2.3 of 42 CFR part 2 or a good faith 
exception under the proposed new paragraph under Sec.  2.66(a)(3) of 42 
CFR part 2 would ``encourage lax investigative actions on the part of 
an investigative agency.'' The commenter believed that investigative 
agencies should continue to be required to seek an authorization from a 
court to use or disclose any records implicated by part 2 protections 
because admonishing an investigative agency to cease using or 
disclosing part 2 records after the fact would in practice give the 
investigative agency license to screen and review part 2 records. This 
commenter also said that the good faith standard of Sec.  2.66(a)(3) 
would offer investigative agencies an ``excuse'' to receive and review 
part 2 records. This commenter also asserted that Sec. Sec.  2.3 and 
2.66(a)(3) and (b) should be eliminated from the final rule as not 
required by the CARES Act and inconsistent with the confidentiality of 
a patient relying on part 2 protections of their records in seeking or 
receiving SUD treatment.
---------------------------------------------------------------------------

    \102\ See sec. 3221(i)(1) of the CARES Act.
---------------------------------------------------------------------------

    Another commenter argued that the limitation of liability would not 
negatively affect a patient's access to SUD treatment but might 
``influence the investigative agency to be cavalier in obtaining the 
appropriate [consent or court order] if they are aware that its 
liability will be limited.'' This commenter further opined that the 
annual reporting to the Secretary could serve as an important way to 
audit the use of the safe harbor, and that this protection, the 
limitation of liability, may support an investigative agency's ability 
to investigate a program, which could increase the quality of care.
Response
    We believe that some commenters misunderstand the process of 
investigating a health care provider and we disagree that an 
investigator would always know before seeking records that a provider 
is subject to part 2. In many instances, an investigation is focused on 
the use of public money such as Medicaid or Medicare claims and 
reimbursement, and the focus is not on whether a provider is treating 
SUDs. Regarding the good faith standard, as we explain below, we believe 
the phrase is generally understood to mean acting consistent with both 
the text and intent of the statute and part 2 regulations.
    We believe that the operation of this provision is clear in the 
event a finding of good faith is not met. First, a lack of good faith 
could result in the imposition of HIPAA/HITECH Act penalties under 42 
U.S.C. 290dd-2, as amended, if investigators are found to have acted in 
bad faith in obtaining the part 2 records. Second, in Sec. Sec.  2.66 
and 2.67, a finding of good faith is necessary to trigger the ability 
of the agency to apply for a court order to use records that were 
previously obtained.
    We also disagree that this provision will encourage lax 
investigative actions or prompt agencies to ``game'' the regulations to 
improperly obtain

[[Page 12489]]

records. First, the manner in which agencies obtain records will be 
considered by a court as part of the court order process. Second, while 
the safe harbor operates as a limitation on civil and criminal 
liability under 42 U.S.C. 290dd-2(f), it does not provide absolute 
immunity under Federal or state law should an agency or person 
knowingly obtain records improperly or under false pretenses. For 
example, it would be improper to knowingly obtain records without 
following the required procedures for the type of request, or under 
false pretenses.
    We agree with the sentiment that the reporting requirement in Sec.  
2.68 will serve as a useful tool to help monitor the appropriateness of 
investigative agencies' reliance on the regulatory safe harbor. We also 
appreciate the view that facilitating appropriate investigations will 
play an important role in ensuring the quality of care delivered by 
part 2 programs.
Comment
    An SUD provider said that this safe harbor essentially could 
establish a loophole for investigative agencies to obtain part 2 
records without following part 2 requirements, and thus adversely 
affect patient privacy. This commenter believed that the proposed rule 
attempted to justify the safe harbor by addressing the increased 
liability due to added penalties for violations of part 2, the need to 
prosecute bad actors, and public safety. However, this justification 
was misplaced, according to this commenter, and the safe harbor might 
only reduce important protections that limit investigative agencies' 
ability to obtain protected records. By replacing the required elements 
in place to protect the privacy of patients with a loosely defined 
reasonable diligence standard, the proposed rule would only increase 
the chances of investigative agencies unknowingly receiving part 2 
records, according to this commenter. The proposed reasonable diligence 
standard provides investigative agencies with two options to determine 
whether part 2 applies to a provider, both of which the commenter views 
as insufficient. Ultimately, these proposed reasonable diligence standards 
can be easily bypassed as a way to obtain records without the requisite 
requirements. The organization expressed the belief that if a 
reasonable diligence standard remains in place, the Department should 
impose more stringent requirements under this standard, such as 
obtaining a copy of a provider's HIPAA NPP to determine part 2 
applicability or a comparable requirement.
Response
    We acknowledge this commenter's concerns. As noted in this final 
rule at Sec.  2.3, we are revising the proposed ``reasonable 
diligence'' standard to mean taking all of the following actions: 
searching for the practice or provider among the SUD treatment 
facilities in SAMHSA's online treatment locator; searching in a similar 
state database of treatment facilities where available; checking a 
practice or program's website, where available, or its physical 
location; viewing the entity's Patient Notice or HIPAA NPP if it is 
available; and taking all these steps within no more than 60 days 
before requesting records or placing an undercover agent or informant. 
We are requiring these reasonable diligence steps to be taken in 
response to commenters' concerns about the effects of the safe harbor 
on patient privacy and their specific recommendations for strengthening 
those steps. Importantly, an investigative agency could be subject to 
penalties under the CARES Act enforcement provisions if it does not 
take all of the steps in the required time frame as necessary to 
qualify for the protection afforded by the safe harbor. Finally, as 
discussed above, the reporting requirement to the Secretary will play 
an important role in ensuring transparency. After this rule is 
finalized, the Department intends to make use of such reports to 
monitor compliance with these requirements and work to educate 
patients, providers, investigative agencies and others about these 
provisions.
Comment
    An individual commenter expressed concern about what they 
characterized as a broad swath of potential agencies that conduct 
activities covered by the term ``investigation.'' The commenter opined 
that the types of agencies that conduct investigations are broad and 
many have repeatedly demonstrated their lack of prioritization of 
patient privacy and personal rights. The commenter believed that the 
Department outlines reasonable minimums including access controls, 
requesting and maintaining the minimum data required, and taking the 
most basic steps to determine if staff should or could access patient 
data before doing so, as well as obtaining the legally required 
permissions to lawfully receive such data. However, inability to follow 
these most basic guidelines does not support reducing liability, the 
commenter asserted, suggesting that the reasonable steps the Department 
describes in Sec.  2.3 should be required for investigatory agencies to 
receive any PHI or part 2 records or to deploy an informant.
    An anonymous commenter alleged that parole officers in their state 
frequently violate part 2 by making notes in an automated system 
redisclosing part 2 information from community providers. Until there 
is a regulatory and investigative agency invested in ensuring strict 
adherence to this regulation, the commenter said the Department should 
not ease up on the restrictions and access to SUD confidential 
information.
Response
    We acknowledge that a broad range of agencies is encompassed within 
the definition of ``investigative agency,'' and they have varying 
degrees of involvement with the provision of health care. The 
prerequisites for accessing part 2 records for audit and evaluation 
differ, intentionally, from the prerequisites for placing an informant 
within a program, although both may involve investigative agency review 
of part 2 records. The requirement to first obtain a court order before 
records are sought in a criminal investigation or prosecution is a much 
higher standard. While the safe harbor operates as a limitation on 
civil and criminal liability for agencies that have acted in good 
faith, it does not provide immunity under Federal or state law should 
an investigative agency knowingly obtain records improperly or under 
false pretenses. Further, this final rule establishes a right to file a 
complaint with the Secretary for violations of part 2 by, among others, 
lawful holders.
Comment
    A medical professional association encouraged extending safe harbor 
protections to part 2 programs, providers, business associates, and 
covered entities acting in good faith for at least 34 months following 
the 60-day effective date period (36 total months). According to the 
commenter, this protection is essential to encourage providers to hold 
themselves out as SUD providers and other entities to support part 2 
programs, which will be especially important as the health care system 
implements these new regulations. However, the commenter opposed the 
proposed safe harbor for investigative agencies as written. 
According to this commenter, as written the proposed safe harbor could 
reduce access to care if part 2 programs or providers feel more at risk 
for acting in good faith than the investigative agencies that do not 
provide patient care.

[[Page 12490]]

Response
    As discussed in the proposed rule, the effective date of a final 
rule will be 60 days after publication and the compliance date will be 
24 months after the publication date. The Department acknowledges 
concerns about compliance and may provide additional guidance after the 
rule is finalized. We acknowledge requests by commenters to extend the 
safe harbor beyond investigative agencies to covered entities, health 
plans, HIEs/HINs, part 2 programs, APCDs, and others. However, we 
decline to make these requested changes because Sec.  2.3 is 
specifically intended to operate in tandem with Sec. Sec.  2.66 and 
2.67 when investigative agencies unknowingly obtain part 2 records in 
the course of investigating or prosecuting a part 2 program and, as a 
result, fail to obtain the required court order in advance. We also 
believe that covered entities and business associates that are likely 
to receive part 2 records are routinely engaged in health care 
activities and are more likely to be aware when they are receiving such 
records.
Comment
    A health IT vendor addressed our request for comment on whether to 
expand the limitation on civil or criminal liability for persons acting 
on behalf of investigative agencies to other entities. The commenter 
requested clarification on how the Department defines ``unknowingly'' 
when considering whether a safe harbor should be created for SUD 
providers that unknowingly hold part 2 records and unknowingly disclose 
them in violation of part 2.
Response
    We have not developed a formal definition of ``unknowingly;'' 
however, the safe harbor for investigative agencies addresses 
situations where the recipient is unaware that records they have 
obtained contain information subject to part 2 although the agency 
first exercised reasonable diligence to determine if the disclosing 
entity was a part 2 program. The reasonable diligence expected of an 
SUD provider would be different in nature because such a provider 
uniquely possesses the information necessary to evaluate whether it is 
subject to this part, and consequently whether any patient records it 
creates are also subject to this part. We think it is more likely that 
the ``unknowing'' situation could occur when an entity other than a 
part 2 program receives records without the Notice to Accompany 
Disclosure and rediscloses them in violation of this part because it is 
unaware that it possesses part 2 records. As we stated in the NPRM, we 
believe this scenario is addressed by the HITECH penalty tiers, so we 
are not expanding the safe harbor to other entities. Covered entities 
and business associates that are likely to receive part 2 records are 
routinely engaged in health care activities and are more likely to be 
aware that they are receiving such records. Further, the HITECH penalty 
tiers were designed to address privacy violations by covered entities 
and business associates.
Comment
    Many commenters argued that the proposed safe harbor provisions 
should apply to entities beyond investigative agencies. The commenters 
included a medical association, a state Medicaid agency, a managed care 
organization, health care providers, HIEs, a state HIE association, and 
other professional and trade associations. The range of entities for 
which a safe harbor was recommended include the following: non-
investigative agencies; covered entities; business associates; other 
SUD providers, facilities, and other providers generally who act in 
good faith and use reasonable diligence to determine whether records 
received/maintained are covered by part 2; health plans based on good 
faith redisclosures that comply with the HIPAA Privacy rule but not 
with the part 2 Rule; HIEs; SUD providers that are unaware of their 
practice designation as a part 2 provider; state Medicaid agency 
administering the Medicaid program; all payer claims databases (APCDs); 
part 2 programs; and lawful holders who, in good faith, unknowingly 
receive part 2 records and then unintentionally violate part 2 with 
respect to those records.
    A county government argued that amending Sec.  2.3 to contain a 
safe harbor provision for providers would better serve the policy goals 
of protecting patient privacy, while recognizing that health systems 
are moving toward integrating substance use treatment with other health 
conditions and behavioral health needs. Many part 2 programs provide 
integrated substance use and mental health treatment, and include 
providers who provide both mental health and substance use treatment or 
work in collaboration with mental health treatment providers. In these 
``dual diagnosis'' programs, mental health providers may over time 
unknowingly generate and/or receive and possess records subject to part 
2.
    Another commenter, a professional association, urged that such a 
safe harbor should remain in place until such time as there is an 
operationally viable means of providing the Notice to Accompany 
Disclosures of part 2 records in Sec.  2.32. It should apply to HIPAA 
entities only if and to the extent that HHS does not, in the final 
rule, permit these entities to integrate these records with their 
existing patient records and treat the data as PHI which, the 
association asserted, is the best approach from both patient care and 
operational perspectives.
Response
    We acknowledge requests by commenters to extend the safe harbor 
beyond investigative agencies to covered entities, health plans, HIEs/
HINs, part 2 programs, APCDs, and others. However, we decline to make 
these requested changes because Sec.  2.3 is specifically intended to 
operate in tandem with Sec. Sec.  2.66 and 2.67 when investigative 
agencies unknowingly obtain part 2 records in the course of 
investigating or prosecuting a part 2 program and, as a result, fail to 
obtain the required court order in advance. By contrast, Sec. Sec.  
2.12, 2.31, and 2.32, including the requirement in this final rule that 
each disclosure made with the patient's written consent must be 
accompanied by a notice and a copy of the consent or a clear 
explanation of the scope of the consent, should be sufficient to inform 
recipients of part 2 records of the applicability of part 2 in 
circumstances that do not involve investigations or use of informants.
    SUD providers, in particular, are obligated to know whether they 
are subject to part 2. In the event of an enforcement action against a 
lawful holder that involves an unknowing receipt or disclosure of part 
2 records despite the lawful holder having exercised reasonable 
diligence, the Department will consider the facts and circumstances and 
make a determination as to whether the disclosure of part 2 records 
warrants an enforcement action against the lawful holder. This would 
include considering application of the ``did not know'' culpability 
tier for such violations.\103\
---------------------------------------------------------------------------

    \103\ See 45 CFR 160.404(b)(2)(i) (the entity ``did not know 
and, by exercising reasonable diligence, would not have known that 
[they] violated such provision[.]''). See also Social Security Act, 
sections 1176 and 1177.
---------------------------------------------------------------------------

Comment
    A health information management association remarked that covered 
entities, lawful holders, and other recipients of SUD PHI are obligated 
to be aware of what information is being disclosed prior to disclosing 
it. Law enforcement requests for information

[[Page 12491]]

should be clear to prevent inadvertent disclosures. According to the 
commenter, a court order, subpoena, or patient ``authorization'' should 
be necessary before obtaining SUD information. Under 45 CFR 164.512(e), 
the criteria required for a valid court order and/or subpoena protect 
the SUD PHI. Disclosing SUD information before the correct protections are 
in place could result in the SUD information becoming discoverable 
through the Freedom of Information Act (FOIA).\104\ In addition, once 
the information is disclosed the recipients cannot unsee or unknow the 
information, nor are mechanisms in place to properly return or destroy 
the information.
---------------------------------------------------------------------------

    \104\ Public Law 89-487, 80 Stat. 250 (July 4, 1966) (originally 
codified at 5 U.S.C. 1002; codified at 5 U.S.C. 552).
---------------------------------------------------------------------------

Response
    Part 2, subpart E, requirements are distinct from the HIPAA Privacy 
Rule requirements at 45 CFR 164.512(e). We agree that it is important 
to engage with patients and patient organizations to ensure part 2 
continues to bolster patient privacy and access to SUD treatment. 
SAMHSA provides funding to support the Center of Excellence for 
Protected Health Information Related to Behavioral Health \105\ which 
does not provide legal advice but can help answer questions from 
providers and family members about HIPAA, part 2, and other behavioral 
health privacy requirements. The required report to the Secretary in 
Sec.  2.68 will help the Department monitor investigations and 
prosecutions involving part 2 records. While in theory FOIA or similar 
state laws could apply to mistakenly released information, FOIA 
includes several exemptions and exclusions that could apply to withhold 
information from release in response to a request for such information, 
including FOIA Exemptions 3 (requires the withholding of information 
prohibited from disclosure by another Federal statute), 6 (protects 
certain information about an individual when disclosure would 
constitute a clearly unwarranted invasion of personal privacy), and 7 
(protects certain records or information compiled for law enforcement 
purposes).\106\ State health privacy laws or freedom of information 
laws may contain similar exemptions.\107\
---------------------------------------------------------------------------

    \105\ See The Ctr. of Excellence for Protected Health Info., 
``About COE PHI,'' <a href="https://coephi.org/about-coe-phi/">https://coephi.org/about-coe-phi/</a>.
    \106\ 5 U.S.C. 552(b)(3), (b)(6) & (b)(7).
    \107\ See, e.g., National Freedom of Info. Coal., ``State 
Freedom of Information Laws,'' <a href="https://www.nfoic.org/state-freedom-of-information-laws/">https://www.nfoic.org/state-freedom-of-information-laws/</a> and Seyfarth Shaw LLP, ``50-State Survey of 
Health Care Information Privacy Laws'' (July 15, 2021), <a href="https://www.seyfarth.com/news-insights/50-state-survey-of-health-care-information-privacy-laws.html">https://www.seyfarth.com/news-insights/50-state-survey-of-health-care-information-privacy-laws.html</a>.
---------------------------------------------------------------------------

Final Rule
    We are finalizing Sec.  2.3(b) with the additional modifications 
discussed above in response to public comments and reorganizing for 
clarity. This final rule strengthens the safe harbor's proposed 
reasonable diligence requirements in response to public comments that 
the proposed steps would be insufficient and provides that all of the 
specified actions must be initiated for the limitation on liability to 
apply. We clarify here that if any of the actions taken results in 
knowledge that a program or person holding records is subject to part 
2, no further steps are required to further confirm that the program or 
person holding records is subject to part 2.
Section 2.3(c) Applying the HIPAA Enforcement Rule to Part 2 Violations
Proposed Rule
    Proposed Sec.  2.3(c) stated that the HIPAA Enforcement Rule shall 
apply to violations of part 2 in the same manner as they apply to 
covered entities and business associates for violations of part C of 
title XI of the Social Security Act and its implementing regulations 
with respect to PHI.\108\ \109\
---------------------------------------------------------------------------

    \108\ See 45 CFR part 160, subpart C (Compliance and 
Investigations), D (Imposition of Civil Money Penalties), and E 
(Procedures for Hearings). See also sec. 13410 of the HITECH Act 
(codified at 42 U.S.C. 17929).
    \109\ This proposal would implement the required statutory 
framework establishing that civil and criminal penalties apply to 
violations of this part, as the Secretary exercises only civil 
enforcement authority. The DOJ has authority to impose criminal 
penalties where applicable. See 68 FR 18895, 18896 (Apr. 17, 2003).
---------------------------------------------------------------------------

Comment
    A state agency stated its view that if Sec.  2.3(c) applies the 
various sanctions of HIPAA to part 2 programs regardless of whether the 
program is a HIPAA covered entity or business associate, the need to 
retain QSOs for part 2 programs that are not covered entities seems to 
be eliminated.
Response
    We disagree that including this section obviates the need for QSOs, 
which we discuss below in Sec.  2.11.
Final Rule
    We are finalizing Sec.  2.3(c) with modifications changing 
references to ``violations'' to ``noncompliance.'' This minor change 
recognizes that the provisions of the HIPAA Enforcement Rule address 
not only penalties based on formal findings of violations but also many 
other aspects of the enforcement process, including procedures for 
receiving complaints and conducting investigations into alleged or 
potential noncompliance, which could result in informal resolution 
without a formal finding of a violation.
Section 2.4--Complaints of Noncompliance
Proposed Rule
    The Department proposed to change the existing language of 
paragraphs (a) and (b) of Sec.  2.4 which provide that reports of 
violations of the part 2 regulations may be directed to the U.S. 
Attorney for the judicial district in which the violation occurs and 
reports of any violation by an OTP may be directed to the U.S. Attorney 
and also to SAMHSA. Section 290dd-2(f) of 42 U.S.C., as amended by 
section 3221(f) of the CARES Act, grants civil enforcement authority to 
the Department, which currently exercises its HIPAA enforcement 
authority under section 1176 of the Social Security Act in accordance 
with the HIPAA Enforcement Rule. To implement these changes, the 
Department proposed to re-title the heading to this section by 
replacing ``Reports of violations'' with ``Complaints of 
noncompliance,'' and to replace the existing provisions about directing 
reports of part 2 violations to the U.S. Attorney's Office and to 
SAMHSA with provisions about directing complaints of potential 
violations to a part 2 program. The Department noted that SAMHSA 
continues to oversee OTP accreditation and certification and therefore 
may receive reports of alleged violations by OTPs of Federal opioid 
treatment standards, including privacy and confidentiality 
requirements.
    The Department proposed to add Sec.  2.4(a) to require a part 2 
program to have a process to receive complaints concerning a program's 
compliance with the part 2 regulations. Proposed Sec.  2.4(b) provided 
that a part 2 program may not intimidate, threaten, coerce, 
discriminate against, or take other retaliatory action against any 
patient for the exercise of any right established, or for participation 
in any process provided for in part 2, including the filing of a 
complaint. The Department also proposed to add Sec.  2.4(c) to prohibit 
a part 2 program from requiring patients to waive their right to file a 
complaint as a condition of the provision of treatment, payment, 
enrollment, or eligibility for any program subject to part 2.

[[Page 12492]]

Comment
    Commenters generally supported the Department's proposal to 
establish a complaint process under Sec.  2.4 that aligns with HIPAA 
and ensures part 2 programs would not retaliate against patients who 
filed a complaint or condition treatment or receipt of services on a 
patient's waiving any rights to file a complaint. Commenters advocated 
for part 2 patients being protected against potential discrimination, 
such as job loss, that may occur following improper disclosures of 
their treatment records. They further suggested that this provision 
aligns with the HIPAA Privacy Rule and thus will help to reduce 
administrative burdens. For example, covered entities can use their 
existing Privacy Offices and processes to oversee both part 2 and HIPAA 
compliance. Commenters also believed that application of the HIPAA 
Breach Notification Rule and the HIPAA Enforcement Rule will further 
help to protect part 2 patients. Additionally, commenters supported the 
inclusion of business associates and covered entities within the scope 
of this section.
Response
    We appreciate the comments on the proposed changes to align part 2 
with HIPAA Privacy Rule provisions concerning complaints. Patients with 
SUD continue to experience the effects of stigma and discrimination, 
one reason why privacy protections as established in this regulation 
remain important.\110\ We agree that aligning part 2 and HIPAA 
requirements may reduce administrative burdens.
---------------------------------------------------------------------------

    \110\ See, e.g., Lars Garpenhag, Disa Dahlman, ``Perceived 
healthcare stigma among patients in opioid substitution treatment: a 
qualitative study,'' Substance Abuse Treatment, Prevention, and 
Policy (Oct. 26, 2021), <a href="https://pubmed.ncbi.nlm.nih.gov/34702338/">https://pubmed.ncbi.nlm.nih.gov/34702338/</a>; 
Janet Zwick, Hannah Appleseth, Stephan Arndt, ``Stigma: how it 
affects the substance use disorder patient,'' Substance Abuse 
Treatment, Prevention, and Policy (July 27, 2020), <a href="https://pubmed.ncbi.nlm.nih.gov/32718328/">https://pubmed.ncbi.nlm.nih.gov/32718328/</a>; Richard Bottner, Christopher 
Moriates and Matthew Stefanko, ``Stigma is killing people with 
substance use disorders. Health care providers need to rid 
themselves of it,'' STAT News (Oct. 2, 2020), <a href="https://www.statnews.com/2020/10/02/stigma-is-killing-people-with-substance-use-disorders-health-care-providers-need-to-rid-themselves-of-it/">https://www.statnews.com/2020/10/02/stigma-is-killing-people-with-substance-use-disorders-health-care-providers-need-to-rid-themselves-of-it/</a>.
---------------------------------------------------------------------------

Comment
    One commenter expressed concern about enhanced penalties, which it 
characterized as potentially punitive and best reserved for those who 
fail to exercise due diligence. Such penalties may deter part 2 
programs from sharing part 2 information, this commenter asserted. 
Other commenters similarly noted what they viewed as potential 
deterrent effects of penalties provided for in this regulation on 
information sharing. A commenter urged reduced penalties for 
unintentional disclosures by part 2 programs, as they may require time 
and assistance to comply with these regulations. Another commenter 
urged that clinicians should not be held liable for unintentional 
disclosures of part 2 records by part 2 programs, which may need 
additional time and technical assistance to comply with these updated 
regulations.
    By contrast, another commenter urged strict enforcement of this 
provision including penalties for both negligent and intentional 
breaches. The commenter recommended enforcement by states' attorneys 
general and a private right of action for complainants under part 2 if 
states' attorneys general do not pursue enforcement.
Response
    Existing part 2 language imposes a criminal penalty for 
violations.\111\ Section 3221(f) of the CARES Act (codified at 42 
U.S.C. 290dd-2(f)) requires the Department to apply the provisions of 
sections 1176 and 1177 of the Social Security Act to a part 2 program 
for a violation of 42 CFR part 2 in the same manner as they apply to a 
covered entity for a violation of part C of title XI of the Social 
Security Act. Accordingly, the Department proposed to replace title 18 
U.S.C. criminal enforcement in the current regulation with civil and 
criminal penalties under sections 1176 and 1177 of the Social Security 
Act (42 U.S.C. 1320d-5, 1320d-6), respectively, as implemented in the 
HIPAA Enforcement Rule.\112\ Under the HIPAA Enforcement Rule, criminal 
violations fall within the purview of DOJ. Historically, commenters 
have noted that enforcement of penalties concerning alleged part 2 
violations has been limited.\113\ By aligning part 2 requirements in 
this final rule with current HIPAA provisions, part 2 programs now will 
be subject to an enforcement approach that is consistent with that for 
HIPAA-regulated health care providers, thereby reducing administrative 
burdens for part 2 programs that are also HIPAA-covered entities. As 
some commenters suggested, this will also enable staff within HIPAA and 
part 2-regulated entities to more effectively collaborate given 
additional alignment of part 2 and HIPAA regulatory provisions.
---------------------------------------------------------------------------

    \111\ 42 CFR 2.3 (Criminal penalty for violation).
    \112\ HIPAA Enforcement Rule, 45 CFR part 160, subparts C, D, 
and E.
    \113\ See Kimberly Johnson, ``COVID-19: Isolating the Problems 
in Privacy Protection for Individuals with Substance Use Disorder,'' 
University of Chicago Legal Forum (May 1, 2021), <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3837955">https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3837955</a>; Substance Abuse 
and Mental Health Servs. Admin., ``Substance Abuse Confidentiality 
Regulations; Frequently Asked Questions'' (July 24, 2023), <a href="https://www.samhsa.gov/about-us/who-we-are/laws-regulations/confidentiality-regulations-faqs">https://www.samhsa.gov/about-us/who-we-are/laws-regulations/confidentiality-regulations-faqs</a>.
---------------------------------------------------------------------------

    Therefore, it is unlikely that part 2 programs will experience an 
adverse impact beyond that which in general applies to covered entities 
under HIPAA. As the Department has explained elsewhere, alleged 
unintentional violations are often resolved with covered entities 
through voluntary compliance or corrective action.\114\
---------------------------------------------------------------------------

    \114\ See ``Enforcement Process,'' supra note 99; HIPAA 
Enforcement Rule, 45 CFR part 160, subparts C, D, and E.
---------------------------------------------------------------------------

    Knowing or intentional violations of HIPAA may be referred to DOJ 
for a criminal investigation. As noted in the NPRM, criminal penalties 
may be imposed by DOJ for certain violations under 42 U.S.C. 1320d-6. 
After publication of this final rule, the Department may provide 
additional guidance specific to part 2; however, we anticipate that 
many entities now will be more comfortable appropriately sharing 
information and developing plans to mitigate risks of part 2 and HIPAA 
violations because the HIPAA and part 2 complaint provisions are now 
better aligned.\115\
---------------------------------------------------------------------------

    \115\ See U.S. Dep't of Health and Human Servs., ``Guidance on 
Risk Analysis,'' (July 22, 2019), <a href="https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html">https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html</a>.
---------------------------------------------------------------------------

    Section 1176 of the Social Security Act (codified at 42 U.S.C. 
1320d-5) also provides for enforcement by states' attorneys general in 
the form of a civil action. The reference to this statutory provision 
in Sec.  2.3 encompasses this avenue of enforcement.
    Although the HIPAA and HITECH penalties do not provide a private 
right of action for privacy violations, as discussed elsewhere in this 
preamble, in this final rule we provide a right for a person to file a 
complaint to the Secretary for an alleged violation by a part 2 
program, covered entity, business associate, qualified service 
organization, or other lawful holder of part 2 records. While a person 
may file a complaint to the Secretary, part 2 programs also must 
establish a process for the program to directly receive complaints. The 
right to file a complaint directly with the Secretary for an alleged 
violation is analogous to a similar provision within the HIPAA Privacy 
Rule.\116\ Although

[[Page 12493]]

the right to file a complaint to the Secretary for an alleged violation 
of part 2 was not included in the proposed text of Sec.  2.4, it was 
included in the required statements for the Patient Notice. Adding the 
language to Sec.  2.4 is a logical outgrowth of the NPRM and a response 
to public comments received.
---------------------------------------------------------------------------

    \116\ 45 CFR 160.306.
---------------------------------------------------------------------------

Comment
    One commenter asked for a clarification of what is considered an 
``adverse action'' for the purposes of this section. Other commenters 
requested clarification from the Department that acting on a complaint 
that was held in abeyance after a patient exercises their right to 
withdraw consent would not be viewed as retaliation.
Response
    In the NPRM the Department referred to a prohibition on ``taking 
adverse action against patients who file complaints.'' This prohibition 
is broadly similar to that which exists within HIPAA in 45 CFR 160.316 
and 164.530. The Department has described ``adverse actions'' as those 
that may constitute intimidation or retaliation, such as suspending 
someone's participation in a program.\117\ It is not clear to us what 
the commenter means in asking that taking action on a complaint that 
was held in abeyance after a patient exercises their right to withdraw 
consent not be viewed as retaliation. However, a complaint can be 
withdrawn by the filer.\118\ Health care entities can likewise take 
steps to investigate complaints internally, and OCR has developed tools 
and resources to support HIPAA compliance.\119\
---------------------------------------------------------------------------

    \117\ 70 FR 20224, 20230 (Apr. 18, 2005); 71 FR 8389, 8399 (Feb. 
16, 2006).
    \118\ See U.S. Dep't of Health and Human Servs., ``Enforcement 
Highlights'' (July 6, 2023), <a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html">https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html</a>.
    \119\ See U.S. Dep't of Health and Human Servs., ``HIPAA 
Enforcement'' (July 25, 2017), <a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html">https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html</a>.
---------------------------------------------------------------------------

Comment
    Several commenters, including legal and SUD recovery advocacy 
organizations, urged the Department to include in the final rule 
provisions permitting a patient to complain directly to OCR or the 
Secretary, paralleling provisions in HIPAA. Another commenter asked 
about obligations of entities, such as medical licensing boards and 
physician health programs, and how a patient would report alleged 
violations by those entities.
Response
    In response to public comments, we are adding a new provision to 
Sec.  2.4 in this final rule to permit a person to file a complaint to 
the Secretary for a violation of this part by, among others, a lawful 
holder of part 2 records in the same manner as a person may file a 
complaint under 45 CFR 160.203 for a HIPAA violation. Specifically, we 
provide in Sec.  2.4(b) that ``[a] person may file a complaint to the 
Secretary for a violation of this part by a part 2 program, covered 
entity, business associate, qualified service organization, or other 
lawful holder'' in the same manner as under HIPAA (45 CFR 160.306). By 
making this change, we are aligning part 2 with HIPAA and ensuring an 
adequate mechanism for review and disposition of complaints related to 
alleged part 2 violations. We are also adding a regulatory definition 
of lawful holder in this final rule at Sec.  2.11. The Department will 
provide information about how to file complaints of alleged part 2 
violations before the compliance date for the final rule.
Comment
    A commenter asked whether the state, agency, or disclosing person 
would be penalized for a violation that results in the impermissible 
disclosure of records subject to HIPAA or part 2.
Response
    Whether a party subject to part 2 is held accountable for a 
particular violation will depend on the facts and circumstances of the 
case. The Department has explained elsewhere that it will attempt to 
resolve enforcement actions through voluntary compliance, corrective 
action, and/or a resolution agreement, and we anticipate that applying 
the HIPAA Enforcement Rule framework to part 2 will have similar 
results.\120\ Further, lawful holders are prohibited from using and 
disclosing records in proceedings against a patient absent written 
consent or a court order. In the case of an improper disclosure by a 
part 2 program employee, the part 2 program would likely be provided 
with notice of an investigation and the investigator would review 
whether the program had policies and procedures in place and whether 
those were followed in its handling of the improper disclosure. An 
entity's compliance officer can help ensure breaches are properly 
investigated and reported to the Department,\121\ and has 
responsibilities to develop and implement a compliance plan.
---------------------------------------------------------------------------

    \120\ See ``How OCR Enforces the HIPAA Privacy & Security 
Rules,'' supra note 97.
    \121\ See ``What are the Duties of a HIPAA Compliance Officer?'' 
The HIPAA Journal, <a href="https://www.hipaajournal.com/duties-of-a-hipaa-compliance-officer/">https://www.hipaajournal.com/duties-of-a-hipaa-compliance-officer/</a>; U.S. Dep't of Health and Human Servs., ``The 
HIPAA Privacy Rule'', <a href="https://www.hhs.gov/hipaa/for-professionals/privacy/index.html">https://www.hhs.gov/hipaa/for-professionals/privacy/index.html</a>; U.S. Dep't of Health and Human Servs., 
``Submitting Notice of a Breach to the Secretary'' (Feb. 27, 2023), 
<a href="https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html">https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html</a>; U.S. Dep't of Health and Human Servs., 
``Training Materials'', <a href="https://www.hhs.gov/hipaa/for-professionals/training/index.html">https://www.hhs.gov/hipaa/for-professionals/training/index.html</a>.
---------------------------------------------------------------------------

Comment
    A commenter asked for clarification that penalties would not be 
concurrently imposed under both HIPAA and part 2 for the same alleged 
violation(s).
Response
    HIPAA and part 2 regulations stem from different statutory 
authorities and are different compliance regulations. With the CARES 
Act, Congress replaced the previous criminal penalties established for 
part 2 violations with a civil and criminal penalty structure imported 
from HITECH. Nothing in the CARES Act states that an entity that is 
subject to both regulatory schemes shall be subject to only one 
regulation or one regulation's penalties. Therefore, an entity 
potentially remains subject to both regulations, including their 
provisions on penalties for violations.
    What penalties could or would be imposed by the Department in a 
particular case, and under which statutes or regulations (HIPAA, 
HITECH, part 2, other regulations), remains a fact-specific inquiry. 
State law provisions also may apply concurrently with some part 2 and 
HIPAA requirements.\122\ Additionally, some aspects of part 2 or HIPAA 
violations may fall within the jurisdiction of other agencies such as 
SAMHSA (which continues to oversee accreditation of OTPs).\123\
---------------------------------------------------------------------------

    \122\ See The Off. of the Nat'l Coordinator for Health Info. 
Tech. (ONC), ``HIPAA versus State Laws'' (Sept. 5, 2017), <a href="https://www.healthit.gov/topic/hipaa-versus-state-laws">https://www.healthit.gov/topic/hipaa-versus-state-laws</a>; Nat'l Ass'n of State 
Mental Health Program Dirs., ``TAC Assessment Working Paper: 2016 
Compilation of State Behavioral Health Patient Treatment Privacy and 
Disclosure Laws and Regulations,'' (2016) <a href="https://www.nasmhpd.org/content/tac-assessment-working-paper-2016-compilation-state-behavioral-health-patient-treatment">https://www.nasmhpd.org/content/tac-assessment-working-paper-2016-compilation-state-behavioral-health-patient-treatment</a>.
    \123\ See Substance Abuse and Mental Health Servs. Admin., 
``Certification of Opioid Treatment Programs (OTPs)'' (July 24, 
2023), <a href="https://www.samhsa.gov/medications-substance-use-disorders/become-accredited-opioid-treatment-program">https://www.samhsa.gov/medications-substance-use-disorders/become-accredited-opioid-treatment-program</a>.
---------------------------------------------------------------------------

Comment
    One commenter noted that some covered entities may not be part 2

[[Page 12494]]

providers and urged HHS to ease the burden on such programs. Another 
urged that business associates be included within the scope of this 
section.
Response
    We provide in Sec.  2.4(b) that ``[a] person may file a complaint 
to the Secretary for a violation of this part by a part 2 program, 
covered entity, business associate, qualified service organization, or 
other lawful holder in the same manner as a person may file a complaint 
under 45 CFR 160.306 for a violation of the administrative 
simplification provisions of the Health Insurance Portability and 
Accountability Act (HIPAA) of 1996.'' Thus, covered entities and 
business associates are included within the scope of this section. The 
compliance burdens for covered entities of receiving part 2 complaints 
can be minimized by using the same process they already have in place 
for receiving HIPAA complaints.
Comment
    Commenters provided their views as to which agency or agencies 
should receive part 2-related complaints. One commenter requested that 
the regulation expressly identify the agency(ies) authorized to receive 
part 2 complaints from patients. The commenter suggested that 
complaints made to part 2 programs by patients can raise conflict of 
interest issues because the program is investigating its own or its 
staff's alleged misconduct. The commenter further urged that the 
regulation identify specific agencies, such as OCR and SAMHSA, and 
state their obligation to investigate complaints received. Other 
commenters urged that OCR, rather than part 2 programs, receive 
complaints, that patients be permitted to complain directly of 
violations to OCR or that the Department clarify the various roles of 
OCR, SAMHSA, and other agencies. One commenter supported part 2 
programs having a process to receive complaints but said these programs 
are understaffed and underfunded so they would need additional 
resources. A health system that is a part 2 program and a covered 
entity also supported part 2 programs developing a process to receive 
complaints. A county health department asked that Sec.  2.4 be amended 
to include specific provisions about how and where patients can file 
their complaints with the HHS Secretary and the roles of HHS components 
in receiving and investigating complaints.
Response
    In response to public comments, and as provided in the HIPAA 
regulations, we are finalizing an additional modification to Sec.  2.4 
that was not included in this section but was proposed as a required 
statement of rights in the Patient Notice in Sec.  2.22(b)(1)(vi). The 
intent of the enforcement provisions in Sec.  2.4 was to create a 
process that mirrors that for HIPAA violations, but the Department 
inadvertently omitted from its proposed changes to this section an 
express right to complain to the Secretary. Analogous to 45 CFR 
160.306, which permits the submission of complaints to the Secretary 
alleging noncompliance by covered entities with the HIPAA Privacy 
Rule,\124\ we are providing in this final rule a right for a person to 
file a complaint to the Secretary for an alleged violation by a part 2 
program, covered entity, business associate, qualified service 
organization, and other lawful holder of part 2 records. Part 2 
programs also must establish a process for the program to receive 
complaints. A patient is not obliged to report an alleged violation 
either to the Secretary or part 2 program but may report to either or 
both. OCR has explained how HIPAA complaints are investigated, which 
may be instructive, but is not dispositive of how part 2 complaints 
will be handled.\125\ We believe our changes are a logical outgrowth of 
the NPRM which provided an opportunity for public input and we are 
making these changes in response to public comments received. We also 
anticipate releasing information about the specific complaint process 
after publication of this final rule.
---------------------------------------------------------------------------

    \124\ See U.S. Dep't of Health and Human Servs., ``Federal 
Register Notice of Addresses for Submission of HIPAA Health 
Information Privacy Complaints'' (June 8, 2020), <a href="https://www.hhs.gov/guidance/document/federal-register-notice-addresses-submission-hipaa-health-information-privacy-complaints">https://www.hhs.gov/guidance/document/federal-register-notice-addresses-submission-hipaa-health-information-privacy-complaints</a>; U.S. Dep't 
of Health and Human Servs., ``Filing a Complaint'' (Mar. 31, 2020), 
<a href="https://www.hhs.gov/hipaa/filing-a-complaint/index.html">https://www.hhs.gov/hipaa/filing-a-complaint/index.html</a>.
    \125\ See U.S. Dep't of Health and Human Servs., ``How to File a 
Health Information Privacy or Security Complaint'' (Dec. 23, 2022), 
<a href="https://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html">https://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html</a>.
---------------------------------------------------------------------------

Comment
    A commenter urged that the complaint process reflect the needs of 
those with limited English proficiency.
Response
    Part 2 programs should be mindful that Federal civil rights laws 
require certain entities, including recipients of Federal financial 
assistance and public entities, to take appropriate steps. For 
instance, such entities must take steps to ensure that communications 
with individuals with disabilities are as effective as communications 
with others, including by providing appropriate auxiliary aids and 
services where necessary.\126\ In addition, recipients of Federal 
financial assistance must take reasonable steps to ensure meaningful 
access to their programs and activities for individuals with limited 
English proficiency, including through language assistance services 
when necessary.\127\ The Department stated in the 2017 Part 2 Final 
Rule that materials such as consent forms ``should be written clearly 
so that the patient can easily understand the form.'' \128\ The 
Department further stated that it ``encourages part 2 programs to be 
sensitive to the cultural and linguistic composition of their patient 
population when considering whether the consent form should also be 
provided in a language(s) other than English (e.g., Spanish).'' \129\ 
Consistent with these legal requirements, the Department strongly 
encourages development of Sec.  2.4 materials that are clear and 
reflect the needs of a program's patient population.
---------------------------------------------------------------------------

    \126\ See, e.g., U.S. Dep't of Health and Human Servs., 
``Effective Communication for Persons Who Are Deaf or Hard of 
Hearing'' (June 16, 2017), <a href="https://www.hhs.gov/civil-rights/for-individuals/disability/effective-communication/index.html">https://www.hhs.gov/civil-rights/for-individuals/disability/effective-communication/index.html</a>; U.S. 
Dep't of Health and Human Servs., ``Section 1557: Ensuring Effective 
Communication with and Accessibility for Individuals with 
Disabilities'' (Aug. 25, 2016), <a href="https://www.hhs.gov/civil-rights/for-individuals/section-1557/fs-disability/index.html">https://www.hhs.gov/civil-rights/for-individuals/section-1557/fs-disability/index.html</a>.
    \127\ See U.S. Dep't of Health and Human Servs., ``Guidance to 
Federal Financial Assistance Recipients Regarding Title VI 
Prohibition Against National Origin Discrimination Affecting Limited 
English Proficient Persons'' (July 26, 2013), <a href="https://www.hhs.gov/civil-rights/for-individuals/special-topics/limited-english-proficiency/guidance-federal-financial-assistance-recipients-title-vi/index.html">https://www.hhs.gov/civil-rights/for-individuals/special-topics/limited-english-proficiency/guidance-federal-financial-assistance-recipients-title-vi/index.html</a>; U.S. Dep't of Health and Human Servs., ``Section 
1557: Ensuring Meaningful Access for Individuals with Limited 
English Proficiency'' (Aug. 25, 2016), <a href="https://www.hhs.gov/civil-rights/for-individuals/section-1557/fs-limited-english-proficiency/index.html">https://www.hhs.gov/civil-rights/for-individuals/section-1557/fs-limited-english-proficiency/index.html</a>.
    \128\ 82 FR 6052, 6077.
    \129\ Id.
---------------------------------------------------------------------------

Comment
    Another commenter remarked that some covered entities may need 
technical assistance from the Department to establish complaint 
processes under this section.
Response
    The Department has existing materials to support compliance with 
HIPAA and part 2.\130\ SAMHSA supports a Center of Excellence for 
Protected Health Information Related to Behavioral Health that may 
provide educational

[[Page 12495]]

materials and technical assistance to providers, patients, family 
members, and others.\131\ The Department will consider what additional 
guidance, technical assistance, and engagement on these issues may be 
helpful for covered entities and the public after this regulation is 
finalized.
---------------------------------------------------------------------------

    \130\ See ``How OCR Enforces the HIPAA Privacy & Security 
Rules,'' supra note 97; ``Substance Abuse Confidentiality 
Regulations; Frequently Asked Questions,'' supra note 113.
    \131\ See ``About COE PHI,'' supra note 105.
---------------------------------------------------------------------------

Comment
    Other commenters emphasized that the Department may need additional 
funding and staff adequate to receive and investigate complaints and 
enforce these provisions. Another commenter similarly suggested that 
part 2 programs may need more resources to develop a complaint process, 
describing this as a ``substantial burden'' given part 2 program staff 
and funding challenges.
Response
    With respect to the burden on programs to develop a complaint 
process, we believe that the two-year compliance timeline will provide 
programs with sufficient time to plan for complaint management. We have 
accounted for the burden associated with complaints in the RIA. The 
Department has requested that Congress provide additional funding to 
support part 2 compliance, enforcement, and other activities.\132\ OCR, 
SAMHSA, CMS, and the Office of the National Coordinator for Health 
Information Technology (ONC) have and will continue to collaborate to 
support EHRs and health IT within the behavioral health space.\133\
---------------------------------------------------------------------------

    \132\ See U.S. Dep't of Health and Human Servs., ``Department of 
Health and Human Services, Fiscal Year 2024,'' FY 2024 Budget 
Justification, General Department Management, Office for Civil 
Rights, at 255, <a href="https://www.hhs.gov/sites/default/files/fy-2024-gdm-cj.pdf">https://www.hhs.gov/sites/default/files/fy-2024-gdm-cj.pdf</a>.
    \133\ Id. See also, The Off. of the Nat'l Coordinator for Health 
Info. Tech. (ONC), ``Behavioral Health,'' <a href="https://www.healthit.gov/topic/behavioral-health">https://www.healthit.gov/topic/behavioral-health</a>.
---------------------------------------------------------------------------

Comment
    Another commenter believed that programs may need time and support 
to adapt their information technology and EHRs, and urged SAMHSA to 
work with ONC to support such efforts.
Response
    The Department has estimated the cost to the Department to 
implement this final rule and enforce part 2 and has included that in 
the RIA. It has also requested additional funding to support 
compliance, enforcement, and other activities.\134\ The number of part 
2 programs in relation to HIPAA covered entities and business 
associates is very small, so the costs will not rise to the same level 
as for HIPAA implementation efforts. OCR, SAMHSA, CMS, and ONC have 
collaborated and will continue to collaborate to support EHRs and 
health IT within the behavioral health space.\135\
---------------------------------------------------------------------------

    \134\ See ``Department of Health and Human Services, Fiscal Year 
2024,'' supra note 132.
    \135\ See ``Behavioral Health,'' supra note 133.
---------------------------------------------------------------------------

Final Rule
    We are finalizing this section as proposed in the NPRM and further 
modifying it by adding a new paragraph that provides a patient right to 
file a complaint directly with the Secretary for violations of part 2 
by programs, covered entities, business associates, qualified service 
organizations, and other lawful holders.
    As noted in the NPRM, these changes to Sec.  2.4 will align part 2 
with HIPAA Privacy Rule provisions concerning complaints. Section 
2.4(a) is consistent with the administrative requirements in 45 CFR 
164.530(d) (Standard: Complaints to the covered entity). Proposed Sec.  
2.4(c) would align with the HIPAA Privacy Rule provision at 45 CFR 
164.530(g) (Standard: Refraining from intimidating or retaliatory 
acts). The proposed Sec.  2.4(d) would be consistent with the HIPAA 
Privacy Rule provision at 45 CFR 164.530(h) (Standard: Waiver of 
rights). Thus, part 2 programs that are also covered entities already 
have these administrative requirements in place, but programs that are 
not covered entities would need to adopt new policies and procedures.
Section 2.11--Definitions
Proposed Rule
    Section 2.11 includes definitions for key regulatory terms in 42 
CFR part 2. The Department proposed to add thirteen defined regulatory 
terms and modify the definitions of ten existing terms. Nine of the new 
regulatory definitions proposed for incorporation into part 2 were 
required by section 3221(d) of the CARES Act: ``Breach,'' ``Business 
associate,'' ``Covered entity,'' ``Health care operations,'' ``HIPAA 
regulations,'' ``Payment,'' ``Public health authority,'' ``Treatment,'' 
and ``Unsecured protected health information.'' In each case, 42 U.S.C. 
290dd-2(k), as amended by section 3221(d), requires that each term 
``has the same meaning given such term for purposes of the HIPAA 
regulations.'' \136\
---------------------------------------------------------------------------

    \136\ Section 3221(k) para. 5 incorporates the term HIPAA 
regulations and reads: ``The term `HIPAA regulations' has the same 
meaning given such term for purposes of parts 160 and 164 of title 
45, Code of Federal Regulations.''
---------------------------------------------------------------------------

    Other proposed new or modified definitions included: ``Informant,'' 
``Intermediary,'' ``Investigative agency,'' ``Part 2 program 
director,'' ``Patient,'' ``Person,'' ``Program,'' ``Qualified service 
organization,'' ``Records,'' ``Third-party payer,'' ``Treating provider 
relationship,'' ``Unsecured record,'' and ``Use.'' Some of these terms 
and definitions were proposed by referencing existing HIPAA regulatory 
terms in 45 CFR parts 160 and 164, in part based on changes required 
by the CARES Act. We also proposed changes for clarity and 
consistency in usage between the HIPAA and part 2 regulations and to 
operationalize other changes proposed in the NPRM.
    In addition, the Department discussed three definitions--for 
``Lawful holder,'' ``Personal representative,'' and ``SUD counseling 
notes''--in requests for comments. The Department proposed each 
definition because it believed the definitions improve alignment of 
this regulation with HIPAA and support implementation efforts.
    Further, we are finalizing a modified definition of ``Patient 
identifying information'' as an outgrowth of changes to the standard 
for de-identification of records in Sec. Sec.  2.16, 2.52, and 2.54 
that are being finalized in response to comments in the NPRM.
General Comment
    Several commenters, including large provider organizations, health 
systems, and an employee benefits association, expressed general 
support for the Department's approach to aligning the definitions for 
terms that would appear in both HIPAA and part 2. One large provider 
organization specifically commented that alignment of definitions 
within HIPAA and part 2 would reduce administrative burden for covered 
entities and part 2 providers by eliminating inconsistent terminology, 
duplicative policies (including overlapping workforce training 
requirements), and regulatory risk due to misinterpretation. An 
academic medical center recommended that the Department compare and 
incorporate any HIPAA definitions, in their entirety, as applicable to 
part 2 programs that are also HIPAA covered entities.
General Response
    We appreciate the comments. The Department undertook a careful 
analysis of definitions that, if incorporated, would result in the 
further alignment of this regulation with HIPAA, or that are required 
to operationalize required amendments to the regulations. Responses to 
specific comments about each proposed definition are discussed below.

[[Page 12496]]

Breach
    Section 290dd-2(k), as added by the CARES Act, required the 
Department to adopt the term ``breach'' in part 2 by reference to the 
definition in 45 CFR 164.402 of the HIPAA Breach Notification Rule. 
HIPAA defines ``breach'' as ``the acquisition, access, use, or 
disclosure of protected health information in a manner not permitted 
under subpart E which compromises the security or privacy of the 
protected health information.'' HIPAA also describes the circumstances 
that are considered a ``breach'' and explains that a breach is presumed 
to have occurred when an ``acquisition, access, use, or disclosure'' of 
PHI occurs in a manner not permitted under the HIPAA Privacy Rule 
unless a risk assessment shows a low probability that health 
information has been compromised.\137\ To implement section 290dd-2(j) 
added by section 3221(h) of the CARES Act, which requires notification 
in case of a breach of part 2 records, we reference and incorporate the 
HIPAA breach notification provisions.
---------------------------------------------------------------------------

    \137\ U.S. Dep't of Health and Human Servs., ``Breach 
Notification Rule'' (July 26, 2013), <a href="https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html">https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html</a>.
---------------------------------------------------------------------------

Comment
    One legal services commenter requested clarification on the term 
``breach'' and suggested that the Department amend the definition to 
expressly refer to the misuse of records in a manner not permitted 
under 42 CFR part 2 and that compromises the security or privacy of the 
part 2 record, instead of referring to PHI. A medical professionals 
association questioned whether the term ``breach'' could properly be 
applied to lawful holders, but this comment and other comments related 
to the application of breach notification provisions to lawful holders 
are addressed in the description of comments for Sec.  2.16.
Response
    We understand the request to expressly refer to part 2 records 
instead of PHI, but as explained above, we are applying the statutory 
definition that adopts the definition of ``breach'' in this regulation 
by reference to the HIPAA provision. We believe the discussion above 
makes clear that the definition should be applied to records under part 
2 instead of PHI under HIPAA, and we further clarify that breach 
includes use and disclosure of part 2 records in a manner that is not 
permitted by part 2.
Final Rule
    The final rule adopts the proposed definition of ``breach'' without 
modification.
Business Associate
    Consistent with 42 U.S.C. 290dd-2(k), the Department proposed to 
adopt the same meaning of ``business associate'' as is used in the 
HIPAA regulations by incorporating the HIPAA definition codified at 45 
CFR 160.103. Within HIPAA, a ``business associate'' generally describes 
a person who, for or on behalf of a covered entity and other than a 
workforce member of the covered entity, creates, receives, maintains, 
or transmits PHI for a function or activity regulated by HIPAA, or who 
provides services to the covered entity involving the disclosure of PHI 
from the covered entity or from another business associate of the 
covered entity to the person.\138\
---------------------------------------------------------------------------

    \138\ U.S. Dep't of Health and Human Servs., ``Business 
Associates'' (May 24, 2019), <a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html">https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html</a>.
---------------------------------------------------------------------------

Comment
    The Department received only supportive comments for its proposed 
adoption of the term ``business associate'' into part 2 and the 
proposed definition, as described above. In contrast, many commenters 
expressed concern about the Department's proposal to incorporate 
business associates into the definition of ``Qualified service 
organization'' or how business associates relate to the proposed term 
``Intermediary,'' and those comments are discussed in applicable 
definitional sections below.
Response
    We appreciate the comments.
Final Rule
    The final rule adopts the proposed definition of ``business 
associate'' without modification.
Covered Entity
    Consistent with 42 U.S.C. 290dd-2(k), the Department proposed to 
adopt the same meaning of the term ``Covered entity'' as is used in the 
HIPAA regulations by incorporating the HIPAA definition codified at 45 
CFR 160.103. Within HIPAA a ``covered entity'' means: (1) a health 
plan; (2) a health care clearinghouse; or (3) a health care provider 
who transmits any health information in electronic form in connection 
with a transaction covered by subchapter C of HIPAA, Administrative 
Data Standards and Related Requirements.
Comment
    A large hospital system commented that it supported the inclusion 
of ``health plan'' as part of the definition of ``covered entity'' 
asserting that it would allow for more consistent sharing of 
information with its own health plan and for certain redisclosures of 
part 2 records in alignment with HIPAA.
Response
    The HIPAA definition of ``covered entity'' has long included health 
plans. However, to the extent that the commenter may be referring to 
the narrowed definition of ``third party payer,'' which excludes health 
plans because they are already incorporated within the HIPAA definition 
of covered entities, we agree that the change could have the effec

[…truncated; see source link]
Indexed from Federal Register on February 16, 2024.