(a) Notwithstanding other provisions of this part, including paragraph (b)(2) of this section, patient identifying information may be disclosed by the part 2 program or other lawful holder of part 2 data, for the purpose of conducting scientific research if the individual designated as director or managing director, or individual otherwise vested with authority to act as chief executive officer or their designee makes a determination that the recipient of the patient identifying information:

(1) If a HIPAA-covered entity or business associate, has obtained and documented authorization from the patient, or a waiver or alteration of authorization, consistent with the HIPAA Privacy Rule at 45 CFR 164.508 or 164.512(i), as applicable; or

(2) If subject to the HHS regulations regarding the protection of human subjects (45 CFR part 46), either provides documentation that the researcher is in compliance with the requirements of the HHS regulations, including the requirements related to informed consent or a waiver of consent (45 CFR 46.111 and 46.116) or that the research qualifies for exemption under the HHS regulations (45 CFR 46.101(b) and any successor regulations; or

(3) If both a HIPAA covered entity or business associate and subject to the HHS regulations regarding the protection of human subjects, has met the requirements of paragraphs (a)(1) and (2) of this section; and

(4) If neither a HIPAA covered entity or business associate or subject to the HHS regulations regarding the protection of human subjects, this section does not apply.

(b) Any individual or entity conducting scientific research using patient identifying information obtained under paragraph (a) of this section:

(1) Is fully bound by the regulations in this part and, if necessary, will resist in judicial proceedings any efforts to obtain access to patient records except as permitted by the regulations in this part.

(2) Must not re-disclose patient identifying information except back to the individual or entity from whom that patient identifying information was obtained or as permitted under paragraph (c) of this section.

(3) May include part 2 data in research reports only in aggregate form in which patient identifying information has been rendered non-identifiable such that the information cannot be re-identified and serve as an unauthorized means to identify a patient, directly or indirectly, as having or having had a substance use disorder.

(4) Must maintain and destroy patient identifying information in accordance with the security policies and procedures established under §2.16.

(5) Must retain records in compliance with applicable federal, state, and local record retention laws.

(c) Data linkages—(1) Researchers. Any individual or entity conducting scientific research using patient identifying information obtained under paragraph (a) of this section that requests linkages to data sets from a data repository(-ies) holding patient identifying information must:

(i) Have the request reviewed and approved by an Institutional Review Board (IRB) registered with the Department of Health and Human Services, Office for Human Research Protections in accordance with 45 CFR part 46 to ensure that patient privacy is considered and the need for identifiable data is justified. Upon request, the researcher may be required to provide evidence of the IRB approval of the research project that contains the data linkage component.

(ii) Ensure that patient identifying information obtained under paragraph (a) of this section is not provided to law enforcement agencies or officials.

(2) Data repositories. For purposes of this section, a data repository is fully bound by the provisions of part 2 upon receipt of the patient identifying data and must:

(i) After providing the researcher with the linked data, destroy or delete the linked data from its records, including sanitizing any associated hard copy or electronic media, to render the patient identifying information non-retrievable in a manner consistent with the policies and procedures established under §2.16 Security for records.

(ii) Ensure that patient identifying information obtained under paragraph (a) of this section is not provided to law enforcement agencies or officials.

(2) Except as provided in paragraph (c) of this section, a researcher may not redisclose patient identifying information for data linkages purposes.