45 CFR Document 2020-14675

Confidentiality of Substance Use Disorder Patient Records

April 14, 2021

CFR

AGENCY:

Substance Abuse and Mental Health Services Administration (SAMHSA), U.S. Department of Health and Human Services (HHS).

ACTION:

Final rule.

SUMMARY:

This final rule makes changes to the Department of Health and Human Services' (HHS) regulations governing the Confidentiality of Substance Use Disorder Patient Records. These changes were prompted by the need to continue aligning the regulations with advances in the U.S. health care delivery system, while retaining important privacy protections for individuals seeking treatment for substance use disorders (SUDs). SAMHSA strives to facilitate information exchange for safe and effective SUD care, while addressing the legitimate privacy concerns of patients seeking treatment for a SUD. Within the constraints of the authorizing statute, these changes are also an effort to make the regulations more understandable and less burdensome.

DATES:

This final rule is effective August 14, 2020.

FOR FURTHER INFORMATION CONTACT:

Ms. Deepa Avula, (240) 276-2542.

SUPPLEMENTARY INFORMATION:

I. Background

II. Summary of the Major Provisions

III. Overview of Public Comments

IV. Final Modifications to 42 CFR Part 2 and Discussion of Public Comments

A. General Comments on the Proposed Rule

1. General Feedback on the Proposed Rule

a. General Support for the Proposed Rule

b. General Opposition for the Proposed Rule

c. General Request for Clarification and Guidance Related to Part 2

2. General Comments on Realigning the Part 2 Rule to the HIPAA Privacy Rule

B. Definitions (§ 2.11)

C. Applicability (§ 2.12)

D. Consent Requirements (§ 2.31)

E. Prohibition on Re-Disclosure (§ 2.32)

F. Disclosures Permitted With Written Consent (§ 2.33)

G. Disclosures To Prevent Multiple Enrollments (§ 2.34)

H. Disclosures to Prescription Drug Monitoring Programs (§ 2.36)

I. Medical Emergencies (§ 2.51)

J. Research (§ 2.52)

K. Audit and Evaluation (§ 2.53)

L. Orders Authorizing the Use of Undercover Agents and Informants (§ 2.67)

V. Collection of Information Requirements

VI. Regulatory Impact Analysis

A. Statement of Need

B. Overall Impact

C. Alternatives Considered

D. Conclusion

Acronyms

ADAMHA Alcohol, Drug Abuse, and Mental Health Administration

CEHRT Certified Electronic Health Record Technology

CFR Code of Federal Regulations

DEA Drug Enforcement Agency

DOJ Department of Justice

DS4P Data Segmentation for Privacy

EHR Electronic Health Record

FAX Facsimile

FDA Food and Drug Administration

FEMA Federal Emergency Management Agency

FHIR Fast Healthcare Interoperability Resources

FR Federal Register

HHS Department of Health and Human Services

HIPAA Health Insurance Portability and Accountability Act of 1996

HIE Health Information Exchange

HIN Health Information Network

IHS Indian Health Service

MAT Medication-Assisted Treatment

NPRM Notice of Proposed Rulemaking

ONC Office of the National Coordinator for Health Information Technology

OTP Opioid Treatment Program

OUD Opioid Use Disorder

PDMP Prescription Drug Monitoring Program

QIO Quality Improvement Organization

TPO Treatment, Payment, and Health Care Operations

SAMHSA Substance Abuse and Mental Health Services Administration

SNPRM Supplemental Notice of Proposed Rulemaking

SUD Substance Use Disorder

U.S.C. United States Code

I. Background

The Confidentiality of Substance Use Disorder Patient Records regulations (42 CFR part 2) implement section 543 of the Public Health Service Act, 42 U.S.C. 290dd-2. The regulations were originally issued to ensure the confidentiality of patient records for the treatment of substance use disorder, at a time when there was no broader privacy and data security standard for protecting health care data. Under the regulations, a “substance use disorder” is a defined term, which refers to a cluster of cognitive, behavioral, and physiological symptoms indicating that an individual continues using a substance, despite significant substance-related problems such as impaired control, social impairment, risky use, and pharmacological tolerance and withdrawal. For the purposes of part 2, this definition does not include tobacco or caffeine use.

The regulations were first promulgated as a final rule in 1975 (40 FR 27802) and amended thereafter in 1987 (52 FR 21796) and 1995 (60 FR 22296). On February 9, 2016, SAMHSA published a notice of proposed rulemaking (NPRM) (81 FR 6988) (the “2016 proposed rule”), inviting comment on proposals to update the regulations, to reflect the development of integrated health care models and the growing use of electronic platforms to exchange patient information, as well as the new laws and regulations implemented since 1975, that more broadly protect patient data. At the same time, consistent with the authorizing statute, we (note that throughout this final rule, “we” refers to SAMHSA) wished to preserve the confidentiality protections that part 2 establishes for patient identifying information originating from covered programs, because persons with SUDs may encounter significant discrimination or experience other negative consequences if their information is improperly disclosed.

In response to public comments, on January 18, 2017, SAMHSA published a final rule (82 FR 6052) (the “2017 final rule”), providing for greater flexibility in disclosing patient identifying information within the health care system, while continuing to protect the confidentiality of SUD patient records. SAMHSA concurrently issued a supplemental notice of proposed rulemaking (SNPRM) (82 FR 5485) (the “2017 proposed rule”) to solicit public comment on additional proposals. In response to public comments, SAMHSA subsequently published a final rule on January 3, 2018 (83 FR 239) (the “2018 final rule”) that provided greater clarity regarding payment, health care operations, and audit or evaluation-related disclosures, and provided language for an abbreviated prohibition on re-disclosure notice.

In both the 2017 and 2018 final rules, SAMHSA signaled its intent to continue to monitor implementation of 42 CFR part 2, and to explore potential future rulemaking to better address the complexities of health information technology, patient privacy, and interoperability, within the constraints of the statute. The emergence of the opioid crisis, with its catastrophic impact on individuals, families, and caregivers, and corresponding clinical and safety challenges for providers, has highlighted the need for thoughtful updates to 42 CFR part 2. The laws and regulations governing the confidentiality of substance abuse records were originally written out of concern for the potential for misuse of those records against patients in treatment for a SUD, thereby undermining trust and leading individuals with SUDs not to seek treatment. As observed in the 1983 proposed rule, the purpose of 42 CFR part 2 is to ensure that patients receiving treatment for a SUD in a part 2 program “are not made more vulnerable to investigation or prosecution because of their association with a treatment program than they would be if they had not sought treatment” (48 FR 38763).

In recent years, the devastating consequences of the opioid crisis have resulted in an unprecedented spike in overdose deaths related to both prescription and illegal opioids including heroin and fentanyl,^[1] as well as correspondingly greater pressures on the SUD treatment system, and heightened demand for SUD treatment services.^[2] On August 26, 2019, SAMHSA published a Notice of Proposed Rulemaking (NPRM) (84 FR 44568) that proposed changes to the part 2 regulations that SAMHSA believed would better align with the needs of individuals with SUD and of those who treat these patients in need, and help facilitate the provision of well-coordinated care, while ensuring appropriate confidentiality protection for persons in treatment through part 2 programs.

SAMHSA requested public input of the proposed changes during a 60-day public comment period.

After consideration of the public comments received in response to the NPRM, SAMHSA is issuing this final rule substantially as proposed, with one caveat. On March 27, 2020, President Trump signed the Coronavirus Aid, Relief and Economic Security Act (“CARES Act”) into law (Pub. L. 116-136). The CARES Act was enacted to provide emergency assistance to individuals, families and businesses affected by the COVID-19 pandemic; to support the U.S. health care system; and to make emergency appropriations to the Executive Branch. Section 3221 of the CARES Act, Confidentiality and Disclosure of Records Relating to Substance Use Disorder, substantially amended several sections of the part 2 authorizing statute; specifically, sections 42 U.S.C. 290dd-2(b), (c) and (f), which specify requirements for patient consent, restrict the use of records in legal proceedings, and set penalties for violations of the statute, respectively.^[3] The CARES Act provides far greater flexibility for patients and health care providers to share SUD records than presently allowed under 42 U.S.C. 290dd-2. Most notably, some sections in the new statute seek to align the part 2 confidentiality standards more closely with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The CARES Act requires HHS to update its regulations to implement these new statutory changes; therefore, HHS intends to publish a new NPRM and subsequently to issue a new final implementing rulemaking for the CARES Act in the future. Because both Congress and SAMHSA have sought to address many of the same barriers to information sharing by patients and among health care providers, we expect that the CARES Act implementing regulations will further modify several of the amendments adopted in this final rule.

The statutory timeline in § 3221 prevents the part 2-related provisions of the CARES Act from taking effect before March 27, 2021. In the interim, we believe that this final rule makes important changes that can help safeguard the health and outcomes of individuals with SUD, and specifically takes important first steps toward the greater flexibility for information sharing envisioned by Congress in its passage of § 3221 of the CARES Act. Thus, several of the regulatory amendments in this final rule will serve as interim and transitional standards, until regulations conforming to the CARES Act legislation can be promulgated.

II. Summary of the Major Provisions

Proposed modifications to 42 CFR part 2 were published as an NPRM on August 26, 2019 (84 FR 44568). After consideration of the public comments received in response to the NPRM, SAMHSA is issuing this final rule as follows:

Definitions (§ 2.11) revises the definition of “Records” to create an exception so that information conveyed orally by a part 2 program to a non-part 2 provider for treatment purposes with consent of the patient does not become a record subject to part 2 regulations merely because that part 2 information is reduced to writing by that non-part 2 provider.

Applicability (§ 2.12) revises the regulatory text to state that the recording of information about an SUD and its treatment by a non-part 2 provider does not, by itself, render a medical record subject to the restrictions of 42 CFR part 2, provided that the non-part 2 provider segregates any specific SUD records received from a part 2 program (either directly, or through another lawful holder).

Consent requirements (§ 2.31) revises consent requirements to allow patients to consent to the disclosure of their information to a wide range of entities without naming a specific individual to receive this information on behalf of a given entity, and includes special instructions applicable to consents for disclosure of information to information exchanges and research institutions. The final rule provides additional guidance, with regard to consent for disclosures for the purpose of care coordination and case management.

Prohibition on redisclosure (§ 2.32) revises the prohibition on redisclosure notices to clarify that non-part 2 providers do not need to redact information in a non-part 2 record regarding SUD and allows re-disclosure if expressly permitted by written consent of the patient or permitted under part 2 regulations.

Disclosures permitted with written consent (§ 2.33) expressly allows disclosure to specified entities and individuals for 18 types of payment and health care operational activities, including the 17 proposed activities and the addition of disclosures for the purpose of care coordination and case management.

Disclosures to prevent multiple enrollments (§ 2.34) revises disclosure requirements to allow non-opioid treatment providers with a treating provider relationship to access central registries.

Disclosures to Prescription Drug Monitoring Programs (§ 2.36) creates new permissions to allow opioid treatment programs (OTPs) to disclose dispensing and prescribing data, as required by applicable state law, to prescription drug monitoring programs (PDMPs), subject to patient consent.

Medical Emergencies (§ 2.51) authorizes disclosures of patient information to another part 2 program or other SUD treatment provider during State or Federally-declared natural and major disasters.

Research (§ 2.52) permits research disclosures of part 2 patient data by a HIPAA covered entity to individuals and organizations who are neither HIPAA covered entities, nor subject to the Common Rule, for the purpose of conducting scientific research. The revised § 2.52 better aligns the requirements of part 2, the Common Rule, and the Privacy Rule around the conduct of research on human subjects, and seeks to streamline duplicative requirements for research disclosures under part 2 and the Privacy Rule in some instances. This final rule also revises § 2.52 to permit research disclosures to recipients who are covered by Food and Drug Administration (FDA) regulations for the protection of human subjects in clinical investigations (at 21 CFR parts 50 and 56).

Audit and evaluation (§ 2.53) clarifies that federal, state and local governmental agencies and third-party payers may conduct audits and evaluations to identify needed actions at the agency or payer level to improve care; that audits and evaluations may include reviews of appropriateness of medical care, medical necessity, and utilization of services; and that auditors may include quality assurance organizations as well as entities with direct administrative control over a part 2 program or lawful holder. Section 2.53 also updates language related to quality improvement organizations (QIOs), and allows for patient identifying information to be disclosed to federal, state, or local government agencies, and to their contractors, subcontractors, and legal representatives for audit and evaluations required by statute or regulation.

Orders authorizing use of undercover agents and informants (§ 2.67) amends the period for court-ordered placement of an undercover agent and informant within a part 2 program to 12 months and clarifies that the 12-month time period starts when an undercover agent or informant is placed in the part 2 program.

Use of Personal Devices and Accounts

This final rule preamble also provides guidance on how employees, volunteers and trainees of part 2 facilities should handle communications using personal devices and accounts, especially in relation to § 2.19 concerning disposition of records by discontinued programs. In § 2.11, the current regulation defines “Records” to include information relating to a patient that could include email and texts. In § 2.19, the regulation codifies the requirements for disposition of records from a discontinued part 2 program. These requirements state that records which are electronic must be “sanitized” within one year of the discontinuation of the part 2 program. This sanitization must render the patient identifying information non-retrievable in accordance with § 2.16 (security for records). Read together, current §§ 2.11, 2.16, and 2.19 could be interpreted to mean that, if an individual working in a part 2 program receives a text or email from a patient on his or her personal phone which he or she does not use in the regular course of employment in the part 2 program, and this part 2 program is discontinued, then the personal device may need to be sanitized. Depending on the policies and procedures of the part 2 program, this sanitization may render the device no longer useable to that individual. SAMHSA clarifies that this interpretation is not the intent of the regulations.

Although SAMHSA does not encourage patient communication through personal email and cell phones, we recognize that patients may make contact through the personal device or account of an employee (or volunteer or trainee) of a part 2 program, even if the employee (or volunteer or trainee) does not use such device or account in the regular course of their employment in the part 2 program. In such instances, SAMHSA wishes neither to convey that these devices become part of the part 2 record, nor that, if the part 2 program is discontinued, these devices must be sanitized. Instead, SAMHSA clarifies that, in the case that patient contact is made through an employee's (or volunteer's or trainee's) personal email or cell phone account which he or she does not use in the regular course of business for that part 2 program, the employee should immediately delete this information from his or her personal account and only respond via an authorized channel provided by the part 2 program, unless responding directly from the employee's account is required in order to protect the best interest of the patient.^[4] If the email or text contains patient identifying information, the employee should forward this information to such authorized channel and then delete the email or text from any personal account. These authorized channels are then subject to the normal standards of sanitization under §§ 2.16 and 2.19 and any other applicable federal and state laws. SAMHSA believes that this process will both protect the employee's personal property and the confidentiality of the patient's records if the patient makes such unauthorized contact.

Following the proposed rule, SAMHSA received the following comments on its guidance concerning how employees, volunteers and trainees of part 2 facilities should handle communications using personal devices and accounts.

Public Comments

Many commenters supported the clarification on sanitizing personal devices. A few commenters noted that while this change will require education and monitoring, the clarification is important and valuable for part 2 programs to properly handle patient communication. Some commenters also noted that this clarification reduces burden for providers in rural areas where communication on authorized channels may not always be available.

SAMHSA Response

We appreciate comments in support of this clarification.

Public Comments

Some commenters had additional questions regarding the use of personal devices. One commenter requested guidance pertaining to the sanitizing of any other devices synchronized (“synced”) to personal accounts. A few commenters requested clarification as to whether deleting content from a personal account contravenes any state record retention requirements. One commenter requested clarification that this guidance applies only to personal devices, not professional devices from which EHRs are accessed. One commenter requested that “incidental” communication be defined more clearly. One commenter suggested that the rise of personal devices and changing nature of communication with patients may warrant greater consideration from SAMHSA in future rulemaking.

SAMHSA Response

We appreciate questions from commenters to further clarify the use of personal devices. Providers should ensure that any patient communication accessible from synced devices is deleted from each device. Additionally, if a patient communication is contained solely on a personal device, providers should ensure that the communication is forwarded to and stored within an authorized channel prior to deleting the communication from the personal device. Providers concerned about state record retention requirements may include a note that the information has been forwarded to and stored within an authorized channel and deleted in compliance with 42 CFR part 2; however, this rule does not preempt more restrictive state record retention requirements Given that the definition of what constitutes incidental communication varies for providers in different settings (e.g., rural), we decline to further define the phrase at this time. We appreciate the suggestion to further consider personal devices and will continue monitoring the issue.

The other sections in 42 CFR part 2 that are not referenced above are not addressed in this final rule nor were they discussed in the NPRM because SAMHSA is maintaining their content substantively unchanged from the 2017 and 2018 final rules.

III. Overview of Public Comments Received

SAMHSA received 684 public comment submissions on the proposed rule from medical and behavioral health care providers; combined medical/behavioral health care providers; third-party payers; privacy/consumer advocates; medical health care provider associations; behavioral health care provider associations; accrediting organizations; researchers; individuals (with no stated affiliation); attorneys (with no stated affiliation); health information technology (HIT) vendors; and state/local governments. The comments ranged from general support or opposition to the proposed provisions, to specific questions or comments regarding the proposed rules.

Some comments were outside the scope of or inconsistent with SAMHSA's legal authority regarding the confidentiality of SUD patient records. Likewise, other comments did not pertain to specific proposals made by SAMHSA in the NPRM. In some instances, commenters raised policy or operational issues that are best addressed through sub-regulatory guidance that SAMHSA will consider issuing subsequent to this final rule. Consequently, SAMHSA did not address these comments in this final rule.

IV. Final Modifications to 42 CFR Part 2 and Discussion of Public Comments

In this section of the final rule, SAMHSA explains the finalized revisions to the part 2 regulations and responds to public comments received. If a 42 CFR part 2 section is not addressed below, it is because SAMHSA did not propose changes to that part 2 provision and this final rule maintains the existing language in that section.

A. General Comments on the Proposed Rule

1. General Feedback on the Proposed Rule

Consistent with general comments about alignment of this regulation with HIPAA, SAMHSA has modified the definition of “records” (§ 2.11) and the applicability section (§ 2.12) to facilitate the disclosure of records from part 2 programs to non-part 2 providers for treatment purposes, while allowing the non-part 2 providers to engage in their own clinical encounters and record-keeping without fear that those activities will be subject to part 2. In addition, SAMHSA has offered revised guidance concerning the part 2 consent requirements (§ 2.31), in order to more explicitly allow patients to consent to disclosure of their records for the purpose of care coordination. As discussed below, SAMHSA is also modifying the regulatory text in § 2.33(b), to include disclosures for the purpose of care coordination and case management to the list of permitted activities. All these revisions will have the effect of more closely aligning confidentiality standards under part 2 with the HIPAA privacy rule.

As previously noted, on March 27, 2020, the President signed the CARES Act into law, and § 3221 of the CARES Act makes a significant modification to the authorizing statute for part 2, with the aim of realigning the part 2 rules more strongly with the HIPAA privacy rule. HHS anticipates releasing a new proposed rule within the next 12 months to implement § 3221 of the CARES Act. In the meantime, several of the regulatory amendments in this final rule will serve as transitional standards, until regulations fully conforming to the CARES Act legislation can be promulgated.

B. Definitions (§ 2.11)

SAMHSA is finalizing this section as proposed.

In the current regulation, “Records” is defined to mean “any information, whether recorded or not, created by, received, or acquired by a part 2 program relating to a patient.” In the 2017 final rule, SAMHSA noted that some commenters expressed confusion regarding what is considered unrecorded information (82 FR 6068); we, therefore, added parenthetical examples in an effort to clarify. But with the exception of these parenthetical examples, the basic definition for “records” under part 2 has remained the same since the 1987 final rule.

In section III.B. of the proposed rule [84 FR 44571] on “Applicability” (at § 2.12), SAMHSA discussed a proposed change to the restriction on disclosures under part 2, which would serve to clarify some record-keeping activities of non-part 2 providers that fall outside the scope of 42 CFR part 2. As explained in section III.B., the change was needed to facilitate communication and coordination between part 2 programs and non-part 2 providers, and to ensure that appropriate communications were not hampered by fear among non-part 2 providers of inadvertently violating part 2, as a result of receiving and reading a protected SUD patient record and then providing care to the patient.

SAMHSA proposed to make a conforming amendment to the § 2.11 definition of “records,” [84 FR 44571] by adding, at the end of the first sentence of the definition, the phrase, “provided, however, that information conveyed orally by a part 2 program to a non-part 2 provider for treatment purposes with the consent of the patient does not become a record subject to this part in the possession of the non-part 2 provider merely because that information is reduced to writing by that non-part 2 provider. Records otherwise transmitted by a part 2 program to a non-part 2 provider retain their characteristic as a “record” subject to this part in the possession of the non-part 2 provider, but may be segregated by that provider.”

The effect of the proposed amendment was to incorporate a very limited exception to the definition of “records,” such that a non-part 2 provider who orally receives information from a protected SUD record from a part 2 program may subsequently engage in an independent conversation with her patient, informed by her discussion with the part 2 provider, and record SUD information received from the part 2 program or the patient, without fear that her own records thereafter would become covered by part 2. The intent of this change was to better facilitate coordination of care between non-part 2 providers and part 2 programs, and to resolve lingering confusion among non-part 2 providers about when and how they can capture SUD patient care information in their own records, without fear of those records being subject to the confidentiality requirements of part 2.

The comments we received on the proposed amendments to § 2.11, and our responses, are provided below.

Public Comments

Many commenters supported the proposed change to the definition of records, saying that it would provide clarification as to which records are subject to part 2 protections; enable providers to take account of the entirety of a patient's health needs when determining a treatment plan; improve care coordination, especially among those with multiple medical concerns; better integrate primary and behavioral care for SUD patients; enhance patient safety; and potentially incentivize clinicians to treat patients with SUD. One commenter said the proposed definition of a record may be the most beneficial proposal in the rule, and noted that SAMHSA retains in its proposals the necessary protections against redisclosure by downstream recipients of part 2 records absent explicit patient consent. Another commenter expressed a desire to have more flexibility for care coordination across their delivery system for SUD patients, and observed that any changes to the definition of records requires balancing the need for increased protection for SUD treatment information with the need for access to care coordination.

SAMHSA Response

We thank the commenters for their support and reflections.

Public Comments

Several commenters supported the proposal but asked that SAMHSA expand the proposal beyond information conveyed orally to cover other forms of communications, including secure clinical messages (such as a secure web portal), which are common ways for providers to share information. One commenter said it would be confusing to allow orally communicated information to be covered under HIPAA while the same information conveyed via text would retain part 2 requirements. Other commenters said that imparting the oral requirement fails to appreciate workflow; that secure messaging is just as critical for patient safety; and that if information is received through electronic means, such as a Health Information Exchange, it should not become a record subject to part 2 if the non-part 2 provider includes it in his/her record.

A few commenters recommended that SAMHSA remove the word “orally” altogether from the proposed definition of records, to enable non-part 2 providers to document critical information received from a program regardless of the manner and mode in which it is provided. A few commenters suggested that non-part 2 providers should be allowed to document information such as medications if that information constitutes redisclosure with other providers for treatment purposes, without penalty hinging on whether the information is conveyed orally or by other means.

One commenter asked for clarification on the difference between the terms, “record,” “part 2 record,” and “part 2-covered record.” The commenter said these terms are not defined. Likewise, another commenter said confusion remains about what constitutes a part 2 record and recommended that SAMHSA engage with stakeholders to inform future guidance that clarifies ambiguity.

SAMHSA Response

SAMHSA appreciates these comments. Although the term “records” is defined under § 2.11, the expressions “part 2 record” and “part 2-covered record” are not defined in the regulation. Broadly speaking, “part 2 record” and “part-2 covered record” both refer to an SUD patient record which is subject to the requirements of part 2, by virtue of originating from a part 2 program. In order to address any confusion in the patient and provider communities, SAMHSA is considering guidance and opportunities for educational outreach, in connection with §§ 2.11 and 2.12 specifically and the new part 2 rule more broadly.

Public Comments

One commenter said it was not clear whether certain facilities, like health centers, would benefit from the changes in §§ 2.11 and 2.12.

SAMHSA Response

SAMHSA appreciates this comment. SAMHSA will monitor the implementation of revised §§ 2.11 and 2.12 in the field, and will consider further guidance on the impact of the revisions to §§ 2.11 and 2.12, including with regard to disclosures by part 2 programs made to non-part 2 health centers.

Public Comments

One commenter appreciated the attempt to bring 42 CFR part 2 into alignment with other privacy rules but said there is still more work to be done to align with HIPAA and across agencies. The commenter said a paper-based workflow point of view is outdated and runs counter to burden-reduction efforts.

SAMHSA Response

SAMHSA appreciates these comments. SAMHSA will consider further revisions to the part 2 regulations in the future, particularly to implement § 3221 of the CARES Act. Several of the related CARES Act provisions will likely have the effect of more strongly aligning part 2 confidentiality standards with the HIPAA privacy rule.

Public Comments

A few commenters said that despite SAMHSA's statement that it does not intend to permit wholesale transcription of the patient's part 2 records into the primary care record, the proposed change may lead to that outcome, especially given the availability of text-to-speech technology applications. One commenter said SAMHSA had provided no parameters on what is permissible beyond the term “clinical purpose,” which could result in inappropriate and broad sharing of extensive and potentially damaging information, exposing SUD patients to legal prosecution and discrimination. Another commenter said that if SAMHSA finalizes the proposed amendment to § 2.11, it should include limits on the quantity of information to be transcribed, a clear prohibition on the use of text-to-speech technology for the purposes of this provision, and a requirement that the primary care practitioner counsel the patient on the privacy implications of consenting to such a disclosure, including the ways that HIPAA is less protective of patient privacy than part 2 or applicable state privacy laws.

One commenter applauded SAMHSA's inclusion of language in the preamble addressing the possibility that a non-part 2 provider might transcribe extensively from a part 2 record without having a clinical purpose for doing so and the agency's explicit statement that this is not the intent of the proposal. The commenter urged SAMHSA to incorporate this concept into regulatory text so that non-part 2 providers and other lawful holders are on notice that the intent behind SAMHSA's revised definition of “records” is to facilitate a treatment discussion between a non-part 2 provider and a patient and not a loophole to circumvent patient privacy and consent. The commenter urged that both §§ 2.11 and 2.12 reference this principle, and asked that § 2.11 specifically note that oral communications from part 2 providers to payers or other third parties are not to be used as the basis of the creation of separate record streams for patients. The commenter also said that SAMHSA should make clear in regulations that its intent behind the revisions to §§ 2.11 and 2.12 is to promote a clinical purpose, such as to allow a treatment note based on a direct clinical encounter with the patient. Short of this clarification, the commenter said SAMHSA should not revise the definition of records to exclude oral communications.

Another commenter suggested that SAMHSA provide sub-regulatory guidance and narrative examples that illustrate acceptable practices regarding the extent of transcription and/or documentation permitted from this change.

SAMHSA Response

As we explained above, the effect of the revision in § 2.11 is to incorporate a very limited exception to the definition of “records,” such that a non-part 2 provider who orally receives a protected SUD information from a part 2 program may subsequently engage in an independent conversation with her patient, informed by her discussion with the part 2 provider, and record SUD information received from the part 2 program or the patient, without fear that her own records for that patient thereafter would become covered by part 2. This provision will not immunize the misconduct of a non-part 2 provider who engages in the wholesale transcription of a received SUD patient record, without her own direct patient encounter and without clinical purpose.

SAMHSA will consider issuing future guidance on acceptable practices regarding the extent of transcription and/or documentation permitted under §§ 2.11 and 2.12 if we find it is necessary.

Public Comments

One commenter said the proposed revisions to the definition of “records” and “applicability” are vague and do not provide any meaningful or clear guidance on what can be added to a medical record without triggering the requirements of 42 CFR part 2. Another commenter asked for clarification as to whether part 2 redisclosure limitations apply when a treating non-part 2 provider reviews the part 2 program record, transcribes information from that record which has been validly shared pursuant to patient consent, and then inserts it into his or her own treatment record. The commenter asked SAMHSA to confirm that doing so would avoid application of part 2 to the treating provider's record and to broaden the exception to permit portions, summaries, or other extractions from the record to be redisclosed without consent.

SAMHSA Response

As discussed above, the preamble and revisions to §§ 2.11 and 2.12 speak with specificity to the circumstances in which a non-part 2 provider can receive and hold a treatment record from a part 2 program, while nevertheless being able to create her own patient records without fear that these will become covered by part 2. Taken together, the effect of the revisions to §§ 2.11 and 2.12 is to allow a part 2 program to make a disclosure, with the patient's consent, to the recipient non-part 2 provider. In turn, the non-part 2 provider can then carry out her own encounter with the patient, and create her own patient record, which will not fall under the coverage of part 2. Again, segregation of any received SUD record may be used by a non-part 2 provider to ensure that her own created records can be distinguished and will therefore not become subject to part 2.

Consistent with the foregoing explanation, SAMHSA believes that the revised §§ 2.11 and 2.12 strike the appropriate balance in describing how part 2 will apply in these situations.

Public Comments

One commenter asked whether patient SUD treatment information obtained and then recorded by a part 2 program from a non-part 2 provider could be exempt or outside the definition for a part 2 record.

SAMHSA Response

No, that information would still receive part 2 protection. There is nothing in the final rule that modifies the basic definition of “records” under § 2.11, as this applies to a part 2 program. Section 2.11 states, in pertinent part, that “Records means any information, whether recorded or not, created by, received, or acquired by a part 2 program relating to a patient.”

C. Applicability (§ 2.12)

SAMHSA is finalizing this section as proposed.

In the 1987 final rule, SAMHSA broadly established that the restrictions on disclosure under 42 CFR part 2 would apply to any alcohol and drug abuse information obtained by a federally assisted alcohol or drug abuse program. As explained in 1987, by limiting the applicability of 42 CFR part 2 to specialized programs—that is, to those programs that hold themselves out as providing and which actually provide alcohol or drug abuse diagnosis, treatment, and referral for treatment—the aim was to simplify the administration of the regulations, but without significantly affecting the incentive to seek treatment provided by the confidentiality protections. Limiting the applicability of 42 CFR part 2 to specialized programs was intended to lessen the adverse economic impact of the regulations on a substantial number of facilities which provide SUD care only as incident to the provision of general medical care. The exclusion of hospital emergency departments and general medical or surgical wards from coverage was not seen as a significant deterrent to patients seeking assistance for alcohol and drug abuse. SAMHSA's experience in the more than 30 years since 1987 has been consistent with this expectation.

The 2017 final rule elaborated on this policy, by establishing that the disclosure restrictions on SUD patient records would extend to individuals or entities who receive such records either from a part 2 program or from another lawful holder. See 42 CFR 2.12(d)(2)(i)(C). As explained in the 2017 final rule, a “lawful holder” of patient identifying information is an individual or entity who has received such information as the result of a part 2-compliant patient consent, or as a result of one of the exceptions to the consent requirements in the statute or implementing regulations (82 FR 6068). Thus, the effect of the 2017 rule was to expand the scope of application for part 2 confidentiality, by ensuring that records initially created by a part 2 program would remain protected under 42 CFR part 2 throughout a chain of subsequent re-disclosures, even into the hands of a downstream recipient not itself a part 2 program. The reason for the 2017 change was, once again, to avoid any deterrent effect on patients seeking specialized SUD care through part 2 treatment programs, by virtue of the patient records from those programs losing their part 2 confidentiality protection following a disclosure downstream to other “lawful holder” recipients of those records (81 FR 6997).

Although that policy was established in the 2017 final rule, specifically in § 2.12(d)(2)(i)(C), there remains some confusion within the provider community about what information collected by non-part 2 entities is (or is not) covered by the part 2 restrictions on re-disclosure. When SAMHSA expanded the reach of the Applicability provision in 2017, the intent was not to change the policy established in the 1987 rulemaking, nor to make the records of non-part 2 entities (such as some primary care providers) directly subject to 42 CFR part 2, simply because information about SUD status and treatment might be included in those records. Rather, the intent underlying the 2017 provision was to clarify the applicability of 42 CFR part 2 in a targeted manner, so that records initially created under the protection of part 2 would continue to be protected following disclosure to downstream recipients. In doing so, SAMHSA sought to encourage individuals to enter into SUD treatment through part 2 programs, by strengthening the confidentiality protection for records that originate from those programs. Implicit in SAMHSA rulemaking since 1987 has been the pursuit of a balance of policy interests: On the one hand, consistent with the Congressionally stated purpose of the drug abuse confidentiality statute, to encourage entry into SUD treatment by ensuring that the records of treatment through a part 2 program would not be publicly disclosed, and on the other hand, to reduce the adverse impact of part 2 burdens on general medical care providers and facilities and on patient care.

In the wake of the nation's opioid epidemic and continuing trends related to alcohol use disorder and cannabis use disorder, it has become increasingly important for primary care providers and general medical facilities not covered by 42 CFR part 2 to be able to carry out treatment and health care operations that sometimes involve creating new records that mention SUD status and care. Such records and activities are not covered by 42 CFR part 2. However, coordination of care between part 2 programs and non-part 2 providers would involve the disclosure of SUD records and information by the former to the latter. Under the current 42 CFR part 2 regulation, such disclosures of records by a part 2 program to a non-part 2 provider do not render all subsequent records on SUD caretaking activity undertaken by the non-part 2 provider subject to the part 2 regulation. For example, when a non-part 2 provider is directly treating her own patient, and creates a record based on her own patient contact that includes SUD information, then that record is not covered by part 2.

Nevertheless, SAMHSA recognizes that there may be significant confusion or misunderstanding as to the applicability of part 2 rules to non-part 2 providers. This results in increased burden on non-part 2 providers, and the potential for impaired coordination of care for patients, which could be life threatening, for example, if an affected patient has an opioid use disorder. Although the existing text of 42 CFR 2.12 (d)(2)(i)(C) on Applicability does not compel these results, SAMHSA's experience in recent years has demonstrated the need for clearer regulatory language, to better delineate the records of non-part 2 entities which are not covered by the 42 CFR part 2 rules.

Based on the above considerations, SAMHSA proposed to add a new § 2.12(d)(2)(ii), to better clarify that a non-part 2 treating provider's act of recording information about a SUD and its treatment would not make that record subject to 42 CFR part 2. SUD records received by that non-part 2 entity from a part 2 program are subject to part 2 restrictions on redisclosure of part 2 information by lawful holders, including redisclosures by non-part 2 providers. However, the records created by the non-part 2 provider in its direct patient encounter(s) would not be subject to part 2, unless the records received from the part 2 program are incorporated into such records. Segregation or segmentation of any part 2 records previously received from a part 2 program can be used to ensure that new records (e.g., a treatment note based on a direct clinical encounter with the patient) created by non-part 2 providers during their own patient encounters would not become subject to the part 2 rules.

SAMHSA believed that this addition will further clarify the 2017 revisions, by affirming that the independent record-keeping activities of non-part 2-covered entities remain outside the coverage of 42 CFR part 2, despite such providers' (segregated) possession, as lawful holders, of part 2-covered records. The part 2 disclosure restrictions only apply to SUD patient records originating with part 2 providers. Such part 2 originating records are subject to the part 2 limitations on use and disclosure as they move through the hands of other “lawful holders” and part 2 programs. Even where part 2 does not apply to a patient record created by a non-part 2 provider following a direct patient encounter, that record will nevertheless be subject to the HIPAA Privacy Rule.

One means by which non-part 2 treating providers could benefit from the above proposal would be through the segregated storage of part 2-covered SUD records received from a part 2 program or other lawful holder. In the context of a paper record received from a part 2 program, the proposed requirement could be met by the “segregation” or “holding apart” of these records; in the context of electronic records from a part 2 program, the proposed requirement could be met by logical “segmentation” of the record in the electronic health record (EHR) system in which it is held. As under the current rule, when a non-part 2 entity receives a protected SUD record from a part 2 program or other lawful holder, the received record is subject to the heightened confidentiality requirements under part 2. “Segregating” the received record, whether by segmenting it or otherwise labeling or holding it apart, would allow the recipient entity to identify and keep track of a record that requires heightened protection.

Under both the proposed and the current text of part 2, the lawful holder recipient entity remains subject to part 2 re-disclosure restrictions with regard to the part 2 record, whether or not the recipient entity is able to segregate it. But “segregating” allows the recipient entity both to keep track of the part 2 records, and readily distinguish them from all the other patient records that the entity holds which are not subject to part 2 protection. As mentioned above, “segregating” the part 2 record may involve physically holding apart any part 2-covered records from the recipient's other records, which would be quite feasible in the case of a received paper record or an email attachment containing such data. Alternately, “segregating” can involve electronic solutions, such as segmenting an electronic SUD patient record received from a part 2 program by use of electronic privacy and security tags such as those in an EHR platform leveraging the HL7 Data Segmentation for Privacy (DS4P) standard, in which segmentation is carried out electronically based on the standards of DS4P architecture (discussed further below). Either of these methods for “segregating” part 2 covered records is a satisfactory way for the recipient entity to keep track of them, and to distinguish them from all the other patient records that the entity holds which are not subject to part 2 protection. We note that “segregating” a received part 2 record does not require the use of a separate server for holding the received part 2 records. We do not intend this rule to result in the creation of separate servers or health IT systems for part 2 documents. Our policy is intended to be consistent with existing technical workflows for data aggregation, storage, and exchange.

One concern that the proposed provision raises is the possibility that a non-part 2 provider might transcribe extensively from a part 2 record without having a clinical purpose for doing so. This, however, is not the intent of the provision. Briefly, the intent is to allow a non-part 2 provider to receive SUD information about a patient from a part 2 program, and then to engage in a treatment discussion with that patient, informed by that information, and then be able to create her own treatment records including SUD content, without the latter becoming covered by part 2. This level of flexibility is needed in order to improve coordination of care efforts, and to save lives. It is not SAMHSA's intent to encourage a non-part 2 provider to abuse the rules, by transcribing extensively from a conversation with a part 2 program or from a received part 2 record when creating her own records, without having a clinical purpose for doing so. Our intent is to expressly permit an avenue of communication, with patient consent, between a part 2 program and non-part 2 provider to facilitate better coordination of care, without automatically triggering application of the rule to the independent records of non-part 2 providers.

In the 2017 final rule, SAMHSA responded to several public comments about data segmentation issues connected to 42 CFR part 2. We acknowledged then that although significant challenges exist for data segmentation of SUD records within some current EHR systems, SAMHSA has led the development of use-case discussions related to the technical implementation of the DS4P standard and recently contributed to the development of the Fast Healthcare Interoperability Resources (FHIR) implementation guide for Consent2Share.^[5] We believe that the existing health IT standards which enable data tagging and data segmentation and which support the SAMHSA Consent2Share tool are important to help advance the needs of part 2 providers and providers across the care continuum. SAMHSA recognizes and encourages the further development of DS4P standards, and the adoption by developers and vendors of EHR systems that meet those standards. The final revisions at § 2.12 do not, however, impose on non-part 2 entities any new requirement for data segmentation as a practice, nor do they establish any new standards or requirements for EHR technology. SAMHSA considered including, in the proposed rule, the policy option of defining “segmented” and “segmentation” under 42 CFR part 2, in order to offer greater clarity about what these terms mean under the rule. Segmentation involves technical capabilities and implementation for tagging and consent management, as well as technical specifications to accurately effect disclosure or non-disclosure of data based on federal, state, and local jurisdictions privacy restrictions and patient consent. This requires both technical specifications as well as supporting policies and governance for the treatment of sensitive data that is tagged. The latter is essential for effective segmentation, and segmentation is not achievable solely via adoption of a specific standard, nor is part 2 the only applicable use case for segmentation. For these reasons, we decided not to define segmentation for the purposes of this rulemaking, as such a definition might have unforeseen technical ramifications for EHR and HIE systems implementation in the future. In addition, SAMHSA believes this policy should be flexible, to allow providers with different operational standards and capabilities to implement the policy with regard to segregation or segmentation in the least burdensome way to their practices, while still maintaining confidentiality of patient records subject to part 2. Nevertheless, using health IT to support data tagging and data segmentation for privacy and consent management is one path that a provider could use to support their effort to meet part 2 requirements, including those described in the proposed rule.

In addition to the proposed revision to 42 CFR 2.12(d) above, SAMHSA proposed conforming changes to the regulatory text of several other sections of 42 CFR 2.12, to provide further clarification of the applicability of part 2 restrictions on patient records.

In § 2.12(a), SAMHSA proposed to change the text to reflect that the restrictions on disclosure apply to “any records,” rather than to “any information, whether recorded or not.” We also proposed a conforming change to § 2.12(a)(ii), to indicate that the restrictions of this part apply to any records which “contain drug abuse information obtained . . .” or “contain alcohol abuse information obtained . . . .” Taken together, these changes are congruent with the amendment to § 2.12(d) and help to make it clear that part 2 applies to “records” (as defined under § 2.11).

In § 2.12(e)(3), SAMHSA proposed to change the text to reflect that the restrictions on disclosure apply to the recipients “of part 2-covered records,” rather than to the recipients “of information.” This proposed change is congruent with the proposed amendment to § 2.12(d) and would help to make explicit that downstream restrictions on re-disclosure by non-Part 2 entities are tied to protected records which originate from a part 2 program in the first instance. SAMHSA believes that this proposed conforming change is important, because it would further establish that the re-disclosure burden for non-part 2 entities as lawful holders ties specifically to the protected records that they receive from a part 2 program, and not to any other records that the non-part 2 entity creates by itself, regardless of whether the latter might include some SUD-related content.

In § 2.12(e)(4), SAMHSA likewise proposed a conforming change to the text, by adding language to reflect that a diagnosis prepared by a part 2 program for a patient who is neither treated by nor admitted to that program, nor referred for care elsewhere, is nevertheless covered by the regulations in this part. The change to the regulatory text is for clarity, to ensure that this section could not be misread as applying directly to the activities of a non-part 2 entity or provider.

Similarly, and congruent with the above conforming changes, SAMHSA also proposed to modify the definition of “Records” in § 2.11 as discussed in Section III.A. above and to modify and streamline the language in § 2.32 as discussed in Section III.D. below. Readers are referred to those sections of the proposed rule for specifics on those proposals and the rationales for such proposed policies.

As discussed above, we believe both the preamble and revisions to §§ 2.11 and 2.12 speak with specificity to the circumstances in which a non-part-2 provider can receive and hold a treatment record from a part 2 program, while nevertheless being able to create her own subsequent patient records without fear that these will become covered by part 2. Notably, there is nothing in the final rule that would cause an entire record to be “enveloped in part 2,” any more so than is the case now. Again, the effect of the revisions to §§ 2.11 and 2.12 is to allow the part 2 program to make a disclosure, with the patient's consent, to the recipient non-part 2 provider. In turn, the non-part 2 provider can then carry out her own encounter with the patient, and create her own patient record, which will not fall under the coverage of part 2. Segregation of any received SUD record may be used by a non-part 2 provider to ensure that her own created records can be distinguished, and will therefore not become subject to part 2.

Taken together, SAMHSA believes that the revised §§ 2.11 and 2.12 strike the appropriate balance in describing how part 2 will apply in these situations. SAMHSA is considering future guidance to clarify the requirements of §§ 2.11 and 2.12 for providers, and SAMHSA will continue to collaborate with other federal agencies in regard to technology implementation and standard-setting that touches on part 2 records.

Public Comments

One commenter stated opposition to any limitations on how, when or how much SUD information the non-part 2 provider can document within its own record, even when that information is transcribed from a received record from a part 2 program. This commenter stated that the preamble implies that, in order for part 2 not to apply, the non-part 2 provider needs to document the SUD information as part of a direct clinical patient encounter and upon reviewing it with the patient first, as opposed to directly copying from a record received from a part 2 program. The commenter stated that for appropriate care, non-part 2 providers should be able to document SUD information for safe patient care without the information becoming subject to 42 CFR part 2, regardless of how a part 2 program originally provides the information, or whether information is independently discussed with the patient during a visit.

SAMHSA Response

SAMHSA believes that the revisions to §§ 2.11 and 2.12 offer the appropriate fix for allowing a limited transfer of information between part 2 programs and non-part 2 providers, subject to patient consent, in order to facilitate better coordination of care. As discussed below, SAMHSA is also modifying the regulatory text in § 2.33(b), to add disclosures for the purpose of care coordination and case management to the list of permitted activities. Other forms of communication between lawful holders of part 2 records are also permitted under the part 2 regulations with patient consent, consistent with the enabling statute. The revisions to §§ 2.11 and 2.12 reflect a balance of interests between ensuring robust privacy protection for part 2 program treatment records, while also pursuing patient safety, reduction of adverse events, and better coordination of care for persons with SUD. SAMHSA will continue to consider opportunities for further re-alignment of part 2 requirements for the disclosure of SUD records for treatment, payment and health care operations in the future, to the extent permissible under the part 2 enabling statute and consistent with § 3221 of the CARES Act.

Public Comments

One commenter asked if the process of using the capabilities of certified electronic health record technology (CEHRT) to electronically “copy” a medication item, a problem or a medication allergy from the received part 2 document as an external list to the internal list maintained by the non-part 2 provider's CEHRT is considered “transcription.” This commenter asked that we include an example discussing a form of transcription that is permitted that does not violate the handling of a part 2 record received by a non-part 2 provider.

Likewise, another commenter specifically recommended that we revise the proposed regulations to allow health systems/providers using an integrated EHR to include the following in the patient's EHR without the patient's consent: Part 2 SUD in the integrated common problem list; Part 2 SUD treatment/post treatment medications on the integrated common medications list; medication allergies found during Part 2 SUD treatment/post treatment encounters on the integrated common medication allergy list; and an exception to obtaining a patient's consent to share this information for health systems/providers who use an integrated EHR.

SAMHSA Response

Currently, a part 2 program may make a disclosure with the patient's consent to a non-part 2 provider. Taken together, the effect of the revisions to §§ 2.11 and 2.12 is to clarify that the non-part 2 provider can then discuss that information in her own encounter with the patient, and create her own patient record that includes SUD information which will not be subject to part 2. The recipient non-part 2 provider is permitted but not required to segregate the received part 2 record (in whatever medium is relevant), as a way to ensure that her own subsequent record-keeping activity can be distinguished. These general principles continue to apply, regardless of whether the recipient non-part 2 provider is using a CEHRT [certified electronic health record technology ]or whether the recipient non-part 2 provider and the part 2 program exchange their communications through a common, integrated EHR platform.

SAMHSA believes that revised §§ 2.11 and 2.12 strike the right balance of interests between ensuring robust privacy protection for part 2 program treatment records, while also promoting patient safety, reduction of adverse events, and better coordination of care for persons with SUD. SAMHSA will continue to consider future guidance and refinement to the part 2 rules, and will continue to work with ONC to support and implement health IT policies consistent with the part 2 rules.

Public Comments

Many commenters asked for further clarification from SAMHSA in determining which records and providers are subject to part 2 requirements. Commenters specifically asked for definitions as to what “holding oneself out as providing” entails. Other commenters noted that, in the current healthcare environment and its emphasis on integrated care, providers are likely to apply the Part 2 requirements to more treatment settings and providers than required, creating excess compliance burden. Some commenters also noted that it is hard to imagine a scenario in which part 2 would prevent a specialist for any other chronic disease from supporting a treatment team without subjecting the entire team to unwieldy regulations. Commenters also stated that further clarification of the definition of a part 2 program could help patients choose which type of providers—and, consequently, confidentiality protections—they should seek.

One commenter recommended that SAMHSA clarify that Medication-Assisted Treatment (MAT) services and their associated workflows provided as part of a general medical facility do not meet the definition of a part 2 program, as long as the providers rendering the MAT services do not do so as their primary function within the facility. This commenter also recommended that SAMHSA clarify that any education or outreach (including posting notices, advertising and informing patients) about the availability of MAT services at a general medical facility, including Indian Health Service (IHS) and tribal facilities, would not change its status as a non-part 2 provider.

SAMHSA Response

SAMHSA appreciates these comments. Although outside the scope of the current rulemaking, SAMHSA will consider issuing guidance in the future to further clarify when a general medical facility is subject to the part 2 regulations.

Public Comments

A few commenters asked us to provide further guidance to clarify how health plans may similarly communicate with non-part 2 providers without subjecting their own records to part 2. Commenters asked if the proposed change applies to other lawful holders, specifically health plans.

SAMHSA Response

The revisions in § 2.12 establish that SUD treatment records created by a non-part 2 provider will not be covered by part 2, unless any SUD record previously received from a part 2 program is incorporated into such records. Under § 2.12, segregation of the received record can be used by non-part 2 providers to ensure that their own created patient records can be distinguished from the received record, and thus will not become covered by part 2.

The revisions in § 2.12 do not address the direct disclosure made by a health plan to a non-part 2 provider. In general, the broader part 2 framework concerning disclosures made by health plans as “lawful holders” continue to apply. SAMHSA will consider issuing future guidance to clarify the application of part 2 to disclosures of SUD records by health plans.

Public Comments

One commenter suggested that rather than modifying § 2.12 in order to facilitate disclosures by part 2 programs to non-part 2 providers in support of care coordination, it would instead be more effective under § 2.33 to add care coordination to the list of payment and operations activities for which a disclosure may be made with patient consent.

SAMHSA Response

SAMHSA believes that the current revisions to § 2.12 create an appropriate and limited pathway for part 2 programs to disclose SUD records to non-part 2 providers, and then to allow non-part 2 providers to create their own treatment records based on subsequent clinical encounters with their patients. However, as we explain below under § 2.33, SAMHSA has decided to modify the regulatory text in § 2.33(b), by adding disclosures for the purpose of care coordination and case management to the list of permitted activities under that section.

Public Comments

One commenter specifically recommended that SAMHSA clarify that systems that permit secure communication between patients, their permitted designates and non-part 2 caregivers may be used by part 2 caregivers that are employed by the same healthcare organization, or that use the same implementation of the secure communications system. This commenter also asked us to exempt communications between part 2 providers and non-part 2 healthcare providers that are actively engaged in the care of the same patient, but are not employed by the same healthcare organization. This commenter also asked that we specify that part 2 providers performing hospital consultation work may communicate with non-part 2 providers within the same organization without generating a part 2 covered record.

SAMHSA Response

Communications between patients, part 2 programs, and non-part 2 providers through patient portals and integrated EHR platforms can present an array of challenges and scenarios for patient consent under part 2. The current rulemaking does not attempt to address or resolve all such situations, nor does it change the status quo of how part 2 applies in many such situations.

We thank the commenter for its support.

Public Comments

One commenter asked for clarification on whether there is a distinction (or conversely, an ambiguity) between what constitutes the legally recognized medical record, versus shared information that is structured and record-like. In other words, at what threshold of structure and formality of conveyance does “information” become “record?”

SAMHSA Response

SAMHSA does not draw any distinction between “records” as defined under § 2.11, versus “shared information that is structured and record-like.” Per the regulatory text of § 2.11, a “record” is defined as “any information, whether recorded or not, created by, received, or acquired by a part 2 program relating to a patient.”

D. Consent Requirements (§ 2.31)

SAMHSA is finalizing this section as proposed, and adding further guidance concerning the application of § 2.31 to disclosures for the coordination of care, as outlined below.

In the 2017 final rule, SAMHSA made several changes to the consent requirements at § 2.31, to facilitate the sharing of information within the health care context, while ensuring the patient is fully informed and the necessary confidentiality protections are in place. Among those changes, SAMHSA amended the written consent requirements regarding identification of the individuals and entities to whom disclosures of protected information may be made (82 FR 6077). Specifically, SAMHSA adopted a framework for disclosures to entities that made several distinctions between recipients that have a treating provider relationship with the patient and recipients that do not. Under the current rules at § 2.31(a)(4), if the recipient entity does not have a treating provider relationship with the patient whose information is being disclosed and is not a third-party payer, such as an entity that facilitates the exchange of health care information or research institutions, the written consent must include the name of the entity and one of the following: The name(s) of an individual participant(s); the name(s) of an entity participant(s) that has a treating provider relationship with the patient whose information is being disclosed; or a general designation of an individual or entity participant(s) or class of participants that must be limited to a participant(s) who has a treating provider relationship with the patient whose information is being disclosed. As stated in the 2017 final rule, SAMHSA wants to ensure that patient identifying information is only disclosed to those individuals and entities on the health care team with a need to know this sensitive information (82 FR 6084). SAMHSA, accordingly, limited the ability to use a general designation in the `to whom' section of the consent requirements to those individuals or entities with a treating provider relationship to the patient at issue.

Since the 2017 final rule was published, SAMHSA has learned that some patients with SUDs would like part 2 programs to disclose their protected information to entities for reasons including eligibility determinations and seeking non-medical services or benefits from governmental and non-governmental entities (e.g., social security benefits, local sober living or halfway house programs). Because these entities lack a treating provider relationship with the patient, the current rules preclude them from being designated by name to receive the information, unless they are third-party payers, or the patient knows the identity of the specific individual who would receive the information on behalf of the benefit program or service provider. In addition, many of these entities may not be able to identify a specific employee to receive application information, and instead are likely to encourage patients to contact them or apply online, such that information is submitted to the organization rather than to a specific person. SAMHSA has heard that many patients have encountered frustration and delays in applying for and receiving services and benefits from, and in authorizing part 2 providers to release their information to, entities providing such services and benefits, by virtue of the inability to designate these entities by organization name only on the written consent for disclosure of part 2 information.

We also understand that the requirement to include an individual's name could make it more burdensome for part 2 programs or lawful holders to facilitate a patient's specific consent to share their information with a contractor or subcontractor that performs care coordination or case management activities on behalf of the program or lawful holder. It is not SAMHSA's intent to limit patients' ability to consent to the disclosure of their own information or create barriers to care coordination. We wish, rather, to empower patients to consent to the release and use of their health information in whatever way they choose, consistent with statutory and regulatory protections designed to ensure the integrity of the consent process.

Therefore, in this final rule, SAMHSA is amending the current regulations to clarify when patients may consent to disclosures of part 2 information to organizations without a treating provider relationship. In particular, SAMHSA has amended § 2.31(a)(4)(i), which previously required a written consent to include the names of individual(s) to whom a disclosure is to be made. The amended section inserts the words “or the name(s) of the entity(-ies)” to that section, so that a written consent must include the name(s) of the individual(s) or entity(-ies) to whom or to which a disclosure is to be made. SAMHSA believes that this language aligns more closely with the wording of the regulation before the January 2017 final rule changes, and would alleviate problems caused by the inability to designate by name an individual recipient at an entity. For example, if a patient wants a part 2 program to disclose impairment information to the Social Security Administration for a determination of benefits, such patient would only need to authorize this agency on the “to whom” section of the consent form, rather than identify a specific individual at the agency to receive such information. In addition, in response to the many comments requesting that SAMHSA provide more flexibility throughout the rule to facilitate care coordination and case management, the change at § 42 CFR 2.31(a)(4)(i) will also make it easier for patients to consent to the disclosure of their information for the purposes of care coordination and case management, including to contracted organizations of lawful holders, by naming such organizations on the consent form.

SAMHSA has removed old § 2.31(a)(4)(ii) and (iii)(A), and redesignated old § 2.31(a)(4)(iii)(B) as § 2.31(a)(4)(ii) in the final rule. SAMHSA has also amended the newly redesignated § 2.31(a)(4)(ii), so that it applies only to entities that facilitate the exchange of health information (e.g., health information exchanges (HIEs)) or research institutions. The section establishes that, if the recipient entity is an entity that facilitates the exchange of health information or is a research institution, the consent must include the name of the entity and one of the following: (1) The name(s) of an individual or entity participant(s); or (2) a general designation of an individual or entity participant(s) or class of participants, limited to a participant(s) who has a treating provider relationship with the patient whose information is being disclosed. We have also made conforming amendments to §§ 2.12(d)(2)(a) and 2.13(d). The revised language of 2.31(a)(4) does continue to permit patient consent to disclosures to third-party payers based on naming the recipient entity, without specifying an individual recipient at that entity.

At this time, we do not believe this exclusion to be overbroad. As stated above, newly finalized language in § 2.31(a)(4)(ii) continues to allow patients to use a general designation in consenting to disclose their records to organizations that facilitate the exchange of health information. Specifically, if a recipient entity facilitates the exchange of health information or is a research institution, a written consent must include the name(s) of the entity and either the name of the individual or entity participants, or a general designation of an individual or entity participant(s) or class of participants that must be limited to a participant(s) who has a treating provider relationship with the patient whose information is being disclosed (e.g., “my treating providers”). We will, however, consider this suggestion in the future if we find the current language to be limiting to patients.

E. Prohibition on Re-Disclosure (§ 2.32)

SAMHSA is finalizing this section as proposed.

In the 2017 final rule, SAMHSA clarified that the disclosure restrictions on SUD patient records would extend to individuals or entities who receive such records either from a part 2 program or from another lawful holder. We further emphasized this clarification in the notice requirements in § 2.32 in the 2017 final rule. Under § 2.32, each disclosure made with a patient's consent must contain a written statement notifying the recipient of the applicability of 42 CFR part 2 to any re-disclosure of the protected record. In the 2017 final rule, SAMHSA noted that the prohibition on redisclosure provision only applied to information from the record that would identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment for a SUD by a part 2-covered provider. The prohibition still allowed other health-related information shared by the part 2 program to be re-disclosed, if permissible under the applicable law (82 FR 6089).

SAMHSA has since heard from the provider community that this section of the regulation prompted downstream, non-part 2 providers to manually redact portions of their disclosure data files that identify a patient as having or having had a SUD. This activity is operationally burdensome and not the intent of the 2017 final rule. As noted in Section IV.C. above, SAMHSA has proposed to modify § 2.12 to clarify that the recording of information about an SUD and its treatment by a non-part 2 provider is permitted and not subject to part 2, and that the non-part 2 provider may segregate or segment any patient record previously received from a part 2 program to ensure that she can distinguish them from her own patient records created following clinical encounters. Therefore, a downstream non-part 2 provider would not need to redact SUD information in its own records in an effort to comply with part 2, provided that any outside patient record previously received from a part 2 program or other lawful holder is segregated or segmented.

To ensure that downstream non-part 2 providers are aware that they do not need to redact information in their files if they have means of identifying the part 2-covered data (e.g., by segregating or segmenting the files received from the part 2 program), SAMHSA proposed to modify and streamline the notice language in § 2.32(a)(1) to remove the superfluous language that has contributed to confusion regarding the restrictions on re-disclosures (84 FR 44574). Specifically, we proposed to remove “information in” and “that identifies a patient as having or having had a SUD either directly, by reference to publicly available information, or through verification of such identification by another person,” from the current notice language established in the regulation. Additionally, SAMHSA added language to specifically state that only the part 2 record is subject to the prohibition on re-disclosure in § 2.32, unless further disclosure either is expressly permitted by written consent of the individual whose information is being disclosed in the record or is otherwise permitted by 42 CFR part 2 (84 FR 44574).

As stated in the 2017 final rule, while the statute may not be explicit with regard to all provisions in 42 CFR part 2, the statute directs the Secretary to provide for such safeguards and procedures as, in the judgment of the Secretary, are necessary or proper to effectuate the purposes of this statute, to prevent circumvention or evasion thereof, or to facilitate compliance therewith (82 FR 6089). At this time, SAMHSA believes that § 2.32 is still necessary, on balance, to appropriately protect the confidentiality of patients.

We do anticipate making further revisions to part 2 in the future, in order to implement the relevant provisions of the CARES Act, and we will review the status of § 2.32 in any future rulemaking.

Public Comments

One commenter recommended that SAMHSA add notice language to § 2.32, to reinforce that the non-part 2 provider/entity has received the part 2-protected SUD information for the permissible purpose of improving service delivery for the patient, and that although unauthorized redisclosure of part 2-protected information is prohibited, this information should be used as intended for the permissible purpose.

SAMHSA Response

The final rule at § 2.32 does not specify particular purposes for which part 2 protected records must be used, once the patient consents to such use. We believe it is best to empower patients to specify the terms for a limited disclosure, rather than adding compulsory requirements for the use of disclosed records, which might be confusing and could cause providers to limit the disclosure of important information intended to be conveyed by the patient.

F. Disclosures Permitted With Written Consent (§ 2.33)

In response to comments received on the proposed rule and the CARES Act provision incorporating into 42 U.S.C. 290dd-2 the HIPAA Privacy Rule definition of health care operations, which includes care coordination and case management activities, SAMHSA is modifying this section of the rule from what was proposed, to add care coordination and case management as an example of an activity for which a lawful holder may make a further disclosure to its contractors, subcontractors and/or legal representatives, in support of health care payment or operations. In order to avoid confusion about the extent of § 2.33(b), SAMHSA has also deleted from the regulatory text the statement that “Disclosures to contractors, subcontractors, and legal representatives to carry out other purposes such as substance use disorder patient diagnosis, treatment, or referral for treatment are not permitted under this section.”

While we did not specifically propose to include care coordination and case management in the list of activities under § 2.33(b), the NPRM addressed the issue of how to facilitate these types of services, and we received public comments on this point. More recently, Congress passed the CARES Act, which expressly permits disclosure of Part 2 information for these very purposes. To the extent that there may be a concern that we did not formally and specifically solicit public comment on listing care coordination and case management in § 2.33(b), we believe that further notice and comment on this matter is unnecessary. The Department's statements in the NPRM elicited comments on this issue, and the subsequent passage of the CARES Act would otherwise effectuate § 2.33(b) of this final rule starting March 27, 2021. Additionally, permitting disclosures under § 2.33(b) for case management and care coordination services in this final rule will have the effect of granting providers, part 2 programs and lawful holders more time in which to establish processes for carrying out these essential services in accordance with the requirements of this final rule and the CARES Act provisions. Therefore, the Department finds good cause to forego notice and comment on whether care coordination and case management activities should be included in the illustrative list of permissible payment and health care operations activities under 2.33(b). 5 U.S.C. 553(b)(B)(an agency is exempt from the notice and comment requirements of the Administrative Procedure Act if the agency “for good cause finds . . . notice and public procedure thereon are impracticable, unnecessary, or contrary to the public interest”).

In the 2018 final rule (83 FR 241), SAMHSA clarified at § 2.33(b), the scope and requirements for permitted disclosures by a lawful holder to contractors, subcontractors, and legal representatives, for the purpose of payment and certain health care operations. In the 2017 proposed rule, SAMHSA proposed to include in the regulatory text a list of 17 specific types of permitted categories of payment and health care operations (82 FR 5487).

Based on the numerous comments received requesting additions or clarifications to the list, as well as concerns that the changes occurring in the health care payment and delivery system could rapidly render any list of activities included in the regulatory text outdated, SAMHSA decided not to include the list of 17 activities in the regulation text in the 2018 final rule, and, instead, decided to include a list of the types of permitted activities in the preamble of the 2018 final rule. SAMHSA stated in the 2018 final rule that we included this list of activities in the preamble in order to make clear that it is an illustrative rather than exhaustive list of the types of payment and health care operations activities that would be acceptable to SAMHSA (83 FR 241). By removing the list from the regulatory text, SAMHSA intended for other appropriate payment and health care operations activities to be permitted under § 2.33 as the health care system continues to evolve.

Since the 2018 final rule was published, SAMHSA has learned that including an illustrative list of permissible activities in the preamble rather than in the text of the regulation did not fully clarify the circumstances under which part 2 information could be further disclosed under § 2.33. Specifically, stakeholders may have believed that a particular activity was not permissible unless explicitly identified within the regulatory text. Therefore, to clear up any remaining confusion, SAMHSA proposed to amend § 2.33(b) to expressly include the illustrative list of permissible activities that was contained in the preamble of the 2018 final rule (83 FR 243). It is important to note, as was noted in the preamble to the 2018 final rule, that this list is illustrative rather than exhaustive.

Specifically, SAMHSA proposed to add the following examples of permissible activities that SAMHSA considers to be payment and health care operations activities to § 2.33(b):

Billing, claims management, collections activities, obtaining payment under a contract for reinsurance, claims filing and related health care data processing;
Clinical professional support services (e.g., quality assessment and improvement initiatives; utilization review and management services);
Patient safety activities;
Activities pertaining to:

○ The training of student trainees and health care professionals;

○ The assessment of practitioner competencies;

○ The assessment of provider and/or health plan performance; and/or

○ Training of non-health care professionals;

Accreditation, certification, licensing, or credentialing activities;
Underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and/or ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care;
Third-party liability coverage;
Activities related to addressing fraud, waste and/or abuse; Conducting or arranging for medical review, legal services, and/or auditing functions;
Business planning and development, such as conducting cost management and planning-related analyses related to managing and operating, including formulary development and administration, development or improvement of methods of payment or coverage policies;
Business management and/or general administrative activities, including management activities relating to implementation of and compliance with the requirements of this or other statutes or regulations;
Customer services, including the provision of data analyses for policy holders, plan sponsors, or other customers;
Resolution of internal grievances;
The sale, transfer, merger, consolidation, or dissolution of an organization;
Determinations of eligibility or coverage (e.g., coordination of benefit services or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
Risk adjusting amounts due based on enrollee health status and demographic characteristics; and
Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges.

To further clarify that the list is not exhaustive, SAMHSA also proposed to add “other payment/health care operations activities not expressly prohibited” in this provision to the end of the list. SAMHSA also again clarified in the preamble to the proposed rule (84 FR 44575) that § 2.33(b) was not intended to cover disclosures to contractors, subcontractors, and legal representatives for the purposes of care coordination or case management, and disclosures to carry out such purposes were not permitted under this section. We noted that this policy differs from the HIPAA Privacy Rule, under which `health care operations' encompasses such activities as case management and care coordination. SAMHSA previously emphasized the importance of maintaining patient choice in disclosing information to health care providers with whom they will have direct contact (83 FR 243). We stated in the proposed rule that although § 2.33(b) does not cover disclosures for the purpose of care coordination or case management, such disclosures may nevertheless be made under other provisions of §§ 2.31 and 2.33. Additionally, we noted that several of the proposals to revise other sections of part 2 in this rulemaking would help to facilitate coordination of care, as under § 2.12 (Applicability). However, as discussed above, due to recent CARES Act amendments as well as public comments, SAMHSA has decided to include care coordination and case management in the illustrative list of examples of payment and health care operations activities for which disclosures may be made under § 2.33(b).

At this time, we note that this rule provides transitional regulations until such time as implementing regulations for § 3221 of the CARES Act come into effect. In future rulemaking, we will consider further revisions to § 2.33, as needed to implement relevant provisions under the CARES Act.

Under § 2.33(b), disclosures to a lawful holder's contractors, subcontractors and legal representatives for payment and health care operations must be limited to that information which is necessary to carry out the stated purpose of the disclosure. This provision helps to ensure that information is not shared more broadly than the purposes for which the patient consents. Thus, disclosures for any of the activities under § 2.33(b) must be limited to that minimal amount of information that is truly necessary to carry out the purpose of the specific health care and payment operations activity intended. Likewise, under § 2.13(a), information disclosed under the part 2 regulations must be limited to that information which is necessary to carry out the purpose of the disclosure. To comply with § 2.13, we have previously stated that part 2 programs and lawful holders disclosing information under § 2.33(b) should ensure that the purpose section of the consent form is consistent with the role of or services provided by the contractor or subcontractor (e.g. “payment and health care operations”) (83 FR 244).

At this time, we note that this rule provides transitional regulations until such time as implementing regulations for § 3221 of the CARES Act come into effect. In future rulemaking, we will consider making further revisions to § 2.33, consistent with the CARES Act.

Public Comments

A few commenters requested additional clarity on the types of activities that are permitted. Commenters suggested expanding the list and providing examples of permitted activities, as well as describing expectations for activities that are not on the list. One commenter suggested that, rather than listing the 17 activities, the language “unless explicitly prohibited” would provide more clarity. A few commenters said SAMHSA should be clearer that the list is not all-inclusive.

Many commenters objected to the exclusion of care coordination and case management under § 2.33(b) and asked SAMHSA to align its policy with the HIPAA privacy rule by including these activities in the definition of health care operations, or to otherwise allow care coordination and case management to be included in the list of permitted activities. A few commenters specifically noted that SAMHSA has the authority under 42 U.S.C. 290dd-2 to enact this change. One commenter suggested these activities be reclassified as health coaching or other legitimate health plan operational activities in order to ensure the appropriate coordination of care, while another urged SAMHSA to adopt a specific care coordination exception to the consent requirement.

Commenters gave many reasons for objecting to the exclusion of care coordination and case management from the list of permitted activities. Some commenters said the current policy is harmful to individuals with SUDs because it increases the risk of negative drug interactions, medical errors, overdose, or death; creates delays in care or in the receipt of MAT; and maintains and reinforces the stigma of SUD. Other commenters stated that disallowing care coordination and case management from the list of permitted activities is inconsistent with best practices and incompatible with the way health care is delivered today, hindering the ability to provide comprehensive, integrated, coordinated care that decreases emergency room and inpatient services. Commenters emphasized that optimal, safe care requires access to a patient's entire treatment history and current medications. Some commenters said that the current policy prevents insurers, Medicaid agencies, administrators, peer support organizations, and providers from making a more meaningful personal care impact and creates more difficulty in helping patients obtain better health outcomes.

A few commenters said the current rule causes confusion and administrative burden for providers as well as health plans that have difficulty obtaining written consent from enrollees, patients who must sign multiple consent forms, and other parties involved with the provision of health care. A few commenters also emphasized that the current policy is misaligned with HIPAA and that allowing for care coordination and case management under § 2.33(b) would ease administrative burden for entities subject to both part 2 and HIPAA. Another commenter said it would avoid the “slippery slope” of possibly expanding the proposed part 2 applicability changes to other non-part 2 lawful holders and for purposes beyond TPO. A few commenters also said that established definitions of “care coordination” and “case management” do not refer to treatment, diagnosis and referral, but instead refer to more operational, or management-based activities.

Several commenters emphasized potential benefits of including care coordination and case management in the list of permitted activities, such as increasing access to integrated, whole-person care; improving treatment adherence and outcomes; enabling managed care organizations to more easily provide valuable supports to their beneficiaries with SUD; avoiding duplicative prescriptions; facilitating communication with appropriate community-based organizations; alleviating complex consent requirements; and lowering overall health care costs. Another commenter said that recovery should be coordinated to address self-care practices, family, housing, employment, transportation, education, clinical treatment for mental disorders and SUDs, services and supports, primary healthcare, dental care, complementary and alternative services, faith, spirituality, creativity, social networks, and community participation.

One commenter said that SAMHSA has offered no legal or policy basis for this unique definition and handling of care coordination and case management for SUDs. A few commenters felt that part 2 limits or prohibits sharing of SUD records for critical care coordination activities while allowing it for less essential payment and health care operations. One commenter emphasized that SUD treatment providers must be treated equally—or with parity—to other health care providers. Others observed that changing the current policy would be consistent with the proposal's goals of improving appropriate information flow and integrated care and is philosophically aligned with CMS' and HHS' broader efforts to create a more integrated and efficient care delivery system.

SAMHSA Response

SAMHSA understands and acknowledges the commenters' concerns. SAMHSA recognizes that care coordination activities have numerous benefits described by the commenters, including the ability to protect patient safety, improve quality of care, and lower costs. SAMHSA also recognizes, consistent with commenter feedback, that many activities involving care coordination and case management are operational in nature, and distinguishable from the direct disclosure of a treatment record from one provider (e.g., a part 2 program) to another (e.g., a non-part 2 primary care physician) for the purpose of treatment and diagnosis.

Several commenters offered ideas for topics that future regulations or guidance could address, including phone screenings; new care models; the use of digitized voice consent; and a templated, plain language part 2 record consent form that could be used to better standardize disclosures, provided in an electronic format that would allow populated data to be easily integrated into information management systems.

SAMHSA Response

We thank the commenters for their suggestions and will consider these ideas for future guidance.

G. Disclosures To Prevent Multiple Enrollments (§ 2.34)

SAMHSA is finalizing this section as proposed.

In the 2017 final rule, SAMHSA modernized § 2.34 by updating terminology and revising corresponding definitions. Section 2.34 permits, with consent, disclosure of patient records to a withdrawal management or maintenance treatment program within 200 miles of a part 2 program. After considering comments, we retained the specificity of “200 miles” to prevent multiple enrollments that could result in patients receiving multiple streams of SUD treatment medications, which in turn may increase the likelihood of an adverse event or of diversion (82 FR 6094).

Central registries, defined in § 2.11, do not exist in all states, and the defining parameters for the operation of the registries vary somewhat across states and across part 2 programs. However, in the context of the opioid epidemic, recent experience has demonstrated that it is important for all providers who work with SUD patients, including non-opioid treatment program (non-OTP) providers, to have access to the information in the central registries, for the purpose of helping prevent duplicative patient enrollment for opioid use disorder treatment. Access to central registry information is also needed by non-OTP providers to fully inform their decisions when considering appropriate prescription drugs, including opioids, for their patients.

Methadone is a long-acting opioid used to treat opioid use disorders and for pain that, when used at levels higher than recommended for an individual patient, can lead to low blood pressure, decreased pulse, decreased respiration, seizures, coma, or even death. When used as a part of a supervised MAT program, methadone is a safe and effective treatment for SUD, including opioid use disorder (OUD). Methadone is a long-acting opioid, subject to accumulation when its metabolism is inhibited. Its effects may be potentiated by certain other drugs with which it may have pharmacodynamic interactions, so the medication is specifically tailored to each individual patient and must be used exactly as prescribed. Exceeding the specific dosing can lead to dangerous side effects and potential overdose. Other medications, including other SUD treatments, such as buprenorphine, as well as other medication including other opioids, benzodiazepines, HIV medications, certain antipsychotics and anti-depressants, also have the potential to interact dangerously with methadone.

Buprenorphine products are also long-acting opioid formulations approved by FDA for treatment of opioid use disorder, subject to limitations, which can be dispensed at OTPs, and in outpatient settings. While buprenorphine is demonstrated to exhibit a ceiling effect on respiratory depression in persons with opioid tolerance, it has significant opioid effects in those without tolerance which can contribute to adverse events including opioid overdose. Both of these long acting opioids (methadone and buprenorphine) have potential drug interactions with other medications that could lead to adverse events, including drug toxicity and opioid overdose.

These realities underscore the reason it is important for a prescriber to check central registries, when possible, to assure that it is appropriate to prescribe the contemplated opioid therapies for a particular individual. The ability to query a central registry regarding any duplicative enrollment in similar treatment can also be crucial to effective care, and to ensuring patient safety. Similarly, to avoid opioid-related adverse events, it is imperative that prescribing clinicians be aware of any opioid therapy that may be in current use by a patient prior to making further medication prescribing decisions.

Under the current language of § 2.34(a), a part 2 program may seek a written patient consent in order to disclose treatment records to a central registry. In turn, the recipient central registry may only disclose patient contact information for the purpose of preventing multiple enrollments under § 2.34(b). Currently, under § 2.34(c), the central registry may only disclose when asked by a “member program” whether an identified patient is enrolled in another member program.

One commenter recommended that SAMHSA utilize existing health information exchanges or networks to coordinate queries to central registries.

A few commenters recommended that SAMHSA establish minimum standards for central registries and require OTP participation in a central registry. These commenters noted that while the proposed changes will improve care coordination and patient safety, the lack of standardization and wide variation across central registries creates challenges for all providers treating patients with SUD. Some of these commenters stated that they were not aware of any central registries in their area even though they were aware of OTPs providing SUD services and requested that SAMHSA reconsider the role of central registries.

SAMHSA Response

We will consider these suggestions and continue to assess opportunities to improve the operational efficiency and efficacy of central registries.

H. Disclosures to Prescription Drug Monitoring Programs (§ 2.36)

SAMHSA is finalizing this section as proposed.

A prescription drug monitoring program (PDMP) is a statewide electronic database that collects, analyzes, and makes available prescription data on controlled substances prescribed by practitioners and non-hospital pharmacies.^[6] Forty-nine states, St. Louis County, Missouri ^[7] and the District of Columbia have legislatively mandated the creation of PDMPs. Most states had developed their own PDMP prior to the current opioid crisis; however, few prescribers accessed them.^[8] As opioid use disorder rates, overdoses and deaths increased significantly since 1999, the majority of states began requiring health professionals to check the state's PDMP ^[9] before prescribing controlled substances to patients. Currently, 41 states require physicians to use their state's PDMP to analyze prescription history prior to writing a prescription for opioids or other controlled substances.^[10] Studies have shown that states that have implemented such a requirement have seen declines in overall opioid prescribing, drug-related hospitalizations, and overdose deaths.^[11]

Most PDMPs track prescription drug information on Schedule II-V controlled medications. Pharmacies must submit the prescription data required by their state's PDMP, depending on the state's statutory requirements. More robust PDMP programs have been associated with greater reductions in prescription opioid overdoses.^[12] As noted above, this data allows providers to ensure that a patient is not receiving multiple prescriptions and to enhance patient care and patient safety.

Presently, OTPs are not required to report methadone or buprenorphine dispensing to their states' PDMP. In our 2011 guidance letter, SAMHSA encouraged OTP staff to access PDMPs, but stated that OTPs could not disclose patient identifying information to a PDMP unless an exception applies, consistent with the federal confidentiality requirements.^[13] SAMHSA no longer believes this policy is advisable in light of the current public health crisis arising from opioid use, misuse, and abuse. In the past 10 years, there has been a substantial increase in prescription drug misuse, admissions to substance use facilities, emergency department visits and opioid-related deaths.^[14] The omission of OTP data from a PDMP can lead to potentially dangerous adverse events for patients who may receive duplicate or potentially contraindicated prescriptions as part of medical care outside of an OTP, thereby placing them at risk for adverse events, including possible overdose or even fatal drug interactions.

SAMHSA believes that permitting part 2 programs, including OTPs, and lawful holders to enroll in PDMPs and submit the dispensing data for controlled substances required by states currently for other prescribed, controlled substances would allow for greater patient safety, better patient treatment, and better care coordination among the patient's providers. Therefore, SAMHSA proposed to add a new section § 2.36, permitting part 2 programs, OTPs and other lawful holders to report the required data to their respective state PDMPs when dispensing medications with written consent from the patient whose identifying information will be disclosed prior to making such reports. This update is consistent with the proposal under § 2.34(c) to allow non-OTPs to query central registries to prevent duplicate enrollment.

SAMHSA acknowledges that the proposed provision may raise concerns about law enforcement access to PDMPs, particularly in those states in which PDMPs are operated by a law enforcement agency. However, individuals are not limited to OTPs when seeking OUD treatment. Prescriptions written for OUD opioid pharmacotherapy by non-OTP providers are already recorded in the state PDMP. By implication, PDMPs operated by law enforcement agencies are already receiving some patient data related to SUD treatment. Although the current proposal might expand that practice, it would not create it. And because the disclosure of SUD patient records by OTPs would be made contingent on written patient consent, any negative impact on patient confidentiality seems likely to be small. By contrast, the omission from PDMPs of dispensing and prescribing data from OTPs presents serious safety risks for SUD patients. While the reporting of patient data to a PDMP by an OTP would make it possible for law enforcement, prescribers, and pharmacies with access to a PDMP to determine that a specific patient had received services at a specific OTP, law enforcement would still require a court order meeting the requirements of § 2.65 to access the covered records of that patient or any other patient served at the OTP. SAMHSA believes that allowing for OTP reporting to PDMPs further enhances PDMPs as a tool to help prevent prescription drug misuse and opioid overdose, while providing more complete and accurate data. In turn, more robust PDMP data is imperative for prescribers and providers to make better and more accurate patient care decisions while increasing patient safety and assuring appropriate care.

Several commenters requested SAMHSA to provide further clarification to states to legally permit OTPs to enroll in PDMPs in instances where doing so may currently contravene state PDMP laws or where state PDMP laws do not currently support OTP reporting.

Some of these commenters noted that state PDMP capabilities vary and some systems have more robust information than others. These commenters encouraged SAMHSA to work with states to facilitate PDMPs that can accommodate the proposed changes.

A couple commenters requested clarification on the patient consent process given the changing nature of PDMP capabilities. One commenter expressed concern that a patient's willingness to consent may change if the components or capabilities of a PDMP also change, and this should be taken into consideration in the proposed changes.

One commenter requested clarification for states as they work to modernize PDMPs, and expressed concern about unfunded costs to states to operationalize PDMPs for the type of reporting in the proposed changes.

A few commenters requested clarification on whether consent to disclose to PDMPs would be a separate consent or if it could be added to existing patient consent documentation. Some of these commenters also requested clarification on the level of specificity required if a patient requests a list of entities per § 2.31. A couple of commenters requested clarification as to whether additional consent is required regarding redisclosure and the sharing of part 2 information to each PDMP registered end user. One commenter requested clarification on the decision to support OTP disclosures to PDMPs but not for the purposes of care coordination or case management under § 2.33.

SAMHSA Response

SAMHSA acknowledges concerns about the use of PDMP data for occupational health decisions. It is not the intention of SAMHSA to permit the use of SUD information in pre-employment occupational health examinations, although SAMHSA does not have the statutory authority to control how states choose to utilize the data captured within their PDMPs. We note, however, that pursuant to § 2.13(a), patient records subject to the part 2 regulations may be disclosed or used only as permitted by the regulations and may not otherwise be disclosed or used in any civil, criminal, administrative, or legislative proceedings conducted by any federal, state, or local authority. While many state PDMPs require information solely upon dispensing, some state PDMP laws require prescribers to enter information at the point of prescribing and our language reflects the variation in these laws.

Under 42 CFR 2.52, part 2 programs are permitted to disclose patient identifying information for research, without patient consent, under limited circumstances. In the 2017 Final Rule, SAMHSA made several changes to the research exception at § 2.52, including permitting the disclosure of data by lawful holders (as well as by part 2 programs) to qualified personnel for the purpose of conducting scientific research.

As stated in the 2019 proposed rule (84 FR 44577), § 2.52 allows the disclosure of patient identifying information for research purposes without patient consent, if the recipient of the patient identifying information is a HIPAA-covered entity or business associate, and has obtained and documented authorization from the patient, or a waiver or alteration of authorization, consistent with the HIPAA Privacy Rule at 45 CFR 164.508 or 164.512(i) or the recipient is subject to the HHS regulations regarding the protection of human subjects under the Common Rule. (45 CFR part 46).

Regulations at §§ 2.53(a), (b), and (c) describe the circumstances under which specified individuals and entities may access patient identifying information in the course of an audit or evaluation. Section 2.53(a) governs the disclosure of patient identifying information for audits and evaluations that do not involve the downloading, forwarding, copying, or removing of records from the premises of a part 2 program or other lawful holder. In these instances, information may be disclosed to individuals and entities who agree in writing to comply with the limitations on disclosure and use in § 2.53(d) and who perform the audit or evaluation on behalf of one of the following: A federal, state, or local governmental agency that provides financial assistance to or is authorized to regulate a part 2 program or other lawful holder; an individual or entity which provides financial assistance to a part 2 program or other lawful holder; a third-party payer covering patients in a part 2 program; or a quality improvement organization (QIO) performing certain types of reviews. The regulations permit disclosure to contractors, subcontractors, or legal representatives performing audits and evaluations on behalf of certain individuals, entities, third-party payers, and QIOs described directly above. At § 2.53(a)(2), the regulations also allow part 2 programs or other lawful holders to determine that other individuals and entities are qualified to conduct an audit or evaluation of the part 2 program or other lawful holder. In these instances, patient information may be disclosed during an on-premises review of records, as long as the individuals and entities agree in writing to comply with the limitations on disclosure and use in § 2.53(d).

Section 2.53(b) of the regulation governs the copying, removing, downloading, or forwarding of patient records in connection with an audit or evaluation performed on behalf of government agencies, individuals, and entities described in 42 CFR 2.53(b)(2), which are identical to the agencies, individuals, and entities described in § 2.53(a)(1) above. In these audits, records containing patient identifying information may be copied or removed from the premises of a part 2 program or other lawful holder, or downloaded or forwarded to another electronic system or device from the part 2 program's or other lawful holder's electronic records, by an individual or entity who agrees to the records maintenance standards and disclosure limitations outlined in § 2.53(b)(1)(i) through (iii).

Additionally, patient identifying information may be disclosed to individuals and entities who conduct Medicare, Medicaid, or CHIP audits or evaluations as set forth in § 2.53(c).

SAMHSA understands there is confusion about § 2.53 as it applies to several specific situations, and therefore proposed to make the following changes to the regulations to improve clarity about what is permissible under these sections. SAMHSA also proposed to update part 2 regulatory language related to quality improvement organizations (QIO) to align with 42 CFR 476.1. Specifically, we proposed to replace references to “utilization or quality control review” with the term “QIO review,” which is defined in 42 CFR 476.1 as a review performed in fulfillment of a contract with CMS, either by the QIO or its subcontractors.

First, some stakeholders have voiced frustration that part 2 programs have been unwilling or unable to disclose patient records that may be needed by federal, state, and local agencies, to better serve and protect patients with SUD. For example, a state Medicaid Agency or state or local health department may need to know about specific types of challenges faced by patients receiving opioid therapy treatment, such as co-occurring medical or psychiatric conditions, or social and economic factors that impede treatment or recovery. An agency may need this kind of information to recommend or mandate improved medical care approaches; to target limited resources more effectively to care for patients; or to adjust specific Medicaid or other program policies or processes related to payment or coverage to facilitate adequate coverage and payment. Government agencies may also wish to know how many patients test positive for a new and harmful illicit drug, and how part 2 programs are actually treating those patients, as an input to agency decisions aimed at improving quality of care. For example, agencies may wish to modify requirements for part 2 programs, educate or provide additional oversight of part 2 providers, and/or update corresponding payment or coverage policies. Third-party payers covering patients in a part 2 program may have similar objectives for obtaining part 2 information.

Current regulations allow part 2 programs to share information for the purposes described above in two ways, using either de-identified or identifiable information. Only SUD records containing patient identifying information are subject to part 2 protections, and therefore a part 2 program or other lawful holder may share non-identifiable information with government agencies (federal, state and local) for many types of activities.

SAMHSA encourages the use of de-identified or non-identifiable information whenever possible. However, it may be time consuming, labor intensive, or technologically difficult for part 2 programs to create, and for government agencies to obtain quickly, data that does not contain part 2 identifying information. It may be too cumbersome or cost prohibitive for part 2 programs to provide the kind of data necessary in a de-identified format. It also may be challenging for part 2 programs to provide information quickly in more urgent situations, without potentially diverting resources away from patient care.

Patient identifying information may also be used to help agencies and third-party payers improve care in certain circumstances. Under current regulations at § 2.53(a) and (b), federal, state, and local government agencies that have the authority to regulate or that provide financial assistance to part 2 programs, and third-party payers with covered patients in part 2 programs, may receive patient identifying information in the course of conducting audits or evaluations. Additionally, patient identifying information may be disclosed to individuals and entities to conduct Medicare, Medicaid, or CHIP audits or evaluations under § 2.53(c). Thus, a Medicaid agency may evaluate the part 2 providers that participate in its Medicaid program; a state health department may audit the facilities it licenses pursuant to its regulatory authority; and a health plan may review part 2 programs that serve its enrollees.

The current regulations do not define audit and evaluation, nor do they direct the manner in which evaluations are carried out, as noted by § 2.2(b)(2). Nevertheless, we stated in the proposed rule that we believe that the concept of audit or evaluation is not restricted to reviews that examine individual part 2 program performance. We specifically said they may also include periodic reviews of part 2 programs to determine if there are any needed actions at an agency level to improve care and outcomes across the individual part 2 programs the agency regulates or supports financially. Likewise, we noted that audits or evaluations may include reviews to determine if there are needed actions at a health plan level to improve care and outcomes for covered patients in part 2 programs. In other words, audits or evaluations may be conducted with a goal to identify additional steps agencies or third-party payers should be taking to support the part 2 programs and their patients. This includes reviews that allow agencies or third-party payer entities to identify larger trends across part 2 programs, in order to respond to emerging areas of need in ways that improve part 2 program performance and patient outcomes.

SAMHSA proposed to clarify that under § 2.53, government agencies and third-party payer entities would be permitted to obtain part 2 records without written patient consent to periodically conduct audits or evaluations for purposes such as identifying agency or health plan actions or policy changes aimed at improving care and outcomes for part 2 patients (e.g., provider education, recommending or requiring improved health care approaches); targeting limited resources more effectively to better care for patients; or adjusting specific Medicaid or other insurance components to facilitate adequate coverage and payment. These agencies and third-party payers are required to abide by the restrictions on disclosure and other relevant confidentiality requirements outlined in § 2.53. Additionally, SAMHSA stated in the proposed rule that it did not believe it was generally necessary to conduct these types of audits or evaluations on a routine or ongoing basis. Rather, we stated that we would generally expect that they would be performed periodically, unless they are required by applicable law or other compelling circumstances exist, such as unique cases in which an oversight agency determines there is a need for ongoing review. We also stated that information disclosed for the purpose of a program audit or evaluation may not be used to directly provide or support care coordination. As stated previously (83 FR 243), SAMHSA believes it is important to maintain patient choice in disclosing information to health care providers with whom patients have direct contact. Agencies or health plans could, for example, use information from the aggregated results of part 2 program evaluations to determine that a new benefit or payment category is needed in order to facilitate better care coordination.

The preamble to the 2017 final rule noted that the authorizing statute for part 2 does not provide a general exception to the consent requirement for disclosure of SUD records for the purpose of sharing records with public health officials (82 FR 6079). Furthermore, the preamble also noted that SAMHSA does not have the statutory authority to authorize routine disclosure of part 2 information for public health purposes (82 FR 6079). In the 2019 proposed rule, SAMHSA emphasized that audits or evaluations using aggregated data for such purposes described above are distinct from a broader public health exception. Specifically, under current regulations, part 2 programs may share information with the agencies that have the authority to regulate or provide financial support to the part 2 program, in order to safeguard or improve the care and outcomes for current and future patients in those programs, or to ensure the integrity of the funding program and the appropriate use of financial support by the part 2 program. A broader public health exception would conceivably enable part 2 programs to share identifiable information with any public health agency, regardless of its relationship with the part 2 program, for many types of purposes (e.g., preventative efforts aimed at a wider population).

To clarify allowable program evaluation activities using patient identifying information, SAMHSA proposed several changes to § 2.53. First, SAMHSA proposed to redesignate current § 2.53(c) and (d) as § 2.53(e) and (f), respectively, and insert a new § 2.53(c) titled: “Activities Included.” Proposed new paragraph § 2.53(c)(1) specified that audits or evaluations may include periodic activities to identify actions that an agency or third-party payer entity can make, such as changing its policies or procedures to improve patient care and outcomes across part 2 programs; targeting limited resources more effectively; or determining the need for adjustments to payment policies for the care of patients with SUD. This change was intended to clarify that disclosures of patient records by a part 2 program to an agency or third-party payer entity are permitted for these purposes without patient consent, pursuant to this section.

Second, SAMHSA noted in the proposed rule (84 FR 44579) that it has received feedback that stakeholders are unclear about whether § 2.53 allows federal, state, and local government agencies and third-party payers to have access to patient information for activities related to reviews of appropriateness of medical care, medical necessity, and utilization of services. As described above, the current regulations allow information to be disclosed to certain federal, state, and local governmental agencies and third-party payers for audit or evaluation purposes, as long as they agree to specific restrictions outlined in the regulations to limit disclosure or use of the records and preserve patient confidentiality. While neither the statute nor the regulations define audit or evaluation, we stated that these terms should and do include audits or evaluations to review whether patients are receiving appropriate services in the appropriate setting. Assessing whether a part 2 program provides appropriate care is a necessary part of any comprehensive part 2 program audit or evaluation. Government agencies may be charged with conducting such reviews for licensing or certification purposes or to ensure compliance with federal or state laws, as may private not-for-profit entities granted authority under the applicable statutes or regulations to carry out such work in lieu of the agencies. Third-party payers also have a stake in the programmatic integrity, as well as the clinical quality, of the part 2 programs that serve the patients they cover. Therefore, SAMHSA proposed to insert a new § 2.53(c)(2) that clarifies audit and evaluations under this section may include, but are not limited to, reviews of appropriateness of medical care, medical necessity, and utilization of services. Stakeholders were also referred to § 2.33, which allows disclosure of information for payment and/or health care operations activities with a patient's consent.

Third, we explained that stakeholders have expressed confusion about whether part 2 programs may disclose information for audit or evaluation purposes to the larger health care organizations in which they operate. For example, Medicare Conditions of Participation regulations at 42 CFR 482.21 require individual hospitals to conduct quality assessment and performance improvement (QAPI) programs that reflect the complexity of each hospital's organization and services, and which involve all hospital departments and services. QAPI programs are ongoing, hospital-wide, data-driven efforts that focus on addressing high-risk, high-volume or problem prone areas that affect health outcomes, patient safety, or quality of care.

As we noted in the proposed rule (84 FR 44580), the part 2 regulations provide ample leeway for part 2 programs to share information within their larger health care organizations for these and other types of evaluations. Under § 2.53(a)(2), part 2 programs may determine that individuals or entities within their health care organizations are qualified to conduct audits and evaluations and may share information pursuant to such reviews. Additionally, § 2.12(c)(3) states that, “The restrictions on disclosure in the regulations in this part do not apply to communications of information between or among personnel having a need for the information in connection with their duties that arise out of the provision of diagnosis, treatment, or referral for treatment of patients with substance use disorders if the communications are:

(i) Within a part 2 program; or

(ii) Between a part 2 program and an entity that has direct administrative control over the program.” The phrase “direct administrative control” refers to the situation in which a substance use disorder unit is a component of a larger behavioral health program or of a general health program.

In order to eliminate any remaining misunderstanding, however, SAMHSA proposed to expand the regulatory language to explicitly clarify that this type of information sharing is permitted under the regulations. Specifically, we proposed to add language to § 2.53(a)(2) to state that, “Auditors may include any non-part 2 entity that has direct administrative control over the part 2 program or lawful holder.” Additionally. SAMHSA proposed to include similar language in new subsection (b)(2)(iii). We stated that we believed that the proposed changes will help to clarify that in these situations, identifiable patient diagnosis or treatment information can be shared with personnel from an entity with direct administrative control over the part 2 program, where those persons, in connection with their audit or evaluation duties, need to know the information.

Fourth, while the regulations at § 2.53(a)(1)(ii) and (b)(2)(ii) specifically delineate that information may be disclosed to quality improvement organizations, these provisions do not explicitly include other types of entities that are responsible for quality assurance. For example, the regulations for audit and evaluation do not describe entities, such as health care organization accrediting or certification bodies, that may need to review patient records to evaluate whether a part 2 program meets quality and safety standards. To ensure that stakeholders understand that disclosure to these types of organizations is permitted, SAMHSA proposed to insert a new § 2.53(d) stating, “Quality Assurance Entities Included. Entities conducting audits or evaluations in accordance with § 2.53(a) and (b) may include accreditation or similar types of organizations focused on quality assurance.”

Additionally, at the time the NPRM was published, SAMHSA understood that some federal, state, and local government agencies face challenges in meeting statutory or regulatory mandates that require them to conduct audits or evaluations involving part 2 information. For example, the Centers for Medicare & Medicaid Services conducts risk adjustment and data validation in connection with the risk adjustment program it is required to operate in accordance with section 1343 of the Patient Protection and Affordable Care Act, 42 U.S.C. 18063 and implementing regulations. Under risk adjustment data validation, health insurance issuers are lawful holders of part 2 identifying information and may be required to provide it to CMS or its contractors. Therefore, SAMHSA proposed to insert a new § 2.53(g) to permit patient identifying information to be disclosed to federal, state, and local government agencies, as well as their contractors, subcontractors, and legal representatives of such agencies, in the course of conducting audits or evaluations mandated by statute or regulation, if those audits or evaluations cannot be carried out using de-identified information.

In addition to these changes, SAMHSA proposed to update language related to quality improvement organizations. At § 2.53(a)(1)(ii) and (b)(2)(ii), it proposed to amend the language to align it with 42 CFR 476.1. Specifically, SAMHSA proposed to replace references to “utilization or quality control review” with the term “QIO review.”

The comments we received on the proposed amendments to § 2.53 and our responses are provided below.

Public Comments About the Proposals for Audit and Evaluation in General

Comments on SAMHSA's Proposals To Clarify Permitted Activities of Government Agencies and Third-Party Payers (§ 2.53 (c)(1))

In response to comments discussed above, we are finalizing this section with changes. We are removing the word “periodically” from § 2.53(c)(1) and amending the language of § 2.53(c)(1)(ii) and (iii) to help clarify that our intent is to help government agencies and third-party payers as they seek to enhance the care and treatment of patients with SUD. Additionally, we are amending the wording in § 2.53(c)(1)(i) to replace the phrase “across part 2 programs” with the phrase “to improve care and outcomes for patients with SUDs who are treated by part 2 programs.”

Public Comments on SAMHSA's Proposal To Clarify Activities Related to Appropriateness of Care, Medical Necessity, and Utilization of Services (§ 2.53(c)(2))

Public Comments

A few commenters supported the proposal, stating that it will support quality improvement and cost containment efforts on the part of third-party payers and resolve ambiguity, and describing it as an essential component that should be retained in final regulations. One commenter stated their understanding that the NPRM is aimed at clarifying which activities fall within the terms “audit and evaluation” and does not necessarily expand or increase the activities already allowed.

SAMHSA Response

We thank the commenters for their support.

Public Comments

Several commenters opposed or expressed concerns about the proposed change. A few commenters said it could jeopardize individual patient insurance coverage, benefits, and access to care; give third-party payers a more defined or interfering role in treatment decisions; and subject patients to criminalization or stigma. One commenter noted they saw no enforcement measures in place to protect patients. Another commenter suggested that the permitted activities could arguably be accomplished through health care operations activities already permitted under § 2.33(b), following patient consent. Other commenters said the proposal exceeded the part 2 authorizing statute and raised concerns about the security of the information, believing that somehow the information would become available to fraudulent individuals marketing the latest SUD miracle cure to patients and families. One commenter said that care coordination should be added to the list of permitted audit and evaluation activities which would involve communication for similar, if not even more beneficial, purposes.

SAMHSA Response

SAMHSA Response

We thank the commenter for their support. While the part 2 authorizing statute includes an exception to the consent requirement for the purposes of conducting management and financial audits and program evaluations, it does not include such an exception for any type of mandated reporting or disclosure.

Public Comments

One commenter said the proposed rule change exceeds the authority in 42 U.S.C. 290dd-2 and should be removed. Another commenter expressed concern that the section would act as a catch-all for government agencies and their contractors, subcontractors, and legal representatives to have access to any information that they determine necessary if the state statute mandates the disclosure. The commenter believed this would give the government access to any information that it deems necessary, including managed care companies working as government contractors delivering care to state members. The commenter described the proposal as inconsistent with other portions of the regulations, without providing any specific details, and suggested that SAMHSA should further review the potential implications of this section.

SAMHSA Response

The audit and evaluation exception codified at 42 U.S.C. 290dd-2(B) permits disclosure for a wide range of audit and evaluation activities. We believe that the proposal to permit audit and evaluation by government agencies that are mandated by law is consistent with the authorizing statute and current § 2.53(a) and (b). Furthermore, redesignated § 2.53(f) reiterates that patient identifying information may only be used to carry out the purpose of the audit and evaluation. Moreover, § 2.13(a) prohibits the disclosure or use of patient identifying information in any civil, criminal, administrative, or legislative proceedings conducted by any federal, state, or local authority. Therefore, we are finalizing § 2.53(g) as proposed.

Public Comments on SAMHSA's Proposal Related To Updating QIO Language

Public Comments

One commenter supported SAMHSA's proposed rule change to align part 2 with current QIO regulations.

SAMHSA Response

We thank the commenter for their support, and we are finalizing our amendments to § 2.53 relating to QIOs as proposed.

L. Orders Authorizing the Use of Undercover Agents and Informants (§ 2.67)

SAMHSA is finalizing this section as proposed.

Under the 1975 final rule, the placement of undercover agents or informants in a part 2 program was largely prohibited, other than as specifically authorized by a court order for the purpose of investigating a part 2 program, or its agents or employees, for allegations of serious criminal misconduct. At the time the 1975 final rule was promulgated, it was noted that, although the use of undercover agents and informants in treatment programs was ordinarily to be avoided, there occasionally arise circumstances where their use may be justified (42 FR 27809). More narrowly, it was noted that the authorizing statute, by itself, did not forbid the use of undercover agents or informants, and that the express statutory prohibition against direct disclosure of patient records is nevertheless subject to the power of the courts to authorize such disclosures under 42 U.S.C. 290dd-2(b)(2)(C). Building on these statutory considerations, it was concluded that the power to regulate the placement of undercover agents and informants is limited, and that the importance of criminal investigation of part 2 programs offers a legitimate policy basis for allowing the placement of undercover agents or informants in such programs, given a showing of good cause in specific instances. As explained in the preamble to the 1975 final rule, experience has demonstrated that medical personnel, no matter how credentialed, can engage in the illicit sale of drugs on a large scale, and that the use of undercover agents and informants is normally the only effective means of securing evidence sufficient to support a successful prosecution in such instances. Based on over 40 years of experience since then, SAMHSA believes it is still the case that medical personnel sometimes engage in the illicit sale or transfer of drugs, and that a process for authorizing undercover agents is important to ensure the safety of patients in these part 2 programs.

Under the 1975 final rule, a 60-day time limitation with regard to the placement of undercover agents and informants in a part 2 program was imposed, with the opportunity for an applicant to seek an extension of the court order, for a total of up to 180 days (42 FR 27821). In the 1987 final rule, that period of placement for undercover agents and informants pursuant to a court order was extended to 6 months. This policy limitation was codified at § 2.67(d)(2).

Based on consultation with DOJ, the current policy is burdensome on, and overly restrictive of, some ongoing investigations of part 2 programs. Specifically, DOJ has stated that a typical undercover operation can often last longer than 6 months, and that 12 months is a more realistic timeframe for such operations. Therefore, SAMHSA proposed to amend § 2.67(d)(2), to extend the period for court-ordered placement of an undercover agent or informant to 12 months, while authorizing courts to further extend a period of placement through a new court order (84 FR 55481).

In addition, DOJ has stated that the current regulation text is ambiguous regarding when the current 6-month, or, as finalized, 12-month period, should start and stop, in determining whether a court-order period of placement has elapsed. SAMHSA considered multiple policy options regarding the tolling of the time period for an undercover placement. We considered having the time period begin on the date of the issuance of the court order. Alternatively, SAMHSA also considered having the time period begin on the date of placement of the undercover agent or informant. In consultations with DOJ, SAMHSA has found that there is often a lag of time between the court order and the placement of the agent or informant, for many reasons. Therefore, starting the time period when the court order is issued could significantly curtail the length of time an agent or informant can be undercover at a part 2 program. Furthermore, starting the time period based on date of placement of the agent or informant would provide greater clarity and predictability to law enforcement about exactly how long an agent or informant is allowed to be in the field, since the agent or informant is aware of the date his or her placement began, but may not be aware of the date of the court order. Thus, SAMHSA proposed to amend § 2.67(d)(2), to clarify that the proposed 12-month time period starts when an undercover agent or informant is placed in the part 2 program (84 FR 55481).

The comments we received on the proposed amendments to § 2.67 and our responses are provided below.

Public Comments

Some commenters opposed the presence of undercover officers and informants in part 2 programs for any length of time, citing privacy concerns, treatment deterrence, ethical violations, and a violation of constitutional rights. Some commenters specifically stated this proposal would perpetuate stigma. One commenter noted that officers should not be allowed in part 2 programs without proper behavioral health training.

SAMHSA Response

The authorizing statute (42 U.S.C. 290dd-2) and the regulations promulgated thereunder (42 CFR part 2) contain various safeguards to ensure that court orders authorizing the use of undercover agents and informants are not misused. For example, there must be an application citing certain good cause criteria, a court order noting the good cause, and notice provided to the director of the program. Furthermore, no information obtained by an undercover agent or informant placed in a part 2 program under the court order may be used to investigate or prosecute any patient in connection with a criminal matter (42 CFR 2.67(d)). Thus, we believe the regulations strike the appropriate balance between protecting patients from criminal activities by employees of part 2 programs and safeguarding the confidentiality and rights of these same patients.

Public Comments

A few commenters noted that this proposal is particularly concerning given the simultaneous proposal by SAMHSA (at 84 FR 44568) to remove “allegedly committed by the patient” from § 2.63 of the regulations. These commenters argued that, coupled together, the changes would allow the regulations to become a tool of prosecution and not recovery.

SAMHSA Response

As noted above, the authorizing statute (42 U.S.C. 290dd-2) and the regulations promulgated thereunder (42 CFR part 2) contain various safeguards against misuse of these provisions. Further, § 2.13(a) of the regulations specifically provide that “[t]he patient records subject to the regulations in this part may be disclosed or used only as permitted by the regulations in this part and may not otherwise be disclosed or used in any civil, criminal, administrative, or legislative proceedings conducted by any federal, state, or local authority. Any disclosure made under the regulations in this part must be limited to that information which is necessary to carry out the purpose of the disclosure.” Thus, we believe that these changes will serve to protect patients from crimes committed in part 2 programs while still safeguarding their confidentiality.

Public Comments

Many commenters disagreed with extending the length of placement of a court-order for an undercover agent or informant from 6 to 12 months, stating that this proposal does not purport to improve care coordination or patient safety. These commenters believe that this proposal may be interpreted by patients and providers as evidence that they are not safe in SUD treatment and may further deter treatment, stating that, given the current nationwide opioid crisis, it is important that SAMHSA strike an appropriate balance and promote greater access to comprehensive and coordinated SUD treatment. Commenters also requested additional details or examples regarding why 12 months is necessary for placement, arguing that there is no evidence that the current policy is encumbering ongoing investigations of part 2 programs or that allowing undercover agents in part 2 programs would address the causes of the opioid crisis. Some commenters noted that this proposal is particularly harmful to individuals living in areas that are already heavily policed.

SAMHSA Response

We disagree that this proposal does not improve patient safety. As noted above, the intent of the regulations is to protect patients, and the regulations at § 2.13(a) provide safeguards to ensure that “[t]he patient records subject to the regulations in this part may be disclosed or used only as permitted by the regulations in this part and may not otherwise be disclosed or used in any civil, criminal, administrative, or legislative proceedings conducted by any federal, state, or local authority.” In some situations, in order to build a case of wrong-doing in a part 2 program or by an employee in such a program, evidence must be collected for more than 6 months. We believe that 12 months appropriately strikes a balance between ensuring the necessary time for informants and safeguarding the confidentiality of patients.

V. Collection of Information Requirements

Under the Paperwork Reduction Act of 1995 (PRA), agencies are generally required to provide a 30-day notice in the Federal Register and solicit public comment before a collection of information requirement can be approved by the Office of Management and Budget (OMB) for review and approval. Currently, the information collection is approved under OMB Control No. 0930-0092. In order to fairly evaluate whether changes to an information collection should be approved by OMB, section 3506(c)(2)(A) of the PRA requires that SAMHSA solicit comment on the following issues: (a) Whether the information collection is necessary and useful to carry out the proper functions of the agency; (b) The accuracy of the agency's estimate of the information collection burden; (c) The quality, utility, and clarity of the information to be collected; and (d) recommendations to minimize the information collection burden on the affected public, including automated collection techniques. We solicited public comment in the proposed rule on each of the required issues under section 3506(c)(2)(A) of the PRA for the following information collection requirements (84 FR 44581 through 44584).

Under the PRA, the time, effort, and financial resources necessary to meet the information collection requirements referenced in this section are to be considered in rule making. SAMHSA explicitly sought, and considered, public comment on our assumptions as they relate to the PRA requirements summarized in this section.

This final rule includes changes to information collection requirements, that is, reporting, recordkeeping or third-party disclosure requirements, as defined under the PRA (5 CFR part 1320). Some of the provisions involve changes from the information collections set out in the previous regulations. Below, SAMHSA briefly discusses each finalized proposal and whether each includes changes to information collection requirements.

In section IV.B. of this final rule, SAMHSA is finalizing its proposal to modify the existing definition of “Records” in § 2.11 to conform with other finalized revisions in this final rule. See section IV.B. for further information about this finalized proposal. SAMHSA does not believe this finalized proposal will result in any change in collection of information requirements since unrecorded information is, by its nature, not collected.

In section IV.C. of this final rule, SAMHSA is finalizing amendments to § 2.12 to clarify in that section that non-part 2 entities may record SUD treatment about a patient in its own records without triggering part 2 provided that such providers are able to differentiate their records from those received from a part 2 program and part 2 records received from lawful holders. See section IV.C. for further information about this finalized proposal. As stated in that section, SAMHSA is finalizing new regulatory text to clarify existing policies; thus, SAMHSA is not finalizing any changes to any collection of information requirements. Furthermore, we believe that the clarification represents standard practice in many, if not all, part 2 programs and among other lawful holders. That is, non-part 2 entities are already either segregating or segmenting any SUD records received from a part 2 program or deciding not to do so, based on their standard operations. This finalized proposal will merely clarify that if the non-part 2 entity does, in fact, segregate or segment these records, the recording of information about a SUD and its treatment by a non-part 2 entity does not by itself render a medical record subject to the restrictions of 42 CFR part 2. Thus, SAMHSA does not believe this finalized proposal results in any changes in collection of information requirements.

In section IV.D. of this final rule, SAMHSA is finalizing amendments to § 2.31, to allow patients to consent to disclosure of their information to entities, without naming the specific individual receiving this information on behalf of a given entity. See section IV.D. for further information about this finalized proposal. This finalized proposal may result in providers needing to update their standard consent forms to allow for certain disclosures to such entities; that additional burden is discussed in the Regulatory Impact Analysis, below. SAMHSA believes this finalized proposal may result in part 2 program disclosing more information to certain entities. We discuss this additional burden, in total, with the additional collection of information requirements that may result from the finalized proposals in sections IV.J., and IV.K, below. This amendment is also anticipated to decrease burden on patients by removing barriers to sharing their own information in order to receive benefits, services, or treatment, but we do not have the data to quantify this reduction.

In section IV.E. of this final rule, SAMHSA is finalizing modifications to the language in § 2.32(a)(1), to remove the superfluous language that has contributed to confusion regarding the restrictions on re-disclosure. See section IV.E. for further information about this finalized proposal. Since part 2 providers are already required, upon disclosure, to provide a written statement notifying the recipient of the applicability of 42 CFR part 2 to any re-disclosure of the protected record, consistent with the prior revisions to part 2, including the 2017 final rule (82 FR 6106), SAMHSA does not believe this finalized modification of the language results in any changes in collection of information requirements.

In section IV.F. of this final rule, SAMHSA is finalizing with modification its proposal to specify in regulatory text an illustrative list of 17 permitted activities for the purpose of disclosures under § 2.33. SAMHSA is modifying the list of permitted activities to add to § 2.33 that disclosures for care coordination and case management, and disclosures for other payment and/or health care operations activities not expressly prohibited under this provision, are also permitted. See section IV.F. for further information about this finalized proposal. As noted in that section, SAMHSA has previously stated that most of these activities are permitted (83 FR 241); this language will only further clarify the previously finalized policy. Moreover with regard to the addition of care coordination and case management activities to § 2.33, SAMHSA does not believe that this finalized modification of the language will result in providers seeking additional consents to disclosure in the future, nor in any additional burden for providers with regard to documenting consents. Therefore, SAMHSA does not believe this finalized proposal results in any changes in collection of information requirements.

In section IV.G. of this final rule, SAMHSA is finalizing provisions to expand the scope of § 2.34(d) to make non-OTP providers with a treating provider relationship eligible to query a central registry with their patient's consent to determine whether a patient is already receiving treatment through a member program to prevent duplicative enrollments and prescriptions for methadone or buprenorphine, as well as to prevent any adverse effects with other prescribed medications. See section IV.G. for further information about this finalized proposal. Based on SAMHSA's research, the policies and procedures governing central registries vary widely by each state; in fact, many states do not have central registries in place. Because of this lack of information, it is not possible to estimate either the number of additional queries which central registries may receive as a result of this finalized proposal or the time or effort required to answer these queries. Therefore, it is difficult to estimate any additional collection of information requirements which may result from this finalized proposal. Instead, SAMHSA requested that central registries and providers that would query central registries provide comments on any additional information collection requirements this finalized proposal would cause and any resulting burden. SAMHSA did not receive any comments that would improve estimates of this burden. However, this provision removes barriers and expands eligibility, without requiring non-OTP providers to query the central registry.

In section IV.H. of this final rule, SAMHSA is finalizing its proposal to add a new § 2.36 permitting part 2 programs to report any data for controlled substances dispensed or prescribed to patients to PDMPs, as required by the applicable state law. See section III.G. for further information about this finalized proposal. SAMHSA anticipates that this finalized proposal may result in additional burden for part 2 programs choosing to report to PDMPs in two ways. If a part 2 program chooses to report to a PDMP, the program will need to update its consent forms to request consent for disclosure to PDMPs. That burden is discussed in the Regulatory Impact Analysis, below. The second part of the finalized proposal permits part 2 programs to report any data for controlled substances dispensed to patients to PDMPs, as required by the applicable state law. To estimate the additional collection of information requirements associated with this finalized proposal, SAMHSA used the average number of opiate treatment admissions from SAMHSA's 2014-2016 Treatment Episode Data Set (TEDS) as the estimate of the number of clients treated on an annual basis by part 2 programs (531,965). Although not all programs would need to report this information under state law or may choose to do so, SAMHSA has used this number to be conservative and comprehensive of any future burden if states require reporting in the future. TEDS “comprises data that are routinely collected by States in monitoring their individual substance abuse treatment systems. In general, facilities reporting TEDS data are those that receive State alcohol and/or drug agency funds (including Federal Block Grant funds) for the provision of substance abuse treatment.” ^[17] Although TEDS does not represent all of the admissions to part 2 programs, as reporting varies by state, SAMHSA believes it represents the vast majority of admissions. Conservatively, we assumed that each of these clients would consent to the re-disclosure of their information to PDMPs and would be dispensed medication required to be reported to a PDMP. SAMHSA assumes that part 2 programs, based on other state and federal requirements, already are required to query PDMP databases; therefore, SAMHSA does not include registration and infrastructure costs in this estimate. For example, several states require medical directors of OTPs to query their respective state PDMPs at minimum intervals, including IN, MN, MI, ND, NC, RI, TN, VT, WA, and WV.^[18] Based on discussions with providers, SAMHSA also estimates that, in addition to an initial update to the PDMP database for existing patients, the PDMP database would typically need to be accessed and updated quarterly for each patient, on average. Likewise, based on discussion with providers, SAMHSA believes accessing and reporting to the database would take approximately 2 minutes per patient, resulting in a total annual burden of 8 minutes (4 database accesses/updates × 2 minutes per access/update) or 0.133 hours annually per patient. For the labor costs associated with this activity, SAMHSA used the average wage rate of $24.01 ^[19] per hour for substance abuse, behavioral disorder, and mental health counselors (multiplied by two to account for benefits and overhead costs) to estimate a total burden in year 1 for the initial update of the PDMP database of $851,498 (531,965 clients × 2 minutes (0.033 hours) per access/update × $48.02/hour) and an annual burden in each year of $3,405,992 (531,965 clients × 0.133 hours × $48.02/hour). Therefore, we estimate that this finalized proposal will result in an additional cost of $4,085,489 ($851,498 + $3,405,992), as reflected in Table 1, below.

In section IV.I. of this final rule, SAMHSA is finalizing an addition to § 2.51 to allow disclosure of patient information during natural and major disasters. See section IV.I. for further information about this finalized proposal. Because this finalized proposal by its very nature does not require additional consent requirements or other paperwork, SAMHSA does not believe it will result in any changes in collection of information requirements. Providers, under their own policies and procedures or other laws, may need to keep track of the disclosures made, which, could require additional paperwork. Such requirements, however, are not discussed in this rule, nor does SAMHSA have any way of estimating them, as policies and procedures may vary across providers.

In section IV.J., and section IV.K. of this final rule, SAMHSA is finalizing changes with modifications to amend §§ 2.52 and 2.53 to allow or clarify the ability to make certain disclosures without patient consent. First, in section IV.J. of this final rule, SAMHSA is finalizing to modify the text of § 2.52(a) in order to allow research disclosures of part 2 data from a HIPAA-covered entity or business associate to individuals and organizations who are neither HIPA-covered entities, nor subject to the Common Rule, provided that any such data will be disclosed in accordance with the HIPAA Privacy Rule. See section IV.J. for further information about this finalized proposal. Second, SAMHSA is clarifying allowed disclosures for audit and evaluation purposes under § 2.53 for activities undertaken by a federal, state, or local governmental agency or third-party payer to identify needed actions to improve the delivery of care, to manage resources effectively to care for patients, and/or to determine the need for adjustments to payment policies to enhance care or coverage for patients with SUD. SAMHSA is also finalizing language to clarify that (1) audits and evaluations may include reviews of appropriateness of medical care, medical necessity, and utilization of services; (2) part 2 programs may disclose information, without consent, to non-part 2 entities that have direct administrative control over such part 2 programs; and (3) entities conducting audits or evaluations in accordance with § 2.53(a) and (b) may include accreditation or similar types of organizations focused on quality assurance. Further, SAMHSA is finalizing the proposal under § 2.53(g) to permit patient identifying information to be disclosed to government agencies in the course of conducting audits or evaluations mandated by statute or regulation, if those audits or evaluations cannot be carried out using de-identified information. Finally, SAMHSA is finalizing updates to language related to QIOs. See section IV.K. for further information about these finalized proposals. As stated in that section, SAMHSA believes that the regulations already permit audits and evaluations for reviews of appropriateness of medical care, medical necessity, and utilization of services. Likewise, SAMHSA also believes that the current regulations permit disclosure to a non-part 2 entity with direct administrative control over a part 2 program and to accreditation and similar organizations. Therefore, although SAMHSA is finalizing language to clarify any confusion that may exist, it believes that these activities are already permitted and that they will not, therefore, result in any new collection of information requirements or any other burden. It also believes updating the QIO language will not create new collection of information requirements or increase burden. As noted above, SAMHSA is also finalizing a provision to clarify that patient identifying information may be disclosed to government agencies and third-party payers to identify needed actions at the agency or payer level, although we are removing the expectation that these reviews would take place periodically due to ambiguity about that term and to avoid interfering with currently-established audit schedules. We are not revising our burden estimates as a result of this modification because the frequency of these reviews is unaffected by the change. Additionally, SAMHSA is adopting a new provision to allow patient identifying information to be shared with government agencies in the course of conducting audits or evaluations mandated by statute or regulation, if those audits and evaluations cannot be carried out using de-identified information. In section IV.D of this final rule, SAMHSA is also finalizing a proposal to allow disclosure to entities with patient consent. SAMHSA believes that the finalized proposals in sections IV.D., J, and K, may result in additional collection of information requirements, as part 2 programs may be asked to disclose information to agencies and entities as a result. Although SAMHSA is not able to anticipate the increase in these disclosures, to estimate the potential cost, we first estimated the number of potentially impacted part 2 programs based on the anticipated number of requests for a disclosure in a calendar year. SAMHSA used the average number of substance abuse treatment admissions from SAMHSA's 2014-2016 TEDS (1,658,732) as the number of patients treated annually by part 2 programs. SAMHSA then estimated that part 2 programs would need to disclose an average of 15 percent of these records (248,810) as a result of these finalized proposals. We then estimated that 10 percent or 24,881 (248,810 × 10%) of impacted records would be held by part 2 programs who would use paper records to comply with these requests for disclosure reports while the remaining 90% or 223,929 (248,810 × 90%) would use a health IT system. For part 2 programs using paper records, SAMHSA expects that a staff member would need to gather and aggregate the information from paper records, and manually track disclosures; for those part 2 programs with a health IT system, we expect records and tracking information would be available within the system.

SAMHSA assumed medical record technicians would be the staff with the primary responsibility for compiling the information for a list of disclosures from both paper records and health IT systems. The average hourly rate for medical record and health information technicians is $22.40.^[20] In order to account for benefits and overhead costs associated with staff time, we multiplied the hourly wage rate by two for a total average hourly wage rate of $44.80. Absent any existing information on the amount of time associated with producing a list of disclosures, SAMHSA assumed it would take a medical record technician 4 hours, on average, to produce the information from paper records at a cost of $179.20 (4 hours × $44.80/hour) and 0.25 hours, on average, to produce information from a health IT system at a cost of $11.20 (0.25 hours × $44.80/hour). Finally, SAMHSA assumes that agencies will request that these disclosures be made on secure, online databases, and would not require notification via email or first class mail, thus resulting in no additional cost to transmit this information. Based on these assumptions, SAMHSA estimates that this finalized proposal will result in an additional cost of $6,966,680 {(24,881 requests × $179.20 per request) + (223,929 requests × $11.20 per request)}, as reflected in Table 1, below.

In section IV.L. of this final rule, SAMHSA is finalizing amendments to § 2.67 to extend the period for court-ordered placement of an undercover agent or informant to 12 months, while authorizing courts to further extend a period of placement through a new court order. In that section, SAMHSA is also finalizing changes to explicitly state when the 12- month period begins to run. See section IV.L. for further information about this finalized proposal. The requirements of the Paperwork Reduction Act do not apply “During the conduct of a Federal criminal investigation or prosecution, or during the disposition of a particular criminal matter” (5 CFR 1320.4(a)(1)), or to information collections by the federal judiciary or state courts (5 CFR 1320.3(a)).^[21]

Below, SAMHSA summarizes the estimated cost of the change in collection of information requirements discussed above. Along with publication of this rule, SAMHSA will submit the information collection revisions associated with this rule to the Office of Management and Budget for approval. After receiving a final action, SAMHSA swill publish a notice in the Federal Register to inform the public.

Table 1: Annualized Burden Estimates
	Annual number of respondents	Responses per respondent	Total responses	Hours per response	Total hourly burden	Hourly wage cost	Total hourly cost
§ 2.36	531,965	5	2,659,825	0.033	88,661	$48.02	$4,257,491
§§ 2.31, 2.52, 2.53 (Paper Records)	24,881	1	24,881	4	99,524	44.80	4,458,675
§§ 2.31, 2.52, 2.53 (Health IT Systems)	223,929	1	223,929	0.25	55,982	44.80	2,508,005
Total	780,775		2,908,633		244,167		11,224,171

VI. Regulatory Impact Analysis

A. Statement of Need

This final rule is necessary to update the Confidentiality of Substance Use Disorder Patient Records regulations at 42 CFR part 2 to respond to the emergence of the opioid crisis, with its catastrophic impact on patients and corresponding clinical and safety challenges for providers. The goal of this final rule is to clarify existing requirements in 42 CFR part 2 and reduce barriers to information sharing to ensure appropriate care and patient safety.

As noted in the tables below, SAMHSA believes that the finalized policies in this final rule will result in some near-term non-recurring and annual recurring financial burdens. We have weighed these potential burdens against the potential benefits, and believe, on balance, the potential benefits outweigh any potential costs. Specifically, the finalized proposals in this rule are meant to allow providers to better understand the needs of their patients by clarifying the requirements under part 2 and to break down barriers to information sharing among part 2 programs and other providers. SAMHSA believes this information sharing would benefit patients because both part 2 programs and other providers would be able to more fully understand the patient's health history and avoid dangerous and even lethal adverse drug events. In addition, these finalized proposals are also intended to protect and empower patients by giving them more control over their consent and control of their records, for example, by allowing them to consent to disclosure to entities, should they so choose. Furthermore, in drafting these finalized proposals, SAMHSA was cognizant of privacy concerns and specifically drafted these finalized proposals to protect the privacy of patients; for example, the finalized proposal regarding OTP provider disclosure to PDMPs requires the consent of the patient. SAMHSA believes that increasing patient safety and the empowerment of patients will lead to better health outcomes, therefore balancing any burdens discussed below and any remaining privacy concerns.

B. Overall Impact

SAMHSA has examined the impacts of this final rule as required by Executive Order 12866 on Regulatory Planning and Review (September 30, 1993), Executive Order 13563 on Improving Regulation and Regulatory Review (January 18, 2011), the Regulatory Flexibility Act (RFA) (September 19, 1980, Pub. L. 96-354), section 1102(b) of the Social Security Act, section 202 of the Unfunded Mandates Reform Act of 1995 (March 22, 1995; Pub. L. 104-4), Executive Order 13132 on Federalism (August 4, 1999), the Congressional Review Act (5 U.S.C. 804(2)), and Executive Order 13771 (Reducing and Controlling Regulatory Costs). Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Section 3(f) of Executive Order 12866 defines a “significant regulatory action” as an action that is likely to result in a rule: (1) Having an annual effect on the economy of $100 million or more in any 1 year, or adversely and materially affecting a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or state, local or tribal governments or communities (also referred to as “economically significant”); (2) creating a serious inconsistency or otherwise interfering with an action taken or planned by another agency; (3) materially altering the budgetary impacts of entitlement grants, user fees, or loan programs or the rights and obligations of recipients thereof; or (4) raising novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive Order. We have a conducted a regulatory impact analysis for this rule, which we present here.

As discussed in the regulatory impact analysis, we believe this final rule meets the necessary is a de-regulatory action because it eliminates some of the burdens of, and barriers to, SUD treatment record-keeping previously imposed by 42 CFR part 2. The goal of this final rule is to improve the coordination of care for persons with SUD by reducing administrative burdens related to maintenance of disclosures and patient records for downstream, non-part 2 providers. By facilitating care coordination in this way, we anticipate primary care and general medical providers will be more able and more willing to coordinate care for their patients with SUD, and by extension, that quality of care and safety outcomes in the context of the opioids epidemic will improve. This final rule also seeks to facilitate appropriate maintenance of SUD patient records and communications, as by clarifying that the rule for disclosing SUD treatment records in a “medical emergency” can also apply in natural and major disaster situations. Here again, the goal is de-regulatory, and will reduce the administrative burden for providers in disclosing SUD treatment records in appropriate situations, while also improving care coordination, access to care, and safety during medical emergencies. While we are unable to quantify the benefits related to access and quality of care as well as improved safety and health outcomes for patients with SUD, we believe them to be substantial and to outweigh any additional regulatory burden or economic impacts that may result from the policies finalized in this rule.

The RFA requires agencies to analyze options for regulatory relief of small businesses. For purposes of the RFA, small entities include small businesses (including independent contractors), nonprofit organizations, and small governmental jurisdictions. Individuals and states are not included in the definition of a small entity. The final rule will allow patients to consent to disclosure of their information to entities; permit part 2 programs to report data for controlled substances dispensed to patients to PDMPs with patient consent; and allow part 2 programs to comply with disclosure requests from federal, state, or local governmental agencies, third-party payers and researchers. These finalized proposals will result in additional reporting burden as well as near-term non-recurring and annual recurring regulatory impacts to part 2 programs. As shown in Table 2 and as discussed in the Collection of Information Requirements (Section V), we estimate the average cost impact per substance abuse treatment admission for staff training, updates to consent forms, and disclosures to agencies will be $4.32 in year 1 ($7,168,135 ÷ 1,658,732 patients) and $4.20 in years 2 through 10 ($6,966,680 ÷ 1,658,732 patients). For opiate treatment patients, we also estimate the average cost impact for disclosure to PDMPs to be $8.00 per patient in year 1 ($4,257,491 ÷ 531,965 patients) and $6.40 in years 2 through 10 ($3,405,992 ÷ 531,965 patients). When this is added to the costs for staff training, updates to consent forms, and disclosures to agencies, the aggregate cost impact per opiate treatment admission is $12.32 in year 1 and $10.60 in years 2 through 10. While we are unable to determine how many part 2 programs qualify as small businesses based on the minimum threshold for small business size of $38.5 million (https://www.sba.gov/federal-contracting/contracting-guide/size-standards), we believe that on a per-patient basis, this final rule will not significantly affect part 2 treatment programs of any size. SAMHSA has not prepared an analysis for the RFA because it has determined, and the Secretary certifies, that this final rule does not have a significant economic impact on a substantial number of small entities.

As further described in section V., above, when estimating the total costs associated with changes to the 42 CFR part 2 regulations, SAMHSA estimated costs related to collection of information for the finalized changes to §§ 2.31, 2.52, 2.53, and (new) 2.36. In addition, we estimate that there may be additional burden related to updating consent forms as a result of the finalized proposals in §§ 2.31 and (new) 2.36. In section IV.D. of this final rule, SAMHSA is finalizing its proposal to amend § 2.31 to allow patients to consent to disclosure of their information to entities, without naming the specific individual receiving this information on behalf of a given entity. In section IV.H. of this final rule, SAMHSA is finalizing its proposal to add a new § 2.36, permitting part 2 programs to report to PDMPs; patients must consent to disclosure before this reporting can occur. See sections IV.D. and IV.H. for further information about these finalized proposals. These finalized proposals may result in providers needing to update their standard consent forms to allow for certain disclosures. As stated in the 2016 proposed rule (81 FR 7009 through 7010), based from a 2008 study from the Mayo Clinic Health Care Systems,^[22] the reported cost to update authorization forms was $0.10 per patient. Adjusted for inflation,^[23] costs associated with updating the patient consent forms in 2019 would be $0.12 per patient (2018 dollars). SAMHSA used the average number of substance abuse treatment admissions from SAMHSA's 2014-2016 TEDS (1,658,732) as an estimate of the number of clients treated on an annual basis by part 2 programs. Therefore, the total cost burden associated with updating the consent forms to reflect the updated 42 CFR part 2 regulations is estimated to be a one-time cost of $199,048 (1,658,732 * $0.12), as reflected in Table 2, below. Further, the finalized proposal to amend § 2.31 is likely to result in a decrease in the number of consents to disclosures that patients must make, due to the ability to consent to entities without naming a specific individual. Because of a lack of data regarding the number of consents patients have made to multiple individuals within the same entity which would become duplicative as a result of the finalized amendment, we are unable to quantify the reduction in burden related to the expected reduction in the number of required consents.

In prior proposed rules (e.g., 81 FR 7009), SAMHSA estimated one hour of training per staff to achieve proficiency in the 42 CFR part 2 regulations. SAMHSA assumes that training associated with the new requirements discussed in this final rule can be accomplished within the existing one hour of training; therefore, we are not finalizing any additional costs for training counseling staff.

With regard to training materials, SAMHSA will assume responsibility for updating and distributing training materials in year 1 at no cost to part 2 programs. A 2017 study by the Association for Talent Development determined the average time to develop training materials for one hour of classroom instruction is 38 hours.^[24] Because we assume that SAMHSA will be updating rather than developing training materials, we estimate the time for training development to be one-half that of developing new materials, or 19 hours and would be performed by an instructor with experience in healthcare at the average wage rate of $63.34 per hour for a health specialty teacher ^[25] and multiplied the average wage rate by 2 in order to account for benefits and overhead costs. Based on these assumptions, the updating of training materials is estimated to cost $2,407 (19 hours × $126.68/hour). SAMHSA estimates that the updates to consent forms (§§ 2.31 and 2.36) will be one-time costs the first year the final rule will be in effect and will not carry forward into future years. Staff training costs other than those associated with updating training materials are assumed to be ongoing annual costs to part 2 programs, also beginning in the first year that the final rule is in effect. Costs associated with disclosing information to PDMPs (§ 2.36) and agencies (§ 2.53) are assumed to be ongoing annual costs to part 2 programs.

Public Comments

A few commenters expressed their belief that SAMHSA has underestimated the associated training time required for staff to achieve proficiency with the proposed policies. However, these commenters did not suggest a specific alternative estimate.

SAMHSA Response

We believe that the finalized policies do not substantively add requirements for counseling staff, but are instead modifications, revisions, and clarifications to existing requirements. Therefore, we believe the previously approved estimate of one hour is still appropriate and are not making any updates as a result of the comments received.

In section III.L. of this final rule, SAMHSA is finalizing amendments to § 2.67 to extend the period for court-ordered placement of an undercover agent or informant to 12 months, while authorizing courts to further extend a period of placement through a new court order. In that section, SAMHSA is also finalizing changes to explicitly state when the 12- month period begins to run. See section III.L. for further information about this finalized proposal. Since the requirements for seeking this court order will be the same, and the finalized proposal will merely be extending the time of the court order, SAMHSA does not believe this finalized proposal results in any additional regulatory burden.

Based on the above, SAMHSA estimates in the first year that the final rule will be in effect, the costs associated with the finalized updates to 42 CFR part 2 will be $11,425,625 as shown in Table 2. In years 2 through 10, SAMHSA estimates that costs will be $10,372,672. Over the 10-year period of 2020-2029, the total undiscounted cost of the finalized changes will be $104,779,677 in 2018 dollars. As shown in Table 3, when future costs are discounted at 3 percent or 7 percent per year, the total costs become approximately $89.5 million or $73.8 million, respectively. These costs are presented in the tables below.

Table 2—Total Cost of 42 CFR Part 2 Revisions
Year	Disclosure to PDMPs	Staff training costs	Updates to consent forms	Disclosures to agencies	Total costs
2020	$4,257,491	$2,407	$199,048	$6,966,680	$11,425,625
2021	3,405,992	0	0	6,966,680	10,372,672
2022	3,405,992	0	0	6,966,680	10,372,672
2023	3,405,992	0	0	6,966,680	10,372,672
2024	3,405,992	0	0	6,966,680	10,372,672
2025	3,405,992	0	0	6,966,680	10,372,672
2026	3,405,992	0	0	6,966,680	10,372,672
2027	3,405,992	0	0	6,966,680	10,372,672
2028	3,405,992	0	0	6,966,680	10,372,672
2029	3,405,992	0	0	6,966,680	10,372,672
Total	34,911,423	2,407	199,048	69,666,800	104,779,677

Table 3—Total Cost of 42 CFR Part 2 Revisions—Annual Discounting
Year	Total costs	Total cost with 3% discounting	Total cost with 7% discounting
2020	$11,425,625	$11,092,840	$10,678,154
2021	10,372,672	9,777,239	9,059,894
2022	10,372,672	9,492,465	8,467,190
2023	10,372,672	9,215,985	7,913,262
2024	10,372,672	8,947,558	7,395,572
2025	10,372,672	8,686,950	6,911,750
2026	10,372,672	8,433,932	6,459,579
2027	10,372,672	8,188,283	6,036,990
2028	10,372,672	7,949,790	5,642,047
2029	10,372,672	7,718,242	5,272,941
Total	104,779,677	89,503,284	73,837,379

We estimated the total annual cost of this rule to be $10,372,672, ignoring initial transition costs (such as training in the first year). In the Paperwork Reduction Act section, we also estimated that the number of clients treated annually by a Part 2 program to be 1,658,732. Thus, the cost and benefits would break even if the average benefit were $6.25 per year per client (even if the benefit accrued to providers or others, rather than directly the client). Based on public comments received from affected providers, organizations and entities that this rule will be burden reducing, a deregulatory description seems reasonable. In addition, we note that the estimated costs of this rule come after the first year from disclosure to PDMPs and new disclosures to agencies. However, this rule removes regulatory barriers to those disclosures. It does not require those disclosures.

Because disclosure to PDMPs is permitted, but not required, by this rule, we assume that such disclosures will only be made when providers (and/or states) have decided that the benefits of that disclosure outweigh the costs. Similarly, this final rule permits new disclosures to agencies, including for audit or research purposes, but does not itself require them. As described above, the rule contains other deregulatory provisions that we have not quantified, such as treatment records from non-Part 2 providers not being covered by Part 2, clarifying sanitation procedures, reducing restrictions on disclosure to organizations with patient consent, and reducing burden/barriers in emergency situations and for research. Thus, this rule is an Executive Order 13771 deregulatory action.

C. Alternatives Considered

In drafting this final rule, SAMHSA considered potential policy alternatives and, when possible, finalized the least burdensome alternatives. For example, in section IV.C. of this final rule, we considered finalizing, specifically, the technological and operational requirements required for segmenting records but decided to allow providers more latitude to define their best practices, understanding that specific requirements could pose more burden, specifically to small and rural providers. In section IV.D. of this final rule, SAMHSA also considered only allowing patients to allow disclosure to state, federal, and local government entities that provide benefits. Instead, however, it decided to finalize to allow patients to more broadly specify disclosure to entities, so that patients can more widely control their information. On balance, SAMHSA believes that the finalized proposals in this rule most appropriately balance the often-competing interests of burden, privacy, and patient safety.

D. Conclusion

SAMHSA finalized amendments to 42 CFR part 2. With respect to our finalized proposals to revise the regulations, SAMHSA does not believe that the finalized proposals will have a significant impact. As discussed above, we are not preparing an analysis for the RFA because SAMHSA has determined, and the Secretary certifies, that this final rule will not have a significant economic impact on a substantial number of small entities. SAMHSA is not preparing an analysis for section 1102(b) of the RFA because it has determined, and the Secretary certifies, that this final rule will not have a significant impact on the operations of a substantial number of small rural hospitals. In addition, SAMHSA does not believe this final rule imposes substantial direct effects on (1) states, including subdivisions thereof, (2) the relationship between the federal government and the states, or (3) the distribution of power and responsibilities among the various levels of government. Therefore, the requirements of Executive Order 13132 on federalism would not be applicable.

SAMHSA shares the commenters' concerns regarding documentation burden and workflow, however the revised part 2 rule does not involve any update to DS4P standards, and does not impose any requirement for providers to use compliant EHR systems. The revised part 2 rule also does not require non-part 2 providers to segregate any records received from a part 2 program. For these reasons, there is no increased burden to providers under this rule associated with DS4P standards. Any future update to DS4P standards, and any hypothetical burden therefrom, is outside the scope of the current rulemaking. If this issue is addressed through future rulemaking, we may revisit these concerns at that time.

In accordance with the provisions of Executive Order 12866, this final rule has been reviewed by the Office of Management and Budget. Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq.), the Office of Information and Regulatory Affairs designated this rule as not a major rule, as defined by 5 U.S.C. 804(2).

List of Subjects in 42 CFR Part 2

Alcohol abuse
Alcoholism
Drug abuse
Grant programs—health
Health records
Privacy
Reporting and recordkeeping requirements

For the reasons set forth in the preamble, the Department of Health and Human Services amends 42 CFR part 2 as follows:

PART 2—CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS

1. The authority citation for part 2 continues to read as follows:

Authority: 42 U.S.C. 290dd-2.

2. Amend § 2.11 by revising the definition of “Records” to read as follows:

§ 2.11

Definitions.

Records means any information, whether recorded or not, created by, received, or acquired by a part 2 program relating to a patient (e.g., diagnosis, treatment and referral for treatment information, billing information, emails, voice mails, and texts), provided, however, that information conveyed orally by a part 2 program to a non-part 2 provider for treatment purposes with the consent of the patient does not become a record subject to this Part in the possession of the non-part 2 provider merely because that information is reduced to writing by that non-part 2 provider. Records otherwise transmitted by a part 2 program to a non-part 2 provider retain their characteristic as records in the hands of the non-part 2 provider, but may be segregated by that provider. For the purpose of the regulations in this part, records include both paper and electronic records.

3. Amend § 2.12 by—

a. Revising paragraphs (a)(1) introductory text and (a)(1)(ii);

b. In paragraph (d)(2)(i)(A) by removing the reference “§ 2.31(a)(4)(iii)(A)” and adding in its place the reference “§ 2.31(a)(4)(i)”;

c. Adding paragraph (d)(2)(ii); and

d. Revising paragraph (e)(3) and paragraph (e)(4) introductory text.

The revisions and additions read as follows:

§ 2.12

Applicability.

(a) * * *

(1) Restrictions on disclosure. The restrictions on disclosure in the regulations in this part apply to any records which:

(ii) Contain drug abuse information obtained by a federally assisted drug abuse program after March 20, 1972 (part 2 program), or contain alcohol abuse information obtained by a federally assisted alcohol abuse program after May 13, 1974 (part 2 program); or if obtained before the pertinent date, is maintained by a part 2 program after that date as part of an ongoing treatment episode which extends past that date; for the purpose of treating a substance use disorder, making a diagnosis for that treatment, or making a referral for that treatment.

(d) * * *

(2) * * *

(ii) Notwithstanding paragraph (d)(2)(i)(C) of this section, a non-part 2 treating provider may record information about a substance use disorder (SUD) and its treatment that identifies a patient. This is permitted and does not constitute a record that has been re-disclosed under part 2, provided that any SUD records received from a part 2 program or other lawful holder are segregated or segmented. The act of recording information about a SUD and its treatment does not by itself render a medical record which is created by a non-part 2 treating provider subject to the restrictions of this part 2.

(e) * * *

(3) Information to which restrictions are applicable. Whether a restriction applies to the use or disclosure of a record affects the type of records which may be disclosed. The restrictions on disclosure apply to any part 2-covered records which would identify a specified patient as having or having had a substance use disorder. The restriction on use of part 2 records to bring criminal charges against a patient for a crime applies to any records obtained by the part 2 program for the purpose of diagnosis, treatment, or referral for treatment of patients with substance use disorders. (Restrictions on use and disclosure apply to recipients of part 2 records under paragraph (d) of this section.)

(4) How type of diagnosis affects coverage. These regulations cover any record reflecting a diagnosis identifying a patient as having or having had a substance use disorder which is initially prepared by a part 2 provider in connection with the treatment or referral for treatment of a patient with a substance use disorder. A diagnosis prepared by a part 2 provider for the purpose of treatment or referral for treatment, but which is not so used, is covered by the regulations in this part. The following are not covered by the regulations in this part:

4. Amend § 2.13 by revising paragraphs (d) introductory text, (d)(2) introductory text, and (d)(3) to read as follows:

§ 2.13

Confidentiality restrictions and safeguards

(d) List of disclosures. Upon request, patients who have consented to disclose their patient identifying information using a general designation pursuant to § 2.31(a)(4)(ii)(B) must be provided a list of entities to which their information has been disclosed pursuant to the general designation.

(2) Under this paragraph (d), the entity named on the consent form that discloses information pursuant to a patient's general designation (the entity that serves as an intermediary, as described in § 2.31(a)(4)(ii)(B)) must:

(3) The part 2 program is not responsible for compliance with this paragraph (d); the entity that serves as an intermediary, as described in § 2.31(a)(4)(ii)(B), is responsible for compliance with the requirement.

5. Amend § 2.31 by revising paragraph (a)(4) to read as follows:

§ 2.31

Consent requirements.

(a) * * *

(4)(i) General requirement for designating recipients. The name(s) of the individual(s) or the name(s) of the entity(-ies) to which a disclosure is to be made.

(ii) Special instructions for entities that facilitate the exchange of health information and research institutions. Notwithstanding paragraph (a)(4)(i) of this section, if the recipient entity facilitates the exchange of health information or is a research institution, a written consent must include the name(s) of the entity(-ies) and

(A) The name(s) of individual or entity participant(s); or

(B) A general designation of an individual or entity participant(s) or class of participants that must be limited to a participant(s) who has a treating provider relationship with the patient whose information is being disclosed. When using a general designation, a statement must be included on the consent form that the patient (or other individual authorized to sign in lieu of the patient), confirms their understanding that, upon their request and consistent with this part, they must be provided a list of entities to which their information has been disclosed pursuant to the general designation (see § 2.13(d)).

6. Amend § 2.32 by revising paragraph (a)(1) to read as follows:

§ 2.32

Prohibition on re-disclosure.

(a) * * *

(1) This record which has been disclosed to you is protected by federal confidentiality rules (42 CFR part 2). The federal rules prohibit you from making any further disclosure of this record unless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed in this record or, is otherwise permitted by 42 CFR part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose (see § 2.31). The federal rules restrict any use of the information to investigate or prosecute with regard to a crime any patient with a substance use disorder, except as provided at §§ 2.12(c)(5) and 2.65; or

7. Amend § 2.33 by revising paragraph (b) to read as follows:

§ 2.33

Disclosures permitted with written consent.

(b) If a patient consents to a disclosure of their records under § 2.31 for payment or health care operations activities, a lawful holder who receives such records under the terms of the written consent may further disclose those records as may be necessary for its contractors, subcontractors, or legal representatives to carry out payment and/or health care operations on behalf of such lawful holder. In accordance with § 2.13(a), disclosures under this section must be limited to that information which is necessary to carry out the stated purpose of the disclosure. Examples of permissible payment or health care operations activities under this section include:

(1) Billing, claims management, collections activities, obtaining payment under a contract for reinsurance, claims filing, and/or related health care data processing;

(2) Clinical professional support services (e.g., quality assessment and improvement initiatives; utilization review and management services);

(3) Patient safety activities;

(4) Activities pertaining to:

(i) The training of student trainees and health care professionals;

(ii) The assessment of practitioner competencies;

(iii) The assessment of provider or health plan performance; and/or

(iv) Training of non-health care professionals;

(5) Accreditation, certification, licensing, or credentialing activities;

(6) Underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and/or ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care;

(7) Third-party liability coverage;

(8) Activities related to addressing fraud, waste and/or abuse;

(9) Conducting or arranging for medical review, legal services, and/or auditing functions;

(10) Business planning and development, such as conducting cost management and planning-related analyses related to managing and operating, including formulary development and administration, development or improvement of methods of payment or coverage policies;

(11) Business management and general administrative activities, including management activities relating to implementation of and compliance with the requirements of this or other statutes or regulations;

(12) Customer services, including the provision of data analyses for policy holders, plan sponsors, or other customers;

(13) Resolution of internal grievances;

(14) The sale, transfer, merger, consolidation, or dissolution of an organization;

(15) Determinations of eligibility or coverage (e.g., coordination of benefit services or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;

(16) Risk adjusting amounts due based on enrollee health status and demographic characteristics;

(17) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;

(18) Care coordination and/or case management services in support of payment or health care operations; and/or

(19) Other payment/health care operations activities not expressly prohibited in this provision.

8. Amend § 2.34 by—

a. Revising paragraph (b);

b. Redesignating paragraph (d) as paragraph (e); and

c. Adding a new paragraph (d).

The revision and addition read as follows:

§ 2.34

Disclosures to prevent multiple enrollments.

(b) Use of information limited to prevention of multiple enrollments. A central registry and any withdrawal management or maintenance treatment program to which information is disclosed to prevent multiple enrollments may not re-disclose or use patient identifying information for any purpose other than the prevention of multiple enrollments or to ensure appropriate coordinated care with a treating provider that is not a part 2 program unless authorized by a court order under subpart E of this part.

(d) Permitted disclosure by a central registry to a non-member treating provider, to prevent a multiple enrollment. When, for the purpose of preventing multiple program enrollments or duplicative prescriptions, or to inform prescriber decision making regarding prescribing of opioid medication(s) or other prescribed substances, a provider with a treating provider relationship that is not a member program asks a central registry if an identified patient is enrolled in a member program, the registry may disclose:

(1) The name, address, and telephone number of the member program(s) in which the patient is enrolled;

(2) Type and dosage of any medication for substance use disorder being administered or prescribed to the patient by the member program(s); and

(3) Relevant dates of any such administration or prescription. The central registry and non-member program treating prescriber may communicate as necessary to verify that no error has been made and to prevent or eliminate any multiple enrollments or improper prescribing.

9. Add § 2.36 to subpart C to read as follows:

§ 2.36

Disclosures to prescription drug monitoring programs.

A part 2 program or other lawful holder is permitted to report any SUD medication prescribed or dispensed by the part 2 program to the applicable state prescription drug monitoring program if required by applicable state law. A part 2 program or other lawful holder must obtain patient consent to a disclosure of records to a prescription drug monitoring program under § 2.31 prior to reporting of such information.

10. Amend § 2.51 by revising paragraph (a) to read as follows:

§ 2.51

Medical emergencies.

(a) General rule. Under the procedures required by paragraph (c) of this section, patient identifying information may be disclosed to medical personnel to the extent necessary to:

(1) Meet a bona fide medical emergency in which the patient's prior written consent cannot be obtained; or

(2) Meet a bona fide medical emergency in which a part 2 program is closed and unable to provide services or obtain the prior written consent of the patient, during a temporary state of emergency declared by a state or federal authority as the result of a natural or major disaster, until such time that the part 2 program resumes operations.

11. Amend § 2.52 by revising paragraph (a) to read as follows:

§ 2.52

Research.

(a) Notwithstanding other provisions of this part, including paragraph (b)(2) of this section, patient identifying information may be disclosed for the purposes of the recipient conducting scientific research if:

(1) The individual designated as director or managing director, or individual otherwise vested with authority to act as chief executive officer or their designee, of a part 2 program or other lawful holder of part 2 data, makes a determination that the recipient of the patient identifying information is:

(i) A HIPAA-covered entity or business associate that has obtained and documented authorization from the patient, or a waiver or alteration of authorization, consistent with the HIPAA Privacy Rule at 45 CFR 164.508 or 164.512(i), as applicable;

(ii) Subject to the HHS regulations regarding the protection of human subjects (45 CFR part 46), and provides documentation either that the researcher is in compliance with the requirements of 45 CFR part 46, including the requirements related to informed consent or a waiver of consent (45 CFR 46.111 and 46.116) or that the research qualifies for exemption under the HHS regulations (45 CFR 46.104) or any successor regulations;

(iii) Subject to the FDA regulations regarding the protection of human subjects (21 CFR parts 50 and 56) and provides documentation that the research is in compliance with the requirements of the FDA regulations, including the requirements related to informed consent or an exception to, or waiver of, consent (21 CFR part 50) and any successor regulations; or

(iv) Any combination of a HIPAA covered entity or business associate, and/or subject to the HHS regulations regarding the protection of human subjects, and/or subject to the FDA regulations regarding the protection of human subjects; and has met the requirements of paragraph (a)(1)(i), (ii) (iii), and/or (iv) of this section, as applicable.

(2) The part 2 program or other lawful holder of part 2 data is a HIPAA covered entity or business associate, and the disclosure is made in accordance with the HIPAA Privacy Rule requirements at 45 CFR 164.512(i).

(3) If neither paragraph (a)(1) or (2) of this section apply to the receiving or disclosing party, this section does not apply.

12. Amend § 2.53:

a. In paragraph (a) introductory text by removing the reference to “paragraph (d)” and adding in its place “paragraph (f)”;

b. By revising paragraph (a)(1)(ii);

c. By adding paragraphs (a)(1)(iii);

d. In paragraph (b)(1)(iii) by removing the reference to “paragraph (d)” and adding in its place “paragraph (f)”;

e. By revising paragraph (b)(2)(ii);

f. By adding paragraph (b)(2)(iii)

g. By redesignating paragraphs (c) and (d) as paragraphs (e) and (f), respectively;

h. By adding new paragraphs (c) and (d);

i. In newly redesignated paragraph (e)(1) introductory text, by removing the reference “paragraph (c)” and adding in its place the reference “paragraph (e)”;

j. In newly redesignated paragraph (e)(1)(iii), by removing the reference “paragraph (d)” and adding in its place the reference “paragraph (f)”;

k. In newly redesignated paragraph (e)(3)(ii)(F), by removing the reference “paragraph (c)(1)” and adding in its place the reference “paragraph (e)(1)”;

l. In newly redesignated paragraphs (e)(4) and (5), by removing the reference “paragraph (c)(2)” and adding in its place the reference “paragraph (e)(2)”;

m. In newly redesignated paragraph (e)(6), by removing the reference “paragraph (c)” and adding in its place the reference “paragraph (e)”;

n. In newly designated paragraph (f), by removing the reference “paragraph (c)” and adding in its place “paragraph (e)”;

o. Adding paragraph (g).

The revisions and additions read as follows:

§ 2.53

Audit and evaluation.

(a) * * *

(1) * * *

(ii) Any individual or entity which provides financial assistance to the part 2 program or other lawful holder, which is a third-party payer covering patients in the part 2 program, or which is a quality improvement organization performing a QIO review, or the contractors, subcontractors, or legal representatives of such individual, entity, or quality improvement organization.

(iii) An entity with direct administrative control over the part 2 program or lawful holder.

(b) * * *

(1) * * *

(2) * * *

(iii) An entity with direct administrative control over the part 2 program or lawful holder.

(1) Activities undertaken by a federal, state, or local governmental agency, or a third-party payer entity, in order to:

(i) Identify actions the agency or third-party payer entity can make, such as changes to its policies or procedures, to improve care and outcomes for patients with SUDs who are treated by part 2 programs;

(ii) Ensure that resources are managed effectively to care for patients; or

(iii) Determine the need for adjustments to payment policies to enhance care or coverage for patients with SUD.

(2) Reviews of appropriateness of medical care, medical necessity, and utilization of services.

(d) Quality assurance entities included. Entities conducting audits or evaluations in accordance with paragraphs (a) and (b) of this section may include accreditation or similar types of organizations focused on quality assurance.

(g) Audits and evaluations mandated by statute or regulation. Patient identifying information may be disclosed to federal, state, or local government agencies, and the contractors, subcontractors, and legal representatives of such agencies, in the course of conducting audits or evaluations mandated by statute or regulation, if those audits or evaluations cannot be carried out using deidentified information.

13. Amend § 2.67 by revising paragraph (d)(2) to read as follows:

§ 2.67

Orders authorizing the use of undercover agents and informants to investigate employees or agents of a part 2 program in connection with a criminal matter.

(d) * * *

(2) Limit the total period of the placement to twelve months, starting on the date that the undercover agent or informant is placed on site within the program. The placement of an undercover agent or informant must end after 12 months, unless a new court order is issued to extend the period of placement;

Dated: June 22, 2020.

Elinore F. McCance-Katz,

Assistant Secretary for Mental Health and Substance Use, Substance Abuse and Mental Health Services Administration.

Approved: July 1, 2020.

Alex M. Azar II,

Secretary, Department of Health and Human Services.

Footnotes

1. Mortality statistics published by the Centers for Disease Control and Prevention reflected a spike in the rate of opioid-related overdose deaths during the period from 2013-2017. See https://www.cdc.gov/mmwr/volumes/67/wr/mm675152e1.htm?s_cid=mm675152e1_w. More recent data from the State Unintentional Drug Overdose Reporting System (SUDORS), showed that opioid-involved overdose deaths in 25 states slightly decreased from July-December 2017 to January-June 2018. However, even in that time period, increases in illicitly-manufactured fentanyl overdose deaths involving multiple drugs almost negated decreases in fentanyl analog deaths and prescription opioid-involved overdose deaths. See https://www.cdc.gov/mmwr/volumes/68/wr/mm6834a2.htm).

Back to Citation

2. With regard to heightened demand for, and pressures upon, SUD treatment services in the opioid epidemic, see for example, “HHS Acting Secretary Declares Public Health Emergency to Address National Opioid Crisis,” Department of Health and Human Services, October 26, 2017 (at https://www.hhs.gov/about/news/2017/10/26/hhs-acting-secretary-declares-public-health-emergency-address-national-opioid-crisis.html); “Today's Heroin Epidemic: More People at Risk, More Drugs Abused,” Centers for Disease Control and Prevention, July 7, 2015 (at https://www.cdc.gov/vitalsigns/heroin/).

Back to Citation

3. Section 3221 of the CARES Act also added several new provisions to the Part 2 authorizing statute, codified at 42 U.S.C. 290dd-2(i), (j), and (k), regarding antidiscrimination, notification of breach and definitions, respectively.

Back to Citation

4. When the circumstances requiring a response from the employee's account due to the best interest of the patient have ended or otherwise permit, the messages should be forwarded to an authorized channel (if containing patient identifying information) and deleted.

Back to Citation

5. “Consent2Share FHIR Profile Design.docx” can be accessed at https://gforge.hl7.org/gf/project/cbcc/frs/.

Back to Citation

6. SAMHSA's Center for the Application of Prevention Technologies; Using Prescription Drug Monitoring Program Data to Support Prevention Planning. Available at: https://www.samhsa.gov/capt/sites/default/files/resources/pdmp-overview.pdf.

Back to Citation

7. Former Missouri Gov. Greitens ordered the creation of a statewide PDMP in July 2017, but state lawmakers have not yet authorized funding for the program. St. Louis County started its own PDMP in April 2017, which covers nearly 80 percent (28 counties and 6 cities) of Missouri physicians and pharmacists.

Back to Citation

8. Brandeis University Prescription Drug Monitoring Program Training and Technical Assistance Center. Available at: http://www.pdmpassist.org/pdf/Resources/Briefing_on_mandates_3rd_revision_A.pdf.

Back to Citation

9. Pew Charitable Trusts and National Alliance for State Model Drug Laws. Available at: https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2017/12/29/in-opioid-epidemic-states-intensify-prescription-drug-monitoring.

Back to Citation

10. Pew Charitable Trusts. When are Prescribers Required to Use Prescription Drug Monitoring Programs? January 24, 2018. Available at: https://www.pewtrusts.org/en/research-and-analysis/datavisualizations/2018/when-are-prescribers-required-to-use-prescription-drug-monitoring-programs.

Back to Citation

11. Brandeis University Prescription Drug Monitoring Program Training and Technical Assistance Center. Available at: http://www.pdmpassist.org/pdf/Resources/Briefing_on_mandates_3rd_revision_A.pdf.

Back to Citation

12. Pew Charitable Trusts. When are Prescribers Required to Use Prescription Drug Monitoring Programs? January 24, 2018. Available at: Available at: https://www.pewtrusts.org/en/research-and-analysis/datavisualizations/2018/when-are-prescribers-requiredd-to-use-prescription-drug-monitoring-programs.

Back to Citation

13. Clark HW. Dear Colleague letter. September 27, 2011. Available at: https://www.samhsa.gov/sites/default/files/programs_campaigns/medication_assisted/dear_colleague_letters/2011-colleague-letter-state-prescription-drug-monitoring-programs.pdf.

Back to Citation

14. SAMHSA. In Brief: Prescription Drug Monitoring Programs: A Guide For Healthcare Providers. Volume 10, Issue 1 (Winter 2017). Available at: https://store.samhsa.gov/system/files/sma16-4997.pdf.

Back to Citation

15. The Federal Emergency Management Agency (FEMA) notes that the President can declare a major disaster for any natural event, regardless of cause, that is determined to have caused damage of such severity that it is beyond the combined capabilities of state and local governments to respond. https://www.fema.gov/disaster-declaration-process.

Back to Citation

16. The Common Rule governs research conducted or supported (i.e., funded) by the 16 departments and agencies that issued the Common Rule.

Back to Citation

17. https://wwwdasis.samhsa.gov/webt/information.htm.

Back to Citation

18. https://www.pdmpassist.org/pdf/Resources/Use%20of%20PDMP%20data%20by%20opioid%20treatment%20programs.pdf.

Back to Citation

19. Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics, May 2019, Substance Abuse, Behavioral Disorder, and Mental Health Counselors, Standard Occupations Classification code (21-1018) [www.bls.gov/oes/current/oes_nat.htm].

Back to Citation

20. Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics, May 2019, Medical Dosimetrists, Medical Records Specialists, and Health Technologists and Technicians, All Other, Standard Occupations Classification code (29-2098) [www.bls.gov/oes/current/oes_nat.htm].

Back to Citation

21. Except, for this latter case, in the rare circumstance that those information collections are conducted or sponsored by an executive branch department (5 CFR 1320.3(a)).

Back to Citation

22. Williams, A.R., Herman, D.C., Moriarty, J.P., Beebe, T.J., Bruggeman, S.K., Klavetter, E.W. & Bartz, J.K. (2008). HIPAA costs and patient perceptions of privacy safeguards at Mayo Clinic. Joint Commission Journal on Quality and Patient Safety, 34(1), 27-35.

Back to Citation

23. https://www.bls.gov/cpi/tables/supplemental-files/historical-cpi-u-201905.pdf.

Back to Citation

24. https://www.td.org/insights/how-long-does-it-take-to-develop-one-hour-of-training-updated-for-2017.

Back to Citation

25. Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics, May 2019, Health Specialty Teachers, Postsecondary, Standard Occupations Classification code (25-1071) [www.bls.gov/oes/current/oes_nat.htm].

Back to Citation

[FR Doc. 2020-14675 Filed 7-13-20; 11:15 am]

BILLING CODE 4162-20-P

Tried the LawStack mobile app?

Join thousands and try LawStack mobile for FREE today.

Carry the law offline, wherever you go.
Download CFR, USC, rules, and state law to your mobile device.

AGENCY:

ACTION:

SUMMARY:

DATES:

FOR FURTHER INFORMATION CONTACT:

SUPPLEMENTARY INFORMATION:

Table of Contents

Acronyms

I. Background

II. Summary of the Major Provisions

Use of Personal Devices and Accounts

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

III. Overview of Public Comments Received

IV. Final Modifications to 42 CFR Part 2 and Discussion of Public Comments

A. General Comments on the Proposed Rule

1. General Feedback on the Proposed Rule

a. General Support for the Proposed Rule

Public Comments

SAMHSA Response

b. General Opposition to the Proposed Rule

Public Comments

SAMHSA Response

c. General Request for Clarification and Guidance Related to Part 2

Public Comments

SAMHSA Response

2. General Comments on Realigning the Part 2 Rule to the HIPAA Privacy Rule

Public Comments

SAMHSA Response

B. Definitions (§ 2.11)

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

C. Applicability (§ 2.12)

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

Public Comments

SAMHSA Response

Public Comments