Confidentiality of Substance Use Disorder (SUD) Patient Records

AGENCY:

Office for Civil Rights (OCR), Office of the Secretary, Department of Health and Human Services; Substance Abuse and Mental Health Services Administration (SAMHSA), Department of Health and Human Services.

ACTION:

Notice of proposed rulemaking.

SUMMARY:

The Department of Health and Human Services (HHS or “the Department”) is issuing this notice of proposed rulemaking (NPRM) to solicit public comment on its proposal to modify its regulations to implement section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

DATES:

Comments due on or before January 31, 2023.

ADDRESSES:

Written comments may be submitted through any of the methods specified below. Please do not submit duplicate comments.

• Federal eRulemaking Portal: You may submit electronic comments at http://www.regulations.gov by searching for the Docket ID number HHS-OCR-0945-AA16. Follow the instructions at http://www.regulations.gov for submitting electronic comments. Attachments should be in Microsoft Word or Portable Document Format (PDF).

• Regular, Express, or Overnight Mail: You may mail written comments (one original and two copies) to the following address only: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: SUD Patient Records, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue SW, Washington, DC 20201.

Inspection of Public Comments: All comments received by the accepted methods and due date specified above may be posted without change to content to http://www.regulations.gov, which may include personal information provided about the commenter, and such posting may occur after the closing of the comment period. However, the Department may redact certain content from comments before posting, including threatening language, hate speech, profanity, graphic images, or individually identifiable information about a third-party individual other than the commenter.

Because of the large number of public comments normally received on Federal Register documents, OCR is not able to provide individual acknowledgments of receipt.

Please allow sufficient time for mailed comments to be received timely in the event of delivery or security delays.

Please note that comments submitted by fax or email and those submitted after the comment period will not be accepted. In addition, comments that are labeled as confidential business information or whose disclosure to the public is restricted by statute will not be accepted.

Docket: For complete access to background documents or posted comments, go to http://www.regulations.gov and search for Docket ID number HHS-OCR-0945-AA16.

FOR FURTHER INFORMATION CONTACT:

Lester Coffer at (800) 368-1019 or (800) 537-7697 (TDD).

SUPPLEMENTARY INFORMATION:

The discussion below includes an Executive Summary and overview describing the need for the proposed rules, a description of the statutory and regulatory background of the proposed rules, a section-by-section description of the proposed modifications, and the impact statement and other required regulatory analyses. The Department solicits public comment on all aspects of the proposed rules. Persons interested in commenting on the provisions of the proposed rules can assist the Department by preceding discussion of any particular provision or topic with a citation to the section of the proposed rule being discussed.

Table of Contents

I. Executive Summary

A. Overview

B. Effective and Compliance Dates

C. Summary of Major Proposals

II. Background and Need for Proposed Rule

A. Statutory and Regulatory Background

B. Earlier Efforts To Align Part 2 With the HIPAA Rules

C. Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act

III. Section-by-Section Description of Proposed Amendments to 42 CFR Part 2

A. § 2.1—Statutory Authority for Confidentiality of Substance Use Disorder Patient Records

B. § 2.2—Purpose and Effect

C. § 2.3—Civil and Criminal Penalties for Violations (Proposed Heading)

D. § 2.4—Complaints of Violations (Proposed Heading)

E. § 2.11—Definitions

F. § 2.12—Applicability

G. § 2.13—Confidentiality Restrictions and Safeguards

H. § 2.14—Minor Patients

I. § 2.15—Patients Who Lack Capacity and Deceased Patients (Proposed Heading)

J. § 2.16—Security for Records and Notification of Breaches (Proposed Heading)

K. § 2.17—Undercover Agents and Informants

L. § 2.19—Disposition of Records by Discontinued Programs

M. § 2.20—Relationship to State Laws

N. § 2.21—Relationship to Federal Statutes Protecting Research Subjects Against Compulsory Disclosure of Their Identity

O. § 2.22— Notice to Patients of Federal Confidentiality Requirements; and 45 CFR 164.520—Notice of Privacy Practices for Protected Health information

P. § 2.23 —Patient Access and Restrictions on Use and Disclosure (Proposed Heading)

Q. § 2.24—Requirements for Intermediaries (Redesignated and Proposed Heading)

R. § 2.25—Accounting of Disclosures (Proposed Heading)

S. § 2.26—Right To Request Privacy Protection for Records (proposed Heading)

T. Subpart C—Uses and Disclosures With Patient Consent (Proposed Heading)

U. § 2.31—Consent Requirements

V. § 2.32—Notice To Accompany Disclosure (Proposed Heading)

W. § 2.33—Uses and Disclosures Permitted With Written Consent (Proposed Heading)

X. § 2.34 —Uses and Disclosures To Prevent Multiple Enrollments (Proposed Heading)

Y. § 2.35—Disclosures to Elements of the Criminal Justice System Which Have Referred Patients

Z. Subpart D—Uses and Disclosures Without Patient Consent (Proposed Heading)

AA. § 2.51—Medical Emergencies

BB. § 2.52—Scientific Research (Proposed Heading)

CC. § 2.53—Management Audits, Financial Audits, and Program Evaluation (Proposed Heading)

DD. § 2.54—Disclosures for Public Health (Proposed Heading)

EE. Subpart E—Court Orders Authorizing Use and Disclosure (Proposed Heading)

FF. § 2.61—Legal Effect of Order

GG. § 2.62— Order Not Applicable to Records Disclosed Without Consent to Researchers, Auditors and Evaluators

HH. § 2.63—Confidential Communications

II. § 2.64—Procedures and Criteria for Orders Authorizing Uses and Disclosures for Noncriminal Purposes (Proposed Heading)

JJ. § 2.65—Procedures and Criteria for Orders Authorizing Use and Disclosure of Records To Criminally Investigate or Prosecute Patients (Proposed Heading)

KK. § 2.66—Procedures and Criteria for Orders Authorizing Use and Disclosure of Records To Investigate or Prosecute a Part 2 Program or Person Holding the Records (Proposed Heading)

LL. § 2.67—Orders Authorizing the Use of Undercover Agents and Informants To Investigate Employees or Agents of a Part 2 Program in Connection With a Criminal Matter

MM. § 2.68—Report to the Secretary (Proposed Heading)

IV. Request for Comments

V. Public Participation

VI. Regulatory Impact Analysis

A. Executive Orders 12866 and 13563 and Related Executive Orders on Regulatory Review

1. Summary of the Proposed Rule

2. Need for the Proposed Rule

3. Cost-Benefit Analysis

4. Consideration of Regulatory Alternatives

5. Request for Comments on Costs and Benefits

B. Regulatory Flexibility Act

C. Unfunded Mandates Reform Act

D. Executive Order 13132—Federalism

E. Assessment of Federal Regulation and Policies on Families

F. Paperwork Reduction Act of 1995

1. Explanation of Estimated Annualized Burden Hours for 42 CFR Part 2

2. Explanation of Estimated Capital Expenses for 42 CFR Part 2

3. Explanation of Estimated Annualized Burden Hours for 45 CFR 164.520

Executive Summary

Overview

In this Notice of Proposed Rulemaking (NPRM), the Department proposes to modify certain provisions of part 2 of title 42 of the Code of Federal Regulations (42 CFR part 2 or “Part 2”) to implement statutory amendments to section 290dd-2 of title 42 United States Code (42 U.S.C. 290dd-2) enacted in section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

Part 2 currently imposes different requirements for substance use disorder (SUD) treatment records protected by Part 2 (“Part 2 records”) than the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, Breach Notification, and Enforcement Rules (“HIPAA Rules”) apply to protected health information (PHI). The statutory and regulatory schemes apply to different types of entities and create dual obligations and compliance challenges for HIPAA covered entities and business associates that maintain PHI and Part 2 records, and thus are subject to both sets of rules. Treatment providers have also expressed concerns that they lack access to complete information when treating patients. Section 290dd-2, as amended by section 3221 of the CARES Act, aligns certain Part 2 requirements more closely to requirements of the HIPAA Rules to improve the ability of entities that are subject to Part 2 to use and disclose Part 2 records and makes other changes to Part 2, as described in this preamble.

Paragraphs (b), (c), and (f) of section 290dd-2, as amended by section 3221 of the CARES Act, contain modified or new requirements for patient consent and redisclosure of Part 2 records; new rights to obtain an accounting of disclosures made with consent and to request restrictions on disclosures; greater restrictions against the use and disclosure of records in civil, criminal, administrative, and legislative proceedings against patients; and new civil money penalties (CMPs) for violations of Part 2. Paragraphs (i), (j), and (k) of section 290dd-2, as amended by section 3221 of the CARES Act, add new requirements to prohibit discrimination, impose breach notification obligations, and incorporate definitions from the HIPAA Rules into Part 2. Finally, section 3221(i) of the CARES Act requires the Department to update its Notice of Privacy Practices (NPP) requirements in the HIPAA Privacy Rule (“Privacy Rule”) at 45 CFR 164.520 to address uses and disclosures of Part 2 records and individual rights with respect to those records. This NPRM contains proposals to implement the CARES Act provisions relating to health information privacy; the Department intends to develop a separate rulemaking to implement the CARES Act antidiscrimination prohibitions.

In addition to changes mandated by the CARES Act, the Department proposes to address concerns about potential unintended consequences for government agencies of the change in enforcement authority and penalties for violations of Part 2. Specifically, the Department proposes to create a limitation on liability for agencies and persons acting on their behalf, that investigate and prosecute Part 2 programs (to be defined as “investigative agencies”) and unknowingly receive records subject to Part 2 before applying for the requisite court order, provided they first exercise reasonable diligence by attempting to determine if the targeted provider is a Part 2 program. The proposal would permit investigative agencies to seek a court order after obtaining records in such situations. An additional proposal would require agencies using this safe harbor to report annually to the Secretary.

Effective and Compliance Dates

The proposed effective date of a final rule would be 60 days after publication and the compliance date would be 22 months after the effective date. Entities subject to a final rule would have until the compliance date to establish and implement policies and practices to achieve compliance.

Part 2 does not contain a standard compliance period for changes to the regulations; however, the HIPAA Rules generally require covered entities and business associates to comply with new or modified standards or implementation specifications no later than 180 days from the effective date of any such standards or implementation specifications, except as otherwise provided ( e.g., in a specific rulemaking). While the proposed rule would make only minor modifications to the Privacy Rule, the Department proposes to provide the same, substantial compliance period for both the proposed modifications to 45 CFR 164.520 and the more extensive Part 2 modifications. Accordingly, the Department would begin enforcement of the new and revised standards, in both regulations, 24 months after publication of a final rule. This compliance period would allow Part 2 programs to revise existing policies and practices, complete other implementation requirements, and train their workforce members on the changes, as well as minimize administrative burdens on entities subject to the Privacy Rule.

The Department requests comment on whether the 22-month compliance period is an appropriate length of time for entities subject to a final rule to come into compliance and any benefits or unintended adverse consequences for entities or individuals of a shorter or longer compliance period.

Additionally, for the proposed accounting of disclosures requirements, the Department proposes to toll the compliance date for Part 2 programs until the effective date of a final rule on the HIPAA accounting of disclosures standard, 45 CFR 164.528. This would ensure that Part 2 programs do not incur new compliance obligations before covered entities and business associates under the Privacy Rule are obligated to comply.

Summary of Major Proposals

The Department proposes the following changes to 42 CFR part 2 that revise, delete, replace, or add sections to implement statutory requirements enacted pursuant to section 3221 of the CARES Act. The Department also proposes to amend 42 CFR part 2 to reflect applicable standards in the HIPAA Rules, reflect language used in the HIPAA Rules, align regulatory text with statutory spelling, and improve clarity or readability. Additionally, the Department proposes to modify the NPP requirements in 45 CFR 164.520 consistent with section 3221(i) of the CARES Act.

This section summarizes major proposals in this NPRM. Additional proposed revisions are not listed here because they are not considered major. All proposed changes are discussed in detail in section III of this NPRM:

1. § 2.1—Statutory authority for confidentiality of substance use disorder patient records.

Revise § 2.1 to more closely reflect the authority granted in 42 U.S.C. 290dd-2(g), especially with respect to court orders authorizing the disclosure of records.

2. § 2.2—Purpose and effect.

Amend paragraph (b) of § 2.2 to reflect that § 2.3(b) compels disclosures to the Secretary that are necessary for enforcement of this rule, using language adapted from the Privacy Rule at 45 CFR 164.502(a)(2)(ii). Add a new paragraph (b)(3) to this section to prohibit any limits on a patient's right to request restrictions on use of records for treatment, payment, or health care operations (TPO) or a covered entity's choice to obtain consent to use or disclose records for TPO purposes as provided in the Privacy Rule.

3. § 2.3—Civil and criminal penalties for violations (proposed heading).

Amend the heading and replace title 18 U.S.C. enforcement with references to the HIPAA enforcement authorities in the Social Security Act at sections 1176 (civil enforcement, including the CMP tiers established by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009) and 1177 (criminal penalties), as implemented in the Enforcement Rule. Create a limitation on civil or criminal liability under Part 2 for investigative agencies that act with reasonable diligence before making a demand for records in the course of an investigation or prosecution of a Part 2 program or person holding the record, provided that certain conditions are met.

4. § 2.4—Complaints of violations (proposed heading).

Amend the heading and insert requirements consistent with those applicable to HIPAA complaints under 45 CFR 164.530(d), (g), and (h), including: a requirement to establish a process for the Part 2 program to receive complaints, a prohibition against taking adverse action against patients who file complaints, and a prohibition against requiring individuals to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services.

5. § 2.11—Definitions.

Add new terms and definitions to align with the following statutory and regulatory HIPAA terms: Breach, Business associate, Covered entity, Health care operations, HIPAA, HIPAA regulations, Payment, Person, Public health authority, Treatment, Unsecured protected health information, and Use. Create new defined terms Intermediary, Investigative agency, and Unsecured record, and modify the definitions of Informant, Part 2 program director, Patient, Program, Records, Third-party payer, Treating provider relationship, and Qualified service organization.

6. § 2.12—Applicability.

Replace “Armed Forces” with “Uniformed Services” in paragraph (c)(2) of § 2.12. Incorporate four statutory examples of restrictions on the use or disclosure of Part 2 records to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient. Add language to qualify the term third-party payer with the phrase “as defined in this part.” Revise paragraph (e)(4)(i) to clarify when a diagnosis is not covered by Part 2.

7. § 2.13—Confidentiality restrictions and safeguards.

Redesignate § 2.13(d) requiring a list of disclosures as new § 2.24 and modify the text for clarity. Amend the heading to distinguish the right to a list of disclosures made by intermediaries from the proposed new right to an accounting of disclosures made by a Part 2 program.

8. § 2.14—Minor patients.

Change the verb “judges” to “determines” to describe a program director's evaluation and decision that a minor lacks decision making capacity.

9. § 2.15—Patients who lack capacity and deceased patients (proposed heading).

Replace outdated language, clarify that paragraph (a) of this section refers to an adjudication by a court of a patient's lack of capacity to make health care decisions while paragraph (b) refers to a patient's lack of capacity to make health care decisions without court adjudication, and add health plans to the list of entities to which a program may disclose records without consent.

10. § 2.16—Security for records and notification of breaches (proposed heading).

Apply the HITECH Act breach notification provisions that are currently implemented in the Breach Notification Rule to breaches of records by Part 2 programs and retitle the provision to include breach notification to implement CARES Act provisions. Modify the provision to refer to the Privacy Rule de-identification standard at 45 CFR 164.514.

11. § 2.19—Disposition of records by discontinued programs.

Add an exception to clarify that these provisions do not apply to transfers, retrocessions, and reassumptions of Part 2 programs pursuant to the Indian Self-Determination and Education Assistance Act (ISDEAA), in order to facilitate the responsibilities set forth in 25 U.S.C. 5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C. 5324(e), 25 U.S.C. 5330, 25 U.S.C. 5386(f), 25 U.S.C. 5384(d), and the implementing ISDEAA regulations. Modernize the language to refer to “non-electronic” records and include “paper” records as an example of non-electronic records.

12. § 2.22—Notice to patients of federal confidentiality requirements.

Modify the Part 2 confidentiality notice requirements (hereinafter, “Patient Notice”) to align with the NPP and address protections required by 42 U.S.C. 290dd-2, as amended by section 3221 of the CARES Act, for entities that create or maintain Part 2 records.

13. § 2.23—Patient access and restrictions on use and disclosure (proposed heading).

Add the term “disclosure” to the heading and body of this section to clarify that information obtained by patient access to their record may not be used or disclosed for purposes of a criminal charge or criminal investigation.

14. § 2.24—Requirements for intermediaries (redesignated and proposed heading).

Retitle the redesignated section (to be moved from § 2.13(d)) as “Requirements for intermediaries” to clarify the responsibilities of recipients of records received under a consent with a general designation, such as health information exchanges, research institutions, accountable care organizations, and care management organizations.

15. § 2.25—Accounting of disclosures (proposed heading).

Add this section to implement 42 U.S.C. 290dd-2(b)(1)(B), as amended by the section 3221 of the CARES Act, to incorporate into Part 2 the HITECH Act right to an accounting of certain disclosures of records for up to three years prior to the date the accounting is requested and add a right to an accounting of disclosures of records that mirrors the standard in the Privacy Rule at 45 CFR 164.528.

16. § 2.26—Right to request privacy protection for records (proposed heading).

Add this section to implement 42 U.S.C. 290dd-2(b)(1)(B), as amended by the section 3221 of the CARES Act, to incorporate into Part 2 the HITECH Act rights implemented in the Privacy Rule at 45 CFR 164.522, namely: (1) a patient right to request restrictions on disclosures of records otherwise permitted for TPO purposes, and (2) a patient right to obtain restrictions on disclosures to health plans for services paid in full by the patient.

17. Subpart C—Uses and Disclosures With Patient Consent (proposed heading).

Change the heading of subpart C to “Uses and Disclosures With Patient Consent” to reflect changes made to the provisions of this subpart related to the consent to use and disclose Part 2 records, consistent with 42 U.S.C. 290dd-2(b), as amended by the section 3221(b) of the CARES Act.

18. § 2.31—Consent requirements.

Align the content requirements for Part 2 written consent with the content requirements for a valid HIPAA authorization and clarify how recipients may be designated in a consent to use and disclose Part 2 records for TPO.

19. § 2.32—Notice to accompany disclosure (proposed heading).

Change the heading of this section and align the content requirements for the required notice that accompanies a disclosure of records (hereinafter “notice to accompany disclosure”) with the requirements of 42 U.S.C. 290dd-2(b), as amended by section 3221(b) of the CARES Act.

20. § 2.33—Uses and disclosures permitted with written consent (proposed heading).

To align this provision with the statutory authority in 42 U.S.C. 290dd-2(b)(1), as amended by section 3221(b) of the CARES Act, replace the provisions requiring consent for uses and disclosures for payment and certain health care operations with permission to use and disclose records for TPO with a single consent given once for all such future uses and disclosures, until such time as the patient revokes the consent in writing. Create redisclosure permissions for two categories of recipients of Part 2 records pursuant to a written consent: (1) Permit a Part 2 program, covered entity, or business associate that receives Part 2 records pursuant to a written consent for TPO purposes to redisclose the records in any manner permitted by the Privacy Rule, except for certain proceedings against the patient; and (2) Permit a lawful holder that is not a covered entity, business associate, or Part 2 program to redisclose Part 2 records for payment and health care operations to its contractors, subcontractors, or legal representatives as needed to carry out the activities in the consent.

21. § 2.35—Disclosures to elements of the criminal justice system which have referred patients.

For clarity, replace “individuals” with “persons” and clarify that permitted redisclosures of information are from Part 2 records.

22. Subpart D—Uses and Disclosures Without Patient Consent (proposed heading).

Change the heading of subpart D to “Uses and Disclosures Without Patient Consent” to reflect changes made to the provisions of this subpart related to the consent to use and disclose Part 2 records, consistent with 42 U.S.C. 290dd-2 as amended by the CARES Act.

23. § 2.51—Medical emergencies.

For clarity in § 2.51(c)(2), replace the term “individual” with the term “person.”

24. § 2.52—Scientific research (proposed heading).

Revise the heading of § 2.52 to reflect statutory language. To further align Part 2 with the Privacy Rule, replace the requirements to render Part 2 data in research reports non identifiable with the Privacy Rule's de-identification standard in 45 CFR 164.514.

25. § 2.53—Management audits, financial audits, and program evaluation (proposed heading).

Revise the heading of § 2.53 to reflect statutory language. To support implementation of 42 U.S.C. 290dd-2(b)(1), as amended by section 3221(b) of the CARES Act, add a provision to acknowledge the permission for use and disclosure of records for health care operations purposes based on written consent of the patient and the permission to redisclose such records as permitted by the HIPAA Privacy Rule if the recipient is a Part 2 program, covered entity, or business associate.

26. § 2.54—Disclosures for public health (proposed heading).

Add a new § 2.54 to implement 42 U.S.C. 290dd-2(b)(2)(D), as amended by section 3221(c) of the CARES Act, to permit disclosure of records without patient consent to public health authorities provided that the records disclosed are de-identified according to the standards established in section 45 CFR 164.514.

27. Subpart E—Court Orders Authorizing Use and Disclosure (proposed heading).

Change the heading of subpart E to reflect changes made to the provisions of this subpart related to the uses and disclosure of Part 2 records in proceedings consistent with 42 U.S.C. 290dd-2(b) and (2)(c), as amended by sections 3221(b) and (e) of the CARES Act.

28. § 2.61—Legal effect of order.

Add the term “use” to clarify that the legal effect of a court order would include authorizing the use and disclosure of records, consistent with 42 U.S.C. 290dd-2(b) and (c), as amended by section 3221(e) of the CARES Act.

29. § 2.62—Order not applicable to records disclosed without consent to researchers, auditors, and evaluators.

For clarity, replace the term “qualified personnel” with a reference to the criteria that define such persons.

30. § 2.63—Confidential communications.

Revise paragraph (c) of § 2.63 to expressly include civil, criminal, administrative, and legislative proceedings as forums where the requirements for a court order under this part would apply, to implement 42 U.S.C. 290dd-2(c), as amended by section 3221(c) of the CARES Act.

31. § 2.64—Procedures and criteria for orders authorizing uses and disclosures for noncriminal purposes (proposed heading).

Expand the types of forums where restrictions on use and disclosure of records in civil proceedings against patients apply to expressly include administrative and legislative proceedings and also restrict the use of testimony conveying information in a record in civil proceedings against patients, absent consent or a court order. Add the term “uses” to the heading and in this section to align it with current statutory authority.

32. § 2.65—Procedures and criteria for orders authorizing use and disclosure of records to criminally investigate or prosecute patients (proposed heading).

Expand the types of forums where restrictions on uses and disclosure of records in criminal proceedings against patients apply to expressly include administrative and legislative proceedings and also restrict the use of testimony conveying information in a Part 2 record in criminal proceedings against patients, absent consent or a court order.

33. § 2.66—Procedures and criteria for orders authorizing use and disclosure to investigate or prosecute a part 2 program or the person holding the records (proposed heading).

Create requirements for investigative agencies to follow in the event they discover in good faith that they received Part 2 records during an investigation or prosecution of a Part 2 program or the person holding the records before seeking a court order as required under § 2.66.

34. § 2.67—Orders authorizing the use of undercover agents and informants to investigate employees or agents of a part 2 program in connection with a criminal matter.

Add new criteria for issuance of a court order in instances where an application is submitted after the placement of an undercover agent or informant has already occurred, requiring an investigative agency to satisfy the conditions at § 2.3(b).

35. § 2.68—Report to the Secretary (proposed heading).

Create new requirements for investigative agencies to file annual reports about the instances in which they applied for a court order after receipt of Part 2 records or placement of an undercover agent or informant as provided in § 2.66 and § 2.67.

36. 45 CFR 164.520—Notice of privacy practices for protected health information.

Revise 45 CFR 164.520 to implement updates to the NPP to address Part 2 confidentiality requirements, as required by section 3221(i)(2) of the CARES Act.

Background and Need for Proposed Rule

There are approximately 16,066 publicly funded SUD treatment facilities and 1.8 million HIPAA covered entities and business associates, with an unknown percentage of entities subject to both HIPAA and Part 2. Part 2 records often also meet the definition of PHI when maintained by HIPAA covered entities (or their business associates on the covered entities' behalf). To ensure compliance with both sets of regulatory requirements, dually regulated entities subject to both Part 2 and the HIPAA Rules ( i.e., covered entities that also are Part 2 programs) must track and segregate the records that are subject to Part 2 from the records that are subject only to the HIPAA Rules and obtain specific written consent for most uses and disclosures of Part 2 records (including uses and disclosures for non-emergency treatment purposes). The Department has been urged by many stakeholders to change Part 2 to eliminate the need for data segmentation.

The preamble to the 2000 Final Privacy Rule explained how entities subject to the Privacy Rule and Part 2 could comply with both rules because in most cases the rules do not conflict. The Privacy Rule permits, but does not require, some disclosures that are not permitted by Part 2. Complying with Part 2's prohibitions on such disclosures would not be a violation of the Privacy Rule. And in instances where Part 2 permits disclosures that would otherwise be restricted by the Privacy Rule, an entity that is subject to both sets of regulations would be able to comply with the Privacy Rule's restrictions without violating Part 2.

Although the Department intended to facilitate compliance by entities subject to both regulatory schemes, significant differences in the statutorily permitted uses and disclosures of Part 2 records and PHI contributed to ongoing operational compliance challenges. For example, once a HIPAA covered entity or business associate disclosed PHI to a person who was not a covered entity or business associate, the information was no longer protected by the Privacy Rule, and thus the Privacy Rule's limitations on uses and disclosures did not apply. In contrast, Part 2 strictly limited the redisclosure of Part 2 records by any individual or entity that received a Part 2 record directly from a Part 2 program or other “lawful holder” of patient identifying information, absent written patient consent or as otherwise permitted under the regulations.

Regarding Part 2 records, a treating provider that is not a Part 2 program could record information about the treatment of an individual's SUD in its non-Part 2 records, even if it gleaned the information from a Part 2 record, and the information in the non-Part 2 records would not be subject to Part 2; however, any Part 2 records received from a Part 2 program or other lawful holder would need to be segregated or segmented. Previously, the need to segment Part 2 records from other health records created data “silos” that hampered the integration of SUD treatment records into covered entities' electronic record systems and billing processes. Some lawmakers have argued that these silos perpetuated negative stereotypes about persons with SUD and inhibited coordination of care during the opioid epidemic. In 2019, the National Association of Attorneys General (NAAG) urged Congress to update the 40-year-old Part 2 regulation that was created in a time of “intense stigma” surrounding SUD treatment because it now serves to “perpetuate that stigma, as the principle underlying these rules is that [SUD] treatment is shameful and records of it should be withheld from other treatment providers in ways that we do not withhold records of treatment of other chronic diseases.” In that same year “nearly 50,000 people in the United States died from opioid-involved overdoses.” During a congressional hearing, “The Opioid Crisis: The Role of Technology and Data in Preventing and Treating Addiction,” Senator Patty Murray (D-WA) observed that, “[t]echnology and data offer important opportunities to address the opioid crisis, to prevent addi[c]tion, and avoid the tragedy so many families are facing.”

To address these concerns, Congress enacted the CARES Act, which requires the Department to promulgate regulations modifying the confidentiality requirements for Part 2 records. This rulemaking proposes modifications to 42 CFR part 2 and the Privacy Rule that are necessary to implement the statutory amendments made to 42 U.S.C. 290dd-2, and additional modifications to Part 2 to better align certain provisions of Part 2 to the Privacy Rule and address concerns about potential liability for government agencies in the course of investigating and prosecuting Part 2 programs under the new penalties and enforcement scheme.

A. Statutory and Regulatory Background

Congress enacted the first federal confidentiality protections for SUD records in section 333 of the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970. The statute authorized “persons engaged in research on, or treatment with respect to, alcohol abuse and alcoholism to protect the privacy of individuals who [were] the subject of such research or treatment” from persons not connected with the conduct of the research or treatment by withholding identifying information.

Section 408 of the Drug Abuse Office and Treatment Act of 1972 applied confidentiality requirements to records relating to drug abuse prevention authorized or assisted under any provision of the Act. Section 408 permitted disclosure, with a patient's written consent, for diagnosis or treatment by medical personnel and to government personnel for obtaining patient benefits to which the patient is entitled. The 1972 Act also established exceptions to the consent requirement to permit disclosures for bona fide medical emergencies; to qualified personnel for conducting certain activities, such as scientific research or financial audit or program evaluation, as long as the patient is not identified in any reports; and as authorized by court order granted after application showing good cause.

The Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act Amendments of 1974 expanded the types of records protected by confidentiality restrictions to include records relating to alcoholism, alcohol abuse, and drug abuse prevention, maintained in connection with any program or activity conducted, regulated, or directly or indirectly federally assisted by any United States agency. The 1974 Act also permitted the disclosure of records based on prior written patient consent only to the extent such disclosures were allowed under Federal regulations. Additionally, the 1974 Act excluded the interchange of records within the Armed Forces or components of the U.S. Department of Veterans Affairs (VA), then known as the Veterans' Administration, from the confidentiality restrictions.

In 1992, section 131 of the Alcohol, Drug Abuse, and Mental Health Administration Reorganization Act (ADAMHA Reorganization Act) added section 543, Confidentiality of Records, to the Public Health Service Act (PHSA) (codified at 42 U.S.C. 290dd-2) (“Part 2 statute”), which narrowed the grounds upon which a court could grant an order permitting disclosure of such records from “good cause” ( i.e., based on weighing the public interest in the need for disclosure against the injury to the patient, physician patient relationship and treatment services) to “the need to avert a substantial risk of death or serious bodily harm.” Congress also established criminal penalties for Part 2 violations under title 18 of the United States Code, Crimes and Criminal Procedure. Finally, section 543 granted broad authority to the Secretary to prescribe regulations to carry out the purposes of section 543 and provide for safeguards and procedures, including criteria for the issuance and scope of court orders to authorize disclosure of SUD records, “as in the judgment of the Secretary are necessary or proper to effectuate the purposes of this section, to prevent circumvention or evasion thereof, or to facilitate compliance therewith.”

In 1975, the Department, promulgated the first federal regulations implementing statutory SUD confidentiality provisions at 42 CFR part 2. In 1987, the Department published a final rule making substantive changes to the scope of Part 2 to clarify the regulations and ease the burden of compliance by Part 2 programs within the parameters of the existing statutory restrictions. After the 1992 enactment of the ADAMHA Reorganization Act (Pub. L. 102-321), the Department later clarified the definition of “program” in a 1995 final rule to narrow the scope of Part 2 regulations pertaining to medical facilities to cover only those entities or units within a general medical facility that hold themselves out as providing diagnosis, treatment, or referral for treatment, or specialized personnel (who are identified as providing such services as a primary function) and which directly or indirectly receive federal assistance.

HIPAA and the HITECH Act

In 1996, Congress enacted HIPAA, which included Administrative Simplification provisions requiring the establishment of national standards to protect the privacy and security of individuals' health information and establishing civil money and criminal penalties for violations of the requirements, among other provisions. The Administrative Simplification provisions and implementing regulations apply to covered entities, which are health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses. Certain provisions of the HIPAA Rules also apply directly to business associates of covered entities.

The Privacy Rule, including provisions implemented as a result of the HITECH Act, regulates the use and disclosure of PHI by covered entities and business associates, requires covered entities to have safeguards in place to protect the privacy of PHI, and requires covered entities to obtain the written authorization of an individual to use and disclose the individual's PHI unless otherwise permitted by the Privacy Rule. The Privacy Rule includes several use and disclosure permissions that are relevant to this NPRM, including the permissions for covered entities to use and disclose PHI without written authorization from an individual for TPO; to public health authorities for public health purposes; and for research in the form of a limited data set or pursuant to a waiver of authorization by a Privacy Board or Institutional Review Board. The Privacy Rule also establishes the rights of individuals with respect to their PHI, including the rights to: receive adequate notice of a covered entity's privacy practices; to request restrictions of certain uses and disclosures; to access ( i.e., to inspect and obtain a copy of) their PHI; to request an amendment of their PHI; and to receive an accounting of certain disclosures of their PHI. Finally, the Privacy Rule specifies standards for de-identification of PHI such that, when applied, the information is no longer individually identifiable health information and subject to the HIPAA Rules.

The Security Rule, codified at 45 CFR parts 160 and 164, subparts A and C, requires covered entities and their business associates to implement administrative, physical, and technical safeguards to protect electronic PHI (ePHI). Specifically, covered entities and business associates must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit; protect against reasonably anticipated threats or hazards to the security or integrity of the information and reasonably anticipated impermissible uses or disclosures; and ensure compliance by their workforce.

The Breach Notification Rule, codified at 45 CFR parts 160 and 164, subparts A and D, implements HITECH Act requirements for covered entities to provide notification to affected individuals, the Secretary, and in some cases the media, following a breach of unsecured PHI. The Breach Notification Rule also requires a covered entity's business associate that experiences a breach of unsecured PHI to notify the covered entity of the breach. A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of “unsecured” PHI, subject to three exceptions: (1) the unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority; (2) the inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate, or organized health care arrangement (OHCA) in which the covered entity participates; and (3) the covered entity or business associate making the disclosure has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.

The Breach Notification Rule provides that a covered entity may rebut the presumption that such impermissible use or disclosure constituted a breach by demonstrating that there is a low probability that PHI has been compromised based on a risk assessment of at least four required factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.

The Enforcement Rule, codified at 45 CFR part 160, subparts C, D, and E, includes standards and procedures relating to investigations into complaints about noncompliance with the HIPAA Rules, compliance reviews, the imposition of (CMPs), and procedures for hearings. The Enforcement Rule states generally that the Secretary will impose a CMP upon a covered entity or business associate if the Secretary determines that the covered entity or business associate violated a HIPAA Administrative Simplification provision. However, the Enforcement Rule also provides for informal resolution of potential noncompliance, which occurs through voluntary compliance by the regulated entity, corrective action, or a resolution agreement with the payment of a settlement amount to OCR.

The Department promulgated or modified key provisions of the HIPAA Rules as part of the 2013 Omnibus Final Rule, in which the Department implemented applicable provisions of the HITECH Act, among other modifications. For example, the Department strengthened privacy and security protections for PHI, finalized breach notification requirements, and enhanced enforcement by increasing potential CMPs for violations, including establishing tiers of penalties based on entities' level of culpability. The Secretary of HHS delegated authority to OCR to make decisions regarding the implementation and interpretation of the Privacy, Security, Breach Notification, and Enforcement Rules.

Earlier Efforts To Align Part 2 With the HIPAA Rules

Prior to amendment by the CARES Act, section 290dd-2 provided that records could be disclosed only with the patient's specific written consent for each disclosure, with limited exceptions. The exceptions related to records maintained by VA or the Armed Forces and, for example, disclosures for continuity of care in emergency situations or between personnel who have a need for the information in connection with their duties that arise out of the provision of the diagnosis, treatment, or referral for treatment of patients with SUD. The exceptions did not include, for example, a disclosure of Part 2 records by a Part 2 program to a third-party medical provider to treat a condition other than SUD absent an emergency situation. Therefore, the current Part 2 implementing regulations require specific patient consent for most uses and disclosures of Part 2 records, including for non-emergency treatment purposes. In contrast, the Privacy Rule permits covered entities to use and disclose an individual's PHI for TPO without the individual's valid HIPAA authorization.

The Department has modified and clarified Part 2 several times to align certain provisions more closely with the Privacy Rule, address changes in health information technology, and provide greater flexibility for disclosures of patient identifying information within the health care system, while continuing to protect the confidentiality of Part 2 records. For example, the Department clarified in a 2017 final rule that the definition of “patient identifying information” in Part 2 includes the individual identifiers listed in the Privacy Rule at 45 CFR 164.514(b)(2)(i) for those identifiers that are not already listed in the Part 2 definition.

In 2018, the Department issued a final rule clarifying the circumstances under which lawful holders and their legal representatives, contractors, and subcontractors could use and disclose Part 2 records related to payment and health care operations in § 2.33(b) and for audit or evaluation-related purposes. The Department clarified that previously listed types of payment and health care operations uses and disclosures under the lawful holder permission in § 2.33(b) were illustrative, and not necessarily definitive so as to be included in regulatory text. The Department also acknowledged the similarity of the list of activities to those included in the Privacy Rule definition of “health care operations” but declined to fully incorporate that definition into Part 2. The Department specifically excluded care coordination and case management from the list of payment and health care operations activities permitted without patient consent under Part 2 based on a determination that these activities are akin to treatment. The Department also codified in regulatory text language for an abbreviated notice to accompany disclosure of Part 2 records. Although the rule retained the requirement that a patient must consent before a lawful holder may redisclose Part 2 records for treatment, the Department explained that the purpose of the Part 2 regulations is to ensure that a patient is not made more vulnerable by reason of the availability of a treatment record than an individual with a SUD who chooses not to seek treatment. The Department simultaneously recognized the legitimate needs of lawful holders to obtain payment and conduct health care operations as long as the core protections of Part 2 are maintained.

In a final rule published July 15, 2020, the Department retained the requirement that programs obtain prior written consent before disclosing Part 2 records in the first instance (outside of recognized exceptions). At the same time the Department reversed its previous exclusion of care coordination and case management from the list of payment and health care operations in § 2.33(b) for which a lawful holder may make further disclosures to its contractors, subcontractors, and legal representatives. The Department based this change on comments received on the proposed rule in 2019 and on section 3221(d)(4) of the CARES Act, which incorporated the Privacy Rule definition of health care operations, including care coordination and case management activities, into paragraph (k)(4) of 42 U.S.C. 290dd-2. The July 2020 final rule also modified the consent requirements in § 2.31 by establishing special requirements for written consent when the recipient of Part 2 records is a health information exchange (HIE) (as defined in 45 CFR 171.102 ). In this NPRM, the Department now proposes a definition for the term “intermediary” to further facilitate the exchange of Part 2 records in new models of care, including those involving an HIE, a research institution providing treatment, an accountable care organization, or a care management organization.

The Department again modified Part 2 on December 14, 2020, by amending the confidential communications section of § 2.63(a)(2), which enumerated a basis for a court order authorizing the use of a record when “the disclosure is necessary in connection with investigation or prosecution of an extremely serious crime allegedly committed by the patient.” The December 2020 final rule removed the phrase “allegedly committed by the patient,” explaining that the phrase was included in previous rulemaking by error, and clarifying that a court has the authority to permit disclosure of confidential communications when the disclosure is necessary in connection with investigation or prosecution of an extremely serious crime that was allegedly committed by either a patient or an individual other than the patient.

Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act

On March 27, 2020, Congress enacted the CARES Act to provide emergency assistance to individuals, families, and businesses affected by the COVID-19 pandemic. Section 3221 of the CARES Act, Confidentiality and Disclosure of Records Relating to Substance Use Disorder, substantially amended 42 U.S.C. 290dd-2 to more closely align federal privacy standards applicable to Part 2 records with HIPAA and HITECH Act privacy use and disclosure standards, breach notification standards, and enforcement authorities that apply to PHI, among other modifications.

The requirements in sections 42 U.S.C. 290dd-2(b), (c), and (f), as amended by section 3221 of the CARES Act, with respect to patient consent and redisclosures of SUD records, now align more closely with Privacy Rule provisions permitting uses and disclosures for TPO and establish certain patient rights with respect to their Part 2 records consistent with provisions of the HITECH Act; restrict the use and disclosure of Part 2 records in legal proceedings; and set civil and criminal penalties for violations, respectively. Section 3221 also amended 42 U.S.C. 290dd-2j) and (k) by adding HITECH Act breach notification requirements and new terms and definitions consistent with the HIPAA Rules and the HITECH Act, respectively. Finally, section 3221 requires the Department to modify the NPP requirements at 45 CFR 164.520 so that covered entities and Part 2 programs provide notice to individuals regarding privacy practices related to Part 2 records, including patients' rights and uses and disclosures that are permitted or required without authorization.

Paragraph (b) of section 3221, Disclosures to Covered Entities Consistent with HIPAA, adds a new paragraph (1), Consent, to section 543 of the PHSA and expands the ability of covered entities, business associates, and Part 2 programs to use and disclose Part 2 records for TPO. The text of section 3221(b) adding paragraph (1)(B) to 42 U.S.C. 290dd-2 states that once prior written consent of the patient has been obtained, those contents may be used or disclosed by a covered entity, business associate, or a program subject to this section for the purposes of treatment, payment, and health care operations as permitted by the HIPAA regulations. Any disclosed information may then be redisclosed in accordance with the HIPAA regulations.

To the extent that 42 U.S.C. 290dd-2(b)(1) now provides for a general written consent covering all future uses and disclosures for TPO “as permitted by the HIPAA regulations,” and expressly permits the redisclosure of Part 2 records received for TPO “in accordance with the HIPAA regulations,” the Department believes that this means that the entity receiving the records based on such general consent, and then redisclosing the records, must be a covered entity, business associate, or Part 2 program. The Department's proposals throughout this NPRM are premised on its reading of section 3221(b) as applying to redisclosures of Part 2 records by covered entities, business associates, and Part 2 programs, including those covered entities that are Part 2 programs.

In addition to the provisions of section 3221 described above, paragraph (g) of section 3221, Antidiscrimination, adds a new provision (i)(1) to 42 U.S.C. 290dd-2 to prohibit discrimination against an individual based on their Part 2 records in: (A) admission, access to, or treatment for health care; (B) hiring, firing, or terms of employment, or receipt of worker's compensation; (C) the sale, rental, or continued rental of housing; (D) access to Federal, State, or local courts; or (E) access to or maintenance of social services and benefits provided or funded by Federal, State, or local governments. Further, the new paragraph (i)(2) prohibits discrimination by any recipient of Federal funds against individuals based on their Part 2 records. As a recent legal analysis noted, “The decision to protect individuals whose disclosed patient records reveal or appear to reveal current illegal use of drugs is also consistent with Section 3221's specific purpose to remove well-founded fear of discrimination as a barrier to treatment.” Patients with SUD who are currently using illegal drugs are not protected from discrimination on the basis of their illegal drug use under existing law of the Rehabilitation Act of 1973, Americans with Disabilities Act (ADA), the Affordable Care Act, and the Fair Housing Act. The CARES Act nondiscrimination provision, in conjunction with the newly applicable HITECH Act penalty tiers, will serve to protect the treatment records of all patients with SUD, whether or not they are currently using illicit drugs. The Department intends to implement the CARES Act antidiscrimination provisions in a separate rulemaking.

Section-by-Section Description of Proposed Amendments to 42 CFR Part 2

Below, the Department describes the proposals in this NPRM to amend 42 CFR part 2 and 45 CFR 164.520 to implement changes made to 42 U.S.C. 290dd-2, as amended by section 3221 of the CARES Act. Some of the Department's proposals are not expressly required by the CARES Act, but are proposed to align the language of this part with that in the Privacy Rule and to clarify already-existing Part 2 permissions or restrictions. The Department believes these additional proposals fall within the Department's scope of regulatory authority and are necessary to facilitate implementation of the CARES Act. For example, consistently throughout this NPRM, the Department proposes to re-order the terms “disclosure and use” to “use and disclosure” to better align the language of Part 2 with the Privacy Rule which generally regulates the “use and disclosure” of PHI. The Department does not believe these proposed changes are substantive, but requests comment on this assumption. In another example, the Department proposes to add the term “use” to where only the term “disclose” exists in regulatory text, or in some cases to add the term “disclose” to an existing “use” because it more accurately describes the scope of the activity that is the subject of the regulatory provision or could be within the scope of the activity. These changes are aligned with changes made to 42 U.S.C. 290dd-2 paragraph (b)(1)(A) by section 3221(b) of the CARES Act (providing that Part 2 records may be used or disclosed in accordance with prior written consent); to 42 U.S.C. 290dd-2(b)(1)(B) and (b)(1)(C) by section 3221(b) of the CARES Act (providing that the contents of Part 2 records may be used or disclosed by covered entities, business associates, or programs in accordance with the HIPAA Rules for TPO purposes); and to paragraph 42 U.S.C. 290dd-2(c) by section 3221(e) of the CARES Act (prohibiting disclosure and use of Part 2 records in proceedings against the patient). The Department describes these proposed additions of terms in each section of this NPRM where applicable. The Department requests comment on its proposals to reorder the terms “use” and “disclosure” as described, and to add the term “use” to clarify these regulations as described above.

In addition, the Department proposes changes to subpart E, Court Orders Authorizing Use and Disclosure, relying on both the Secretary's broad rulemaking authority under section 543 of the PHSA and on the authority granted in section 3221 of the CARES Act. The Department proposes to heighten protections against use or disclosure of records in proceedings against patients by aligning the regulatory language regarding the scope of proceedings to which subpart E applies with the amended statute to expressly include administrative and legislative proceedings and to expressly include testimony that relays information contained in records. Additionally, the Department is adopting the HIPAA phrasing of “use and disclosure” in most instances where only one of those terms is used in the current regulation, including throughout subpart E.

The Department also proposes additional changes to facilitate compliance by investigative agencies when they seek records for investigations and prosecutions of Part 2 programs pursuant to applicable authorities. In particular, the Department proposes to limit liability for violations when an investigative agency unknowingly receives Part 2 records in the course of investigating a Part 2 program or person holding Part 2 records, provided the agency takes certain actions, and to require annual reporting to the Secretary by investigative agencies about the use of the proposed safe harbor. The Department is proposing these changes because the Department believes the proposals are a necessary consequence of the new enforcement penalties for violations of Part 2 pursuant to 42 U.S.C. 290dd-2(f) as amended by section 3221 (f) and the expanded scope of proceedings where a court order is required pursuant to 42 U.S.C. 290dd-2(c) as amended by section 3221(e). In particular, the Department understands that investigative agencies could potentially become subject to the new penalties for violations in the event that they are unaware that a provider under investigation is subject to Part 2 and as a result they fail to follow the requirements of subpart E before obtaining the provider's records. The Department requests comment on these additional proposed changes.

The Department further requests comment on all proposals described in the following paragraphs of this NPRM, including those expressly implementing CARES Act amendments to section 290dd-2, those the Department describes as necessary to further align this part with the Privacy Rule, and those proposals described as necessary to clarify the full scope of activities that it is regulating in this part. The Department also requests comment on all aspects of the Regulatory Impact Analysis, including the assumptions and estimates about the costs and benefits of the proposed changes, and the alternatives the Department considered when developing the proposals in this NPRM. The Department proposes the following amendments to this part:

A. § 2.1—Statutory Authority for Confidentiality of Substance Use Disorder Patient Records

The Department proposes to revise § 2.1 to more closely align this section with the statutory text of 42 U.S.C. 290dd-2(g) and add references to subsection 290dd-2(b)(2)(C) related to the issuance of court orders authorizing disclosures of Part 2 records.

§ 2.2—Purpose and Effect

Section 2.2 of 42 CFR part 2 establishes the purpose and effect of regulations imposed in this part upon the use and disclosure of Part 2 records. The Department proposes to add language to paragraph (b) of § 2.2 to conform that paragraph to changes proposed to § 2.3(b) that would compel disclosures to the Secretary that are necessary for enforcement of this rule. The new language is adapted from a similar provision of the Privacy Rule at 45 CFR 164.502(a)(2)(ii).

The Department also proposes to replace the phrase “disclosure and use” by re-ordering the phrase to “use or disclosure” at §§ 2.2(a), (a)(4), and 2.2(b)(1), to align the language with that used in the Privacy Rule.

The Department proposes several changes in § 2.2 that would facilitate implementation of the CARES Act in general. For example, in §§ 2.2(a)(2), (a)(3), and (b)(1), the Department proposes to add the phrase “uses and” in front of the existing term “disclose” or “disclosures.” The Department proposes these additions in §§ 2.2(a)(2) and (3), which list subparts C and D of this part, to conform to changes the Department proposes to the heading titles of subparts C and D. In those heading titles, the Department proposes to refer to “Uses and Disclosures with Patient Consent” and “Uses and Disclosures without Patient Consent” respectively.

In § 2.2(b)(1), Effect, the Department proposes to refer to “use and disclosure” instead of only “disclosure” to better describe how the regulations in this part, as modified by the CARES Act, prohibit the “use and disclosure” of Part 2 records. The Department proposes to modify the end of § 2.2(b)(1) to provide that the regulations generally do not generally require the use or disclosure of Part 2 records under any circumstance except when disclosure is required by the Secretary to investigate or determine a person's compliance with this part pursuant to § 2.3(b), now proposed for modification to reflect newly required civil and criminal penalties for violations of this part.

Finally, the Department proposes to add a new paragraph (b)(3) to § 2.2 to incorporate the rules of construction in section 3221(j)(1) and (2) of the CARES Act. Accordingly, the proposed paragraphs would provide that nothing in this part shall be construed to limit a patient's right to request restrictions on use of records for TPO or a covered entity's choice to obtain consent to use or disclose records for TPO purposes as provided in the Privacy Rule.

In addition to the above-described proposed amendments to § 2.2, the Department proposes minor wording changes to improve readability or conform the use of terms to newly proposed definitions. These proposals are reflected in proposed regulatory text and may be reflected throughout this NPRM and include:

• Inserting a parenthetical reference to “records” to reflect how the Department proposes to refer to SUD records; and
• Striking the word “patient” from in front of the term “record”.

The Department requests comments on all proposed changes to this section.

§ 2.3—Civil and Criminal Penalties for Violations (Proposed Heading)

Section 2.3 of 42 CFR part 2 currently requires that any person who violates any provision of the Part 2 regulations be criminally fined in accordance with title 18 U.S.C. As amended by section 3221(f) of the CARES Act, 42 U.S.C. 290dd-2(f) applies the provisions of §§ 1176 and 1177 of the Social Security Act to a Part 2 program for a violation of 42 CFR part 2 in the same manner as they apply to a covered entity for a violation of part C of title XI of the Social Security Act. Therefore, the Department proposes to replace title 18 criminal enforcement with civil and criminal penalties under §§ 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d-5, 1320d-6), respectively, as implemented in the Enforcement Rule.

Specifically, the Department proposes to rename § 2.3 as Civil and criminal penalties for violations and reorganize § 2.3 into section paragraphs 2.3(a), (b), and (c). Proposed § 2.3(a) would incorporate the penalty provisions of 42 U.S.C. 290dd-2(f), which apply the civil and criminal penalties of §§ 1176 and 1177 of the Social Security Act, respectively, to violations of Part 2.

After consultation with the Department of Justice, the Department proposes in § 2.3(b) to create a limitation on civil or criminal liability for persons acting on behalf of investigative agencies when, in the course of investigating or prosecuting a Part 2 program or other person holding Part 2 records, they may unknowingly receive Part 2 records without first obtaining the requisite court order, provided that specified conditions are met. Such a safe harbor, as proposed, would be limited to only instances where records are obtained for the purposes of investigating a program or person holding the record, not a patient. Investigative agencies are required to follow Part 2 requirements for obtaining, using, and disclosing Part 2 records as part of an investigation or prosecution; such requirements include seeking a court order, filing protective orders, maintaining security for records, and ensuring that records obtained in program investigations are not used in legal actions against patients who are the subjects of the records. Investigative agencies' potential liability for violating Part 2 has increased due to the expanded application of HIPAA/HITECH Act penalties for violations, codified at 42 U.S.C. 1320d-5 (CMPs) and 1320d-6 (criminal penalties), to violations of Part 2. In addition, the need for investigation and prosecution of bad actors has increased in accordance with the intensity and duration of the opioid overdose epidemic. The Department solicits comments on the need for investigation of Part 2 programs and holders of Part 2 records and a related safe harbor for law enforcement due to proposed changes in enforcement of Part 2 requirements.

To address concerns about potential liability for Part 2 violations arising from investigators who, in good faith, unknowingly receive Part 2 records, the Department proposes at § 2.3(b) to create a limitation on civil or criminal liability for persons acting on behalf of investigative agencies if they unknowingly receive Part 2 records without first obtaining the required court order while investigating or prosecuting a Part 2 program or other person holding Part 2 records (or their employees or agents). The limitation on liability would be available for uses or disclosures inconsistent with Part 2 when the person acted with reasonable diligence to determine in advance whether Part 2 applied to the records or program. Paragraph (b)(1) would also clarify what constitutes “reasonable diligence” in determining whether Part 2 applies to a record or program before an investigative agency makes an investigative demand or places an undercover agent with the program or person holding the records. Reasonable diligence would require acting within a reasonable period of time, but no more than 60 days prior to, the request for records or placement of an undercover agent or informant. Reasonable diligence would include taking the following actions to determine whether a health care practice or provider (where it is reasonable to believe that the practice or provider provides SUD diagnostic, treatment, or referral for treatment services) provides such services by:

(1) checking a prescription drug monitoring program in the state where the provider is located, if available and accessible to the agency under state law; or

(2) checking the website or physical location of the provider.

In addition, § 2.3(b) would require an investigative agency to meet any other applicable requirements within Part 2 for any use or disclosure of the records that occurred, or will occur, after the investigative agency knew, or by exercising reasonable diligence would have known, that it received Part 2 records. The Department has added applicable requirements in § 2.66 and § 2.67, discussed below, and requests comment on the impact of the proposed safe harbor on patient privacy and access to SUD treatment.

The proposed safe harbor could promote public safety by permitting government agencies to investigate or prosecute Part 2 programs and persons holding Part 2 records for suspected criminal activity, in good faith without risk of HIPAA/HITECH Act penalties. The current rule contains no mechanism for an investigative agency to correct an error if it unknowingly obtains Part 2 records and as a result fails to obtain the required court order in advance. By proposing a pathway for investigative agencies to seek the required court order after the fact (a pathway that is only available for agencies that have first exercised reasonable diligence to determine in advance whether Part 2 applies), the proposal creates an incentive for investigative agencies to take steps that should reduce the need for “after the fact” court orders. Thus, investigative agencies that follow the proposed reasonable diligence steps and yet unknowingly receive Part 2 records and then seek a court order would be less likely to be denied on the basis of a procedural shortcoming and would not risk incurring HIPAA/HITECH Act penalties. Investigative agencies that do not use reasonable diligence as proposed at § 2.3(b)(1) would be precluded from seeking a court order to use or disclose Part 2 records that they later discover in their possession.

The Department acknowledges that proposed § 2.3(b) may be viewed as a reduction in privacy protection, but believes that the exclusive application to investigations and prosecution of programs and holders of records affords an overall benefit without harming patient confidentiality when the proposed additional protections in §§ 2.66 and 2.67 are applied. The Department has limited the proposed safe harbor to investigative agencies that unknowingly obtain Part 2 records and relies on the CMP tiers to allow appropriate flexibility when a Part 2 program has unknowingly violated Part 2. However, the Department solicits comments on situations for which a safe harbor should be considered for SUD providers that unknowingly hold Part 2 records and unknowingly disclose them in violation of Part 2. As mentioned above, the Department also solicits comments on the impact of this proposed safe harbor to patient privacy and access to SUD treatment.

The Department does not intend to modify the applicability of § 2.12 or § 2.53 for investigative agencies, but to make the proposed safe harbor available in those situations where a court order would otherwise be required for a government agency to use or disclose records under these regulations. Thus, under § 2.12(c) an agency with direct administrative control over a Part 2 program still would not be subject to the Part 2 limits on communications between the program and the agency for purposes of diagnosis, treatment, or referral of patients, although the agency is also an investigative agency due to its supervisory role. Similarly, the disclosure permission under § 2.53 would continue to apply to audits and evaluations conducted by a health oversight agency without patient consent. The Department does not believe that the text of section 3221(e) of the CARES Act indicates congressional intent to alter the established oversight mechanisms for Part 2 programs, including those that provide services reimbursed by Medicare, Medicaid, and Children's Health Insurance Program (CHIP).

Proposed § 2.3(c) would specify that the Enforcement Rule shall apply to violations of Part 2 in the same manner as they apply to covered entities and business associates for violations of part C of title XI of the Social Security Act and its implementing regulations with respect to PHI. The Department requests comment on the likely benefits and costs of these proposed changes.

§ 2.4—Complaints of Violations (Proposed Heading)

Paragraphs (a) and (b) of this section currently provide that reports of violations of the Part 2 regulations may be directed to the U.S. Attorney for the judicial district in which the violation occurs and reports of any violation by an opioid treatment program may be directed to the U.S. Attorney and also to the Substance Abuse and Mental Health Services Administration (SAMHSA). Section 290dd-2(f), as amended by section 3221(f) of the CARES Act, grants civil enforcement authority to the Department, which currently exercises its HIPAA enforcement authority under 1176 of the Social Security Act in accordance with the Enforcement Rule. To implement the change from U.S. Attorney enforcement, the Department proposes to re-title the heading to this section, replacing “Reports of violations” with “Complaints of violations,” and to replace the existing provisions about directing reports of Part 2 violations to the U.S. Attorney's Office and to SAMHSA with provisions about filing complaints of potential violations with a Part 2 program or the Secretary. The Department notes that SAMHSA continues to regulate opioid treatment programs (OTPs) and may receive reports of alleged violations by OTPs of federal opioid treatment standards, including privacy and confidentiality requirements.

Specifically, the Department proposes to add § 2.4(a) to require a Part 2 program to have a process to receive complaints concerning the program's compliance with the Part 2 regulations. Proposed § 2.4(b) would provide that a program may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any patient for the exercise of any right established, or for participation in any process provided for, in Part 2, including the filing of a complaint. The Department also proposes to add § 2.4(c) to prohibit a program from requiring patients to waive their right to file a complaint as a condition of the provision of treatment, payment, enrollment, or eligibility for any program subject to Part 2.

The proposed changes to § 2.4 would align Part 2 with Privacy Rule provisions concerning complaints. Section 2.4(a) is consistent with the administrative requirements in 45 CFR 164.530(d), Standard: Complaints to the covered entity. Proposed § 2.4(b) would align with the Privacy Rule provision at 45 CFR 164.530(g), Standard: Refraining from intimidating or retaliatory acts. The proposed § 2.4(c) would be consistent with the Privacy Rule provision at 45 CFR 164.530(h), Standard: Waiver of rights. Thus, Part 2 programs that are also covered entities already have these administrative requirements in place, but programs that are not covered entities would need to adopt new policies and procedures.

The Department requests comment on these proposed changes, including any concerns about potential unintended negative consequences on programs or patients of aligning § 2.4 with the cited provisions of the Privacy Rule.

§ 2.11—Definitions

Section 2.11 includes definitions for key regulatory terms in 42 CFR part 2. The Department proposes to add thirteen defined regulatory terms and modify the definitions of ten existing terms. The proposed new or modified definitions would be: Breach, Business associate, Covered entity, Health care operations, HIPAA, HIPAA regulations, Informant, Intermediary, Investigative agency, Part 2 program director, Patient, Payment, Person, Program, Public health authority, Qualified service organization, Records, Third-party payer, Treating provider relationship, Treatment, Unsecured protected health information, Unsecured record, and Use. Most of these terms and definitions would be added or modified by referencing existing HIPAA regulatory terms in 45 CFR parts 160 and 164, either in accordance with the adoption of such definitions by section 3221(d) of the CARES Act, which added paragraph (k) (containing definitions) to 42 U.S.C. 290dd-2, or as a logical outgrowth of CARES Act amendments. Several other definitions would be modified for clarity and consistency, as described below. The Department requests comment on all proposals to add new or modify existing definitions to this part. Breach. The proposed definition of Breach would adopt the Breach Notification Rule definition by reference to 45 CFR 164.402, but as applied to Part 2 records rather than to PHI. The Department proposes this definition to implement paragraph (k) of 42 U.S.C. 290dd-2, added by section 3221(d) of the CARES Act, requiring that the term in this part be given the same meaning of the term for the purposes of the HIPAA regulations. Because the CARES Act requires Part 2 programs to comply with HITECH Act breach notification requirements, a Part 2 regulatory definition of breach is necessary to implement and enforce these requirements.

Business associate. The Department proposes to adopt the same meaning of this term as is used in the HIPAA Rules. This proposal would implement the new paragraph (k) of 42 U.S.C. 290dd-2, added by section 3221(d) of the CARES Act, requiring the term in this part be given the same meaning of the term for the purposes of the HIPAA regulations.

Covered entity. The Department proposes to adopt the same meaning of this term as is used in the HIPAA Rule. This proposal would implement the new paragraph (k) of 42 U.S.C. 290dd- 2, added by section 3221(d) of the CARES Act, requiring the term in this part be given the same meaning of the term for the purposes of the HIPAA regulations.

Health care operations. The proposal would incorporate the HIPAA Privacy Rule definition for health care operations.

HIPAA. Although not required by the CARES Act, the Department proposes to add a definition of HIPAA that encompasses the statutory and regulatory provisions pertaining to the privacy, security, breach notification, and enforcement standards with respect to PHI. This definition would exclude other components of the HIPAA statute, such as insurance portability, and other HIPAA regulatory standards, such as the standard electronic transactions regulation, which are not relevant to this proposed rule. The Department proposes this definition to make clear the specific components of the relevant statutes that would be incorporated into this part.

HIPAA regulations. The current rule does not define HIPAA regulations. The proposed definition is based on the statutory definition added by the CARES Act and has the same meaning as “HIPAA Rules,” which refers to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, when used in this document, OCR rulemaking, and OCR's guidance and other materials. For purposes of this rulemaking, the term does not include Standard Unique Identifiers, Standard Electronic Transactions, and Code Sets, 42 CFR part 162—Administrative Requirements.

Informant. Within the definition of “informant,” the Department proposes to replace the term “individual” with the term “person” as is used in the HIPAA Rules and discussed below.

Intermediary. The current rule uses the term intermediary in § 2.13(d)(2) without providing a definition. To improve understanding of the requirements for intermediaries, and to distinguish those requirements from the proposed accounting of disclosure requirements, the Department proposes to establish a definition of intermediary.

Examples of an intermediary include, but are not limited to, a health information exchange, a research institution that is providing treatment, an accountable care organization, or a care management organization. In contrast, a research institution that is not providing treatment or a health app that is providing individual patients with access to their records would not be considered an intermediary. Member participants of an intermediary refers to health care provider practices or health-related organizations. It does not include individual health plan subscribers or workforce members who share access to the same electronic health record system.

In the current rule, if a patient provides a written consent that is specific to treatment, the general designation of a recipient entity who is an intermediary may be used and the patient would have a right to obtain a list of recipients to whom the intermediary has disclosed their record.

Under section 3221 of the CARES Act, a patient consent may contain a general designation of recipients for treatment, payment, and health care operations. Without regulatory clarification this could result in the recipients exchanging health information through an HIE/HIN or other means without triggering the intermediary requirements. To avoid this unintended consequence, the Department proposes additional changes to § 2.31(a)(4) to ensure that intermediaries continue to be named whenever they are used to exchange Part 2 records.

Under this proposal, an intermediary would be a person who has received records, under a general designation in a written patient consent, for the purpose of disclosing the records to one or more of its member participants who has a treating provider relationship with the patient. The term intermediary is based on the function of the person—receiving records and disclosing them to other providers as a key element of its role—rather than on a title or category of an organization or business. For example, an electronic health record vendor that enables entities at two different health systems to share records likely would be an intermediary. That same vendor would not be an intermediary when used by employees in different departments of a hospital to access the same patient's records. Where an intermediary is also a business associate under the HIPAA Rules, it would be subject to the requirements of both an intermediary and a business associate.

The requirements for intermediaries would remain unchanged but would be redesignated from § 2.13(d), Lists of disclosures, to new § 2.24, Requirements for intermediaries. These proposed modifications are discussed separately below.

Investigative agency. The Department proposes to create a new definition for “investigative agency” to describe those government agencies with responsibilities for investigating and prosecuting Part 2 programs and persons holding Part 2 records, such that they would be required to comply with subpart E when seeking to use or disclose records against a Part 2 program or lawful holder. In conjunction with proposed changes to subpart E pertaining to use and disclosure of records by law enforcement, the Department proposes to define an investigative agency as “A state or federal administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agency having jurisdiction over the activities of a part 2 program or other person holding part 2 records.” By creating a definition of investigative agency, the Department does not intend to change the applicability of § 2.53 or subpart E, but only to establish a limitation on liability for such agencies in certain circumstances when a court order is otherwise required by these regulations.

Part 2 program director. Within the definition of “part 2 program director,” the Department proposes to replace the first instance of the term “individual” with the term “natural person” and the other instances of the term “individual” with the term “person” as used in the HIPAA Rules and discussed below.

Patient. The Department proposes to add language to the existing definition to clarify that when the HIPAA regulations apply to Part 2 records, a patient is an individual as that term is defined in the HIPAA regulations.

Payment. The Department proposes to adopt the same definition for this term as in the HIPAA Rules. This proposal would implement the new paragraph (k) of 42 U.S.C. 290dd-2, added by section 3221(d) of the CARES Act, requiring the term in this part be given the same meaning of the term for the purposes of the HIPAA regulations.

Person. The term “person ” is currently defined as “an individual, partnership, corporation, federal, state or local government agency, or any other legal entity, (also referred to as “individual or entity”).” Thus, the current Part 2 regulation uses the term “individual” in reference to someone who is not the patient and therefore not the subject of the Part 2 record. In contrast, the HIPAA Rules at 45 CFR 160.103 define the term “individual” to refer to the subject of PHI, and “person” to refer to “a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.” To further the alignment of Part 2 and the HIPAA Rules and provide clarity for programs and entities that must comply with both sets of requirements, the Department proposes to replace the Part 2 definition of “person” with the HIPAA definition in 45 CFR 160.103. As an extension of this clarification, the Department also proposes to replace the term “individual” with “patient” when the regulation refers to someone who is the subject of Part 2 records, to use the term “person” when it refers to someone who is not the subject of the records at issue, and to modify the definition of “patient” in Part 2 to include an “individual” as that term is used in the HIPAA Rules. The Department believes that this combination of modifications would promote the understanding of both Part 2 and the HIPAA Rules and requests comment on whether this or other approaches would provide more clarity.

Program. Within the definition of “program,” the Department proposes to replace the term “individual or entity” with the term “person” as is used in the HIPAA Rules and discussed above.

Public health authority. The Department proposes to adopt the same meaning for this term as in the Privacy Rule. This proposal would implement the new paragraph (k) of 42 U.S.C. 290dd-2, added by section 3221(d) of the CARES Act, requiring the term in this part be given the same meaning of the term for the purposes of the HIPAA regulations.

Qualified service organization. The Department proposes to modify the definition of Qualified service organization (QSO) by adding HIPAA business associates to the regulatory text to clarify that they are QSOs in circumstances when Part 2 records also meet the definition of PHI ( i.e., when a Part 2 program is also a covered entity). The Department believes this proposal would facilitate the implementation of the CARES Act with respect to disclosures to QSOs. The HIPAA Rules generally permit disclosures from a covered entity to a person who meets the definition of a business associate ( i.e., a person who works on behalf of or provides services to the covered entity) without individual authorization, when based on a business associate agreement that incorporates certain protections. Similarly, the use and disclosure restrictions of this part do not apply to the communications between a Part 2 program and QSO when the information is needed by the QSO to provide services to the Part 2 program. This definition is proposed in conjunction with a proposal to modify § 2.12, Applicability, to clarify that QSOs also use Part 2 records received from programs to work “on behalf of” the program.

The Department also proposes a wording change to replace the phrase “individual or entity” with the term “person” as now proposed to comport with the HIPAA meaning of the term.

Records. The definition of records specifies the scope of information that Part 2 protects. The Department proposes to remove the last sentence of the definition as unnecessary. In the five decades since the promulgation of the Part 2 regulation, health information technology has become widely adopted and it is evident that records include both paper and electronic formats. The Department does not intend to change the meaning or understanding of records with this proposed modification, but only to streamline the description.

The Department offers clarification here about how the definition of Part 2 records operates in relation to the HIPAA definitions of PHI, designated record set, and psychotherapy notes.

These issues are most pertinent with respect to the right individuals have to access their records under the HIPAA Rules, as explained below (Part 2 does not contain a parallel patient right of access to records).

Generally, the HIPAA Privacy Rule gives individuals the right to access all of their PHI in a designated record set. A designated record set is a group of records maintained by or for a covered entity that are a provider's medical and billing records, a health plan's enrollment, payment, claims adjudication, and case or medical management record systems, and any other records used, in whole or in part, by or for the covered entity to make decisions about individuals. A covered entity's Part 2 records usually fall into these categories, and thus are part of the designated record set. This is true when a Part 2 program is a covered entity, as well as when a covered entity receives Part 2 records but is not a Part 2 program. In the latter situation, the Part 2 records become PHI when they are received by or for the covered entity, and part of a designated record set. As such, they are subject to the Privacy Rule's right of access requirements.

However, the Privacy Rule right of access excludes psychotherapy notes. If SUD treatment is provided by a mental health professional that is a Part 2 program and a covered entity, and the provider creates notes of counseling sessions that are kept separate from the individual's medical record, those notes would be psychotherapy notes as well as Part 2 records. In this case, the individual would not have a Privacy Rule right of access to those records, but a provider may voluntarily provide access upon request by the individual patient. Additionally, psychotherapy notes created by a Part 2 program that is a covered entity could only be disclosed with a separate written authorization or consent.

The Department is considering whether to create a new definition similar to psychotherapy notes that is specific to the notes of SUD counseling sessions by a Part 2 program professional. Such notes would be Part 2 records, but could not be disclosed based on a general consent for TPO. They could only be disclosed with a separate written consent that is not combined with a consent to disclose any other type of health information. The Department solicits comments on the benefits and burdens of creating such additional privacy protection for SUD counseling notes that are maintained primarily for use by the originator of the notes, similar to psychotherapy notes as defined in the Privacy Rule. Under consideration is a definition such as this:

SUD counseling notes means notes recorded (in any medium) by a Part 2 program provider who is a SUD or mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the patient's record. SUD counseling notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

As with psychotherapy notes under the Privacy Rule, the separate consent requirement, if adopted, would not apply to SUD counseling notes in the following situations:

1. Use by the originator of the SUD counseling notes for treatment;

2. Use or disclosure by the program for its own training programs in which students, trainees, or practitioners in SUD treatment learn under supervision to practice or improve their skills in group, joint, family, or individual counseling;

3. For the program to defend itself in a legal action or other proceeding brought by the patient;

4. Required for the reporting of child abuse or neglect;

5. Required by law;

6. Required for oversight of the originator of the SUD counseling notes;

7. To a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law; or

8. When necessary to lessen a serious and imminent threat to the health or safety of a person or the public and is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.

Third-party payer. The term third-party payer refers to an entity with a contractual obligation to pay for a patient's Part 2 services and includes some health plans, which by definition are covered entities. The current regulation, at § 2.12, limits disclosures by third-party payers to a shorter list of purposes than the Privacy Rule allows for health plans. The Department proposes to exclude covered entities from the definition of third-party payer to facilitate implementation of 42 U.S.C. 290dd-2(b)(1)(B), as amended by section 3221(b) of the CARES Act, which enacted a permission for certain recipients of Part 2 records to redisclose them according to the HIPAA standards. The result of this proposed change would be that the current Part 2 disclosure restrictions continue to apply to a narrower set of entities, such as grant-funded programs. The Department believes that this approach would carry out the intent of the CARES Act, while preserving the privacy protections that apply to payers that are not covered entities. The Department also proposes a wording change to replace the phrase “individual or entity” with the term “person” as now proposed to comport with the HIPAA meaning of the term.

The Department welcomes comments on the number and type of third-party payers that would not be considered health plans.

Treating provider relationship. The Department proposes to modify the Part 2 definition of “treating provider relationship” by replacing the phase “individual or entity” with “person,” in accordance with the proposed changes to the definition of “person” described above.

Treatment. The Department proposes to modify the Part 2 definition of “treatment” by adopting the Privacy Rule definition by reference. This proposal would implement the new paragraph (k) of 42 U.S.C. 290dd-2, added by section 3221(d) of the CARES Act, requiring that the term in this part be given the same meaning of the term for the purposes of the HIPAA regulations. By replacing the existing language, the Department does not intend to change the scope of activities that constitute treatment. Thus, it remains true, as provided in the prior definition, that treatment includes the care of a patient suffering from an SUD, a condition which is identified as having been caused by the SUD, or both, in order to reduce or eliminate the adverse effects upon the patient.

Unsecured protected health information. The Department proposes to adopt the same meaning of this term as used in the HIPAA Rules. This proposal would implement the new paragraph (k) of 42 U.S.C. 290dd-2, added by section 3221(d) of the CARES Act, requiring that the term in this part be given the same meaning as the term in the purposes of the HIPAA regulations.

Unsecured record. To align with the definition of “unsecured protected health information” at 45 CFR 164.402, the Department proposes to apply a similar concept to records, as defined in this part. Thus, an unsecured record would be one that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under Public Law 111-5, 13402(h)(2). The Department believes this proposal is necessary to implement the newly required breach notification standards for Part 2 records and requests comment on this approach.

Use. The Department proposes to add a definition for this term that is consistent with that in the HIPAA Rules at 45 CFR 160.103, and as the term is applied to the conduct of proceedings specified in statute at 42 U.S.C. 290dd-2(c). The Department believes this proposal is necessary to more fully align this part with the HIPAA Rules use of the language “use and disclosure”, as well as make clear, where applicable, that many of the activities regulated by this part involve not only disclosures but internal uses of Part 2 records by programs or recipients of Part 2 records. The Department also proposes this definition to make clear that in this part, the term “use” has a secondary meaning in accordance with the statutory requirements at 42 U.S.C. 290dd-2(c) for “use” of records in proceedings. The Department discusses in greater detail the addition of the term “use” to specific provisions throughout this NPRM, and in particular, in connection to § 2.12 below.

§ 2.12—Applicability

Section 2.12 includes five provisions outlining the scope of the rule's requirements. Paragraph (a) of § 2.12 describes which records are protected and describes the restrictions on use and disclosure of Part 2 records; paragraph (b) outlines what constitutes federal assistance for purposes of the regulation's applicability; paragraph (c) specifies exceptions for certain disclosures; paragraph (d) provides restrictions that apply to: (1) any recipient of Part 2 records, and (2) third-party payers and administrators; and paragraph (e) details the types of records and diagnoses to which the restrictions in this regulation apply.

The Department proposes to amend the Part 2 regulation in paragraph (c)(2) of § 2.12, which excludes from Part 2 requirements certain interchanges of information within the Armed Forces and between the Armed Forces and the Department of Veterans Affairs, by replacing “Armed Forces” with “Uniformed Services.” This change would align the regulatory text with the statutory language at 42 U.S.C. 290dd-2(e). The change also would create consistency with the Department's proposal to expand the Privacy Rule permission for covered entities, at 45 CFR 164.512(k), to use or disclose the PHI of Armed Services personnel when deemed necessary by certain military command authorities to all Uniformed Services, which would then include the U.S. Public Health Service (USPHS) and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps. As the Department noted in that NPRM to modify the Privacy Rule, the USPHS and NOAA Commissioned Corps share responsibility with the Armed Services for certain critical missions, support military readiness and maintain medical fitness for deployment in response to urgent and emergency public health crises, and maintain fitness for deployment onto U.S. Coast Guard manned aircraft and shipboard missions. Because this Part 2 proposal with respect to the Uniformed Services is consistent with the underlying statute, the Department does not believe the modification will change how SUD treatment records are treated for USPHS and NOAA Commissioned Corps personnel, but requests comment on this assumption.

The Department also proposes to add the term “use” to paragraphs (a)(1), (c)(3), (c)(4), and (d)(2) of this section, and the term “disclosure” to paragraphs (a)(2) and (d)(1), to make clear that as amended by CARES Act section 3221(b), these provisions include both uses and disclosures that are restricted by Part 2. The Department also proposes to add “use” to the second sentence of paragraph (e)(3). Historically, the Part 2 regulation associated “use” with the initiation of legal proceedings against a patient and associated “disclosure” with sharing records to an external entity. In contrast, the Privacy Rule applies the term “use” to refer to internal use of health information within an entity, such as access by staff members. With this understanding, a Part 2 record could be both used and disclosed for purposes related to the provision of health care, but also for the purposes such as the initiation of a legal proceeding. To align Part 2 with the Privacy Rule, the Department proposes to adopt the “use and disclosure” terminology throughout the regulation when both actions could apply. The Department requests comment on this approach.

The Department also proposes in paragraph (d)(1) of § 2.12 to expand the restrictions on the use of records as evidence in criminal proceedings against the patient by incorporating the four prohibited actions specified in 42 U.S.C. 290dd-2(c), as amended by the CARES Act, and expanding the regulatory prohibition to cover civil, administrative, or legislative proceedings in addition to criminal proceedings. Absent patient consent or a court order, the proposed prohibitions are: (1) the introduction into evidence of a record or testimony in any criminal prosecution or civil action before a Federal or State court, (2) reliance on the record or testimony to form part of the record for decision or otherwise be taken into account in any proceeding before a Federal, State, or local agency, (3) the use of such record or testimony by any Federal, State, or local agency for a law enforcement purpose or to conduct any law enforcement investigation, and (4) the use of such record or testimony in any application for a warrant.

The proposed narrowing of the definition of third-party payer in § 2.11 would exclude covered entity health plans from the limits on redisclosure of Part 2 records in paragraph (d)(2) of § 2.12. To clarify the modified scope of this paragraph, the Department proposes to insert qualifying language in § 2.12(d)(2) to refer to third-party payers, “as defined in this part.” This approach implements the CARES Act changes in a manner that preserves the existing redisclosure limitations for any third-party payers that are not covered entities. The Department seeks comment and data on the number and types of third-party payers, as defined in the proposed rule, to which the redisclosure limitations would continue to apply. The Department especially seeks comment on how this provision would apply to grant-funded programs.

The Department proposes to conform paragraph (e)(3) of § 2.12 to 42 U.S.C. 290dd-2(c), as amended by section 3221(e) of the CARES Act, by expanding the restrictions on the use of Part 2 records in criminal proceedings against the patient to expressly include disclosures of Part 2 records and to add civil and administrative proceedings as additional types of forums where use and disclosure of Part 2 records is prohibited, absent written patient consent or a court order. Additionally, the Department proposes to clarify the language in subparagraph (e)(4)(i) of § 2.12, which excludes from Part 2 those diagnoses of SUD that are created solely to be used as evidence in a legal proceeding. The proposed change would narrow the exclusion to diagnoses of SUD made “on behalf of and at the request of a law enforcement agency or official or a court of competent jurisdiction” to be used as evidence “in legal proceedings.” The Department believes the proposed clarification would tighten the nexus between a law enforcement or judicial request for the diagnosis and the use or disclosure of the SUD diagnosis based on that request, and requests comment on this approach.

The Department proposes to substitute the term “person” for the term “entity” and the phrase “individuals and entities” in § 2.12(d)(2)(i)(B) and (C), respectively. As discussed above in relation to § 2.11, Definitions, the Department does not intend this to be a substantive change, but rather an alignment with the term as it is defined in the Privacy Rule at 45 CFR 160.103.

§ 2.13—Confidentiality Restrictions and Safeguards

The current provisions of this section apply confidentiality restrictions and safeguards to how Part 2 records may be “disclosed and used” in this part, and specifically provide that Part 2 records may not be disclosed or used in any civil, criminal, administrative, or legislative proceedings. The current provisions also provide that unconditional compliance with the part is required by programs and lawful holders and restrict the ability of programs to acknowledge the presence of patients at certain facilities.

To more accurately describe how the regulations of this part apply to the activities of programs after the amendment of 42 U.S.C. 290dd-2 by section 3221 of the CARES Act, and to align the language throughout this section with language in the Privacy Rule, the Department proposes to modify paragraphs (a) and (b) of this section by replacing the phrase “disclosed or used” with “used or disclosed”, and in paragraph (a), adding the term “use” in front of the term “disclosure.” The Department proposes to add the term “use” in paragraph (a) of this section because sections 3221(b) and (e) of the CARES Act amends key provisions of 42 U.S.C. 290dd-2 so that confidentiality restrictions and safeguards apply to both uses and disclosures.

Paragraph (d) of § 2.13, List of disclosures, includes a requirement for intermediaries to provide patients with a list of entities to which an intermediary, such as a health information exchange (HIE), has disclosed the patient's identifying information pursuant to a general designation. The Department proposes to remove § 2.13(d) and redesignate the content as § 2.24, change the heading to Requirements for Intermediaries, and in § 2.11 create a regulatory definition of the term “intermediary,” as discussed above. The Department's proposal to redesignate § 2.13(d) as 2.24 would move the section toward the end of Subpart B—General Provisions, to be grouped with the newly proposed §§ 2.25 and 2.26 about patient rights and disclosure. The Department's proposed change to the heading is intended to distinguish the right to a list of disclosures made by intermediaries from the proposed new right to an accounting of disclosures made by a part 2 program.

In addition to these proposed structural changes, the Department also proposes wording changes to paragraphs (a) through (c) of § 2.13 to clarify who is subject to the restrictions and safeguards with respect to Part 2 records. The Department solicits comment on the extent to which Part 2 programs look to the HIPAA Security Rule as a guide for safeguarding Part 2 electronic records. The Department also requests comment on whether it should modify Part 2 to apply the same or similar safeguards requirements to electronic Part 2 records as the Security Rule applies to ePHI or whether other safeguards should be applied to electronic Part 2 records.

§ 2.14—Minor Patients

Current § 2.14 establishes the consent requirements for the disclosure of records of minor patients. To align the description of these requirements with 42 U.S.C. 290dd-2(b), as amended by section 3221(b) of the CARES Act, and to align the language of this provision with the Privacy Rule, the Department proposes to add the term “use” in paragraphs (a) and (b) to clarify that requirements related to consent given by minor patients would apply to both uses and disclosures of records. For example, as amended by section 3221(b) of the CARES Act, 42 U.S.C. 290dd-2(b)(1)(A) and (B) require a program or covered entity to obtain the appropriate consent, as determined by this section, to use or disclose the Part 2 records of the minor, and to use or disclose the same records for TPO purposes in accordance with the Privacy Rule. Subsection (c) of this section addresses when a minor's application for treatment may be disclosed to the minor's parents. The Department proposes to change the verb “judges” to “determines” to describe a program director's evaluation and decision that a minor lacks decision making capacity that could trigger a disclosure to the patient's parents. This change is intended to distinguish between the evaluation by a program director about patient decision making capacity and an adjudication of incompetence made by a court, which is addressed in § 2.15. The Department also proposes a technical edit to § 2.14(c)(1) to correct a typographical error from “youthor” to “youth or.”

The Department also proposes to substitute the term “person” for the term “individual” in § 2.14(b)(1), (b)(2), (c), (c)(1), and (c)(2), respectively. As discussed above in relation to § 2.11, Definitions, the Department does not intend this to be a substantive change, but rather an alignment with the term as it is defined in the Privacy Rule at 45 CFR 160.103.

§ 2.15—Patients Who Lack Capacity and Deceased Patients (Proposed Heading)

Section 2.15 of 42 CFR part 2 addresses who may consent to a disclosure of records when a patient lacks capacity to make health care decisions or is deceased. The Department proposes to replace the outdated term “incompetent” and refer instead to patients who lack capacity to make health care decisions. This modification is not intended as a substantive change, but would replace a term that may be considered derogatory. The rule clearly distinguishes between situations involving an adjudication and those without adjudication. Consistent with 42 U.S.C. 290dd-2, as amended by section 3221(b) of the CARES Act, the Department proposes to clarify, by referring to the “use” of records in addition to disclosures of records in paragraphs (a)(2) and (b), that confidentiality requirements related to the records of patients who lack the capacity to make health care decisions and deceased patients apply to both uses and disclosures. The Department also proposes to substitute the term “person” for the term “individual” as discussed above in relation to § 2.11, Definitions. The Department further proposes to clarify that paragraph (a) of this section refers to lack of capacity to make health care decisions as adjudicated by a court while paragraph (b) refers to lack of capacity to make health care decisions that is not adjudicated, and to add health plans to the list of entities to which a program may disclose records without consent to obtain payment during a period when the patient has an unadjudicated inability to make decisions. Finally, the Department proposes in paragraphs (b)(1) and (b)(2) of this section to clearly identify that the restriction on the ability to use or disclose patient identifying information applies to the Part 2 program.

§ 2.16—Security for Records and Notification of Breaches (Proposed Heading)

Section 2.16, Security for records, currently includes a set of requirements for securing records. Specifically, § 2.16(a) requires a Part 2 program or other lawful holder of patient identifying information to maintain formal policies and procedures to protect against unauthorized uses and disclosures of such information, and to protect the security of this information. Sections 2.16(a)(1)-(2) set forth minimum requirements for what these policies and procedures must address with respect to paper and electronic records, respectively, including, for example, transfers of records, maintaining records in a secure location, and appropriate destruction of records. Section 2.16(a)(1)(v) requires part 2 programs to implement formal policies and procedures to address removing patient identifying information to render it non-identifiable in a manner that creates a low risk of re-identification.

The Department proposes to change the requirements in § 2.16(a) to more closely align them with the Privacy Rule de-identification standard. Specifically, the Department proposes to modify § 2.16(a)(1)(v) (for paper records) and § 2.16(a)(2)(iv) (for electronic records), as follows: “Rendering patient identifying information de-identified in accordance with the requirements of the Privacy Rule at 45 CFR 164.514(b), such that there is no reasonable basis to believe that the information can be used to identify a patient as having or having had a substance use disorder.” The Department requests comment on the extent to which Part 2 programs render patient identifying information de-identified under § 2.16(a)(1)(v) and § 2.16(a)(2)(iv) in a manner that differs from the Privacy Rule de-identification standard, such that conforming the Part 2 requirements to the Privacy Rule standard would create unintended adverse consequences for Part 2 programs or patients. In addition, the Department requests comment on examples of situations in which Part 2 programs or covered entities render Part 2 information not readily identifiable but the information is not de-identified in accordance with the Privacy Rule.

The Department's proposals would increase the alignment of regulatory requirements for Part 2 with the Privacy Rule and Breach Notification Rule. The same public policy objectives of the Breach Notification Rule as applied to covered entities would be furthered by establishing analogous requirements for Part 2 programs, namely: (1) greater accountability for Part 2 programs through requirements to maintain written policies and procedures to address breaches and document actions taken in response to a breach; (2) enhanced oversight and public awareness through notification of the Secretary, affected patients, and in some cases the media; (3) greater protection of patients through obligations to mitigate harm to affected patients resulting from a breach; and (4) improved measures to prevent future breaches as Part 2 programs timely resolve the causes of a breach of records.

The Department proposes to modify the heading of § 2.16 to add “and notification of breaches” and add a new paragraph § 2.16(b) to require Part 2 programs to establish and implement policies and procedures for notification of breaches of unsecured part 2 records, consistent with the requirements of 45 CFR parts 160 and 164, subpart D, as mandated by section 3221(h) of the CARES Act. In the event of a breach, Part 2 programs would be required to notify the Secretary, affected patients, and in some cases the media, consistent with the Breach Notification Rule.

Section 2.16 applies security requirements for Part 2 records to both Part 2 programs and “lawful holders.” The term “lawful holder” is enshrined in several Part 2 regulatory provisions but not defined in regulation. Generally, the term refers to “an individual or entity who has received such information as the result of a part 2-compliant consent (with a prohibition on redisclosure) or as a result of one of the exceptions to the consent requirements in the statute or implementing regulations and, therefore, is bound by 42 CFR part 2.”

However, the Department believes that the requirements of this section do not currently apply uniformly across all persons who receive Part 2 records pursuant to consent and therefore qualify as “lawful holders”, such that a failure to have “formal policies and procedures” or to “protect” against threats would result in the imposition of civil or criminal penalties. The Department does not propose to expand the existing scope of persons who are liable for noncompliance with requirements that are applicable only to Part 2 programs and lawful holders. Instead, due to the variety of persons that could receive Part 2 records based on a valid written Part 2 consent, the Department would determine the extent of the duty and ability of a particular person to “reasonably protect against unauthorized uses” and against “reasonably anticipated threats or hazards” based on the facts and circumstances.

The Department requests comment on its assumptions, and examples of persons who are lawful holders under the existing regulation, but who may not be appropriately held liable for compliance with the administrative requirements for protecting Part 2 records they have received ( e.g., policies and procedures to protect against unauthorized use or disclosure) or providing breach notification, such as a patient's family members. The Department also requests comment on whether it would be helpful to create a regulatory definition of “lawful holder” and what persons such definition should encompass.

The Department further requests public comment regarding the estimated burden of notification, potential regulatory flexibilities for Part 2 programs to minimize burdens during their initial implementation of the policies and procedures required by the breach notification proposal, and the characteristics of programs to which any suggested flexibilities should apply. In addition, the Department welcomes comments from Part 2 programs that are not covered entities on whether they look to the Security Rule generally for guidance on protecting electronic Part 2 records or otherwise voluntarily attempt to follow the requirements of the Security Rule. For any programs that may do so, the Department requests comment on what their experience has been, including any implementation costs.

§ 2.17—Undercover Agents and Informants

The current provision prohibits, absent court order, a Part 2 program from knowingly employing or enrolling a patient as an undercover agent and restricts the use of information obtained by an undercover agency in any criminal investigation against any patient. To fully implement 42 U.S.C. 290dd-2(c)(3), as amended by section 3221(e) of the CARES Act, The Department proposes to add “or disclosed” behind “used” in this section so that the use and disclosure of Part 2 records is prohibited by this section pursuant to the statutory authority.

§ 2.19—Disposition of Records by Discontinued Programs

Current § 2.19 requires a Part 2 program to remove patient identifying information or destroy the records when a program discontinues services or is acquired by another program, unless patient consent is obtained or another law requires retention of the records. The Department proposes to create a third exception to this general requirement to clarify that these provisions do not apply to transfers, retrocessions, and reassumptions of Part 2 programs pursuant to the Indian Self-Determination and Education Assistance Act (ISDEAA), in order to facilitate the responsibilities set forth in 25 U.S.C. 5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C. § 5324(e), 25 U.S.C. 5330, 25 U.S.C. 5386(f), 25 U.S.C. 5384(d), and the implementing ISDEAA regulations. For example, in the event the Department needs to take over operations of a such a program on short notice, the program records would remain intact, permitting the Department to ensure continuation of services. Without this provision, program records would be destroyed if patient consent is unavailable at the time services are transferred to the Department, which could occur without sufficient opportunity to seek consent from all current or former patients. The Department also proposes wording changes to improve readability and modernize the regulation, such as by referring to “non-electronic” records instead of “paper” records, and structural changes to the numbering of paragraphs.

§ 2.20—Relationship to State Laws

Current § 2.20 establishes the relationship of state laws to Part 2 and provides that Part 2 does not preempt the field of law which it covers to the exclusion of all applicable state laws, but that no state law may either authorize or compel a disclosure prohibited by Part 2. The Department proposes to add the term “use” to § 2.20 to clarify that this section applies to both uses and disclosures under Part 2 and state law. The Department believes this proposal is consistent with 42 U.S.C. 290dd-2, as amended by section 3221(b) CARES Act, which imposes requirements related to the use and disclosure of Part 2 records.

Records subject to regulation by Part 2 frequently are also subject to regulation by various state laws. For example, similar to Part 2, state laws impose restrictions to varying degree on uses and disclosures of records related to SUD (and often other issues commonly considered sensitive, such as reproductive health, HIV, or serious mental illness). The Department assumes that, to the extent state laws address SUD records, Part 2 programs generally are able to comply with Part 2 and state law. The Department requests comment on this assumption and examples of any circumstances in which a state law compels a use or disclosure that is prohibited by Part 2, such that Part 2 preempts such state law.

§ 2.21—Relationship to Federal Statutes Protecting Research Subjects Against Compulsory Disclosure of Their Identity

The current language of § 2.21 recognizes the potential for concurrent coverage of certain federal laws that regulate patient identifying information. The Department proposes to reorder “disclosure and use” to read “use and disclosure” to better align the wording of this section with language used in the Privacy Rule.

§ 2.22—Notice to Patients of Federal Confidentiality Requirements; and 45 CFR 164.520—Notice of Privacy Practices for Protected Health Information

Section 3221(i) of the CARES Act directs the Secretary to modify or “update” the HIPAA NPP requirements at 45 CFR 164.520 to specify new requirements for covered entities and Part 2 programs with respect to Part 2 records that are PHI ( i.e., records of SUD treatment by a Part 2 program that are transmitted or maintained by or for covered entities). The CARES Act notice requirements would therefore apply to entities that are subject to both Part 2 and HIPAA, which include covered entities that are Part 2 programs as well as covered entities that receive Part 2 records from a Part 2 program.

The Privacy Rule, at 45 CFR 164.520, establishes an individual right to receive an NPP, written in plain language, providing adequate notice of a covered entity's privacy practices and obligations with respect to individuals' PHI. Health care clearinghouses, correctional institutions that are covered entities, and certain group health plans are excepted from the requirement, but other covered health plans and covered health care providers that maintain a direct treatment relationship with an individual must provide the individual with adequate notice about how the covered entity may use and disclose the individual's PHI, as well as the individual's rights and the covered entity's obligations with respect to the individual's PHI.

To implement section 3221(i)(2) of the CARES Act, the Department proposes to modify both the Patient Notice requirements at § 2.22 and the NPP requirements at 45 CFR 164.520 to provide notice requirements for all Part 2 records. While the CARES Act only expressly requires the modification of the NPP requirements at 45 CFR 164.520, the Department proposes to also modify the Part 2 Patient Notice at § 2.22 to align more closely with the NPP requirements. The proposal to modify § 2.22 would ensure that patients of Part 2 programs that are not covered by HIPAA are afforded as much notice and transparency as is provided to individuals in the NPP. Accordingly, the Department proposes to modify § 2.22 pursuant to the Secretary's authority under 42 U.S.C. 290dd-2(g) to prescribe regulations to carry out the purposes of that section.

The Department also believes there is a statutory mandate to modify the NPP requirements for some HIPAA covered entities that are not Part 2 programs, namely, those covered entities that receive and maintain Part 2 records, and thus are obligated to comply with certain Part 2 requirements with respect to such records. Covered entities that receive and maintain Part 2 records would need to add a provision to their NPP that references the restrictions on use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings against the individual. The current NPP requirements would continue to apply, without change, to covered entities that do not receive or maintain Part 2 records. The proposed changes to § 2.22, notice of federal confidentiality requirements, for Part 2 programs that are not covered entities, followed by proposed changes to 45 CFR 164.520 for covered entities that are dually subject to HIPAA and Part 2, and for other covered entities that receive and maintain Part 2 records, are described below.

Consistent with the requirements of section 3221(i)(2) of the CARES Act, the Department proposes to revise the Patient Notice at § 2.22 of this part, and to update NPP requirements using plain language that is easily understandable and parallel to changes proposed in the NPRM modifying the Privacy Rule published on January 21, 2021. The Department specifically requests comment from legal, clinical, privacy, and civil rights experts on whether the below proposals achieve this goal.

1. Modifying the § 2.22 Patient Notice

Because the HIPAA Rules and Part 2 cover different, but often overlapping, sets of regulated entities, and because the NPP currently offers more robust notice requirements than the Patient Notice, the Department proposes to modify § 2.22 to provide the same information to individuals under the Privacy Rule as to patients of Part 2 programs. The Department's proposed modifications to the Patient Notice would also restructure it to substantially mirror the structure of the NPP. As discussed below, instead of the Patient Notice containing elements described as a “summary” of the federal law that applies to protect Part 2 records, the Patient Notice would address the same key elements of the HIPAA NPP such as a required Header, Uses and Disclosures, Individual Rights, and Duties of Part 2 Programs. As further discussed below, the Department proposes to add to the Patient Notice key features of the NPP, such as explaining to patients that they may file a complaint when they believe their privacy rights have been violated, and that they have the right to revoke their consent for Part 2 programs to disclose records in certain circumstances. The Department believes this approach would best implement the intent of Congress to apply NPP protections to these records and requests comment on this approach, including any burdens associated with this approach.

Part 2 programs should be mindful that federal civil rights laws require certain entities, including recipients of federal financial assistance and public entities, to take appropriate steps to ensure that communications with individuals with disabilities are as effective as communications with others, including by providing appropriate auxiliary aids and services where necessary. In addition, recipients of federal financial assistance must take reasonable steps to ensure meaningful access to their programs and activities for individuals with limited English proficiency, including through language assistance services when necessary.

Section 2.22, Notice to patients of federal confidentiality requirements, requires a Part 2 program, at the time of admitting a patient to the program, to give written notice of and summarize the federal law and regulations that protect the confidentiality of SUD records. Section 2.22(b) requires that the notice include five elements: (1) a general description of the limited circumstances in which a Part 2 program may share information that would identify the patient as having or having had a SUD; (2) a statement informing the patient that violation of the federal law and regulations is a crime and contact information for the appropriate authorities; (3) a statement that information related to a patient's commission of a crime on the premises is not protected as confidential; (4) a statement that reports of suspected child abuse and neglect made under state law to appropriate state or local authorities are not protected; and (5) a citation to the federal law and regulations. Finally, § 2.22 gives the option to a Part 2 program to include information about applicable state law and its own local policies. Although § 2.22 does not expressly apply to covered entities and PHI, any covered entity that uses or discloses Part 2 SUD records would be subject to the notice requirements of § 2.22 in addition to the NPP requirements in 45 CFR 164.520. Conversely, Part 2 programs that are not covered entities and not subject to HIPAA would only be obligated to comply with § 2.22.

The Department proposes to modify § 2.22 by incorporating most of the notice requirements in the HIPAA NPP at 45 CFR 164.520, and then excluding those that are non-applicable or pose special privacy risks, and separately addressing certain provisions that have special requirements or differences between application to covered entities and part 2 programs as specified in 42 U.S.C. 290dd-2, as amended by the CARES Act. The Department proposes the following with respect to the Patient Notice at § 2.22.

Header. The Department proposes to require Part 2 programs to include a header in the Patient Notice. The header would be nearly identical to the header required in the NPP (and as proposed for amendment above) at 45 CFR 164.520(b)(1)(i) except where necessary to distinguish components of the notice not applicable to 42 CFR part 2. For example, the Patient Notice that would be provided pursuant to this part would not include notice that patients could exercise the right to get copies of records at limited costs or in some cases, free of charge, nor would it provide notice that patients could inspect or get copies of records under HIPAA.

Uses and Disclosures. The Department proposes to require a Part 2 program to include in the Patient Notice descriptions of uses and disclosures that are permitted for TPO, permitted without written consent, or will only be made with written consent. Consistent with the current set of NPP requirement for covered entities, the Department proposes to add a requirement that a covered entity that creates or maintains Part 2 records include sufficient detail in its Patient Notice to place the patient on notice of the uses and disclosures that are permitted or required. Although the Department believes section 3221(k)(4) of the CARES Act—stating that certain de-identification and fundraising activities should be excluded from the definition of health care operations—has no legal effect as a Sense of Congress, the Department believes it prudent to propose new § 2.22(b)(1)(iii). This proposal would require that a program provide notice to patients that the program must obtain written consent before it may use or disclose records for fundraising on behalf of the program. This new notice requirement is consistent with a newly proposed consent requirement at § 2.31(a)(5) in which a program must obtain a patient's permission for such uses and disclosures.

Before proposing the approach above, the Department first considered whether to propose a consent requirement for both de-identification and fundraising and whether to structure it as an opt-in or an opt-out. The Department believes that an opt-in requirement would afford patients a greater amount of control over their records and best fulfill patients' expectations about how their Part 2 information would be protected. However, the Department believes that requiring patient consent for de-identification activities would be inconsistent with the new permission to disclose de-identified information for public health purposes as provided in section 3221(c) of the CARES Act. Such a requirement also would create a barrier to de-identification that may negatively affect patient privacy by increasing permissible but unnecessary uses and disclosures of identifiable Part 2 records in circumstances when de-identified records would serve the intended purpose. As noted above, the Department believes uses and disclosures for fundraising warrant this added privacy protection, consistent with congressional intent as expressed in the Sense of Congress.

Individual Rights. The Department proposes to require that a Part 2 program include in the Patient Notice statements of patients' rights with respect to Part 2 records. The structure would mirror the statements of rights required in the NPP for covered entities and PHI but, based on amended 42 U.S.C. 290dd-2, would include:

• Right to request restrictions of disclosures made with prior consent for purposes of TPO, as provided in 42 U.S.C. 290dd-2(b)(1)(C) and when a Part 2 program must agree to a request.
• Right to request and obtain restrictions of disclosures of Part 2 records to the patient's health plan for those services for which the patient has paid in full, in the same manner as 45 CFR 164.522 applies to restrictions of disclosures of PHI.
• Right to an accounting of disclosures of electronic Part 2 records for the past 3 years, as provided in 42 U.S.C. 290dd-2(b)(1)(B) and right to an accounting of disclosures of Part 2 records that mirrors the right in the Privacy Rule at 45 CFR 164.528.
• Right to obtain an electronic or non-electronic copy of the notice from the program upon request.
• Right to discuss the notice with a designated contact person identified by the program pursuant to paragraph 45 CFR 164.520(b)(1)(vii).

Part 2 program's duties. The Department proposes to incorporate into the Patient Notice statements describing the duties of Part 2 programs with respect to Part 2 records that parallel the statements of duties of covered entities required in the NPP with respect to PHI. Although this change is not required by 42 U.S.C. 290dd-2, the statement of duties would put patients on notice of the obligations of Part 2 programs to maintain the privacy and security of Part 2 records, abide by the terms of the Patient Notice, and inform patients that it may change the terms of a Patient Notice. The Patient Notice also would include a statement of the new duty under 42 U.S.C. 290dd-2(j) to notify affected patients following a breach of Part 2 records.

Complaints. The Department proposes to require that a Part 2 program inform patients, in the Patient Notice, that the patients may complain to the Part 2 program and Secretary when they believe their privacy rights have been violated, as well as a brief description of how the patient may file the complaint and a statement that the patient will not be retaliated against for filing a complaint. These statements would support the implementation of the CARES Act enforcement provisions, which apply the civil enforcement provisions of section 1176 of the Social Security Act to violations of 42 U.S.C. 290dd-2.

Contact and Effective Date. The Department proposes to require that the Patient Notice provide the name or title, telephone number, and email address of a person a patient may contact for further information about the Part 2 Notice, and information about the date the Patient Notice takes effect. These provisions would parallel requirements for the NPP.

Optional Elements. The Department proposes to incorporate into the Patient Notice the optional elements of an NPP, which a Part 2 program could include in its Patient Notice. This provision permits a program that elects to place more limits on its uses or disclosures than required by Part 2 to describe its more limited uses or disclosures in its notice, provided that the program may not include in its notice a limitation affecting its ability to make a use or disclosure that is required by law or permitted to be made for emergency treatment.

Revisions to the Patient Notice. The Department proposes to require that a Part 2 program must promptly revise and distribute its Patient Notice when there has been a material change and provide that, except when required by law, such material change may not be implemented prior to the effective date of the Patient Notice. These provisions would parallel requirements for the NPP.

Implementation Specifications. The Department proposes to require that a Part 2 program provide the Patient Notice to anyone who requests it and provide it to a patient not later than the date of the first service delivery, including where first service is delivered electronically, after the compliance date for the Patient Notice. This provision also would require that the Patient Notice be provided as soon as reasonably practicable after emergency treatment. Finally, if the Part 2 program has a physical delivery site, the Patient Notice would have to be posted in a clear and prominent location at the delivery site where a patient would be able to read the notice in a manner that does not identify the patient as receiving SUD treatment, and the Patient Notice would need to be included on a program's website, if it has one. These provisions would parallel the requirements for provision of the NPP by covered health care providers.

The Department requests comment on each Patient Notice proposal, including information on how incorporating NPP elements into the Patient Notice requirements would increase or alleviate burdens for Part 2 programs.

2. Modifying 45 CFR 164.520

Applying the NPP requirements to certain entities. Section 3221(i)(2) of the CARES Act requires the Department to update the NPP to provide notice of privacy practices with respect to Part 2 records being created or maintained by “covered entities and entities creating or maintaining the records described in subsection (a)” (referring to section 543(a) of the PHSA, 42 U.S.C. 290dd-2(a), specifying and defining Part 2 records). The Department proposes all of the following changes to 45 CFR 164.520 to update it in accordance with the CARES Act and to ensure adequate notice is given to patients who are the subject of these records.

The Department proposes to modify 45 CFR 164.520(a) by adding a new paragraph (2) to expressly apply the NPP provisions to covered entities using and disclosing Part 2 records. The proposed change would further align the Patient Notice requirements for Part 2 records with NPP requirements with respect to PHI.

The Department also proposes to remove paragraph (3) of 45 CFR 164.520(a), Exception for inmates. The Department no longer believes it is appropriate to withhold notice from an incarcerated individual with respect to their health information privacy rights and a covered entity's practices. When the Department finalized the exception, it stated “[n]o person, including a current or former inmate, has the right to notice of such a covered entity's privacy practices” seeming to distinguish correctional facilities that are covered entities from other covered entities. The Department is unable to discern a safety or security risk associated with providing inmates notice concerning the covered entity correctional institute's privacy practices for PHI. This proposal would ensure that regulated entities provide an NPP to inmates consistent with what is provided to other individuals and retains the limitation on the right of access due to security concerns.

Content of Notice requirements apply to all covered entities, including those that are also subject to Part 2. The Department proposes to amend the required Header at 45 CFR 164.520(b)(1) to specifically reference covered entities maintaining or receiving Part 2 records. In addition, the proposed regulatory text at 45 CFR 164.520(b)(1)(i) reflects the changes to 45 CFR 164.520 previously proposed in the NPRM to Modify the Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, published in 2021. Further, in 45 CFR 164.520(b)(1)(i) and in § 2.22, the Department proposes to change the word “Medical” to “Health” to refer to the type of information covered by the NPP. This change is not intended to modify substantive requirements, but instead is proposed to more accurately reflect and clarify that the information covered by the notice is not limited to the information a covered entity places in an individual's medical record.

Description of Uses and Disclosures. Section 3221(i)(2)(B) of the CARES Act requires the updated NPP for Part 2 records to include descriptions for every purpose for which the covered entity is permitted or required to use or disclose PHI without the patient's written authorization, “as required by subsection (b)(2) of such section 164.520.” However, 45 CFR 164.520(b)(2) sets out optional elements for the NPP and does not address uses or disclosures that are permitted or required without the individual's authorization. Therefore, the Department believes that the drafters of the CARES Act provision intended to refer instead to 45 CFR 164.520(b)(1)(ii), which requires that the NPP include descriptions of Uses and Disclosures, including a description of each use or disclosure that is permitted or required without the individual's written authorization.

The Department proposes to add to the description in 45 CFR 164.520(b)(1)(ii)(C) and (D) the language “such as 42 CFR part 2” to ensure that covered entities understand their specific obligation to address restrictions placed on the use and disclosure of Part 2 records.

Section 164.520(b)(1)(iii) includes requirements for Separate statements for certain uses or disclosures. In the introductory paragraph of this sub-section, the Department proposes to add “or (B)” to include sub-paragraph (B) in the list of descriptions that require a separate statement to describe TPO uses and disclosures under 45 CFR 164.520(b)(1)(ii)(A) or those made without authorization under 45 CFR 164.520(b)(1)(ii)(B). The Department also proposes to add new sub-paragraph (D) providing notice that Part 2 records or testimony relaying the content of such records shall not be used or disclosed in certain proceedings against the individual without written consent or court order, and new sub-paragraph (E) providing notice that if a covered entity that is a Part 2 program intends to engage in activities addressed in the Sense of Congress in section 3221(k)(4) of the CARES Act, the program must first obtain the patient's express written consent. This provision would support the implementation of 42 U.S.C. 290dd-2(c).

Statement of Rights. Section 3221(i)(2)(A) of the CARES Act requires the NPP for Part 2 records to include a statement of the patient's rights with respect to PHI and how the individual may exercise such rights as required by 45 CFR 164.520(b)(1)(iv). The statement must address the rights of patients who self-pay ( i.e., cash or other payment not billed to a third-party payer or health plan).

Current 45 CFR 164.520(b)(1)(iv) requires a covered entity to include in its NPP a statement of an individual's rights with respect to PHI. To implement the CARES Act requirements related to a Statement of Rights, the Department proposes to revise 45 CFR 164.520(b)(1)(iv)(C), to require a covered entity, when providing notice about the right of access, to include notice about the right to inspect and obtain a copy of PHI, the right to do so at limited cost or free of charge, and the right to direct a covered health care provider to transmit an electronic copy of PHI in an electronic health record to a third party. The Department also proposes to add a new § 164.520(b)(1)(iv)(G) to require a covered entity to provide notice of the right to discuss the NPP with a designated contact person identified by the covered entity. These changes are made to reflect the changes to the NPP provisions proposed by the Department in the NPRM to Modify the Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement.

Covered entity's duties. The Department proposes, at 45 CFR 164.520(b)(1)(v)(A), to remove the second reference to “protected health information” to expand the requirement that a covered entity provide individuals with notice of the covered entity's legal duties and privacy practices to information beyond that of PHI ( i.e., to Part 2 records). The Department proposes to modify 45 CFR 164.520(b)(1)(v)(C), a provision that addresses a covered entity's right to change the terms of its NPP, to simplify the text, remove the reference to the administrative requirements of the Privacy Rule ( i.e., so that it also applies to Part 2), and insert a limitation that any new terms must not be material or contrary to law.

Other proposed updates to the NPP. The Department proposes other changes to conform the NPP requirements at 45 CFR 164.520 to changes required by the CARES Act. For example, the Department proposes to modify 45 CFR 164.520(b)(1)(iii) to address the Sense of Congress expressed at 42 U.S.C. 290dd-2(k)(4). Although the Sense of Congress does not give legal effect to the exclusion of fundraising and the creation of de-identified health information and limited data sets as permissible disclosures under “health care operations”, the Department believes that fundraising is far enough outside an individual's reasonable expectation of how their Part 2 records will be used or disclosed that entities should obtain written consent. This means that the NPP provision at 45 CFR 164.520(b)(1)(iii) would still give notice to individuals that a covered entity may use or disclose the individual's PHI for fundraising with an option to opt out of such communications. However, in the case of a covered entity that is also a Part 2 program, it would also provide notice that a covered entity may use or disclose the individual's Part 2 records for fundraising on behalf of the covered entity only with the written consent of the individual. The Department also proposes to incorporate changes proposed to the NPP requirements in the NPRM to Modify the Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement. These proposals include adding a requirement, at 45 CFR 164.520(b)(1)(vii), that a covered entity's NPP include the email address for a designated person who would be available to answer questions about the covered entity's privacy practices; adding a permission for a covered entity to provide information, in its NPP, concerning the right to direct copies of PHI to third parties when the PHI is not in an EHR and the ability to request the transmission using an authorization; and removing the existing requirement for a covered entity to obtain a written acknowledgement of receipt of the NPP. Finally, the Department proposes a new paragraph at 45 CFR 164.520(d)(4) to prohibit construing the permissions for OHCAs to disclose PHI between participants as negating obligations related to Part 2 records.

The Department is mindful of the compliance burden imposed on all entities due to NPP requirements. The Department carefully considered how to accomplish the CARES Act mandate to update the NPP and believes that the proposed changes to 45 CFR 164.520 implements the statutory requirement to inform individuals in a manner that places the least burden on regulated entities. The Department requests comment on this assumption.

§ 2.23—Patient Access and Restrictions on Use and Disclosure (Proposed Heading)

The Department proposes to add the term “disclosure” to the heading of this section and throughout paragraphs (a) and (b) to clarify that a patient is not required to provide written consent or authorization in order to access their own Part 2 records. The Department proposes additional wording changes to this section to improve readability and to replace the word “information” to “records,” which more accurately describes the scope of the information to which the regulation applies.

§ 2.24—Requirements for Intermediaries (Redesignated and Proposed Heading)

Under § 2.13(d), a patient has a right to request a list of disclosures made by an intermediary; the intermediary must provide the patient with information regarding disclosures made within the past two years. As described above in §§ 2.11 Definitions and 2.13 Confidentiality restrictions and safeguards, the Department proposes to remove paragraph (d) of § 2.13 and redesignate it as § 2.24; change the subheading from Lists of disclosures to a heading titled Requirements for intermediaries; and in § 2.11 create a regulatory definition of the term “intermediary”. The Department proposes modifications to clarify the newly designated § 2.24 without intending to change the obligations of intermediaries, other than the time period covered by the list of disclosures.

Specifically, the Department proposes to replace the description of intermediaries with a new regulatory definition and to move the statement of responsibility for complying with the applicable requirements from the end of the provision to the beginning. The intent is to clarify what types of entities would be considered intermediaries— e.g., HIEs, research institutions, accountable care organizations, and care management organizations—and their responsibilities for providing patients with a list of disclosures made to member or participant treating providers. An intermediary may be a business associate when a Part 2 program is also a covered entity under HIPAA; in such situations, the intermediary would be subject to requirements of intermediaries as well as those for business associates. The Department proposes to extend the period covered by a list of disclosures from two years to three years to align with the new right to an accounting of disclosures as proposed in § 2.25(b) for disclosures made for purposes of treatment, payment, and health care operations, discussed below. The Department also proposes modifications to the redesignated section to improve clarity and understanding without intending any substantive change.

§ 2.25—Accounting of Disclosures (Proposed Heading)

Except for disclosures made by intermediaries, the existing Part 2 regulation does not include a right for patients to obtain an accounting of disclosures of Part 2 records. Section 290dd-2(b)(1)(B) of 42 U.S.C., as amended by section 3221(b) of the CARES Act, applies section 13405(c) of the HITECH Act, 42 U.S.C. 17935(c), Accounting of Certain Protected Health Information Disclosures Required if Covered Entity Uses Electronic Health Record, to Part 2 disclosures for TPO with prior written consent. Therefore, the Department proposes to add a new § 2.25, Accounting of disclosures, to establish the patient's right to receive, upon request, an accounting of disclosures of Part 2 records made with written consent for up to three years prior to the date the accounting is requested.

This proposal would apply to the individual right to an accounting of disclosures in the HITECH Act. The first paragraph of the section, (a), would generally require an accounting of disclosures made with patient consent, and the second paragraph, (b), would limit the requirement with respect to disclosures made with consent for TPO purposes, which would only be required for TPO disclosures made from an electronic health record system. In both instances, the proposed changes would be contingent on the promulgation of HITECH Act modifications to the accounting of disclosures standard in the Privacy Rule at 42 CFR 164.528.

The Department believes this approach is consistent with section 3221(b) of the CARES Act, 42 U.S.C. 290dd-2(b)(1)(B), as amended. The Department notes that the CARES Act applied the HITECH Act timelines and structure for accounting of disclosures to “all disclosures” and not just those disclosures of PHI contained in an EHR. From a policy perspective the Department believes it is appropriate apply the regulatory framework to all accountings.

Because the Department has not yet finalized the HITECH Act accounting of disclosures modifications within the Privacy Rule, the Department does not intend to apply requirements similar to 45 CFR 164.528 before finalizing the Privacy Rule provision. The Department seeks comment on this approach to aligning the accounting of disclosures requirements of the Privacy Rule and Part 2 by incorporating a general requirement for an accounting of disclosures and a limited requirement with respect to TPO disclosures, and by tolling the effective date of the accounting of disclosures proposals in this rule until the effective date of the modified Privacy Rule accounting provision. Additionally, the Department requests data from Part 2 programs that are also covered entities or business associates on the number and type of requests for an accounting of disclosures of PHI received annually and to what extent such covered entities are providing an accounting of disclosures for TPO disclosures through an electronic health record based on the HITECH Act statutory requirement, even absent regulations. For Part 2 programs that are covered entities, the Department requests comments concerning the staff time and other costs involved in responding to an individual's request for an accounting of disclosures of PHI.

§ 2.26—Right to Request Privacy Protection for Records (Proposed Heading)

The existing Part 2 regulation does not expressly provide a patient the right to request restrictions on disclosures of Part 2 records. Section 3221(b) of the CARES Act amended the PHSA to apply section 13405(a) of the HITECH Act, Restricted restrictions on certain disclosures of health information, to all disclosures of Part 2 records for TPO purposes with prior written consent. Therefore, the Department proposes to codify in § 2.26 patient rights to: (1) request restrictions on disclosures of Part 2 records for TPO purposes, and (2) obtain restrictions on disclosures to health plans for services paid in full. The proposed provision would align with the individual right in the HITECH Act, as implemented in the Privacy Rule at 45 CFR 164.522. As with the Privacy Rule right to request restrictions, a covered entity that denies a request for restrictions still would be subject to any applicable state or other law that imposes greater restrictions on disclosures than Part 2 requires.

In addition to applying the HITECH Act requirements to Part 2, the CARES Act emphasized the importance of the right to request restrictions in three provisions, including:

(1) A rule of construction that the CARES Act should not be construed to limit a patient's right under the Privacy Rule to request restrictions on the use or disclosure of Part 2 records for TPO;

(2) A Sense of Congress that patients have the right to request a restriction on the use or disclosure of a Part 2 record for TPO; and

(3) A Sense of Congress that encourages covered entities to make every reasonable effort to the extent feasible to comply with a patient's request for a restriction regarding TPO uses or disclosures of Part 2 records.

The Department requests comments and data on the extent to which covered entities currently receive requests from patients to restrict disclosures of patient identifying information for TPO purposes, how covered entities document such requests, and the procedures and mechanisms used by covered entities to ensure compliance with patient requests to which they have agreed or that they are otherwise required to comply with by law.

Subpart C—Uses and Disclosures With Patient Consent (Proposed Heading)

The Department proposes to modify the heading of Subpart C from “Disclosures with Patient Consent” to “Uses and Disclosures with Patient Consent” to make the heading consistent with the changes the Department proposes to this subpart.

§ 2.31—Consent Requirements

The Part 2 consent provision in current § 2.31 specifies in paragraph (a) the required elements of a valid written patient consent for the disclosure of Part 2 records, and in paragraph (b) what constitutes a deficient consent upon which a disclosure of Part 2 records is not permitted. To further align Part 2 with the Privacy Rule and implement the requirements of section 3221(b) of the CARES Act, the Department proposes numerous changes to the consent requirements in paragraph (a). Specifically, the Department proposes to change requirements concerning:

• Identity of the discloser
• Description of the information to be disclosed
• Designation of the recipient
• Purpose of the disclosure
• Right to revoke consent
• Expiration of consent

In addition, the Department proposes new required statements as part of a consent for use and disclosure for TPO and a new required statement about the consequences to the patient of a failure to sign a consent.

The Department also proposes to add the phrase “use or” in § 2.31(a), and “used or” in § 2.31(a)(4)(ii)(B), to clarify that the elements of a written consent would address both use and disclosure of records. The Department believes these proposals are consistent with section 3221(b) of the CARES Act, which addresses permissions and restrictions for both uses and disclosures of records for TPO by programs and covered entities. The Department also proposes a wording change to replace the phrase “individual or entity” and the term “individual” with the term “person” as now proposed to comport with the meaning of the term in the HIPAA Rules. The Department does not believe that as amended, 42 U.S.C. 290dd-2 diminishes the ability of a patient to only grant consent for disclosure of specific types of information contained in the Part 2 record or for specific TPO purposes. Additionally, the proposed change to the designation of a recipient would continue to permit patients to, for example, name a government agency to receive records when applying for public benefits and not require the name of a specific employee within the agency.

The Department notes the permission enacted in 42 U.S.C. 290dd-2(b)(1)(B), as amended by section 3221(b) of the CARES Act, allows that the contents of Part 2 records “may,” and are not required, to be used or disclosed in accordance with the Privacy Rule for TPO (after prior written consent is obtained). The Department believes therefore, that the revised statute still permits the disclosing entity to employ more granular consent provisions. Further, the rules of construction in section 3221(j)(1) of the CARES Act support the continued ability of covered entities to obtain consent by stating that nothing in the Act shall be construed to limit “a covered entity's choice, as described in section 164.506 of title 45, Code of Federal Regulations, or any successor regulation, to obtain the consent of the individual to use or disclose a record referred to in such section 543(a) to carry out treatment, payment, or health care operation.”

The Department also notes that its proposal to modify § 2.31(a)(3) would still require the consent form to include a description of the information to be used or disclosed that identifies the information “in a specific and meaningful fashion.” This language mirrors that in the Privacy Rule standard for written authorization requiring that a valid authorization pursuant to 45 CFR 164.508 contain “at least . . . [a] description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.” The Department believes that its treatment of consent requirements here remains consistent with that of SAMHSA's prior expressed guidance. The Department requests comment on this assumption.

Several of the proposed changes to the language of the required consent elements are not intended to create substantive changes, but merely to align with the wording of similar requirements in the Privacy Rule. This includes, for example, the identity of the discloser, the description of the information to be disclosed, the right to revoke consent, and the expiration of consent.

To fully accomplish the aims of the right to revoke consent, the Department expects that Part 2 programs would need to ensure that any ongoing or automatic disclosure mechanisms are halted upon receipt of a request for revocation. The CARES Act redisclosure permission for a covered entity, business associate, and Part 2 program recipients of Part 2 records limits the ability to “pull back” Part 2 information from those entities once it is disclosed. Thus, once a Part 2 program discloses a record for TPO purposes to a Part 2 program, covered entity, or business associate with prior written consent, a revocation would only be effective to prevent additional disclosures to those entities. It would not prevent a recipient Part 2 program, covered entity, or business associate from using the record for TPO, or redisclosing the record as permitted by the Privacy Rule.

Another set of proposals in this section address general designations of the recipient of Part 2 records for TPO, which may be an intermediary or a Part 2 program, covered entity or business associate. To accommodate TPO written consents, the recipient may be a class of persons, rather than only an identified person. In addition, for a single consent for all future uses and disclosures for TPO, the recipient may be described as “my treating providers, health plans, third-party payers, and people helping to operate this program” or a similar statement.

The proposed changes to the requirements for general designation of an intermediary would clarify and simplify the subheading and remove the required statement of the patient's right to a list of disclosures made by the intermediary for the prior two years. These changes are proposed in conjunction with the proposal to add a regulatory definition of intermediary that includes as examples the types of entities listed in § 2.31 and described in previous Part 2 rulemaking preamble discussions. Additionally, the Department proposes to add consent requirements that are similar to the Privacy Rule authorization elements at 45 CFR 164.508, with modifications to address the Part 2 requirement to obtain prior written consent for TPO uses and disclosures. Specifically, the Department proposes to require Part 2 programs to inform patients in the written consent of the potential for their Part 2 records that are disclosed to a Part 2 program, covered entity, or business associate pursuant to the patient's written consent for treatment, payment, and health care operations to be further used or disclosed by the recipient to the extent permitted by the Privacy Rule and no longer protected by this regulation.

However, the Department does not propose to require, similar to the Privacy Rule at 45 CFR 164.522 that a written consent inform patients of the ability, under certain circumstances, to condition treatment on signing a consent for the use or disclosure of Part 2 records, because Part 2 does not prohibit the conditioning of treatment. For example, a Part 2 program may condition the provision of treatment on the patient's consent to disclose information as needed, for example, to make referrals to other providers, obtain payment from a health plan (unless the patient has paid in full), or conduct quality review of services provided.

The Department is aware of public uncertainty about when a patient consent is considered “written” under § 2.31. In previous guidance, SAMHSA clarified that an electronic signed consent form is allowable. The Department reaffirms the previous guidance concerning signatures and further clarifies that, where the Department has issued regulations adopting electronic standards to be used for patient consent management, and Part 2 programs have implemented such standards, the information conveyed using those standards would constitute a “written” patient consent where the individual provides all of the information required for a valid patient consent under § 2.31.

Regarding revocation of consent, the proposed changes reflect the text of the CARES Act with respect to TPO consent and also parallels the language of 45 CFR 164.508(c)(2)(i) for the core elements of a HIPAA authorization, which requires a statement about “[t]he individual's right to revoke the authorization in writing.” The intent in this section is to align the Part 2 consent requirements with the HIPAA authorization core elements to the extent feasible by establishing written revocation as a patient right. However, a Part 2 program still may accept an oral revocation of consent. Consistent with HIPAA, if an entity receives a revocation orally, the entity “knows” that the consent has been revoked and can no longer treat the consent as valid under Part 2 and must consider it deficient under § 2.31(b)(3). For oral revocations, the Department recommends the program obtaining the revocation document the revocation in the patient's record.

The Department's proposal to replace an “expiration date, event, or condition” with an “expiration date or an expiration event that relates to the individual patient or the purpose of the use or disclosure” is not intended to create substantive change, but only to align with the HIPAA authorization required elements. The Department believes that a “condition” may be considered an event that relates to the individual patient. Further, the Department believes the modified language would continue to serve an aim of both the HIPAA and Part 2 expiration elements, which is to ensure that the consent or authorization will last no longer than necessary to accomplish the purpose of the use(s) or disclosure(s).

The Department requests comments on its proposals that would implement changes to § 2.31. Specifically, the Department requests comment on whether there are other changes that it should make to further align § 2.31 with the Privacy Rule using its general regulatory authority in § 3221(i)(1) of the CARES Act to “make such revisions to regulations as may be necessary for implementing and enforcing the amendments.” In particular, the Department seeks comment from the public, including routine requestors of Part 2 records, on whether and to what extent the Department should require Part 2 programs to inform requestors when a preexisting consent exists for disclosure and the scope of such consent for disclosure. This input would be helpful as the Department considers how to facilitate covered entities' abilities to use the new permissions for TPO disclosures and related redisclosures under the Privacy Rule and Part 2. The Department also seeks comments on the extent to which Part 2 programs accept or rely on oral revocations of consent, and if so, whether and how this is documented or tracked.

§ 2.32—Notice To Accompany Disclosure (Proposed Heading)

The Department proposes to change the heading of this section from “Prohibition on re-disclosure” to “Notice to accompany disclosure” because § 2.32 is wholly a notice requirement, while other provisions (§ 2.12(d)) prohibit recipients of Part 2 records from redisclosing the records without obtaining a separate written patient consent. To ensure that recipients of Part 2 records comply with the prohibition at § 2.12(d), § 2.32(a) requires that Part 2 programs attach a notice whenever Part 2 records are disclosed with patient consent, notifying the recipient of the prohibition on redisclosure and of the prohibition on use of the records in civil, criminal, administrative, and legislative proceedings against the patient.

The Department proposes to modify paragraph (a)(1) of § 2.32 to reflect the expanded prohibition on use and disclosure of Part 2 records in certain proceedings against the patient, which includes testimony that relays information in a Part 2 record and the use or disclosure of such records or testimony in civil, criminal, administrative, and legislative proceedings, absent consent or a court order. The Department intends for “proceedings” to be understood broadly, to encompass investigations as in the existing regulation. Thus, investigative agencies should understand the continuing expectation that the requirement to seek a court order applies at the early stages of a proceeding where Part 2 records are sought to be used and disclosed.

In addition, the proposal would list exceptions to the general rule prohibiting further use or disclosure of the Part 2 records by recipients of such records, which would include an exception for covered entities, business associates, and Part 2 programs who receive Part 2 records for TPO based on a patient's consent and now may redisclose the records as permitted by the Privacy Rule. This exception also would apply to entities that received Part 2 records from a covered entity or business associate under the Privacy Rule disclosure permissions although the legal proceedings prohibition would still apply to covered entities and business associates that receive these Part 2 records. These changes are necessary to conform § 2.32 with 42 U.S.C. 290dd-2(b)(1)(B), as amended by section 3221(b) of the CARES Act concerning redisclosure permissions for covered entity, business associate, and Part 2 program recipients of Part 2 records.

The Department also proposes a change to the simplified alternative language in paragraph (a)(2) of § 2.32. The Department would add the term “use” to make clear that authorized uses and disclosures are prohibited by this part. The Department notes that a Part 2 program or other person holding of Part 2 records could still choose whether to adopt the more detailed revised notice or to use the simple notice.

The Department requests comment on the proposed approach to the notice to accompany disclosure, including whether the alternative simplified notice in paragraph (a)(2) is sufficient to inform recipients of Part 2 records and whether the revised notice in paragraph (a)(1) should include different elements.

§ 2.33—Uses and Disclosures Permitted With Written Consent (Proposed Heading)

Section 2.33 of 42 CFR part 2 currently permits Part 2 programs to disclose Part 2 records in accordance with written patient consent in paragraph (a); and permits lawful holders, upon receipt of the records based on consent for payment or health care operations purposes, to redisclose such records to contractors and subcontractors for certain activities, such as those provided as examples in paragraph (b).

To implement sections 3221(b) and (k)(4) of the CARES Act, the Department proposes to amend the heading of this section to refer to “Uses and disclosures permitted with written consent” instead of solely “disclosures.” The Department further proposes to add “use” to refer to “use or disclosure” instead of only “disclosure” in paragraphs (a) and (b) and (b)(2), as modified. The Department believes these changes would align this section with proposed §§ 2.31 and 2.32 as discussed above. The Department further believes these proposals are consistent with the congressional intent expressed in 42 U.S.C. 290dd-2(b)(1), as amended by section 3221(b) of the CARES Act, which aligns Part 2 with the Privacy Rule for purposes of TPO uses and disclosures.

The Department also proposes to revise paragraph (b) by removing the list of permitted payment and health care operations uses and disclosures, adding language to paragraphs (b) and (b)(1), re-designating paragraph (2) as paragraph (3), and adding a new paragraph (b)(2). Specifically, the Department proposes to create two categories of redisclosure permissions. The first category would apply to Part 2 programs, covered entities, and business associates that have received a Part 2 record with consent for TPO and would permit the recipient to redisclose the records for uses and disclosures as permitted by the Privacy Rule, subject to the limitations of proposed subpart E of Part 2 pertaining to legal proceedings. The second category would apply to lawful holders that are not business associates, covered entities, or Part 2 programs and have received Part 2 records with written consent for payment and health care operations purposes. This category would permit the recipient to redisclose the records for uses and disclosures to its contractors, subcontractors, and legal representatives to carry out the intended purpose, also subject to the limitations of proposed subpart E of part 2 pertaining to legal proceedings. A lawful holder under this provision would not be permitted to redisclose Part 2 records it receives for treatment purposes before obtaining an additional written consent from the patient. The Department has not proposed to define the terms “contractors, subcontractors, and legal representatives” because it does not intend to change the accepted understanding of these business relationships between the recipient of Part 2 records under a written patient consent and the entities that it uses to carry out its business activities. The Department requests comment on whether it would be helpful to define these terms and, if so, what definitions would appropriately retain the existing accepted understanding of the business relationships.

The proposed changes would implement section 3221 of the CARES Act by permitting covered entities and business associates to use and redisclose Part 2 records in accordance with the standards that apply to PHI in the Privacy Rule and permitting Part 2 programs to use, disclose, and redisclose Part 2 records for TPO purposes when the records are obtained under a written consent given once for all future TPO uses and disclosures. The expanded ability to use and disclose Part 2 records would facilitate greater integration of SUD treatment information with other PHI. The Department believes this change would improve communication and care coordination between providers and with other elements of the health care system, such as the ability of payers to share SUD treatment claims information with alternative payment model providers for population health management, and enhance the ability to comprehensively diagnose and treat the whole patient. It would also facilitate the exchange of Part 2 records between Part 2 programs and reduce burdens on such exchanges by allowing a written consent to be given once for all future TPO uses and disclosures. The Department supports the sharing of Part 2 records among health care entities and patients for continuity of care purposes and has proposed to align the Part 2 consent requirements and disclosure permissions with the Privacy Rule to the extent possible for such purposes within the legal authority granted by Congress.

Only redisclosures for legal proceedings by covered entities or business associates would be subject to the more stringent Part 2 restrictions, as discussed below in relation to §§ 2.64 and 2.65. Finally, the Department proposes to exclude covered entities and business associates from the requirements of paragraph (c) because they are already subject to the Privacy Rule requirements for business associate agreements. The Department welcomes comments concerning the extent to which the proposed changes to § 2.33 would result in reduction of patient trust that their Part 2 records will be kept confidential and thus affect the ability to provide treatment to patients with SUD. The Department requests comment on how Part 2 programs and recipients of Part 2 records would identify records for which a patient has given consent for TPO uses and disclosures generally as compared to consent for one purpose or a consent limited to certain segments of Part 2 information. In addition, the Department seeks comment on the ways to increase coordination amongst not only amongst Part 2 programs or recipients of Part 2 records and providers of other healthcare services but also with the health IT developer and HIE communities to protect privacy for Part 2 records within EHRs. Finally, the Department requests comment on how the proposed revisions to § 2.33 might affect the future data segregation practices of Part 2 programs and recipients of Part 2 records.

§ 2.34—Uses and Disclosures To Prevent Multiple Enrollments (Proposed Heading)

Section 2.34 permits a Part 2 program to disclose patient records to certain central registries to prevent multiple enrollments of a patient to withdrawal management or maintenance treatment programs when conditions are met. The Department proposes to replace the phrase “re-disclose or use” with “use or redisclose” at § 2.34(b), as it relates to preventing a registry from using or redisclosing Part 2 records, to align the language of this provision with the Privacy Rule as discussed above. The Department also proposes a minor wording change to refer to “use of information in records” instead of just “use of information” to make clear that this provision relates to Part 2 records.

§ 2.35—Disclosures to Elements of the Criminal Justice System Which Have Referred Patients

Section 2.35 of 42 CFR part 2 outlines conditions for disclosures back to persons within the criminal justice system who have referred patients to a Part 2 program for SUD diagnosis or treatment as a condition of the patients' confinement or parole. The Department proposes to clarify that the permitted disclosures would be of information from the Part 2 record and to replace the term “individual” within the criminal justice system with “persons.” As discussed above, the term “individual” is defined in the HIPAA Rules to refer to natural persons who are the subject of PHI, while the analogous term in Part 2 for the subjects of Part 2 records is “patient.”

To avoid potential misunderstanding due to different terminology, the Department proposes to use “persons” when referring to someone other than the individual patient. In conjunction with this proposed change in usage, the Department proposes to replace the Part 2 definition of “person” with the HIPAA regulatory definition at 45 CFR 160.103. This definition includes both natural persons and legal entities. The Department also proposes to add the phrase “from a record” after the term “information” to make clear that this section regulates “records”, and replaces “disclosure and use” with “use and disclosure” in several places to parallel the Privacy Rule.

The Department welcomes comment on its approach to identifying “persons” within the criminal justice system who have referred patients to a Part 2 program, including whether the alternative term “personnel” would more accurately cover the circumstances under which referrals under § 2.35 are made.

Subpart D—Uses and Disclosures Without Patient Consent (Proposed Heading)

The Department proposes to modify the heading of subpart D by adding the term “uses” so it reads “Uses and Disclosures Without Patient Consent” to clarify that some of the regulated activities in this subpart—including research in § 2.52(b) ( e.g., conducting scientific research using patient identifying information), preparing research reports in § 2.52(b)(3), and Audit and evaluation (now proposed as “Management audits, financial audits, and program evaluation”)—include internal uses of Part 2 records by regulated entities.

§ 2.51—Medical Emergencies

Section 2.51 of 42 CFR part 2 permits Part 2 programs to disclose patient identifying information to medical personnel in certain circumstances. In § 2.51(c)(2), the Department proposes to replace the term “individual” with the term “person” as discussed above in § 2.11, Definitions.

§ 2.52—Scientific Research (Proposed Heading)

Section 2.52 of 42 CFR part 2 permits Part 2 programs to disclose patient identifying information for research, without patient consent, under limited circumstances. The Department proposes to update the title of this section for consistency with the statute and to add the term “use” to § 2.52(a). In § 2.52(b)(3), any individual or entity conducting scientific research using patient identifying information may include part 2 data in research reports only in non-identifiable aggregate form. The Department proposes to change the standard in § 2.52(b)(3) to more closely align with the Privacy Rule de-identification standard. Specifically, for § 2.52(b)(3), the Department proposes changes to the text to read: “. . . patient identifying information has been de-identified in accordance with the requirements of the Privacy Rule at 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a patient as having or having had a substance use disorder.” The Department requests comment on any benefits, costs, and potential unintended adverse consequences that may result from this proposed change. The Department also proposes to replace several instances of the phrase “individual or entity” with the term “person”, which would encompass both individuals and entities, and to replace the term “individual” with the term “person.”

§ 2.53—Management Audits, Financial Audits, and Program Evaluation (Proposed Heading)

The Department proposes to change the heading of § 2.53 to specifically refer to management audits, financial audits, and program evaluation to more clearly describe the disclosures permitted without consent under 42 U.S.C. 290dd-2(b)(2)(B). The Department also proposes to replace several instances of the phrase “individual or entity” with the term “person”, which would encompass both individuals and entities.

Section 2.53 of 42 CFR part 2 permits a Part 2 program or lawful holder to disclose patient identifying information to any individual or entity in the course of certain Federal, State, or local audit and program evaluation activities. Section 2.53 also permits a Part 2 program to disclose patient identifying information to Federal, State, or local government agencies and their contractors, subcontractors, and legal representatives when mandated by law, if the audit or evaluation cannot be carried out using de-identified information.

There is significant overlap between activities described as “audit and evaluation” in § 2.53 and health care operations as defined in the Privacy Rule at 45 CFR 164.501. For example, the following audit and evaluation activities under Part 2 align with the health care operations defined in the Privacy Rule, as cited below:

• § 2.53(c)(1) (government agency or third-party payer activities to identify actions, such as changes to its policies or procedures, to improve care and outcomes for patients with SUDs who are treated by part 2 programs; ensure that resources are managed effectively to care for patients; or determine the need for adjustments to payment policies to enhance care or coverage for patients with SUD);

• § 2.53(c)(2) (reviews of appropriateness of medical care, medical necessity, and utilization of services).

• § 2.53(d) (accreditation).

In addition, activities by individuals and entities conducting Medicare, Medicaid, and CHIP audits or evaluations described at § 2.53(e) parallel those defined as health oversight activities in the Privacy Rule at 45 CFR 164.512(d)(1). Part 2 programs and lawful holders making disclosures to these individuals and entities must agree to comply with all applicable provisions of 42 U.S.C. 290dd-2, ensure that the activities involving patient identifying information occur in a confidential and controlled setting, ensure that any communications or reports or other documents resulting from an audit or evaluation under this section do not allow for the direct or indirect identification ( e.g., through the use of codes) of a patient as having or having had an SUD; and must establish policies and procedures to protect the confidentiality of the patient identifying information consistent with this part. Patient identifying information disclosed pursuant to § 2.53(e) may be further redisclosed to contractor(s), subcontractor(s), or legal representative(s), to carry out the audit or evaluation, but are restricted to only that which is necessary to complete the audit or evaluation as specified in paragraph (e).

Section 3221(b) of the CARES Act amended the PHSA to permit Part 2 programs, covered entities, and business associates to use or disclose the contents of Part 2 records for TPO after obtaining the written consent of a patient. Covered entities, business associates, and Part 2 programs are further permitted to redisclose the same information in accordance with the Privacy Rule. As the Department has noted throughout this NPRM, these new disclosure pathways are permissive, not required.

To implement the new TPO permission that includes the ability of such entities to use or disclose Part 2 records for health care operations with a general consent, the Department proposes to modify the audit and evaluation provisions at § 2.53 by adding the term “use” where the current language of § 2.53 refers only to disclosure and by adding paragraph (h), Disclosures for health care operations. This new provision would clarify that Part 2 programs, covered entities, and business associates are permitted to disclose Part 2 records pursuant to a consent for all future TPO uses and disclosures when a requesting entity is seeking records for activities described in paragraphs (c) or (d) of § 2.53. Such activities are health care operations, but do not include treatment and payment. To the extent that a requesting entity is itself a Part 2 program, covered entity, or business associate that has received Part 2 records pursuant to a consent that includes disclosures for health care operations, it would then be permitted to redisclose the records for other purposes as permitted by the Privacy Rule. Thus, if an auditing entity is a Part 2 program, covered entity, or business associate that has obtained consent and is not performing health oversight, it would not be subject to all the requirements of § 2.53 ( e.g., the requirement to only disclose the records back to the program that provided them). Requesting entities that are not Part 2 programs, covered entities, or business associates would not have this flexibility but would still use existing permissions in § 2.53 to obtain access to records for audit and evaluation purposes, and they would remain subject to the redisclosure limitations therein.

The CARES Act does not expressly address § 2.53; however, there is overlap between the audit and evaluation activities contemplated in § 2.53 and some activities defined as health care operations and health oversight activities in the Privacy Rule. The Department has consistently subjected its health oversight uses and disclosures to the requirements of § 2.53, and it does not believe that Congress intended differently when it amended section 290dd-2(b)(1)(B) of 42 U.S.C.

As under the existing regulation, a person performing applicable audit and evaluation activities may rely instead on patient consent for health care operations as a means of obtaining the needed records. The Department believes that in many instances this would not be feasible because it would require tracking and segregating records with consent from those without consent, and would reduce the overall number of records available for auditing and evaluation. However, the Department requests comment on whether the new redisclosure permission for Part 2 programs, covered entities, and business associates may create incentives for such recipients to rely on patient consent more frequently when performing audit and evaluation of records made available by Part 2 programs. Proposed paragraph (h) would leave intact existing disclosure permissions and requirements for audit and evaluation activities without consent, including health care oversight activities, such as described in paragraph (e). At the same time, the proposal would provide a new mechanism for programs and covered entities to obtain patient consents for all future TPO uses and disclosures (including redisclosures), which in some instances may include audit and evaluation activities.

The Department proposes this approach because it believes there is no basis to fully align the Part 2 audit and evaluation provisions with the Privacy Rule, given that the CARES Act consent provisions specifically incorporated only uses and disclosures for TPO purposes, not for health oversight activities. The Department requests comment on this interpretation and any anticipated benefits or costs of treating some audit and evaluation activities under Part 2 differently than others based on whether the activities would constitute health care operations or health oversight activities.

§ 2.54—Disclosures for Public Health (Proposed Heading)

The existing Part 2 regulations do not permit the disclosure of Part 2 records for public health purposes. The CARES Act, section 3221(c), added paragraph (b)(2)(D) to 42 U.S.C. 290dd-2 to permit Part 2 programs to disclose de-identified health information to public health authorities. Therefore, the Department proposes to add § 2.54 to permit Part 2 programs to disclose Part 2 records without patient consent to public health authorities provided that the information is de-identified in accordance with the standards in 45 CFR 164.514(b). This change is proposed in conjunction with the Department's proposed definitions for public health authority as described above. Further, the proposed change should not be construed as extending the protections of Part 2 to de-identified information, as such information is outside the scope of 2.12(a). Thus, once Part 2 records are de-identified for disclosure to public health authorities, Part 2 no longer applies to the de-identified records.

The Department requests comment on any benefits or costs that may result from this proposed change.

Subpart E—Court Orders Authorizing Use and Disclosure (Proposed Heading)

The Department proposes to modify the heading of subpart E to reflect changes made to the provisions of this subpart related to the use and disclosure of Part 2 records in proceedings consistent with 42 U.S.C. 290dd-2(b) and (2)(c), as amended by the section 3221(b) and (e) of the CARES Act.

§ 2.61—Legal Effect of Order

Current § 2.61 includes the requirement that beyond a court order, a subpoena must be issued to a Part 2 program in order to compel disclosure of Part 2 records. In addition to non-substantive wording edits reflected in the proposed regulatory text, the Department proposes to add the word “use” to paragraphs (a), (b)(1) and (b)(2) to clarify that the legal effect of a court order with respect to Part 2 records would include authorizing the use of Part 2 records, in addition to the disclosure of Part 2 records. The Department believes this approach is consistent with the CARES Act amendments to 42 U.S.C. 290dd-2.

§ 2.62—Order Not Applicable to Records Disclosed Without Consent to Researchers, Auditors and Evaluators

Currently, § 2.62 provides that a court order may not authorize qualified personnel who have received patient identifying information without consent for research, audit, or evaluation, to disclose the information or use it to conduct a criminal investigation of the patient. In addition to wording changes to improve readability, and reordering the phrase “disclosure and use” to “use and disclosure” for the same reasons described in other sections, the Department proposes to replace the term “qualified personnel” with a description of who falls within the term. The term “Qualified personnel” has a precise meaning but does not have a regulatory definition within 42 CFR part 2 and is used only once within the regulation. For greater clarity, the Department proposes to refer instead to “persons who meet the criteria specified in § 2.52(a)(1)(i)-(iii) of this part,” and later in the paragraph to “such persons.”

§ 2.63—Confidential Communications

Section 2.63(a) of 42 CFR part 2 currently provides that a court order may authorize disclosure of confidential communications made by a patient to a Part 2 program during diagnosis, treatment, or referral only if necessary: (1) to protect against a threat of serious bodily injury; (2) to prosecute the patient for a serious crime; or (3) in connection with litigation or an administrative proceeding in which the patient introduces their own Part 2 records. Paragraph (c) of 42 U.S.C. 290dd-2, as amended by section 3221(e) CARES Act, provides that Part 2 records may be disclosed in noncriminal legal proceedings only with patient consent or a court order, and added civil litigation and administrative proceedings to the list of proceedings for which Part 2 records cannot be used or disclosed by a government authority against a patient, absent a court order. To implement the changes to 42 U.S.C. 290dd-2, the Department proposes to specify in § 2.63(a)(3) that civil, as well as criminal, administrative, and legislative proceedings are circumstances under which a court may authorize disclosures of confidential communications made by a patient to a Part 2 program in Part 2 records when the patient opens the door by introducing their records or testimony that relays information in their records as evidence.

§ 2.64—Procedures and Criteria for Orders Authorizing Uses and Disclosures for Noncriminal Purposes (Proposed Heading)

Section 2.64 of 42 CFR part 2 governs court orders authorizing the disclosure of patient records for noncriminal investigations or prosecutions. Paragraph (a) of this section provides that any person with a legally recognized interest may apply for a court order authorizing the disclosure of patient records in noncriminal proceedings, and such person may file the application separately or as part of a pending civil action in which they assert the evidentiary need for the records. A court order under this section (or any section within subpart E) would be limited to the circumstances specified in § 2.63, discussed above. Section 3221(e) of the CARES Act expanded privacy protections by prohibiting the use of Part 2 records for these purposes, or disclosure or use of testimony relaying the contents of a patient's records. To implement this change, the Department proposes to modify the heading, paragraph (a), and paragraph (e) to include use, not only disclosure, of Part 2 records, and the use or disclosure of testimony relaying the information in such records.

The Department further proposes to modify § 2.64(a) by adding administrative, or legislative proceedings to the types of noncriminal proceedings for which a use or disclosure of Part 2 records must be authorized by a court order, absent patient consent or the application of § 2.53(e). Section 290dd-2(c) of 42 U.S.C., as amended, requires a court order, even when the disclosure or use is sought in an administrative, or legislative proceeding. Thus, when disclosure or use of Part 2 records or testimony relaying information in a record is sought in a non-judicial proceeding, the application would be filed separately in court.

Paragraph (e) of § 2.64 sets forth limitations for court orders authorizing the disclosure of patient records in noncriminal proceedings, limiting such disclosures to the portions of the patient's record that are essential to fulfill the purpose of the order. The Department proposes to add the word “only” to clarify the extent of the limitation. The disclosure must also be limited to those persons whose need for the information is the basis for the order and must include necessary measures to limit the use or disclosure.

The Department also proposes to modify subparagraphs (e)(1) through (e)(3) to include the use of patient records and the use or disclosure of testimony relaying the information in patient records. The Department proposes these modifications to align with 42 U.S.C. 290dd-2(c)(1) through (c)(3), as amended by section 3221(e) of the CARES Act (expanding privacy protection by prohibiting the use or disclosure of patient records or testimony relaying the contents of a patient's records).

§ 2.65—Procedures and Criteria for Orders Authorizing Use and Disclosure of Records To Criminally Investigate or Prosecute Patients (Proposed Heading)

Section 2.65 of 42 CFR part 2 establishes procedures and criteria for court orders authorizing the use and disclosure of patient records in criminal investigations or prosecutions of the patient. Under § 2.65(a), the custodian of the patient's records, or a law enforcement or prosecutorial official responsible for conducting investigative or prosecutorial activities with respect to the enforcement of criminal laws, may apply for a court order authorizing the disclosure of Part 2 records to criminally investigate or prosecute a patient of a Part 2 program. The Department proposes the change, as discussed above, to refer to “use and disclosure” throughout this section instead of “disclosure and use.”

Parallel to the proposed changes to § 2.64, discussed above, the Department proposes to modify § 2.65(a) to include the use and disclosure of testimony relaying the information in patient records because the current provision is limited to disclosure of records and does not address the CARES Act expanded privacy protection which also prohibits the use or disclosure of testimony relaying the contents of a patient's records. The Department further proposes to modify § 2.65(a) to add administrative, and legislative criminal proceedings to the criminal proceedings for which the use or disclosure of Part 2 patient records may be authorized by a court order, consistent with the CARES Act. In addition to criminal prosecutions brought as part of the judicial process, criminal investigations may be carried out by executive agencies and legislative bodies and the CARES Act has widened the confidentiality protections for patients in all of these forums where there may be a risk of exposure and liability.

Subparagraph (d) of § 2.65 sets forth criteria for the issuance of a court order authorizing the disclosure and use of patient records to conduct a criminal investigation or prosecution of a patient. Specifically, § 2.65(d)(2) requires a reasonable likelihood that the records would disclose information of substantial value in the investigation or prosecution.

The Department proposes to modify §§ 2.65(d) and (d)(2) in a manner similar to proposed § 2.65(a), discussed above, to include the use or disclosure of testimony relaying the information in Part 2 records. Under the proposed modification, the criteria in § 2.65(d) would apply to court orders authorizing not only the use and disclosure of Part 2 records, but also the use and disclosure of testimony relaying the information in those records, consistent with 42 U.S.C. 290dd-2(c), as amended section 3221(c) of the CARES Act.

Subparagraph (e) of § 2.65 sets forth requirements for the content of a court order authorizing the use or disclosure of patient records for the criminal investigation or prosecution of the patient. Specifically, § 2.65(e)(1) requires that such order must limit the use or disclosure to those parts of the patient's record as are essential to fulfill the objective of the order. Section 2.65(e)(2) requires that the order limit the disclosure to those law enforcement and prosecutorial officials who are responsible for, or are conducting, the investigation or prosecution, and limit their use of the records to investigation and prosecution of the extremely serious crime or suspected crime specified in the application. The existing rule, at § 2.63(1) and (2), specifies that the type of crime for which an order could be granted would be one “which directly threatens loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, or child abuse and neglect.” Thus, the use of an illegal substance does not in itself constitute an extremely serious crime.

The Department proposes to modify §§ 2.65(e) and (e)(1) through (e)(2) in a manner similar to §§ 2.65(a) and 2.65(d) and (d)(2), discussed above, to include the use and disclosure of testimony relaying the information in patient records. The proposed modification would apply the same limitations on a court order authorizing the use or disclosure of a patient's records to court orders authorizing not only the use or disclosure of testimony relaying the information in those records. The proposed modification to § 2.65(e)(1) would limit uses and disclosures to those parts of a patient's records or testimony relaying the information in those records which are essential to fulfill the objective of the order. Likewise, the proposed modification to § 2.65(e)(2) would limit disclosures to those law enforcement and prosecutorial officials who are responsible for, or are conducting, the investigation or prosecution, and limit their use of the records or testimony to investigation and prosecution of the extremely serious or suspected crime specified in the application and as limited by § 2.63.

The above-noted proposed modifications to §§ 2.65(d) and (d)(2), 2.65(e), and 2.65(e)(1) and (e)(2), each would add the use and disclosure of testimony relaying the information in patient records to the protections already afforded Part 2 records under the regulations.

§ 2.66—Procedures and Criteria for Orders Authorizing Use and Disclosure of Records To Investigate or Prosecute a Part 2 Program or Person Holding the Records (Proposed Heading)

Section 2.66 specifies the persons who may apply for an order authorizing the disclosure of patient records for the purpose of investigating or prosecuting a Part 2 program in connection with legal proceedings, how such persons may file the application, and provides that, at the court's discretion, such orders may be granted without notice to the Part 2 program or patient.

The Department proposes a new paragraph (a)(3) that details procedures for investigative agencies to follow in the event they unknowingly obtain Part 2 records during an investigation or prosecution of a Part 2 program or person holding Part 2 records. Specifically, the Department would require an investigative agency (other than one proceeding under § 2.53(e)) that discovers in good faith that it has obtained Part 2 records to secure the records according to § 2.16 and cease using or disclosing them until it obtains a court order authorizing the use and disclosure of the records and any records later obtained, within a reasonable period of time, but not more than 120 days after discovering it received the records. If the agency does not seek a court order, it must return the records to the Part 2 program or person holding the records if it is legally permissible to do so, within a reasonable period of time, but not more than 120 days from discovery; or, if the agency does not seek a court order or return the records, it must destroy the records in a manner that renders the patient identifying information non-retrievable, within a reasonable period of time, but not more than 120 days from discovery. Finally, if the agency's application for a court order is rejected by the court and no longer subject to appeal, the agency must return the records to the Part 2 program or person holding the records, if it is legally permissible to do so, or destroy the records immediately after notice of rejection from the court.

The Department proposes in paragraph (b) to provide an option for substitute notice by publication when it is impracticable under the circumstances to provide individual notification of the opportunity to seek revocation or amendment of a court order issued under § 2.66. Additionally, the Department proposes to reorganize paragraph (c) by expressly incorporating the provisions from § 2.64(d) that would require an applicant to show a court the good cause requirement and criteria, and adding the proposed § 2.3(b) requirements as elements of good cause for investigative agencies that apply for a court order under proposed § 2.66(a)(3)(ii).

The Department proposes to replace the phrase “disclosure and use” with “use and disclosure” to align the language of this section with the Privacy Rule in paragraphs (a) through (d). The Department also proposes minor wording changes to improve readability, viewable in proposed regulatory text.

§ 2.67—Orders Authorizing the Use of Undercover Agents and Informants To Investigate Employees or Agents of a Part 2 Program in Connection With a Criminal Matter

Current § 2.67 authorizes the placement of an undercover agent in a Part 2 program as an employee or patient by law enforcement or prosecutorial agency pursuant to court order when the law enforcement organization has reason to believe the employees of the Part 2 program are engaged in criminal misconduct.

The Department proposes to clarify that the good cause criteria for a court order in paragraph (c)(2) includes circumstances when obtaining the evidence another way would “yield incomplete evidence.” The Department also proposes to create a new paragraph (c)(4) addressing investigative agencies' belated applications for a court order authorizing placement of an undercover informant or agent to investigate a Part 2 program or its employees. The provision would require the investigative agency to satisfy the conditions at proposed § 2.3(b) before applying for a court order for Part 2 records after discovering that it unknowingly had received such records.

Finally, the Department proposes to replace the phrase “law enforcement or prosecutorial” with “investigative” in paragraph (a) and to add the words “using or” in front of “disclosing” in paragraph (d)(3) of this section and “and disclosure” after the term “use” in paragraph (e) of this section to implement 42 U.S.C. 290dd-2(c), as amended by section 3221(e) of the CARES Act, which prohibits the use or disclosure of Part 2 records in these circumstances.

§ 2.68—Report to the Secretary (Proposed Heading)

The Department proposes to create a new § 2.68 to require investigative agencies to file an annual report with the Secretary of the applications filed for court orders after use or disclosure of records in an investigation or prosecution of a program or holder of records under § 2.66(a)(3)(ii) and after placement of an undercover agent or informant under § 2.67(c)(4). The report would also include the number of instances in which such applications were denied due to findings by the court of violations of this part during the calendar year, and the number of instances in which the investigative agency returned or destroyed Part 2 records following unknowing receipt without a court order, in compliance with § 2.66(a)(3)(iii), (iv), or (v), respectively during the calendar year. The Department proposes that such reports would be due within 60 days following the end of the calendar year.

Request for Comments

The Department requests public comment on all aspects of the proposed amendments to the regulations at 42 CFR part 2, Confidentiality of Substance Use Disorder Patient Records (Part 2), and 45 CFR 164.520, Notice of Privacy Practices for Protected Health Information, and on the specific questions below. The Department welcomes public comment on any benefits or drawbacks of the proposed amendments set forth above in this proposed rule.

1. § 2.2 Purpose and Effect. The Department requests comment on whether the Department's proposals adding the terms “use” or “uses” to existing regulatory text that currently only state “disclose” or “disclosure,” would substantively expand the scope of the applicable requirements and prohibitions in a manner not intended. The Department seeks input and specific examples of where the proposed insertion of new terms could result in any unintended adverse consequences for regulated entities.

2. § 2.3 Civil and Criminal Penalties for Violations. The Department requests comment on its proposals at § 2.3(b) to create a limitation on civil or criminal liability for persons acting on behalf of investigative agencies if they unknowingly receive Part 2 records while investigating a program or other person holding Part 2 records without first obtaining the requisite court order, and on the proposed conditions to qualify for the limitation. Specifically, the Department requests comment on the potential impact on patient privacy and access to SUD treatment if investigative agencies can utilize a safe harbor when they unknowingly are in receipt of Part 2 records after first checking whether the program actually provides SUD services. Additionally, the Department requests comment on whether the listed activities should be the only ways an investigative agency may establish reasonable diligence. If there should be additional ways, what should they be and should they be included in regulatory text as an exclusive list?

3. § 2.11 Definitions.

Business associate. The Department solicits comment on the proposal to adopt the definition of “business associate” that is used in the HIPAA Privacy Rule.

Health care operations. The Department requests comment on the proposed definition of “health care operations”, including the proposed approach in the consent requirements to offer an opt-in for fundraising, but not for de-identification and creating a designated record set.

Intermediary. The Department requests comment on the proposed definition of intermediary and whether, in light of the new permission to disclose records for TPO based on a single prior consent, the requirements for an intermediary should be retained or removed.

Investigative agency. The Department requests comment on the proposed definition of “investigative agency” and any concerns about including local agencies in the term, such as lack of uniform procedures, inconsistency across a state, or examples of local investigative agencies involvement in investigating Part 2 programs. The Department also requests comment on whether to interpret state (or local, if it is added) to include Tribal agencies or whether to expressly include Tribal agencies within the regulatory definition. The existing Part 2 regulation does not reference the term “Tribal.”

Lawful holder. Additionally, the Department requests comment on whether a definition of “lawful holder” is needed to properly enforce § 2.16 as discussed above and in the regulatory alternatives considered. The Department also requests comment on whether, with respect to § 2.33, there are types of recipients of Part 2 records by way of a consent that should be excluded from a definition of “lawful holder”.

Personal representative. With respect to persons who are authorized to make health care decisions on behalf of a minor, a patient who lacks capacity to make their own decisions, or a patient who is deceased, the Department requests comment on any benefits or drawbacks of adopting the Privacy Rule term “personal representative,” and the description of the term in 45 CFR 164.502(g)(2), as a defined term within this part. If adopted, this term would replace the phrase “guardian or other persons authorized under state law to act on the patient's behalf” and “executor, administrator, or other personal representative appointed under applicable state law.”

Records. With respect to the consideration of newly defining SUD counseling notes that would be part of a record, the Department requests comment on the benefits and burdens of adopting such a definition, similar to the psychotherapy notes provision under HIPAA. Additionally, the Department requests comment on the scope of SUD personnel who could potentially create SUD counseling notes and utilize the additional patient privacy protections they afford and whether a regulatory definition for SUD professional should be created.

Use. With respect to the proposed definition of “use”, the Department requests comment on whether to retain the specific reference to the use of records in certain proceedings against the patient, addressed at §§ 2.61-2.67, or whether it would be clearer to adopt only the definition of the term “use” from the HIPAA Rules at 45 CFR 160.103.

4. § 2.16 Security for records and notification of breaches. The Department requests public comment regarding the estimated burden for Part 2 programs that are not covered entities to comply with the proposed breach notification requirements. The Department also requests comment regarding the application of the Privacy Rule de-identification standard to rendering Part 2 records non-identifiable, as provided in the proposed modifications to § 2.16(a)(1)(v) and (a)(2)(iv), including any unintended adverse consequences that may result from these proposed changes. The Department requests comment regarding whether the Security Rule or similar requirements should apply to Part 2 programs that maintain electronic records but are not covered entities in the same manner as the Security Rule applies to covered entities and business associates. The Department requests comment on whether breach notification requirements that apply to business associates pursuant to the Privacy Rule should apply to QSOs as they are similarly situated. In addition, the Department requests comments from Part 2 programs that are not covered entities on whether they look to the HIPAA Security Rule generally for guidance on protecting electronic Part 2 records or otherwise voluntarily attempt to follow the requirements of the Security Rule. For any programs that may do so, the Department requests comment on what their experience has been, including any implementation costs. Finally, the Department requests comment on whether the requirements of this section that apply to a lawful holder should in any way depend on the level of sophistication of a lawful holder who is in receipt of Part 2 records by written consent, or should depend on whether the lawful holder is acting in some official or professional capacity connected to or related to the Part 2 records.

5. § 2.22 Notice to patients of Federal confidentiality requirements and 45 CFR 164.520 Notice of privacy practices for protected health information. The Department requests comment on ways to make the proposed notices more easily understandable, including examples of possible approaches, such as requiring the document to be at a particular reading grade level, maximum number of pages, or other suggestions. The Department specifically requests comment from legal, clinical, privacy, and civil rights experts on this matter.

6. § 2.24 Requirements for intermediaries. The Department solicits comment on the proposed reorganization and clarification of requirements for entities that facilitate health information exchange and whether there is a continued need for these requirements in light of the accounting of disclosures proposed in § 2.25. Specifically, the Department solicits comment on how Part 2 programs have been implementing the existing requirements for intermediaries in § 2.13(d) and § 2.31(a)(4)(ii) and examples of how those requirements have affected the ability of Part 2 programs to utilize HIEs.

7. § 2.25 Accounting of disclosures. The Department requests comment on the proposals to add a requirement for an accounting of disclosures for non-TPO disclosures and an accounting of disclosures through an electronic health record for TPO. The Department welcomes data from Part 2 programs that are also covered entities on the number and type of requests for an accounting of disclosures of PHI received annually, whether and how frequently they receive requests for an accounting of disclosures for TPO, and to what extent such covered entities are choosing to provide individuals with an accounting of TPO disclosures made through an electronic health record based on the HITECH Act statutory requirement, even absent an implementing regulation. The Department also welcomes comment on the provider burden and costs to respond to a request for an accounting for both TPO disclosures and non-TPO disclosures.

8. § 2.26 Right to request privacy protection for records. The Department requests comment and data on the extent to which covered entities and Part 2 programs receive requests from patients to restrict disclosures of patient identifying information for TPO purposes, how entities and programs track such requests, and the procedures and mechanisms used to comply with patient requests to which they have agreed or that they are otherwise required to comply with by law.

9. § 2.31 Consent requirements. The Department requests comments on its proposals that would implement changes to § 2.31. Specifically, the Department requests comment on whether there are other changes that it should make to further align § 2.31 with the Privacy Rule using its general regulatory authority in section 3221(i)(1) of the CARES Act “to make such revisions to regulations as may be necessary for implementing and enforcements the amendments.” For example, the Department requests comment on the extent to which Part 2 programs segment out SUD treatment records considered “SUD counseling notes.” The Department requests comment on whether to propose special protection for SUD counseling notes to add a layer of regulatory protection that equates to the protection granted to psychotherapy notes in the Privacy Rule by requiring a separate written consent for their disclosure.

The Department also solicits comment on the proposed changes to the consent requirements for entities that facilitate health information exchanges ( i.e., intermediaries), particularly how they would affect the implementation of proposed changes to consent for TPO. The Department requests comment on whether, and to what extent, Part 2 programs currently act on an oral revocation of consent, and if so, whether and how this is documented or tracked.

10. § 2.32 Notice to accompany disclosure. The Department welcomes comment from Part 2 programs that are covered entities, and recipients of Part 2 records that are covered entities or business associates, on whether and how the proposed changes to the redisclosure permissions in § 2.32 are likely to reduce data segregation and positively affect the ability to provide treatment to patients with SUD and perform other beneficial activities. Specifically, the Department seeks comment on whether the proposed changes alone would be sufficient to implement section 3221 of the CARES Act, or whether different or additional modifications to Part 2 would be more effective to promote integration of Part 2 records with PHI, reduce stigma for patients with SUD, and improve access to SUD treatment while maintaining the confidentiality of Part 2 records as required by 42 U.S.C. 290dd-2.

11. § 2.33 Uses and disclosures permitted with written consent. The Department requests comment on whether or how recipients of Part 2 records are informed that the records have been disclosed based on patient consent and the scope of the consent that is provided. Specifically, the Department welcomes data on how Part 2 programs and recipients of Part 2 records communicate information about the purpose of a disclosure or set of disclosures and the extent of the information communicated about the purpose or the scope of the disclosure permission, authorization, or mandate. Should the Department consider requiring Part 2 programs to provide a copy of the written patient consent when disclosing records? Should the Department consider requiring Part 2 programs, covered entities, and business associates to retain a copy of the written patient consent for a minimum period of time so that they can provide documentation of the consent to future recipients, or to the Secretary for purposes of investigating compliance with Part 2? Are programs already doing this? To what extent would such requirements be useful to recipients of Part 2 records or impose a burden on programs? Additionally, should the Department require programs to inform an HIE when a patient revokes consent for TPO so that additional uses and disclosures by the HIE would not be imputed to the programs that have disclosed Part 2 records to the HIE? The Department also welcomes comments on the potential unintended negative effects on confidentiality and privacy from the combined application of the proposed disclosure permissions for TPO with consent under § 2.33, and the removal of § 2.53 protections for audit and evaluation activities that fall within the definition of health care operations, and suggested regulatory approaches.

12. § 2.52 Scientific research. The Department requests public comment on whether any Part 2 programs conduct research using their own Part 2 records. The Department also requests public comment regarding the application of the HIPAA de-identification standard to Part 2 records disclosed for research, as provided in the proposed modifications to § 2.52(a)(3), including any unintended adverse consequences that may result from this proposed change.

13. § 2.53 Management audits, financial audits, and program evaluation. The Department requests comment on its proposal to acknowledge within this section the applicable permission for use and disclosure of records for health care operations purposes based on written consent of the patient for all future uses and disclosures for TPO and the permission for the third party conducting such audit or evaluation activities to redisclose the records as permitted by the HIPAA Privacy Rule if the third-party recipient is a Part 2 program, covered entity, or business associate that is not acting as a health oversight agency.

14. Section 2.54 Disclosures for public health. The Department requests comment on its proposal to permit disclosures only of de-identified records for public health purposes without patient consent.

15. Subpart E. The Department seeks comment on the set of proposals in §§ 2.3, 2.66, 2.67, and 2.68 to create a limitation on civil and criminal liability for investigative agencies that in good faith discover they have received Part 2 records before obtaining the required court order in the course of investigating or prosecuting a program, and the related requirement for agencies that make use of these provisions to submit a report to the Secretary.

Public Participation

The Department seeks comment on all issues raised by the proposed regulation, including any unintended adverse consequences. Because of the large number of public comments normally received on Federal Register documents, the Department is not able to acknowledge or respond to them individually. In developing the final rule, the Department will consider all comments that are received by the date and time specified in the DATES section of the Preamble.

Because mailed comments may be subject to security delays due to security procedures, please allow sufficient time for mailed comments to be timely received in the event of delivery delays. Any attachments submitted with electronic comments on www.regulations.gov should be in Microsoft Word or Portable Document Format (PDF). Please note that comments submitted by fax or email and those submitted after the comment period will not be accepted.

Regulatory Impact Analysis

The Department has examined the impact of the proposed rule as required by Executive Order 12866 on Regulatory Planning and Review, 58 FR 51735 (October 4, 1993); Executive Order 13563 on Improving Regulation and Regulatory Review, 76 FR 3821 (January 21, 2011); Executive Order 13132 on Federalism, 64 FR 43255 (August 10, 1999); Executive Order 13175 on Consultation and Coordination with Indian Tribal Governments, 65 FR 67249 (November 9, 2000); the Congressional Review Act, Public Law 104-121, sec. 251, 110 Stat. 847 (March 29, 1996); the Unfunded Mandates Reform Act of 1995, Public Law 104-4, 109 Stat.48 (March 22, 1995); the Regulatory Flexibility Act, Public Law 96-354, 94 Stat. 1164 (September 19, 1980); Executive Order 13272 on Proper Consideration of Small Entities in Agency Rulemaking, 67 FR 53461 (August 16, 2002); the Assessment of Federal Regulations and Policies on Families, Public Law 105-277, sec. 654, 112 Stat. 2681 (October 21, 1998); and the Paperwork Reduction Act of 1995, Public Law 104-13, 109 Stat. 163 (May 22, 1995).

A. Executive Orders 12866 and 13563 and Related Executive Orders on Regulatory Review

Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects; distributive impacts; and equity). Executive Order 13563 is supplemental to, and reaffirms the principles, structures, and definitions governing regulatory review as established in, Executive Order 12866.

This proposed rule is partially regulatory and partially deregulatory. The Department estimates that the effects of the proposed requirements for Part 2 programs would result in new costs of $19,364,667 within 12 months of implementing the final rule. The Department estimates these first-year costs would be partially offset by $12,755,378 of first year cost savings, attributable to reductions in the need for Part 2 programs to obtain written patient consent for disclosures for treatment, payment, or health care operations (TPO) ($9.8 million); reductions in the need for covered entities, business associates, and Part 2 programs to obtain written patient consent for redisclosures ($2.5 million); and reductions in capital expenses for printing consent forms ($0.5 million). This is followed by net savings of $10,240,622 annually in years two through five, resulting from a continuation of first-year cost saving of $12.8 million per year, minus the estimated annual costs of $2.5 million primarily attributable to compliance with breach notification requirements. This results in overall net cost savings of $34,353,198 over 5 years for changes to 42 CFR part 2. In addition, the Department estimates that changes to 45 CFR 164.520 would result in new nonrecurring costs for covered entities that receive or maintain Part 2 records in the amount of $44,935,225. Combined, the proposed regulatory changes to Part 2 and the Privacy Rule would result in estimated total costs of $64,299,891 in the first year (approximately $19 million from Part 2 programs and $45 million from 45 CFR 164.520), followed by $2,514,756 of recurring annual costs in years two through five (from Part 2 programs), for a total of $74,358,914. This would be offset by an estimated annual savings of $12,755,378 for a total of $63,776,888 over five years. The combined result would be a net cost of $51,544,514 in the first year following the rule's effective date, followed by annual net savings of $10,240,622, resulting in 5-year net cost of $10,582,027 for HIPAA covered entities and Part 2 programs.

The Department estimates that the private sector would bear approximately 60 percent of the costs, with state and federal health plans bearing the remaining 40 percent of the costs. All of the cost savings experienced from the first year through subsequent years would benefit Part 2 programs and covered entities. As a result of the economic impact, the Office of Management and Budget (OMB) has determined that this proposed rule is not an economically significant regulatory action within the meaning of section (3)(f)(1) of E.O. 12866; however, it is a significant regulatory action because it presents novel legal and policy issues. Accordingly, OMB has reviewed this proposed rule.

The Department presents a detailed analysis below.

Summary of the Proposed Rule

This Notice of Proposed Rulemaking (NPRM) proposes to modify 42 CFR part 2 (“Part 2”) and 45 CFR 164.520 to implement changes required by section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, to further align Part 2 with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules, and for clarity and consistency. Major proposals are summarized below:

(1) § 2.1—Statutory authority for confidentiality of substance use disorder patient records.

Revise § 2.1 to more closely reflect the authority granted in 42 U.S.C. 290dd-2(g), especially with respect to court orders authorizing the disclosure of records.

(2) § 2.2—Purpose and effect.

Amend paragraph (b) of § 2.2 to reflect that § 2.3(b) compels disclosures to the Secretary that are necessary for enforcement of this rule, using language adapted from the Privacy Rule at 45 CFR 164.502(a)(2)(ii). Add a new paragraph (b)(3) to this section to prohibit any limits on a patient's right to request restrictions on use of records for treatment, payment, or health care operations (TPO) or a covered entity's choice to obtain consent to use or disclose records for TPO purposes as provided in the Privacy Rule.

(3) § 2.3—Civil and criminal penalties for violations (proposed heading).

Amend the heading and replace title 18 U.S.C. enforcement with references to the HIPAA enforcement authorities in the Social Security Act at sections 1176 (civil enforcement, including the CMP tiers established by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and 1177 (criminal penalties), as implemented in the Enforcement Rule. Create a limitation on civil or criminal liability for investigative agencies that act with reasonable diligence before making a demand for records in the course of an investigation of a program or other person holding Part 2 records by taking certain steps to determine whether a provider is subject to Part 2.

(4) § 2.4—Complaints of violations. (proposed heading)

Amend the heading and insert requirements consistent with those applicable to HIPAA complaints under 45 CFR 164.530(d), (g), and (h), including: a requirement to establish a process for the Part 2 program to receive complaints, a prohibition against taking adverse action against patients who file complaints, and a prohibition against requiring individuals to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services.

(5) § 2.11—Definitions.

Add new terms and definitions to align with the following statutory and regulatory HIPAA terms: Breach, Business associate, Covered entity, Health care operations, HIPAA, HIPAA regulations, Payment, Person, Public health authority, Treatment, Unsecured protected health information, and Use. Create new definitions for the terms Intermediary, Investigative agency, and Unsecured record, and modify the definitions of Informant, Part 2 program director, Patient, Program, Records, Third-party payer, Treating provider relationship, and Qualified service organization.

(6) § 2.12—Applicability.

Replace “Armed Forces” with “Uniformed Services” in paragraph (c)(2) of § 2.12. Incorporate four statutory examples of restrictions on the use or disclosure of Part 2 records to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient. Add language to qualify the term third-party payer with the phrase “as defined in this part.” Revise paragraph (e)(4)(i) to clarify when a diagnosis it not covered by Part 2.

(7) § 2.13—Confidentiality restrictions and safeguards.

Redesignate § 2.13(d) requiring a list of disclosures as new § 2.24 and modify the text for clarity. Amend the heading to distinguish the right to a list of disclosures made by intermediaries from the proposed new right to an accounting of disclosures made by a Part 2 program.

(8) § 2.14—Minor patients.

Change the verb “judges” to “determines” to describe a program director's evaluation and decision that a minor lacks decision making capacity.

(9) § 2.15—Patients who lack capacity and deceased patients. (proposed heading)

Revise to replace outdated language and refer instead to a lack of capacity to make health care decisions and add health plans to the list of entities to which a program may disclose records without consent.

(10) § 2.16—Security for records and notification of breaches. (proposed heading)

Apply the HITECH Act breach notification provisions that are currently implemented in the Breach Notification Rule to breaches of records by Part 2 programs and retitle the provision to include breach notification to implement CARES Act provisions. Modify the provision to refer to the Privacy Rule de-identification standard at 45 CFR 164.514.

(11) § 2.19—Disposition of records by discontinued programs.

Add an exception to clarify that these provisions do not apply to transfers, retrocessions, and reassumptions of Part 2 programs under the Indian Self-Determination and Education Assistance Act (ISDEAA), in order to facilitate the responsibilities set forth in 25 U.S.C. 5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C 5324(e), 25 U.S.C. 5330, 25 U.S.C. 5386(f), 25 U.S.C. 5384(d), and the implementing ISDEAA regulations. Modernize the language to refer to “non-electronic” records and include “paper” records as an example of non-electronic records.

(12) § 2.22—Notice to patients of federal confidentiality requirements.

Modify the Part 2 confidentiality notice requirements (hereinafter, “Patient Notice”) to align with the Notice of Privacy Practices (NPP) and address protections required by 42 U.S.C. 290dd-2, as amended by section 3221 of the CARES Act, for entities that create or maintain Part 2 records.

(13) § 2.23—Patient access and restrictions on use and disclosure. (proposed heading)

Add the term “disclosure” to the heading and body of this section to clarify that information obtained by patient access to their record may not be used or disclosed for purposes of a criminal charge or criminal investigation.

(14) § 2.24—Requirements for intermediaries (redesignated and proposed heading).

Retitle the redesignated section (to be moved from § 2.13(d)) as “Requirements for intermediaries” to clarify the responsibilities of recipients of records received under a consent with a general designation, such as health information exchanges, research institutions, accountable care organizations, and care management organizations.

(15) § 2.25—Accounting of disclosures (proposed heading).

Add this section to implement 42 U.S.C. 290dd-2(b)(1)(D), as amended by the section 3221 of the CARES Act, to incorporate into Part 2 the HITECH Act right to an accounting of certain disclosures of records for up to three years prior to the date the accounting is requested and add a right to an accounting of disclosures of records that mirrors the standard in the Privacy Rule at 45 CFR 164.528.

(16) § 2.26—Right to request privacy protection for records (proposed heading).

Add this section to implement 42 U.S.C. 290dd-2(b)(1)(B), as amended by the section 3221 of the CARES Act, to incorporate into Part 2 the HITECH Act rights implemented in the Privacy Rule at 45 CFR 164.522, namely: (1) a patient right to request restrictions on disclosures of records otherwise permitted for TPO purposes, and (2) a patient right to obtain restrictions on disclosures to health plans for services paid in full by the patient.

(17) Subpart C—Uses and Disclosures With Patient Consent. (proposed heading)

Change the heading of subpart C to “Uses and Disclosures With Patient Consent” to reflect changes made to the provisions of this subpart related to the consent to use and disclose Part 2 records, consistent with 42 U.S.C. 290dd-2(b), as amended by the section 3221(b) of the CARES Act.

(18) § 2.31—Consent requirements.

Align the content requirements for Part 2 written consent with the content requirements for a valid HIPAA authorization and clarify how recipients may be designated in a consent to use and disclose Part 2 records for TPO.

(19) § 2.32—Notice to accompany disclosure (proposed heading).

Change the heading of this section and align the content requirements for the required notice that accompanies a disclosure of records (hereinafter “notice to accompany disclosure”) with the requirements of 42 U.S.C. 290dd-2(b), as amended by section 3221(b) of the CARES Act.

(20) § 2.33—Uses and disclosures permitted with written consent (proposed heading).

To align this provision with the statutory authority in 42 U.S.C. 290dd-2(b)(1), as amended by section 3221(b) of the CARES Act, replace the provisions requiring consent for uses and disclosures for payment and certain health care operations with permission to use and disclose records for TPO based on a single consent given once for all such future uses and disclosures, until such time as the patient revokes the consent in writing. Create redisclosure permissions for two categories of recipients of Part 2 records pursuant to a written consent: (1) Permit a Part 2 program, covered entity, or business associate that receives Part 2 records pursuant to a written consent for TPO purposes to redisclose the records in any manner permitted by the Privacy Rule, except for certain legal proceedings against the patient; and (2) Permit a lawful holder that is not a covered entity, business associate, or Part 2 program to redisclose Part 2 records for payment and health care operations to its contractors, subcontractors, or legal representatives as needed to carry out the activities in the consent.

(21) § 2.35—Disclosures to elements of the criminal justice system which have referred patients.

For clarity, replace “individuals” with “persons” and clarify that permitted redisclosures of information are from Part 2 records.

(22) Subpart D—Uses and Disclosures Without Patient Consent (proposed heading).

Change the heading of subpart D to “Uses and Disclosures Without Patient Consent” to reflect changes made to the provisions of this subpart related to the consent to use and disclose Part 2 records, consistent with 42 U.S.C. 290dd-2 as amended by the CARES Act.

(23) § 2.51—Medical emergencies.

For clarity in § 2.51(c)(2), replace the term “individual” with the term “person.”

(24) § 2.52—Scientific research (proposed heading).

Revise the heading of § 2.52 to reflect statutory language. To further align Part 2 with the Privacy Rule, replace the requirements to render Part 2 data in research reports non identifiable with the Privacy Rule's de-identification standard in 45 CFR 164.514.

(25) § 2.53—Management audits, financial audits, and program evaluation (proposed heading).

Revise the heading of § 2.53 to reflect statutory language. To support implementation of 42 U.S.C. 290dd-2(b)(1), as amended by section 3221(b) of the CARES Act, add a provision to acknowledge the permission for use and disclosure of records for health care operations purposes based on written consent of the patient and the permission to redisclose such records as permitted by the HIPAA Privacy Rule if the recipient is a Part 2 program, covered entity, or business associate.

(26) § 2.54—Disclosures for public health (proposed heading).

Add a new § 2.54 to implement 42 U.S.C. 290dd-2(b)(2)(D), as amended by section 3221(c) of the CARES Act, to permit disclosure of records without patient consent to public health authorities provided that the records disclosed are de-identified according to the standards established in section 45 CFR 164.514.

(27) Subpart E—Court Orders Authorizing Use and Disclosure (proposed heading).

Change the heading of subpart E to reflect changes made to the provisions of this subpart related to the uses and disclosure of Part 2 records in proceedings consistent with 42 U.S.C. 290dd-2(b) and (2)(c), as amended by sections 3221(b) and (e) of the CARES Act.

(28) § 2.61—Legal effect of order.

Add the term “use” to clarify that the legal effect of a court order would include authorizing the use and disclosure of records, consistent with 42 U.S.C. 290dd-2(b) and (c), as amended by section 3221(e) of the CARES Act.

(29) § 2.62—Order not applicable to records disclosed without consent to researchers, auditors, and evaluators.

For clarity, replace the term “qualified personnel” with a reference to the criteria that define such persons.

(30) § 2.63—Confidential communications.

Revise paragraph (c) of § 2.63 to expressly include civil, criminal, administrative, and legislative proceedings as forums where the requirements for a court order under this part would apply, to implement 42 U.S.C. 290dd-2(c), as amended by section 3221(c) of the CARES Act.

(31) § 2.64—Procedures and criteria for orders authorizing uses and disclosures for noncriminal purposes (proposed heading).

Expand the types of forums where restrictions on use and disclosure of records in civil proceedings against patients apply to expressly include administrative and legislative proceedings and also restrict the use of testimony conveying information in a record in civil proceedings against patients, absent consent or a court order. Add the term “uses” to the heading and in this section to align it with current statutory authority.

(32) § 2.65—Procedures and criteria for orders authorizing use and disclosure of records to criminally investigate or prosecute patients (proposed heading).

Expand the types of forums where restrictions on uses and disclosure of records in criminal proceedings against patients apply to expressly include administrative and legislative proceedings and also restrict the use of testimony conveying information in a Part 2 record in criminal legal proceedings against patients, absent consent or a court order.

(33) § 2.66—Procedures and criteria for orders authorizing use and disclosure of records to investigate or prosecute a Part 2 program or the person holding the records. (proposed heading)

Create requirements for investigative agencies to follow in the event they discover in good faith that they received Part 2 records before seeking a court order as required under § 2.66.

(34) § 2.67—Orders authorizing the use of undercover agents and informants to investigate employees or agents of a part 2 program in connection with a criminal matter.

Add new criteria for issuance of a court order in instances where an application is submitted after the placement of an undercover agent or informant has already occurred, requiring an investigative agency to satisfy the conditions at § 2.3(b).

(35) § 2.68—Report to the Secretary (proposed heading).

Create new requirements for investigative agencies to file annual reports about the instances in which they applied for a court order after receipt of Part 2 records or placement of an undercover agent or informant as provided in § 2.66 and § 2.67.

(36) 45 CFR 164.520—Notice of privacy practices for protected health information.

Revise 45 CFR 164.520 to implement updates to the NPP to address Part 2 confidentiality requirements, as required by section 3221(i)(2) of the CARES Act.

The proposed changes to Part 2 and 45 CFR 164.520 would create some estimated costs, and numerous and substantial estimated cost savings and anticipated benefits that the Department is unable to quantify but are described in depth below. These include improving the integration of SUD treatment with that of other health care by facilitating the integration of SUD treatment records with other medical records, reductions in paperwork for providers, and regulatory certainty.

The Department estimates that the first-year costs for Part 2 programs will total approximately $19 million. These first-year costs are attributable to Part 2 programs training workforce members on the revised requirements ($12.4 million); capital expenses ($0.8 million); compliance with breach notification requirements ($1.5 million); updating Patient Notices and NPPs ($2.4 million); updating consent forms ($1.5 million); updating the notice to accompany disclosures ($0.6 million). It also includes nominal costs for responding to requests for privacy protection, providing accounting of disclosures, and $25,795 for investigative agencies to file reports to the Secretary. For years 2 through 5, the estimated annual costs of $2.5 million are primarily attributable to compliance with breach notification requirements and related capital expenses. Additionally, the Department estimates nonrecurring costs of $45 million for covered entities that receive or maintain Part 2 records due to updating the HIPAA NPP under 45 CFR 164.520.

The Department estimates annual cost savings of $12.8 million per year, over 5 years, attributable to reductions in the need for Part 2 programs to obtain written patient consent for disclosures for TPO ($9.8 million), reductions in the need for covered entities and business associates to obtain written patient consent for redisclosures ($2.5 million), and reductions in capital expenses for printing consent forms ($0.5 million).

The Department estimates net costs for Part 2 programs totaling approximately $6.6 million in the first year followed by net savings of approximately $10 million annually in years 2 through 5, resulting in overall net cost savings of approximately $34 million over 5 years.

2. Need for the Proposed Rule

On March 27, 2020, Congress enacted the CARES Act as Public Law 116-136. Section 3221 of the CARES Act amended 42 U.S.C. 290dd-2, the statute that establishes requirements regarding the confidentiality and disclosure of certain records relating to SUD, and section 3221(i) of the CARES Act requires the Secretary to promulgate regulations implementing those amendments. With this NPRM, the Department proposes changes to Part 2 and 45 CFR 164.522 to implement section 3221 of the CARES Act, increase clarity, and decrease compliance burdens for regulated entities. The Department believes the proposed changes would reduce data segmentation within entities subject to the regulatory requirements promulgated under both HIPAA and Part 2.

Significant differences in the permitted uses and disclosures of Part 2 records and protected health information (PHI) as defined under the Privacy Rule contribute to ongoing operational compliance challenges. For example, currently, entities subject to Part 2 must obtain specific written consent for most uses and disclosures of Part 2 records, including for TPO, while the Privacy Rule permits many uses and disclosures of PHI without authorization. Therefore, to comply with both sets of regulations, HIPAA covered entities subject to Part 2 must track and segregate Part 2 records from other health records ( e.g., records that are protected under the HIPAA Rules but not Part 2).

In addition, once PHI is disclosed to an entity not covered by HIPAA it is no longer protected by the HIPAA Rules. In contrast, Part 2 strictly limits redisclosures of Part 2 records by individuals or entities that receive a record directly from a Part 2 program or other “lawful holder” of patient identifying information, absent written patient consent. Therefore, any Part 2 records received from a Part 2 program or other lawful holder must be segregated or segmented from non-Part 2 records. The need to segment Part 2 records from other health records created data “silos” that hamper the integration of SUD treatment records into entities' electronic record systems and billing processes, which in turn may impact the ability to integrate treatment for behavioral health conditions and other health conditions. Many stakeholders have urged the Department to take action to eliminate the need for such data segmentation, and the Department believes its proposals will reduce, but not completely eliminate, the need for data segmentation or tracking.

3. Cost-Benefit Analysis

Overview and Methodology

In comparison to the estimated number of HIPAA covered entities (774,331 ) the estimated number of Part 2 program is very small (16,066 ) or just 2 percent of the number of covered entities. Because the number of Part 2 programs is so small, the Department includes the entire estimated number of Part 2 programs when estimating the projected costs and cost savings of the proposals in this NPRM, even though a percentage of Part 2 programs are already complying with HIPAA requirements because they are subject to both Part 2 and HIPAA. The Department requests comment on this approach and data on the number or proportion of Part 2 programs that are also HIPAA covered entities.

This regulatory impact analysis (RIA) relies on the same data source used by SAMHSA for the estimated number of Part 2 programs in SAMHSA's 2020 Information Collection Request (ICR) (“Part 2 ICR”) and uses an updated statistic from that source. The NPRM also adopts the estimated number of covered entities used in the OCR's 2021 ICR for the Privacy Rule NPRM (“2021 HIPAA ICR”), as well as its cost assumptions for many requirements of the HIPAA Rules, including breach notification activities.

When applying HIPAA cost assumptions to Part 2 programs, the Department multiplies the figures by 2 percent (.02), representing the number of Part 2 programs in proportion to the total number of covered entities. In some instances, the estimates historically used by OCR and SAMHSA for similar regulatory requirements were developed based on different methodologies, resulting in significantly different fiscal projections for some required activities. This RIA adopts OCR's approach for those projected costs and cost savings.

In addition to the quantitative analyses of the effects of the proposed regulatory modifications, the Department analyzes some benefits and burdens qualitatively; relatedly, there is uncertainty inherent in predicting the actions that a diverse scope of regulated entities might take in response to this proposed rule. The Department requests comment on the estimates, assumptions, and analyses contained herein—and any relevant information or data that would inform a quantitative analysis of proposed reforms that the Department qualitatively addresses in this RIA.

For reasons explained more fully below, the proposed changes to the consent requirements for Part 2 programs and redisclosure permissions for covered entities and business associates would result in economic cost savings of approximately $63,776,888 over 5 years based on the proposed changes. The resulting net costs over 5 years is due to first year expenses including costs for some health plans to mail an updated NPP which would be finalized as part of a comprehensive HIPAA Privacy Rule.

Baseline Assumptions

In developing its estimates of the potential costs and cost savings of the proposed regulation the Department relied substantially on recent prior estimates for modifications to this regulation and the Privacy Rule and associated ICRs. Specifically, the Part 2 ICR data previously approved under OMB control #0930-0092 informs the Department's estimates with respect to proposed modifications to Part 2 provisions. However, for proposed Part 2 provisions that are based on provisions of the HIPAA Rules, and for proposed changes to 45 CFR 164.520, the Department relies on OCR's HIPAA regulatory ICRs previously approved under OMB control #0945-0003 and updated consistent with OCR's 2021 Privacy Rule NPRM.

Because the Department lacks data to determine the percentage of Part 2 programs that are also subject to the HIPAA Rules, the Department assumes for purposes of this analysis that the proposed changes to Part 2 would affect all Part 2 programs equally—including those programs that are also HIPAA covered entities, and thus already are subject to requirements under the HIPAA Rules ( e.g., breach notification) that the Department proposes to incorporate into Part 2. Thus, this RIA likely overestimates the overall compliance burden on Part 2 programs posed by the proposals in this NPRM. In contrast, this RIA likely underestimates the cost savings of the NPRM. The estimated cost savings are primarily attributed to the reduction in the number of written patient consents that would be needed to use or disclose records for TPO and to redisclose them for other purposes permitted by the Privacy Rule. Because the Department lacks data to estimate the annual numbers of written patient consents and disclosures to covered entities, this RIA adopts an assumption that only three consents per patient are currently obtained per year (one each for treatment, payment, and health care operations) and only one half of such consents result in a disclosure of records to a HIPAA covered entity or business associate, for which consent would be no longer required to use or redisclose the record under the NPRM's proposals. The Department requests comments on its assumptions and data to refine its estimates.

Part 2 Programs, Covered Entities, and Patient Population

The Department relies on the same source as the approved Part 2 ICR as the basis for its estimates of the total number of Part 2 programs and total annual Part 2 patient admissions. Part 2 programs are publicly (Federal, State, or local) funded, assisted, or regulated SUD treatment programs. The Part 2 ICR's estimate of the number of such programs (respondents) is based on the results of the 2020 National Survey of Substance Abuse Treatment Services (N-SSATS), and the average number of annual total responses is based on the results of the average number of SUD treatment admissions from SAMHSA's 2019 Treatment Episode Data Set (TEDS) as the number of patients treated annually by Part 2 programs, both approved under OMB Control No. 0930- 0335. In the 2020 data from N-SSATS, the number of Part 2 respondents was 16,066. The TEDS data for SUD treatment admissions has been updated, so the Department relies on the 2019 statistic, as shown in the table below.

For purposes of calculating estimated costs and benefits the Department relies on mean hourly wage rates for occupations involved in providing treatment and operating health care facilities, as noted in the table below.

Qualitative Analysis of Non-Quantified Benefits and Burdens

The Department's analysis focuses on primary areas of proposed changes that are likely to have an impact on regulated entities or patients. These are proposals to establish or modify requirements with respect to: enforcement and penalties, notification of breaches, consent for uses and disclosures, Patient Notice and the NPP, notice accompanying disclosure, requests for privacy protection, accounting of disclosures, audit and evaluation, disclosures for public health, and use and disclosure of records by investigative agencies. In addition to these proposals, the Department believes the modifications to Part 2 that are proposed for clarification, readability, or consistency with HIPAA terminology, would have the unquantified benefits of providing clarity and regulatory certainty. The provisions that fall into this category and for which anticipated benefits are not discussed in-depth, are:

§§ 2.1-2.2, 2.4 Statutory authority and enforcement, § 2.11 Definitions, § 2.12 Applicability, § 2.13 Confidentiality restrictions and safeguards, § 2.14 Minor patients, § 2.15 Patients who lack capacity and deceased patients, § 2.17 Undercover agents and informants, § 2.19 Disposition of records by discontinued programs, § 2.20 Relationship to state laws, § 2.21 Relationship to federal statutes protecting research subjects against compulsory disclosure of their identity, § 2.23 Patient access and restrictions on use and disclosure, § 2.24 Requirements for intermediaries, § 2.34 Uses and Disclosures to prevent multiple enrollments, § 2.35 Disclosures to elements of the criminal justice system which have referred patients, § 2.52 Scientific research, §§ 2.61-2.65 Court Orders Authorizing Use and Disclosure.

The Department provides its analysis of non-quantified benefits and burdens for the primary areas of proposed regulatory change below, followed by estimates and analysis of quantified benefits and costs in section (e).

§ 2.3—Civil and criminal penalties for violations (proposed heading).

The Department proposes to create limitations on civil and criminal liability for investigative agencies in the event they unknowingly receive Part 2 records in the course of investigating or prosecuting a Part 2 program or other person holding Part 2 records prior to obtaining the required court order under subpart E. This safe harbor would promote public safety by permitting agencies to investigate Part 2 programs and persons holding Part 2 records in good faith without risk of HIPAA/HITECH Act penalties. The liability limitations would be available only to agencies that could demonstrate reasonable diligence in attempting to determine whether a provider was subject to Part 2 before making a legal demand for records or placement of an undercover agent or informant. The proposed changes would benefit SUD providers, Part 2 programs, investigative agencies, and the courts, by encouraging agencies to seek information about a provider's Part 2 status in advance and potentially reduce the number of instances where applications for good cause court orders are denied. Incentivizing investigative agencies to check whether Part 2 applies in advance of investigating a provider would benefit the court system, programs public safety, patients, and agencies by enhancing efficiencies within the legal system, promoting the rule of law, and ensuring the Part 2 protections for records are utilized when applicable.

The limitations on liability for investigative agencies may result in more disclosures of patient records to such agencies by facilitating investigations and prosecutions of Part 2 programs and lawful holders. The Department believes that limiting the application of proposed § 2.3(b) to investigations and prosecutions of programs and holders of records, requiring non-identifying information in the application for the requisite court orders, and keeping patient identifying information under seal will provide strong and continuing protections for patient privacy while promoting public safety.

§ 2.16 Security for records and notification of breaches (proposed heading).

The Department proposes to add notification of breaches to § 2.16 so that the requirements of 45 CFR 164.400 et seq., would apply to breaches of Part 2 records programs in the same manner as those requirements apply to breaches of PHI. Notification of breaches is a cornerstone element of good information practices because it permits affected individuals or patients to take steps to remediate harm, such as putting fraud alerts on their credit cards, checking their credit reports, notifying financial institutions, and informing personal contacts of potential scams involving the patient's identity. It is difficult to quantify the value of receiving notification in comparison to the costs incurred in restoring one's credit, correcting financial records, or the cost of lost opportunities due to loss of income or reduced credit ratings.

The benefit to the patient of learning about a breach of personally identifying information includes the opportunity for the patient to take timely action to regain control over their information and identity. The Department does not have data to predict how many patients will sign up for credit monitoring or other identity protections after receiving a notification of breach of their Part 2 records; however, the Department believes that the costs to patients of taking these actions will be far outweighed by the savings of avoiding identity theft. Requiring Part 2 programs to provide breach notification would ensure that patients of such programs are provided the same informational protections as patients that receive other types of health care services from HIPAA covered entities.

§ 2.22 Patient Notice & 45 CFR 164.520 (NPP).

Patients, Part 2 programs, and covered entities are all likely to benefit from proposed changes to more closely align the Patient Notice and NPP regulatory requirements, which would simplify their compliance with the two regulations. The Department proposes to establish for patients the right to discuss the Patient Notice with a person designated by the program as the contact person and to include information about this right in the header of the Patient Notice as proposed in the HIPAA NPRM. These proposed changes would help improve a patient's understanding of the program's privacy practices and the patient's rights with respect to their records. Even for patients who do not request a discussion under this proposal, knowledge of the right may promote trust and confidence in how their records are handled.

§ 2.25 Accounting of Disclosures (proposed heading).

Adding a requirement to account for disclosures for TPO through an electronic health record would benefit patients by increasing transparency about how their records are used and disclosed for those purposes. This proposed requirement could counterbalance concerns about loss of control that patients may experience as a result of the proposed changes to the consent process that would permit all future TPO uses and disclosures based on a single general consent. The data logs that Part 2 programs would need to maintain to create an accurate and complete accounting of TPO disclosures could also be beneficial for such programs in the event of an impermissible access by enabling programs to identify the responsible workforce member or other wrongful actor.

§ 2.26 Right to request privacy protection for records (proposed heading).

Adding a new right for patients to request restrictions on uses and disclosures of their records for TPO is likely to benefit patients by giving them a new opportunity to assert their privacy interests to program staff, to address patients' concerns about who may see their records and what may be done with the information their records contain.

With respect to the right for patients to restrict disclosures to their health plan when patients have paid in full for services, patients will benefit by being shielded from potential harmful effects of some health plans' restrictive coverage policies or other potential negative effects, such as employers learning of patients' SUD diagnoses.

This right may also improve rates of access to SUD treatment because of patients' increased trust that they have the opportunity to ensure that their records will remain within the Part 2 program. A limitation on the benefits of this right is that it is only available to patients with the means to pay privately for SUD treatment.

Part 2 programs may benefit from increased frequency of patients paying in full out of pocket, which could decrease the time spent by staff in billing and claims activities. Part 2 programs also may benefit from increased patient trust in the programs' protection of records.

§ 2.31 Consent requirements and § 2.33 Uses and disclosures permitted with written consent (proposed heading).

The proposed changes to consent for Part 2 records are two-fold: changes to the required elements on the written consent form and a reduction in the instances where a separate written consent is needed (the process of obtaining consent). Proposed changes to the consent form for alignment with the HIPAA authorization form would likely benefit Part 2 programs because they would employ more uniform language and concepts related to information use and disclosure. Such changes may particularly benefit Part 2 programs that are also subject to the HIPAA Rules, so staff do not have to compare and interpret different terms on forms that request the use or disclosure of similar types of information.

Permitting patients to sign a single general consent for all uses and disclosures of their record for TPO, may carry both burdens and benefits to patients. Patients may benefit from a reduction in the amount of paperwork they must sign to give permission for routine purposes related to the treatment and payment and associated reductions in time spent waiting for referrals, transfer of records among providers, and payment of health insurance claims. At the same time, patients may experience a sense of loss of control over their records and the information they contain when they lose the opportunity to make specific decisions about which uses and disclosures they would permit. In some instances, the reduced ability to make specific use and disclosure decisions could result in a greater likelihood of harm to reputation, relationships, and livelihood.

Part 2 programs would likely benefit from the efficiencies resulting from permitting a general consent for all TPO uses and disclosures by freeing staff from burdensome paperwork. In contrast, clinicians in Part 2 programs may find it harder to gain the therapeutic trust needed for patients to divulge sensitive information during treatment if patients become less confident about where their information may be shared and their ability to control those uses and disclosures. Some potential patients may avoid initiating treatment altogether, which would harm both patients and programs.

Covered entities and business associates would benefit markedly from the ability to follow only one set of federal regulations when making decisions about using and disclosing Part 2 records by streamlining processes and simplifying decision making procedures. Additionally, covered entities and business associates would no longer need to segregate SUD treatment data and could improve care coordination and integration of behavioral health with general medical treatment, resulting in comprehensive holistic treatment of the entire patient.

In contrast, this proposal could also create a burden because covered entities and business associates subject to Part 2 may need to sort and filter Part 2 records for certain uses and disclosures, such as audit and evaluation activities that are health care operations, according to whether or not a patient consent for TPO has been obtained. The Department seeks comment and specific data on the number and type of Part 2 programs that are also HIPAA covered entities or business associates. The Department also solicits comment and data on any concerns or questions Part 2 programs may have about how the information technology currently available to them can support implementation of either or both of these proposed provisions.

§ 2.32 Notice to accompany disclosure. (proposed heading)

The proposed revisions to the notice accompanying each disclosure of Part 2 records made with written consent would benefit patients by ensuring that recipients of Part 2 records would be on notice of the expanded prohibition on use of such records against patients in legal proceedings even though uses and redisclosures for other purposes would be more readily permissible. Due to the proposed changes in redisclosure permissions for recipients of Part 2 records that are covered entities and business associates, the importance of the notice to accompany disclosure would increase.

Part 2 programs would benefit from having notice language that accurately reflects statutory changes in the privacy protections for records. Retaining the notice to accompany disclosure requirement would also ensure that certain protections for Part 2 records continue to “follow the record,” as compared to the Privacy Rule whereby protections are limited to PHI held by a covered entity or business associate.

§ 2.53 Management audits, financial audits, and program evaluation (proposed heading).

Programs that are also covered entities would benefit from the proposed changes that would clarify that the limits on use and disclosure for audit and evaluation purposes do not apply to covered entities and business associates to the extent these activities fall within the Privacy Rule disclosure permissions for health care operations. This benefit would provide regulatory flexibility for covered entities when Part 2 records are subject to audit or evaluation.

In some instances, a third-party auditor or evaluator may also be a Part 2 program or a covered entity or business associate. As recipients of Part 2 records, such third parties would be permitted to redisclose the records as permitted by the Privacy Rule, with patient consent for TPO. This flexibility would not extend to government oversight audits and evaluations.

§ 2.54 Disclosures for public health (new provision)

The Department proposes to create a new permission to disclose de-identified records without patient consent for public health activities, consistent with statutory changes. This would benefit public health by permitting records to be disclosed that would address the opioid overdose crisis and other public health issues related to SUDs, and it would protect patient confidentiality because the permission is limited to disclosure of de-identified records.

§ 2.66 Procedures and criteria for orders authorizing use and disclosure of records to investigate or prosecute a part 2 program or the person holding the records (proposed heading).

The Department proposes to specify the actions investigative agencies should take when they discover in good faith that they have received Part 2 records without obtaining the required court order, such as securing the records, ceasing to use or disclose the records, applying for a court order, and returning or destroying the records, as applicable to the situation. This proposal would provide the dual benefits of enabling agencies to move forward with investigations when they have unknowingly sought records from a Part 2 program and protecting patient privacy by ensuring agencies have clear responsibilities to continue protecting records even absent a court order. The proposal would limit the liability of investigative agencies that unknowingly obtain records without the necessary court order and increase agencies' effectiveness in prosecuting programs. The minimal burden for exercising reasonable diligence before an unknowing receipt of Part 2 records is outweighed by the reduction in risk of a penalty for noncompliance. This analysis applies as well to § 2.67 below.

§ 2.67 Orders authorizing the use of undercover agents and informants to investigate employees or agents of a part 2 program in connection with a criminal matter.

The Department's proposal would add a requirement for investigative agencies that seek a good cause court order after placement of an undercover agent or information in a Part 2 program to first meet the reasonable diligence criteria in § 2.3(b). This requirement would ensure that agencies take basic actions to determine whether a SUD treatment provider is subject to Part 2 before seeking to place an undercover agent or informant with the provider. Additionally, the reasonable diligence requirement would enhance patient privacy by ensuring that agencies consult available registries and visit websites or physical locations before placing agents in a position to access patients' records. As discussed above in reference to § 2.66, this proposal would also have the benefit of enhancing public safety and aid courts to streamline the application process for court orders for the use and disclosure of records.

§ 2.68 Report to the Secretary (proposed heading).

The Department's proposal to require annual reports by investigative agencies concerning applications for court orders made after receipt of Part 2 records would benefit programs, patients, and investigative agencies by making data available about the frequency of investigative requests made “after the fact.” This requirement would benefit agencies and programs by highlighting the potential need for increased awareness about Part 2's applicability. A program that makes its Part 2 status publicly known would benefit from the procedural protections afforded within the court order requirements of § 2.66 and § 2.67 in the event it becomes the target of an investigation. The proposed reporting requirement could also potentially serve as a deterrent to agencies from overly relying on the ability to obtain belated court orders instead of doing a reasonable amount of research to determine before making an investigative demand whether Part 2 applies. Any resulting reduction in unauthorized uses and disclosures of records could be viewed as a benefit by patients and privacy advocates. In contrast, investigative agencies could view the reporting requirement as an administrative burden requiring resources that otherwise could be used to pursue investigations.

e. Estimated Quantified Cost Savings and Costs From Proposed Changes

The Department has estimated quantified costs and cost savings likely to result from its proposed regulatory modifications for two core expense categories (capital expenses and workforce training) and seven substantive regulatory requirements. The remaining proposed regulatory changes are unlikely to result in quantifiable costs or cost savings, as explained following the discussion of projected costs and savings.

Capital Expenses

Capital expenses related to compliance with the proposed rule fall into two categories: notification of breaches and printing forms and notices. The Department's estimates for capital costs related to providing breach notification are based on estimates from the HIPAA ICR multiplied by a factor of 0.02, representing the proportion of Part 2 programs as compared to covered entities (774,331 × 16,066 = .02). For example, for an estimated 58,482 annual breaches of PHI the Department calculates that there are 1,170 breaches of Part 2 records (58,482 × .02 = 1,170), and associated costs. Those costs are estimated on an ongoing annual basis because programs could experience a breach at any time that would require notification.

The Department's estimate of the costs for printing revised consent forms is based on SAMHSA's Part 2 ICR estimates for total annual patient admissions to Part 2 programs at a rate of $0.10 per copy. Programs are already required to print forms and notices on an ongoing basis and no change to the number of such forms and notices is projected, so the Department has not added any new capital costs for printing the revised Patient Notice, NPP, and notice to accompany disclosures. However, the Department estimates that as a result of changes to the requirement to obtain consent for disclosures related to TPO, Part 2 programs and covered entities and business associates would experience cost savings from a significant reduction in the number of needed consent forms. The Department assumes that, on average, each patient's treatment results in a minimum of three written consents obtained by Part 2 programs, one each for treatment, payment, and health care operations purposes. The proposed changes would result in an estimated decrease in the total number of consents by two-thirds because only one patient consent would be required to cover all TPO uses and disclosures. At an estimated cost of $0.10 per consent, for a total of 1,864,367 annual patient admissions, this would result in an annual cost savings to Part 2 programs of 3,728,734 fewer written consents, or $372,873. The Department requests comment on its assumption and welcomes data that may help refine its estimates.

Additionally, covered entities and business associates that receive Part 2 records would also experience a reduced need to obtain written patient consent or a HIPAA authorization because redisclosure under the Privacy Rule does not require patient consent or authorization for TPO and many other purposes. The Department lacks data to make a precise estimate of projected cost savings, but each patient record disclosed to a covered entity or business associate would potentially generate a savings based on eliminating the need for the recipient to obtain additional consent for redisclosure. The Department has adopted a low cost savings estimate that one-half of Part 2 annual admissions would result in receipt of Part 2 records by a covered entity or business associate that would no longer be required to obtain specific written patient consent to redisclose such record, representing an annual capital expense savings from printing 932,184 fewer consent forms. At a per-consent cost of $0.10, this would result in annual savings of $93,218. The savings related to the cost of staff time to obtain the patient consent are estimated and discussed separately in the section on consent below.

Training Costs

Although Part 2 does not expressly require training and the proposed rule would not require retraining, the Department anticipates that all Part 2 programs would choose to train their workforce members on the modified Part 2 requirements to ensure compliance. The Department estimates the potential costs that all Part 2 programs would incur to train staff on the changes to the confidentiality requirements if they are finalized as proposed. As indicated in the chart below, only certain staff would need to be trained on specific topics and each program would rely on a training specialist whose preparation time would also be accounted for. As compared to the proposed HIPAA Privacy Rule right to discuss privacy practices, the costs for training Part 2 counselors include a higher number of staff per program because Part 2 programs would have no required Privacy Officer who is already assigned similar duties and would be more likely to incur costs for developing a new training regimen. The Department of Labor, Bureau of Labor Statistics (BLS) last reported statistics for substance use and behavioral disorder counselors separate from mental health counselors in 2016, and substance use and behavioral disorder counselors represented 65 percent of the combined total. The Department thus calculates its estimate for the number of substance use and behavioral disorder counselors as 65 percent of the workers in the BLS occupational category for “substance abuse, behavioral disorder, and mental health counselors” and uses that as a proxy for the number of Part 2 program counselors that would require training on the new Patient Notice or NPP. The Department estimates that a total of $12 million in one-time new training costs would be incurred in the first year of the final rule's implementation.

iii. Notification of Breaches

The Department estimates annual labor costs of $1.5 million to Part 2 programs for providing notification of breaches of unsecured records, including notification to the Secretary, affected patients, and the media, consistent with the requirements of the Breach Notification Rule. This estimate is derived from calculating two percent of the total estimated breach notification activities for covered entities and business associates under the Breach Notification Rule. Capital costs for providing breach notification are discussed separately in Table 5a above.

iv. Patient Notice and NPP

The Department estimates a first-year total of $2.4 million in costs to Part 2 programs for updating the Patient Notice and the NPP, as applicable, and providing patients a right to discuss the program's Patient Notice or NPP. Under the proposed modifications to § 2.22 and 45 CFR 164.520, as under the existing rules, a Part 2 program that is also a covered entity would only need to have one notice that meets the requirements of both rules, so the Department's estimates are based on an unduplicated count of Part 2 programs, each one needing to update either its Patient Notice or its NPP. The Department's estimate is based on the number of total entities and one hour of a lawyer's time to update the notice(s), as detailed in Table 8. The Department anticipates that the changed requirements for the NPP under this proposed rule and the HIPAA NPRM would become effective at the same time so that covered entities would only incur costs for printing, mailing, and posting a revised NPP one time. There would be no new costs for providers associated with distribution of the revised notice other than posting it on the entity's website (if it has one), as providers have an ongoing obligation to provide the notice to first-time patients. The Department bases the estimate on its previous estimates from the 2013 Omnibus Rule, in which the Department estimated approximately 613 million first time visits with health care providers annually. Health plans that post their NPP online would incur minimal costs by posting the updated notice, and then, including the updated NPP in the next annual mailing to subscribers. The Department estimates a potential increase in costs for health plans that do not post an NPP online or provide an annual mailing to subscribers. The increased costs would be associated with the requirement to mail an updated NPP to subscribers within 60 days of making a material change. The Department requests comments on the burdens on covered entity health plans of doing a separate mailing for the updated NPP if they are not subject to requirements in other law for an annual mailing, how many such entities there are, whether there should be an exception to allow entities to send it in the next three-year mailing, and any unintended adverse consequences for individuals of creating such an exception.

In addition to the costs of updating the Patient Notice and NPP, the Department estimates that programs would incur ongoing costs to implement the right to discuss a program's Patient Notice or NPP calculated as 1 percent of all patients, or 18,644 requests, at the hourly wage of a substance abuse, behavioral disorder, and mental health counselor, as defined by BLS, for an average of 7 minutes per request or $111,887 total per year. The number of discussions is based on the same percentage of new patients as the parallel proposal in the HIPAA NPRM, which reflects the anticipated number of patients who would ask to speak with the identified contact person about the NPP or Patient Notice. It does not include the discussion that each counselor may have with a new patient about confidentiality in the clinical context which the Department views as part of treatment.

v. Accounting of Disclosures

The Department's estimate of minimal annual costs to Part 2 programs for providing patients an accounting of disclosures is based on OCR's estimates for covered entities to comply with the requirements in 45 CFR 164.528 multiplied by a factor of .02. This represents two percent of the total estimated requests for an accounting of disclosures under the Privacy Rule. The Department included this estimate in its calculations (detailed in Table 8), although it is negligible, due to the CARES Act mandate to include the requirement in Part 2. The responses to OCR's 2018 Request for Information on Modifying HIPAA Rules to Improve Coordinated Care indicated that covered entities and their business associates receive very few requests for an accounting of disclosures annually (a high of .00006). The Department is unable to estimate the additional burdens, if any, of offering these accountings in a machine readable or other electronic format (unless the individual requests otherwise). Further, the Department lacks specific information about the costs to revise electronic health record systems to generate a report of disclosures for TPO, other than they could be substantial. The Department asks for public comments or information that will help to estimate these burdens.

Requests for Privacy Protection for Records

The Department estimates that Part 2 programs would incur a total of $1,590 in annual costs arising from the right to request restrictions on disclosures. OCR's HIPAA ICR estimate of costs for covered entities to comply with the parallel requirement under 45 CFR 164.522 represents a doubling of previous estimated responses from 20,000 to 40,000. However, costs remain low for compliance with this regulatory requirement, in part because the requirement to accept a patient's request for restrictions is mandatory only for services for which the patient has paid in full; the cost of complying with a request not to disclose records or PHI to a patient's health plan occurs in a context in which providers are saved the labor that would be needed to submit claims to health insurers. The details of the Department's estimate are noted in Table 8.

Updated Consent Form

The Department estimates that each program would incur the costs for 40 minutes of a lawyer's time to update its patient consent form for use and disclosure of records. This would result in an estimated total nonrecurring cost of approximately $1.5 million, to be incurred in the first year after publication of a final rule, as detailed in Table 8 below.

Updated Notice To Accompany Disclosures

The Department estimates that each program would incur the costs for 20 minutes of a health care managers' time to update the regulatory notice that is to accompany each disclosure of records with written patient consent. The Department believes that a manager can accomplish this task, rather than a lawyer, because specific text for the notice to accompany disclosure is required and is included in the proposed regulation. For a total of 16,066 programs this would result in estimated total nonrecurring costs in the first year of the rule's implementation of approximately $0.6 million as detailed in Table 8 below.

New Reporting to the Secretary

The proposed reporting requirement in proposed § 2.68 would be directed to those agencies that investigate and prosecute programs and holders of Part 2 records. Part 2 programs are subject to investigations for Medicare and Medicaid fraud and diversion of opioids used in medication assisted treatment (MAT). Medicaid and Medicare fraud investigations may involve both the Department of Justice (DOJ) and the HHS Office of the Inspector General (OIG). The Department estimates that these agencies conduct approximately 225 investigations of Part 2 programs annually. For fiscal years 2019 and 2020 the HHS OIG reported the number of end-of-year open enforcement cases as 159 and 191, respectively, for an average of 175 per year, and annual criminal convictions and civil settlements or penalties totaling 19 and 16, respectively, for an average of 18 annual cases. Open Medicaid Fraud Cases of SUD Providers at end of FY 2020 included 140 criminal and 51 civil settlements or penalties for a total of 191. At the end of FY 2019, the total was 159. Additionally, the Drug Enforcement Agency's (DEA) Drug Diversion Division reported actions against 50 registrants in 2020. The Department adds this number to the average of 175 health fraud cases, for an estimate of 225 investigations annually. The Department assumes, as an over-estimate, that all 225 cases targeted Part 2 programs and that all cases result in a required report under proposed § 2.68.

The burden on investigative agencies for annual reporting about unknowing receipt of Part 2 records prior to a court order would include the labor of gathering data and submitting it to the Secretary. As a proxy for this burden, the Department estimates that the labor would be equal to that of reporting large breaches of PHI under HIPAA which has been calculated at 1.5 hours per response at an hourly wage rate of $76.43 for a total estimated cost of $114.65 per response. For an estimated 225 annual investigations this would result in a total cost of $25,794. This figure, albeit low, represents an overestimate because it assumes 100 percent of investigations would involve unknowing receipt of Part 2 records prior to seeking a court order. The Department assumes that the actual proportion of investigations falling within the reporting requirement would be less than 25 percent of cases, although it lacks data to substantiate this assumption, and welcome comments and data to better inform all of the assumptions related to the estimated costs.

Proposed Changes Resulting in Negligible Fiscal Impact

§§ 2.1-2.4 Statutory authority and enforcement.

While civil enforcement of Part 2 by the Department may increase costs for Part 2 programs or lawful holders that experience a breach or become the subject of a Part 2 complaint or compliance review, the costs of responding to a potential violation are not calculated separately from the costs of complying with proposed new or changed regulatory requirements. Thus, the Department's analysis does not estimate any program costs for the proposed changes to §§ 2.1 through 2.4 of 42 CFR part 2.

§ 2.11 Definitions.

Proposed changes to the regulatory definitions are not likely to create significant increases or decreases in burdens for Part 2 programs or covered entities and business associates. These entities, collectively, would benefit from the regulatory certainty resulting from clarification of terms; however, the proposed definitions are generally intended to codify current usage and understanding of the defined terms.

§ 2.12 Applicability.

The proposal to change “Armed Forces” to “Uniformed Services” in paragraph (c)(2) of § 2.12 is likely to result in only a negligible change in burden because this terminology is already in use in 42 U.S.C. 290dd-2. Adding “uses” and “disclosures” in several places provides clarity and consistency, but is unlikely to create quantifiable costs or cost savings. Adding the four express statutory restrictions on use and disclosure of records for court proceedings in paragraph (d)(1) of this section will likely result in no significant burden change, as the restrictions on use and disclosure of records for criminal investigations and prosecutions of patients are already stringent and the ability to obtain a court order remains. Excluding covered entities from the restrictions applied to other “third-party payers” in paragraph (d)(2) of this section would reduce burden on covered entities that are health plans because they will be permitted to disclose records for a wider range of health care operations than under the current regulation. However, this burden reduction is similar to that for all covered entities under the proposed rule, so the Department has not estimated the costs or benefits separately from the effects of § 2.33, Uses and disclosures permitted with written consent.

§ 2.13 Confidentiality restrictions and safeguards.

The primary proposed change to this section is to remove paragraph (d) and redesignate it as § 2.24. Additionally, adding the term “use” to the circumstances when disclosures are permitted or prohibited provides clarification, but is unlikely to generate a change in burden associated with this provision.

§ 2.14 Minor patients.

The proposed changes to this section would clarify that a program director may clinically evaluate whether a minor has decision making capacity, but not issue a legal judgment to that effect. The proposals would also add “uses” to “disclosures” as the types of activities regulated under this section. None of the proposed changes would be likely to result in quantifiable burdens to Part 2 programs.

§ 2.15 Patients who lack capacity and deceased patients.

The Department's proposed modification will replace outdated references to incompetence and instead refer to a lack of capacity to make health care decisions and will add “uses” to “disclosures” to describe the activities permitted when certain conditions are met. These clarifications and additions are unlikely to generate a change in burden that can be quantified, and thus they are not included in the Department's calculation of estimated costs and cost savings.

§ 2.20 Relationship to state laws.

The Department proposes to add the term “use” to describe activities regulated by this section. Similar to 42 CFR part 2, state laws impose restrictions on uses and disclosures related to SUD and the Department assumes programs subject to regulation by this part would be able to comply with Part 2 and the state law. The Department does not anticipate these proposed changes would result in a quantifiable increase or decrease in burden.

§ 2.21 Relationship to federal statutes protecting research subjects against compulsory disclosure of their identity.

The Department replaced “disclosure and use” with “use and disclosure” to align the language of this section with that of the Privacy Rule. The edit does not require any changes to existing Part 2 requirements. The Department does not anticipate this proposed change would result in a quantifiable increase or decrease in burden.

§ 2.24 Requirements for intermediaries. (redesignated and proposed heading)

The Department estimates no change in burdens and benefits as a result of this regulatory clarification because no substantive change is intended.

§ 2.34 Uses and disclosures to prevent multiple enrollments.

The Department proposes to add the term “uses” to the heading and incorporate minor word changes and style edits for clarity. The edits do not require any changes to existing Part 2 requirements. The Department does not anticipate these proposed changes would result in a quantifiable increase or decrease in burden.

§ 2.35 Disclosures to elements of the criminal justice system which have referred patients.

The Department proposes to replace the term “individuals” with “persons,” clarify that permitted redisclosures of information are from Part 2 records, and make minor word and style edits for clarity. The edits do not require any changes to existing Part 2 requirements. The Department does not anticipate these proposed changes would result in a quantifiable increase or decrease in burden.

§ 2.52 Scientific research (proposed heading)

The Department considered whether the proposal to align the de-identification standard in § 2.52 (and throughout Part 2) with the Privacy Rule de-identification standard in 45 CFR 164.514 would significantly increase burden for Part 2 programs or result in any unintended negative consequences. The Department concluded that the proposed change would not significantly increase burden because a Part 2 program would need to follow detailed protocols to ensure that the current standard is met that are similar to the level of work needed to adhere to the Privacy Rule standard. Additionally, the proposal would ensure that all Part 2 programs are following similar standards for de-identification, which would benefit researchers when creating data sets from different Part 2 programs, by enabling them to populate the data sets with similar content elements.

§ 2.53 Management audits, financial audits, and program evaluation. (proposed heading)

The proposal to clarify that some audit and evaluation activities may be considered health care operations could be used by Part 2 programs, covered entities, and business associates to obtain records based on consent for health care operations and then such entities could redisclose them as permitted by the Privacy Rule. The Privacy Rule may allow these entities greater flexibility to use or redisclose the Part 2 records for permitted purposes as compared to the limitations contained in § 2.53 of Part 2. For Part 2 programs that are covered entities, this proposed change could result in burden reduction because they would not have to track the records used for audit and evaluation purposes as closely; however, the Department is without data to quantify the potential cost reduction. For business associates, there would likely be no change in burden because they are already obligated by contract to only use or disclose PHI (which may be Part 2 records) as allowed by the agreement with the covered entity.

As discussed in preamble, the disclosure permission under § 2.53 would continue to apply to audits and evaluations conducted by a health oversight agency without patient consent. The Department does not believe that the text of section 3221(e) of the CARES Act indicates congressional intent to alter the established oversight mechanisms for Part 2 programs, including those that provide services reimbursed by Medicare, Medicaid, and Children's Health Insurance Program (CHIP). The Department also intends that a government agency conducting activities that could fall within either § 2.53 or § 2.33 for health care operations would have the flexibility to choose which permission to rely on and would not have to meet the conditions of both sections. In the event that the agency is a covered entity that has received the records based on a consent for TPO, it could further redisclose the records as permitted by the Privacy Rule.

§ 2.54 Disclosures for public health. (proposed heading)

The Department does not believe that an express permission to disclose records to public health authorities without patient consent will impact burdens to a significant degree. While programs will likely experience a burden reduction from the lifting of a consent requirement, the permission may cause an increase in disclosures to public health authorities, resulting in a net impact of no change to burdens. Additionally, to the extent these disclosures are required by other law, the compliance burden is not calculated as a change caused by Part 2.

§§ 2.61-2.65 Procedures for court orders.

The Department lacks sufficient data to estimate the number of instances where the expanded scope of protection from use or disclosure of records against the patient in legal proceedings (including in administrative and legislative forums) would result in increased applications for court orders authorizing the disclosure of Part 2 records or testimony.

§ 2.66 Procedures and criteria for orders authorizing use and disclosure of records to investigate or prosecute a part 2 program or the person holding the records. (proposed heading)

Proposed § 2.66(a)(3) provides specific procedures for investigative agencies to follow upon discovering after the fact that they are holders of Part 2 records, such as securing, returning, or destroying the records and optionally seeking a court order under subpart E. Although the existing regulation does not expressly require law enforcement agencies to return or destroy records that it cannot use in investigations or prosecutions against a program when it does not obtain the required court order, it requires lawful holders to comply with § 2.16 Security for records. The Department developed the proposed requirements in § 2.66(a)(3) (to return or destroy records that an investigative agency is unable to use or disclose in an investigation or prosecution) to parallel the existing requirements in § 2.16 for programs and lawful holders to establish policies for securing paper and electronic records, removing them, and destroying them. The proposed § 2.66 requirements to obtain a court order, or to return or destroy the records within a reasonable time (no more than 120 days from discovering it has received Part 2 records), would not significantly increase the existing burden for investigative agencies to comply with § 2.16. The Department requests comment on these assumptions and data on the burden for complying within 120 days of discovering that an investigative agency has unknowingly received Part 2 records.

§ 2.67 Orders authorizing the use of undercover agents and informants to investigate employees or agents of a part 2 program in connection with a criminal matter.

Proposed § 2.67(c)(4) restricts an investigative agency from seeking a court order authorizing placement of an undercover agent or informant unless it has first exercised reasonable diligence as described by proposed § 2.3(b), which provides that steps such as checking an available prescription drug monitoring program (PDMP) or visiting the provider's website or physical location to determine if it is providing SUD-related services shall presumptively constitute reasonable diligence. This provision serves as a prerequisite that would allow an investigative agency to continue placement of the undercover agent or informant in a Part 2 program by correcting an error of oversight if the investigative agency learns after the fact that the undercover agent or informant is in a Part 2 program and avoiding the risk of penalties for the violation. The Department anticipates that the burden for checking a PDMP or a program's website or physical location to ascertain whether the program provides SUD treatment would be minimal, as these activities would normally be included in the course of investigating and prosecuting a program. The proposed requirement would merely shift the timing of these actions in some cases so that investigative agencies ensure they are completed prior to requesting court approval of an undercover agent or use of an informant. The primary burden on investigative agencies would be to include a statement in an application for a court order after learning of the program's Part 2 status after the fact, that the investigator or prosecutor first exercised reasonable diligence to determine whether the program provided SUD treatment. The burden for including this statement within an application for a court order is minimal and could consist of standard language used in each application. Thus, the Department has not calculated specific quantitative costs for compliance. The Department requests comment on the likely utilization of the proposed safe harbor involving undercover agents and informants.

f. Costs Borne by the Department

This rule would have a cost impact on HHS. HHS has the primary responsibility to assess the regulatory compliance of covered entities and business associates and Part 2 programs. This proposed rule would extend those responsibilities to Part 2 programs. In addition to promulgating the current regulation, HHS would be responsible for developing guidance and conducting outreach to educate the regulated community and the public. HHS also would be required to investigate and resolve complaints and compliance reviews as part of its expanded responsibility for Part 2 compliance and enforcements. The Department estimates that implementing the proposals would require two full-time policy employees (or contractors) at the OPM General Schedule (GS) GS-14 or equivalent level who will develop regulation, guidance, and national-level outreach. Additionally, the Department estimates needing eight full-time employees (or contractors) for enforcement at a GS-13 or equivalent level to investigate, train investigators, and provide local outreach to regulated entities. The Department also estimates costs for hiring a contractor to create a breach portal or a Part 2 module for the existing HIPAA breach portal. The initial posting of such breaches is automated, and HHS currently pays a contractor approximately $13,000 annually to maintain the database to receive reports of breaches from covered entities. The Department estimates approximately $13,000 to hire a second contractor to maintain the database to receive reports of breaches from Part 2 programs. Additionally, HHS drafts and posts summaries of each large breach on the website at a labor cost of approximately $22,600 per year. To implement these policies, the Department estimates that initial Federal costs will be approximately $1,695,716 million. The Department estimates that based on the GS within grade step increases for each of the proposed GS-13 and GS-14 employees the Federal costs will be approximately $8,972,716 million over 5 years.

Comparison of Benefits and Costs

4. Consideration of Regulatory Alternatives

The Department carefully considered several alternatives to the proposals in this NPRM. The Department welcomes public comment on any benefits or drawbacks of the following alternatives it considered while developing the NPRM.

Definitions for “breach,” “health care operations,” “lawful holder,” and “third-party payer.”

Breach. The Department considered adopting only the first sentence of the HIPAA definition of breach in the introductory text of the paragraph and not the remainder of the definition. The Department considered that the HIPAA definition, which includes exclusions from the term breach ( i.e., unintentional access, inadvertent disclosure, disclosure based on good faith belief that an unauthorized recipient would not reasonably been able to retain the information) did not offer a parallel level of protection to Part 2 records as is intended by its overall structure of requiring consent for most disclosures. However, due to the amount of overlap between the types of entities that must comply with both Part 2 and the HIPAA Rules, the Department decided to adopt the HIPAA breach definition in its entirety. Congress was aware of the Breach Notification Rule when it passed the CARES Act, so the Department assumes that Congress intended to apply the full scope of the definition to Part 2 records. The Department welcomes comments on any unintended negative consequences of this approach and how any alternative approaches could be implemented consistent with Congressional intent.

Health care operations. The Department considered including the “Sense of Congress” in section 3221(k)(4) of the CARES Act, which states that the definition of health care operations shall have the same meaning as provided in the HIPAA Rules except that clause (v) of paragraph (6) shall not apply. This would have had the effect of excluding from the HIPAA disclosure and redisclosure permissions the use of records for fundraising. In contrast, the Department also considered not including the Sense of Congress in any provision of the proposed rule. This would have narrowly hewed to the statutory amendment mandated by section 3221 of the CARES Act without acknowledging Congressional intent. Instead, the Department proposed to add an opt-in approach for fundraising activities in the requirements for a written consent proposed at § 2.31(a)(5). The Department similarly is proposing in § 2.22 and 45 CFR 164.520 to require that programs and covered entities provide notice to a patient that the use and disclosure of records for such activities may be made only with the patient's written consent. The Department welcomes comments on any unintended adverse consequences of this approach and how any alternative approaches could be implemented consistent with statutory authority and Congressional intent.

Lawful holder. Although not required by the CARES Act, the Department considered proposing a new regulatory definition for the term “lawful holder,” which is not currently defined in Part 2. The definition would be drawn from the Department's descriptions of lawful holders in previous Part 2 proposed and final rule preambles. In particular, the Department considered whether the definition was needed to distinguish the category of records recipients that includes covered entities, business associates, qualified service organizations, and other components of the health care system from other types of recipients of records based on a written patient consent for purposes of applying different requirements to the different categories.

SAMHSA has described a lawful holder as “an individual or entity who has received such information as the result of a part 2-compliant patient consent (with a notice to accompany disclosure) or as a result of one of the exceptions to the consent requirements in the statute or implementing regulations and, therefore, is bound by 42 CFR part 2.” Further, § 2.33(a) provides that a valid consent may name any person or category of persons: “If a patient consents to a disclosure of their records under § 2.31, a [P]art 2 program may disclose those records in accordance with that consent to any person or category of persons identified or generally designated in the consent, except that disclosures to central registries and in connection with criminal justice referrals must meet the requirements of §§ 2.34 and 2.35, respectively.” Taken together, the description of lawful holder and provision on consent mean that any person who receives records pursuant to a valid consent could be considered a lawful holder, and thus subject to the Part 2 requirements that apply to lawful holders.

The Department is concerned that some of the restrictions and obligations placed on lawful holders are not appropriate to apply across all types of persons who receive Part 2 records pursuant to a consent. For example, a patient's family member who receives a record based on consent could not be reasonably expected to develop policies and procedures for securing records. To address this concern, the Department considered proposing a definition that would exclude certain types of persons, such as those who are acting in their capacity as private citizens (rather than in a professional or official capacity as part of the health care system or government authority, for example). The Department also considered a definition that would expressly include only covered entities, Part 2 programs, any person conducting diagnosis, treatment, or referral for treatment, billing or payment, and any other purpose related to a patient's enrollment or participation in a Part 2 program. However, the Department is concerned that inserting a new definition in regulatory text may inadvertently exclude persons who rightfully should be subject to Part 2 requirements and restrictions that apply to both Part 2 programs and lawful holders.

The Department has considered that a small minority of recipients of Part 2 records based on a patient's consent may not be properly subject to regulatory requirements that apply only to Part 2 programs and lawful holders. For example, it is unclear how the Department would enforce organizational requirements, such as policies and procedures, against some persons who receive records based on written consent, such as natural persons who are family members of a patient and are not acting in any professional or official capacity.

Therefore, rather than propose a regulatory definition or create an enforcement exception, the Department instead asks for comment on what would be reasonable to expect of a person who is a lawful holder, but not a covered entity, business associate, or qualified service organization with respect to protecting records against unauthorized use and disclosure or security threats. The Department requests comment on whether it would be appropriate to include a definition of lawful holder—and, if so, what persons should be considered lawful holders.

Third-party payer. The Department considered removing the term “third-party payer” from the regulations because the definition is limited to entities with a contractual obligation to pay for Part 2 services, many of which are covered entity health plans to whom Part 2 redisclosure restrictions will no longer apply. Upon further consideration, the Department determined that some Part 2 programs may be paid based on a contractual obligation between the payer and the patient, but by entities other than a health plan. Retaining a narrower definition of third-party payer rather than removing the definition entirely would ensure that the restrictions on redisclosure are maintained for any third-party payers that are not covered entities. The Department welcomes data on how many and what types of third-party payers are not covered entities.

Exception for reporting suspected abuse and neglect.

The Department considered expanding the exception under § 2.12(c)(6) for reporting suspected child abuse and neglect to include reporting suspected abuse and neglect of adults. Such an expansion would be consistent with the Privacy Rule permission to report abuse, neglect, or domestic violence at 45 CFR 164.512(c), and could be beneficial for vulnerable adults, such as persons who are incapacitated or otherwise are unable to make health care decisions on their own behalf. However, § 2.12(c)(6), under the authority of 42 U.S.C. 290dd-2, limits the reporting of abuse and neglect to reporting child abuse and neglect as required by State or local law. Further, section (c) of the authorizing statute also restricts uses of records in criminal, civil, or administrative contexts, which could include investigations by a protective services agency, for example, unless pursuant to a court order or with the patient's consent. Therefore, the Department determined that expanding the exception under § 2.12(c)(6) to include reporting abuse and neglect of adults would exceed the statutory authority.

Security of records and notification of breaches.

The Department considered retaining the current language in § 2.16 (a)(1)(v) with respect to “non-identifiable” information and adding a reference to the Privacy Rule standard with the phrase “as consistent with 45 CFR 164.514.” Upon consideration, the Department decided instead to insert text from the Privacy Rule de-identification standard and a reference to 45 CFR 164.514 to more closely align the two sets of regulations.

The Department also considered further harmonizing Part 2 and the HIPAA Rules by applying the Security Rule, or components of it, to Part 2 programs and other lawful holders with respect to electronic Part 2 records. The Security Rule contains standards and implementation specifications for securing electronic PHI that are consistent with industry best practices, and the implementation of robust security safeguards can prevent many breaches of patients' Part 2 records. However, the CARES Act did not make the Security Rule applicable to Part 2 programs. Therefore, the Department believes it does not have statutory authority to the Security Rule to encompass Part 2 programs that are not covered entities or business associates. The Department requests comment on this interpretation and on whether the Part 2 security provisions should be modified to incorporate additional or different safeguards consistent with the Security Rule.

Patient Notice and NPP.

The Department considered proposing more limited modifications to the Patient Notice in § 2.22 to narrowly address only those changes specifically identified in section (i)(2) of the CARES Act, without incorporating into the Patient Notice other aspects of the NPP. However, the Department determined that greater alignment between the requirements of the Patient Notice and NPP would create more consistency in notices among Part 2 programs and other types of health care providers, and thus more consistency in patients' understanding and expectations regarding their rights and regulated entities' duties with respect to their Part 2 records.

Adding a requirement for notification of TPO consent.

The Department considered adding a requirement to § 2.32 to require Part 2 programs to notify the recipient that a record is being disclosed to them pursuant to a global consent for TPO or whether it is a more limited consent. The Department considered how this might help covered entities to avail themselves of the new redisclosure permissions enacted into the CARES Act by section 3221(b) so that they would be aware when they could redisclose a record according to the HIPAA Rules. However, the Department determined that this would be unduly burdensome on Part 2 programs. The Department requests comment on this alternative and the extent to which covered entities that receive Part 2 records are aware of the purpose of the disclosure and how that information is conveyed between programs and covered entity recipients of Part 2 records.

Adding a new definition for “confidential communications.”

The Department considered adding a new definition for “confidential communications” as an alternative modification to § 2.63 (confidential communications). Specifically, the Department considered whether to propose incorporating in regulatory text a preamble description of “confidential communications” from prior Part 2 rulemaking, which describes the term as “the essence of those matters to be afforded protection” and “highly sensitive communication.” The Department did not propose this approach as it is only used in one specific context and a new definition would likely create unnecessary complexity without improving understanding of the regulatory requirements.

Creating limitations on liability for investigative agencies' unknowing receipt of Part 2 records.

The Department considered creating an enforceable requirement for Part 2 programs to notify investigative agencies of the applicability of Part 2 when presented with an investigative demand for records, but deemed this an unnecessary burden on programs. Instead, the Department created prerequisites for investigative agencies to meet before they could benefit from liability protection, and thus avoided any increased burden on programs.

5. Request for Comments on Costs and Benefits

The Department requests public comment on all the estimates, assumptions, and analyses within the cost-benefits analysis, including the costs to regulated entities and patients. The Department also requests comments on any relevant information or data that would inform a quantitative analysis of proposed reforms that the Department qualitatively addresses in this RIA. The Department also requests comments on whether there may be other indirect costs and benefits resulting from the proposed changes in the proposed rule and welcomes additional information that may help quantify those costs and benefits.

B. Regulatory Flexibility Act

The Department has examined the economic implications of this proposed rule as required by the Regulatory Flexibility Act (5 U.S.C. 601-612). If a rule has a significant economic impact on a substantial number of small entities, the Regulatory Flexibility Act (RFA) requires agencies to analyze regulatory options that would lessen the economic effect of the rule on small entities. For purposes of the RFA, small entities include small businesses, nonprofit organizations, and small governmental jurisdictions. The Act defines “small entities” as (1) a proprietary firm meeting the size standards of the Small Business Administration (SBA), (2) a nonprofit organization that is not dominant in its field, and (3) a small government jurisdiction of less than 50,000 population. Because 90 percent or more of all health care providers meet the SBA size standard for a small business or are nonprofit organization, the Department generally treats all health care providers as small entities for purposes of performing a regulatory flexibility analysis. The SBA size standard for health care providers ranges between a maximum of $8 million and $41.5 million in annual receipts, depending upon the type of entity.

The projected costs and savings are discussed in detail in the regulatory impact analysis (section 3a). This proposed rule would create average net costs for regulated entities (Part 2 programs and covered entities), many of which are small entities, and the proposed changes are needed to implement required statutory changes. As its measure of significant economic impact on a substantial number of small entities, HHS uses a threshold for the size of the impact of 3 to 5 percent. The total costs from this rule are estimated to be $10,582,027, spread across 774,331 small entities. The average cost per small entity over 5 years is equal to $13.67, and we do not believe that this threshold will be reached by the requirements in this proposed rule. Therefore, the Secretary certifies that this proposed rule would not result in a significant negative impact on a substantial number of small entities.

C. Unfunded Mandates Reform Act

Section 202(a) of The Unfunded Mandates Reform Act of 1995 (UMRA) requires that agencies assess anticipated costs and benefits before issuing any rule whose mandates require spending that may result in expenditures in any one year of $100 million in 1995 dollars, updated annually for inflation. In 2021, that threshold is approximately $158 million. The Department does not anticipate that this proposed rule would result in the expenditure by state, local, and tribal governments, taken together, or by the private sector, of $158 million or more in any one year. The proposals, however, present novel legal and policy issues, for which the Department is required to provide an explanation of the need for this proposed rule and an assessment of any potential costs and benefits associated with this rulemaking in accordance with Executive Orders 12866 and 13563. The Department presents this analysis in the preceding sections.

D. Executive Order 13132—Federalism

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct requirement costs on state and local governments, preempts state law, or otherwise has federalism implications. The Department does not believe that this rulemaking would have any federalism implications.

The federalism implications of the Privacy, Security, Breach Notification, and Enforcement Rules were assessed as required by Executive Order 13132 and published as part of the preambles to the final rules on December 28, 2000, February 20, 2003, and January 25, 2013. Regarding preemption, the preamble to the final Privacy Rule explains that the HIPAA statute dictates the relationship between state law and Privacy Rule requirements, and the Rule's preemption provisions do not raise federalism issues. The HITECH Act, at section 13421(a), provides that the HIPAA preemption provisions shall apply to the HITECH Act provisions and requirements.

The Federalism implications of Part 2 were assessed and published as part of the preamble to proposed rules on February 9, 2016.

The Department anticipates that the most significant direct costs on state and local governments would be the cost for state and local government-operated covered entities to revise consent forms, policies and procedures, providing notification in the event of a breach of Part 2 records and drafting, printing, and distributing Patient Notices or NPPs for individuals with first-time health encounters. The regulatory impact analysis above addresses these costs in detail.

In considering the principles in and requirements of Executive Order 13132, the Department has determined that these proposed modifications to the Privacy Rule would not significantly affect the rights, roles, and responsibilities of the States.

E. Assessment of Federal Regulation and Policies on Families

Section 654 of the Treasury and General Government Appropriations Act of 1999 requires Federal departments and agencies to determine whether a proposed policy or regulation could affect family well-being. If the determination is affirmative, then the Department or agency must prepare an impact assessment to address criteria specified in the law. The Department believes that these regulations would positively impact the ability of patients and families to coordinate treatment and payment for health care, particularly for families to participate in the care and recovery of their family members experiencing SUD treatment, by aligning the permission for covered entities and business associates to use and disclose records disclosed to them for TPO purposes with the permissions available in the Privacy Rule. The Department does not anticipate negative impacts on family well-being as a result of this regulation or the separate rulemaking as described.

F. Paperwork Reduction Act of 1995

Under the Paperwork Reduction Act of 1995 (PRA) (Pub. L. 104-13), agencies are required to submit to the Office of Management and Budget (OMB) for review and approval any reporting or record-keeping requirements inherent in a proposed or final rule, and are required to publish such proposed requirements for public comment. The PRA requires agencies to provide a 60-day notice in the Federal Register and solicit public comment on a proposed collection of information before it is submitted to OMB for review and approval. To fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the PRA requires that the Department solicit comment on the following issues:

1. Whether the information collection is necessary and useful to carry out the proper functions of the agency;

2. The accuracy of the agency's estimate of the information collection burden;

3. The quality, utility, and clarity of the information to be collected; and

4. Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

The PRA requires consideration of the time, effort, and financial resources necessary to meet the information collection requirements referenced in this section. The Department explicitly seeks, and will consider, public comment on its assumptions as they relate to the PRA requirements summarized in this section. To comment on the collection of information or to obtain copies of the supporting statements and any related forms for the proposed paperwork collections referenced in this section, email your comment or request, including your address and phone number to Sherrette.Funn@hhs.gov, or call the Reports Clearance Office at (202) 690-6162. Written comments and recommendations for the proposed information collections must be directed to the OS Paperwork Clearance Officer at the above email address within 60 days.

As discussed below, the Department estimates a total program burden associated with all proposed Part 2 changes of 565,029 hours and $43,911,857, including capital costs and one-time burdens, across all 16,066 Part 2 programs for 1,864,367 annual patient admissions. On average, this equates to an annual burden of 35 hours and $2,733 per Part 2 program and 0.30 hours and $24 per patient admission. Excluding one-time costs that would be incurred in the first year of the final rule's implementation, the average annual burden would be 22 hours and $1,704 per Part 2 program and 0.19 hours and $15 per patient admission. In addition to program burdens, the Department's proposals would increase burdens on investigative agencies for reporting annually to the Secretary in the collective amount of 338 hours of labor and $25,795 in costs. This would result in a total burden for Part 2 of 565,367 hours in the first year after the rule becomes effective and 350,172 annual burden hours thereafter.

Further, due to the proposed changes to 45 CFR 164.520, covered entities may need to update their NPP in order to comply with the documentation requirements of 45 CFR 164.530. Section 164.530 contains the administrative requirements for covered entities, including documenting training of personnel, updating policies and procedures, and updating the NPP in accordance with changes in the law. Due to these proposals, the burden for respondent covered entities to comply with the requirements of the suite of HIPAA Rules (Privacy, Breach Notification, Security, and Enforcement) would increase by 258,110 burden hours.

In this NPRM, the Department is revising certain information collection requirements and, as such, is revising the information collection last prepared in 2020 and previously approved under OMB control #0930-0092. The Department is also revising the NPP information collection requirements in OCR's HIPAA ICR previously approved under OMB control #0945-0003. The estimated burdens of these proposed changes are shown in the tables that follow.

1. Explanation of Estimated Annualized Burden Hours for 42 CFR Part 2

The Department presents, in separate tables below, revised estimates for existing burdens (Table 11), previously unquantified ongoing burdens (Table 12), new ongoing burdens of the proposals (Table 13), and new one-time burdens of the proposals (Table 13).

As shown in Table 11, the Department is adjusting the currently approved burden estimates to reflect an increase in the number of Part 2 programs, from 13,585 to 16,066. The respondents for this collection of information are publicly (Federal, State, or local) funded, assisted, or regulated SUD treatment programs. The estimate of the number of such programs (respondents) is based on the results of the 2020 National Survey of Substance Abuse Treatment Services (N-SSATS), which represents an increase of 2,481 program from the 2017 N-SSATS which was the basis for the approved ICR under OMB No. 0930-0335. The average number of annual total responses is based the results of the average number of SUD treatment admissions from SAMHSA's 2019 Treatment Episode Data Set (TEDS) as the number of annual patient admissions by part 2 programs (1,864,367 patients).) To accurately reflect the number of disclosures, the Department based some estimates on the number of patients (or a multiple of that number) and then divided by the number of programs to arrive at the number of responses per respondent. The Department based other estimates on the number of programs and then multiplied by the estimated number of disclosures to arrive at the total number of responses.

The estimate in the currently approved ICR includes the time spent with the patient to obtain consent and the time for training for counselors. The Department is now estimating the time for obtaining consent separately from the burden of training time and applies an average of 5 minutes per patient admission for obtaining consent.

For § 2.31, § 2.52, and § 2.53, the Department is separating out estimates for each provision which were previously reported together and is also adjusting the estimates. For § 2.31, the Department believes that disclosures with written consent for TPO are made for 100 percent of patients; due to the proposed changes to the consent requirements, the Department assumes that programs would experience a decreased burden from an average of 3 consents per admission to 1 consent. The Table above reflects 1 consent for each of the 1,864,367 annual patient admissions (used as a proxy for the estimated number of patients) and a time burden of 5 minutes per consent for a total of 155,364 burden hours. The previously unacknowledged burden of obtaining multiple consents for each patient is shown in Table 12, below.

The Department previously estimated that for § 2.31 (consent), § 2.52 (research), and § 2.53 (audit and evaluation) combined, programs would need to disclose an average of 15 percent of all patients' records (1,864,367 records × .15 = 279,655 disclosures). The Department is adjusting its estimates to reflect that 15 percent of patients would have records disclosed without consent for research and audits or evaluations and that this would be divided evenly between the two provisions, resulting in 7.5% of 1,864,367 records (or approximately 139,828 disclosures) for § 2.52 disclosures and the same for § 2.53 disclosures. The Department previously estimated that 10 percent of disclosed records would be disclosed in paper form while the remaining 90 percent would be disclosed electronically. The time burden for disclosing a paper record is estimated as 15 minutes and the time for disclosing an electronic record as 5 minutes. For Part 2 programs using paper records, the Department expects that a staff member would need to gather and aggregate the information from paper records, and manually track disclosures; for those Part 2 programs with a health IT system, the Department expects records and tracking information will be available within the system.

For § 2.36, the Department used the average number of opiate treatment admissions from SAMHSA's 2019 TEDS (565,610 admissions) and assumed the PDMP databases would need to be accessed and reported once initially and quarterly thereafter for each patient (565,610 × 5 = 2,828.050). Dividing the number of opiate treatment admissions by the number of SUD programs results in an average of 35.21 patients per program (565,610 patients ÷ 16,066 programs) and 176.03 PDMP updates per respondent (35.21 patients/program × 5 PDMP updates per patient). Based on discussions with providers, the Department believes accessing and reporting to PDMP databases would take approximately 2 minutes per patient, resulting in a total annual burden of 10 minutes (5 database accesses/updates × 2 minutes per access/update) or 0.166 hours annually per patient. For § 2.51, the time estimate for recordkeeping for a clerk to locate a patient record, record the necessary information and re-file the record is 10 minutes.

As shown in Table 12, for § 2.31 the Department is recognizing for the first time the burden on programs to obtain multiple consents for each patient annually. The Department estimates that for each patient admission to a program a minimum of 3 consents is needed for disclosures of records: one each for treatment, payment, and health care operations (1,864,367 × 3).

As shown in Table 11, a burden is already recognized for obtaining consent, but the estimate assumed only one consent per admission under the existing regulation and it was combined with estimates for disclosures without consent under § 2.52 (research) and § 2.53 (audit and evaluation). The Department believes its previous calculations underestimated the numbers of consents obtained annually, and thus the Department views its updated estimate ( i.e., adding two consents per patient annually) as acknowledging a previously unquantified burden. Additionally, recipients of Part 2 records that are covered entities or business associates must obtain consent for redisclosure of these records. The Department estimates an average of one-half of patients' records are disclosed to a covered entity or business associate that needs to redisclose the record with consent (1,864,367 × .5), and this also represents a previously unquantified burden. Together, this would result in an increase of 2.5 consents annually per patient. However, this would be offset by the changes proposed in this NPRM which would result in a reduction in the number of consents by 2.5 per patient, thus resulting in no change from the currently approved burden of 1 consent per patient.

In Table 13 above, the Department shows an annualized new hourly burden of approximately 28,378 hours due to proposed regulatory requirements for breach notification, accounting of disclosures of records, responding to patient's requests for restrictions on disclosures, discussing the Patient Notice, and required reporting by investigative agencies. These burdens would be recurring. The estimates represent 2 percent of the total estimated by the Department for compliance with the parallel HIPAA requirements for covered entities. This percentage was calculated by dividing the total number of covered entities by the number of Part 2 programs (16,066/771,334 = .02). The Department recognizes that this is an overestimate because an unknown proportion of Part 2 programs are also covered entities. The total in Table 13 also includes the Department's estimates for a recurring annual burden on investigative agencies of 338 hours, relying on previous estimates for the burden of reporting breaches of PHI to the Secretary at 1.5 hours per report.

As shown in Table 14, the Department estimates one-time burden increases as a result of proposed changes to § 2.16, § 2.22, § 2.31, and § 2.32 and due to proposed new provisions § 2.25 and § 2.26. The proposed nonrecurring burdens are for training staff on the proposed provisions and for updating forms and notices. The Department estimates that each program would need 5 hours of a training specialist's time to prepare and present the training for a total of 80,330 burden hours.

For § 2.16, the Department estimates that each program would need to train 1 manager on breach notification requirements for 1 hour, for a total of 16,066 burden hours. For § 2.22, the Department estimates that each program will need 1 hours of a lawyer's time to update the content of the Patient Notice (for a total of 16,066 burden hours) and 15 minutes to train 202,072 Part 2 counselors on the new Patient Notice and right to discuss the Patient Notice requirements (for 50,518 total burden hours).

For § 2.25, the Department estimates that each program would need to train a medical records specialist on the requirements of proposed accounting of disclosures requirements for 30 minutes, resulting in a total burden of approximately 8,033 hours. For § 2.26, the Department estimates that each program would need to train three staff (a front desk receptionist, a medical records technician, and a billing clerk (16,066 Part 2 programs × 3 staff)) for 15 minutes each on the right of a patient to request restrictions on disclosures for TPO. The base wage rate is an average of the mean hourly rate for the three occupations being trained. This would total approximately 12,050 burden hours.

For § 2.31, each program would need 40 minutes of a lawyer's time to update the consent to disclosure form (for a total of approximately 10,711 burden hours) and 30 minutes to train an average of 2 front desk receptionists on the changed requirements for consent (for a total of approximately 16,066 burden hours). For § 2.32, the Department estimates that each program would need 20 minutes of a health care manager's time to update the content of the notice to accompany disclosure with the changed language provided in the proposed regulations, for a total of approximately 5,355 burden hours. This is likely an over-estimate because an alternative, short form of the notice is also provided in regulation, and the language for that form is unchanged such that programs that are using the short form notice could continue using the same notice and avoid any burden increase.

2. Explanation of Estimated Capital Expenses for 42 CFR Part 2

As shown above in Table 15, Part 2 programs would incur new capital costs for providing breach notification. The table also reflects existing burdens for printing the Patient Notice, the Notice to Accompany Disclosure, and Consents. The Department has estimated 50 percent of forms used would be printed on paper, taking into account the notable increase in the use of telehealth services for the delivery of SUD treatment and the expectation that the demand for telehealth will continue.

3. Explanation of Estimated Annualized Burden Hours for 45 CFR 164.520

As shown in Table 16, above, the Department proposes increasing the estimated number of covered entities from 700,000 to 774,331 due to updating the estimated the total number of covered entities, consistent with its estimates associated with the HIPAA NPRM published on January 21, 2021. The Department also proposes adding one new burden element for covered entities to update the NPP as required by 45 CFR 164.530 to include the proposed revisions to 45 CFR 164.520. This burden estimate is primarily applicable to covered entities that receive or maintain Part 2 records because the burdens for covered entities that create Part 2 records ( i.e., that are Part 2 programs) are addressed in the Part 2 ICR, discussed above. However, the Department recognizes this likely overestimates the overall compliance burden on covered entities because some covered entities may not receive or maintain Part 2 records and may find the Part 2 NPP language is not applicable. The Department estimates that each covered entity that is not a Part 2 program would incur the burden of 20 minutes of a lawyer's time to evaluate how the modifications may apply to them and to update the NPP accordingly. The Department estimates 258,110 total one-time burden hours in the first year attributable to the proposed changes to 45 CFR 164.520 in this NPRM and no additional burden thereafter.

List of Subjects

42 CFR Part 2

• Administrative practice and procedure
• Alcoholism
• Administrative practice and procedure
• Alcohol use disorder
• Breach
• Confidentiality
• Courts
• Drug abuse
• Electronic information system
• Grant programs—health
• Health
• Health care
• Health care operations
• Health care providers
• Health information exchange
• Health plan
• Health records
• HIPAA
• HITECH Act
• Hospitals
• Investigations
• Medicaid
• Medical research
• Medicare
• Part 2
• Part 2 programs
• Patient rights
• Penalties
• Privacy
• Reporting and record keeping requirements
• Security measures
• Substance use disorder
• SUD

45 CFR Part 164

• Administrative practice and procedure
• Breach
• Confidentiality
• Courts
• Drug abuse
• Electronic information system
• Health
• Health care
• Health care operations
• Health information exchange
• Health plan
• Health records
• HIPAA
• HITECH Act
• Hospitals
• Individual rights
• Investigations
• Medicaid
• Medical research
• Medicare
• Part 2
• Patient rights
• Penalties
• Privacy
• Reporting and record keeping requirements
• Security measures
• Substance use disorder
• SUD

Proposed Rule

For the reasons stated in the preamble, the Department of Health and Human Services proposes to amend 42 CFR part 2 and 45 CFR part 164 as set forth below:

Title 42—Public Health

PART 2—CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS

1. Revise the authority citation for part 2 to read as follows:

Authority: Sec. 408 of Pub. L. 92-255, 86 Stat. 79, as amended by sec. 303(a), (b) of Pub. L. 93-282, 83 Stat. 137, 138; sec. 4(c)(5)(A) of Pub. L. 94-237, 90 Stat. 244; sec. 111(c)(3) of Pub. L. 94-581, 90 Stat. 2852; sec. 509 of Pub. L. 96-88, 93 Stat. 695; sec. 973(d) of Pub. L. 97-35, 95 Stat. 598; and transferred to sec. 527 of the Public Health Service Act by sec. 2(b)(16)(B) of Pub. L. 98-24, 97 Stat. 182 and as amended by sec. 106 of Pub. L. 99-401, 100 Stat. 907 (42 U.S.C. 290ee-3) and sec. 333 of Pub. L. 91-616, 84 Stat. 1853, as amended by sec. 122(a) of Pub. L. 93-282, 88 Stat. 131; and sec. 111(c)(4) of Pub. L. 94-581, 90 Stat. 2852 and transferred to sec. 523 of the Public Health Service Act by sec. 2(b)(13) of Pub. L. 98-24, 97 Stat. 181 and as amended by sec. 106 of Pub. L. 99-401, 100 Stat. 907 (42 U.S.C. 290dd-3), as amended by sec. 131 of Pub. L. 102-321, 106 Stat. 368, (42 U.S.C. 290dd-2), as amended by sec. 3221 of Pub. L. 114-136.

2. Revise § 2.1 to read as follows:

3. Amend § 2.2 by revising paragraphs (a) introductory text, (a)(2), (a)(3), (a)(4), (b)(1), (b)(2), and (b)(3) to read as follows:

4. Revise § 2.3 to read as follows:

5. Revise § 2.4 to read as follows:

6. Amend § 2.11 by:

a. Adding in alphabetical order definitions of “Breach”; “Business associate”; “Covered entity”; “Health care operations”; “HIPAA”; “HIPAA regulations”;

b. In the definition of “Informant” revising the introductory text;

c. Adding in alphabetical order definitions of “Intermediary”; and “Investigative agency” ';

d. Revising the definition of “Part 2 program director”;

e. Adding a sentence at the end of the definition of “Patient”;

f. Adding in alphabetical order the definition of “Payment”;

g. Revising the definition of “Person”;

h. In the definition of “Program” revising paragraph (1);

i. Adding in alphabetical order the definition of “Public health authority”;

j. In the definition of “Qualified service organization” revising the introductory text, paragraph (2) introductory text, and adding paragraph (3);

k. Revising the definition of “Records”, “Third-party payer”, “Treating provider relationship”, and “Treatment”;

l. Adding in alphabetical order definitions of “Unsecured protected health information”; “Unsecured record”; and “Use”.

The revisions and additions read as follows:

7. Amend § 2.12 by:

a. Revising paragraphs (a)(1) introductory text, (a)(1)(ii), and (a)(2);

b. Revising paragraphs (c)(2), (c)(3) introductory text, (c)(4), (c)(5) introductory text and (c)(6);

c. Revising paragraphs (d)(1) and (2); and

d. Revising paragraphs (e)(3), (e)(4) introductory text, and (e)(4)(i).

The revisions read as follows:

7. Amend § 2.13 by revising paragraphs (a), (b) and (c)(1) and removing paragraph (d) to read as follows:

8. Amend § 2.14 by revising paragraphs (a), (b)(1), (b)(2) introductory text, (b)(2)(ii) and (c) to read as follows:

9. Amend § 2.15 by revising the section heading, paragraphs (a) and (b)(2) to read as follows.

10. Amend § 2.16 by:

a. Revising the section heading and paragraphs (a) introductory text, (a)(1)(v), and (a)(2)(iv); and

b. Adding paragraph (b).

The revisions and addition read as follows:

11. Amend § 2.17 by revising paragraph (b) to read as follows.

12. Amend § 2.19 by:

a. Adding paragraph (a)(3);

b. Revising paragraphs (b)(1) introductory text, (b)(1)(i) introductory text (b)(1)(i)(A), and (b)(2).

The addition and revisions read as follows:

13. Revise § 2.20 to read as follows.

14. Amend § 2.21 by revising paragraph (b) to read as follows:

15. Revise § 2.22 to read as follows:

16. Amend § 2.23 by revising the section heading and paragraph (b) to read as follows.

17. Add § 2.24 to subpart B to read as follows:

18. Add § 2.25 to subpart B to read as follows.

19. Add § 2.26 to subpart B to read as follows:

20. Revise the heading of subpart C to read as follows:

Subpart C—Uses and Disclosures With Patient Consent

a. Revising paragraph (a) introductory text, and paragraphs (a)(2) through (a)(8);

b. Adding paragraph (a)(10); and

c. Revising paragraph (b)(4).

The revisions and additions read as follows:

22. Amend § 2.32 by revising the section heading and paragraph (a) to read as follows:

23. Revise § 2.33 to read as follows:

24. Amend § 2.34 by revising the section heading and paragraph (b) to read as follows:

25. Amend § 2.35 by revising paragraphs (a) introductory text, (a)(1), (b)(3), and (d) to read as follows:

26. Revise the heading of subpart D to read as follows:

Subpart D—Uses and Disclosures Without Patient Consent

28. Amend § 2.52 by:

a. Revising the section heading and paragraphs (a) introductory text, (a)(1) introductory text and (a)(2);

b. Revising paragraphs (b) introductory text, (b)(2) and (3);

c. Revising paragraph (c)(1) introductory text and adding paragraph (c)(1)(iii); and

d. Removing the second paragraph (c)(2).

The revisions and addition read as follows:

29. Amend § 2.53 by:

a. Revising the section heading;

b. Revising paragraph (a) introductory text and paragraph (a)(1)(ii);

c. Revising paragraphs (b) introductory text, (b)(1)(iii) and (b)(2)(ii);

d. Revising paragraphs (c)(1) introductory text and (c)(1)(i);

e. Revising paragraphs (e)(1) introductory text, (e)(1)(iii), (e)(5), and (e)(6);

f. Revising paragraph (f); and

g. Adding paragraph (h).

The revisions and addition read as follows:

30. Add § 2.54 to subpart D to read as follows:

31. Revise the heading of subpart E to read as follows:

Subpart E—Court Orders Authorizing Use and Disclosure

32. Revise § 2.61 to read as follows:

33. Revise § 2.62 to read as follows:

34. Amend § 2.63 by revising paragraph (a)(3) to read as follows:

(a) * * *

(3) The disclosure is in connection with a civil, criminal, administrative, or legislative proceeding in which the patient offers testimony or other evidence pertaining to the content of the confidential communications.

35. Amend § 2.64 by by revising the section heading, paragraph (a), paragraph (b) introductory text, (d) and (e) to read as follows:

36. Amend § 2.65 by revising the section heading, paragraphs (a), (b) introductory text, (d) introductory text, (d)(2) and (e) to read as follows:

37. Amend § 2.66 by

a. Revising the section heading and paragraph (a)(1);

b. Adding new paragraph (a)(3);

c. Revising paragraphs (b), (c), and (d).

The revisions and addition read as follows:

38. Amend § 2.67 by revising paragraphs (a), (c), (d)(3) and (e) to read as follows:

39. Add § 2.68 to subpart E to read as follows:

PART 164—SECURITY AND PRIVACY

40. The authority citation for part 164 is revised to read as follows:

Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)); secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279 (42 U.S.C. 17921, 17931-17954); and sec. 3221(i)(2), Pub. L. 116-136.

41. Amend § 164.520 by:

a. Revising paragraphs (a)(1) and removing paragraph (a)(3);

b. Redesignating paragraph (a)(2) as (a)(3) and adding a new paragraph (a)(2);

c. Revising paragraphs (b)(1) introductory text, (b)(1)(i), b)(1)(ii)(C), (b)(1)(ii)(D), and (b)(1)(iii);

d. Revising paragraphs (b)(1)(iv)(C), (b)(1)(iv)(G), (b)(1)(v)(A), (b)(1)(v)(C), (b)(1)(vii), and (b)(2)(iii);

e. Removing paragraph (c)(2)(ii), redesignating paragraphs (c)(2)(iii) and (iv) as (c)(2)(ii) and (iii) and revising newly redesignated (c)(2)(ii) introductory text and (iii) and (c)(3)(iii);

f. Adding paragraph (d)(4); and

g. Revising paragraph (e).

The revisions and additions read as follows: