| Page Range | 239-252 | |
| FR Document | 2017-28400 |
[Federal Register Volume 83, Number 2 (Wednesday, January 3, 2018)] [Rules and Regulations] [Pages 239-252] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2017-28400] ======================================================================= ----------------------------------------------------------------------- DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of the Secretary 42 CFR Part 2 [SAMHSA-4162-20] RIN 0930-ZA07 Confidentiality of Substance Use Disorder Patient Records AGENCY: Substance Abuse and Mental Health Services Administration (SAMHSA), U.S. Department of Health and Human Services. ACTION: Final rule. ----------------------------------------------------------------------- SUMMARY: This final rule makes changes to the Substance Abuse and Mental Health Services Administration's (SAMHSA) regulations governing the Confidentiality of Substance Use Disorder Patient Records. These changes are intended to better align the regulations with advances in the U.S. health care delivery system while retaining important privacy protections for individuals seeking treatment for substance use disorders. This final rule addresses the prohibition on re-disclosure notice by including an option for an abbreviated notice. This final rule also addresses the circumstances under which lawful holders and their legal representatives, contractors, and subcontractors may use and disclose patient identifying information for purposes of payment, health care operations, and audits and evaluations. Finally, this final rule is making minor technical corrections to ensure accuracy and clarity in SAMHSA's regulations. DATES: Effective date: This final rule is effective February 2, 2018. Compliance dates: The compliance date for all provisions of this final rule, except for Sec. 2.33(c), is February 2, 2018. As discussed in the preamble, contracts between lawful holders and contractors, subcontractors, and legal representatives must comply with Sec. 2.33(c) within two years of the effective date of the final rule. FOR FURTHER INFORMATION CONTACT: Mitchell Berger, Telephone number: (240) 276-1757, Email address: [email protected]. SUPPLEMENTARY INFORMATION: I. Background On February 9, 2016, SAMHSA published a Notice of Proposed Rulemaking (NPRM) in the Federal Register (81 FR 6988), proposing updates to the Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR part 2) regulations. These regulations implement title 42, section 290dd-2 of the United States Code pertaining to the Confidentiality of Substance Use Disorder Patient Records held by certain substance use disorder treatment programs that receive federal financial assistance. As SAMHSA explained in that NPRM, it proposed to update these regulations, last substantively amended in 1987, to reflect development of integrated health care models and the use of electronic exchange of patient information. SAMHSA also wished to maintain confidentiality protections for patient identifying information, as persons with substance use disorders still may encounter significant discrimination if their information is improperly disclosed. On January 18, 2017, SAMHSA published a final rule (82 FR 6052). In response to public comments, the final rule provided for greater flexibility in disclosing patient identifying information within the health care system while continuing to address the need to protect the confidentiality of substance use disorder patient records. SAMHSA concurrently issued a supplemental notice of proposed rulemaking (SNPRM) (82 FR 5485) to solicit public comment on additional proposals including: The payment and health care operations-related disclosures that can be made to contractors, subcontractors, and legal representatives by lawful holders under the part 2 rule consent provisions; and the provisions governing disclosures for purposes of carrying out a Medicaid, Medicare or Children's Health Insurance Program (CHIP) audit or evaluation. SAMHSA also solicited comments on whether an abbreviated notice of the prohibition on re-disclosure should be used and, if so, under what circumstances. SAMHSA received 55 comments on the SNPRM, and after considering those comments, is finalizing the proposed revisions, with some changes made in response to the public comments that were received. Some comments were outside the scope of the specific provisions SAMHSA proposed in the SNPRM or were inconsistent with SAMHSA's legal authority regarding the confidentiality of substance use disorder patient records. This final rule does not address these comments. II. Discussion of Public Comments and Final Modifications to 42 CFR Part 2 A. Align With HIPAA Public Comments SAMHSA received a number of comments regarding alignment of 42 CFR part 2 with the Health Insurance Portability and Accountability Act (HIPAA) or the Health Information Technology for Economic and Clinical Health (HITECH) Act. Reasons cited by these commenters in support of aligning the regulations with HIPAA or HIPAA/HITECH Act were to: (1) Promote information flow between providers, including a clinically complete patient record; (2) allow providers and administrators of services greater discretion; (3) facilitate interoperability; (4) improve compliance; (5) enhance privacy protections by making confidentiality restrictions more [[Page 240]] uniform across health care settings; (6) promote more innovative models of health care delivery, including integrated and coordinated care, and value-based and population-based models; (7) establish uniform, workable regulations with respect to treatment, payment and operations; and (8) improve patient care and reduce stigma and potential harm to patients. SAMHSA Response SAMHSA has attempted to align this final rule with HIPAA, the HITECH Act, and their implementing regulations to the extent feasible, based on the proposed revisions in the SNPRM, the public comments received, and the limitations on SAMHSA's authority in the governing statute, 42 U.S.C. 290dd-2. At the same time, it is important to note that part 2 and its authorizing statute are separate and distinct from HIPAA, the HITECH Act, and their implementing regulations. Part 2 provides more stringent federal protections than other health privacy laws such as HIPAA and seeks to protect individuals with substance use disorders who could be subject to discrimination and legal consequences in the event that their information is improperly used or disclosed. To the extent feasible given these restrictions, SAMHSA continues to review these issues, plans to explore additional alignment with HIPAA, and may consider additional rulemaking for 42 CFR part 2. B. Prohibition on Re-Disclosure (Sec. 2.32) In the SNPRM, SAMHSA sought comment on whether an abbreviated notice of the prohibition on re-disclosure should be included in Sec. 2.32 and on the circumstances under which such abbreviated notice should be used. The SNPRM provided an example of an abbreviated notice: ``Data is subject to 42 CFR part 2. Use/disclose in conformance with part 2.'' SAMHSA has adopted an abbreviated notice that is 80 characters long to fit in standard free-text space within health care electronic systems. The abbreviated notice in this final rule reads ``Federal law/42 CFR part 2 prohibits unauthorized disclosure of these records.'' Public Comments Several commenters expressed support for the abbreviated notice of the prohibition on re-disclosure because it provides more flexibility and efficiency in meeting the notice requirement. Several supportive commenters suggested potential technical solutions for conveying the prohibition on re-disclosure, such as communicating part 2 restrictions through codes, flags, pop-ups, or other signifiers. However, some of these commenters and others also explained that most of the suggestions are not technically feasible at this time, due to the lack of standardized electronic formats and transmission standards. One supportive commenter suggested SAMHSA work with the Department of Health and Human Services (HHS) and its agencies, including the Centers for Medicare & Medicaid Services (CMS), and the Office of Civil Rights (OCR), to explore whether HIPAA electronic transactions and code sets can be leveraged or modified to ``flag'' part 2 information and, once the recommendation becomes actionable, involve standard-setting bodies and the public. Several supportive commenters provided circumstances they thought were appropriate for an abbreviated notice of the prohibition on re-disclosure, including: (1) All electronic disclosures (because there may not currently be a standard mechanism to ``flag'' electronic information disclosures that are covered by part 2); (2) only paper disclosures; (3) limiting the use of the abbreviated notice to the exchange of records between part 2 programs (that would have familiarity with the concept of prohibition on re-disclosure); (4) exchange of records among part 2 programs and other entities (including third-party payers, and other lawful holders); and (5) using a single abbreviated notice for all circumstances. A couple of commenters indicated that having the notice of prohibition on re-disclosure accompany disclosures, as required by Sec. 2.32, is important for ensuring compliance with part 2. Commenters who opposed the abbreviated notice of the prohibition on re-disclosure expressed concerns that a shortened notice: (1) May be confusing or unclear to patients and professionals; (2) would fail to safeguard against unauthorized disclosures; and (3) would be insufficient to solve logistical concerns because, regardless of the length of the notice, systems will need to be put in place to tag substance use disorder information and send the notice with the information being disclosed. In addition, some commenters found the current notice to be sufficient. SAMHSA also received comments stating that the SNPRM provided insufficient information to either support or oppose the abbreviated notice of the prohibition on re-disclosure because: (1) The purpose of the abbreviated notice was not made clear; and (2) it was unclear whether SAMHSA considered the impact the proposed abbreviated notice would have on electronic health records formats, system design and software development for clinical medical records format, or the impact on required HIPAA Administrative transactions. One commenter stated that an abbreviated notice of the prohibition on re-disclosure must contain, at a minimum, a clear warning label to prevent misuse and should state that any misuse is illegal under 42 CFR part 2. SAMHSA Response The 42 CFR part 2 regulations in effect since 1983 have required that a notice of the prohibition on re-disclosure accompany each disclosure made with the patient's written consent. In the SNPRM, SAMHSA proposed the option of an abbreviated notice to satisfy the requirements of Sec. 2.32 due to concerns about character limits in free-text fields within electronic health record systems. Specifically, many of the health care electronic systems have a standard maximum character limit of 80 characters in the free text space that may be used to transmit this notice. While SAMHSA recognizes there may be technical issues to be resolved, after considering the totality of the comments, SAMHSA believes including an abbreviated notice of the prohibition on re- disclosure as an option will be beneficial to stakeholders, particularly those who use electronic health record systems to exchange data. However, because even commenters supporting inclusion of an abbreviated notice had differing views about the circumstances under which an abbreviated notice should be used, SAMHSA decided, consistent with its proposal, to allow use of an abbreviated notice in any instance in which a notice is required under the regulations. Recognizing concerns expressed by commenters that an abbreviated notice could be insufficient to convey understanding of part 2 requirements, SAMHSA encourages part 2 programs and other lawful holders using the abbreviated notice to discuss the requirements with those to whom they disclose patient identifying information. In response to comments received that the abbreviated notice did not provide an adequate warning against potential misuse of patient identifying information, SAMHSA, in this final rule, has modified the language in the abbreviated notice to more explicitly notify recipients that improper use or disclosure is prohibited under 42 CFR part 2. [[Page 241]] C. Disclosures Permitted With Written Consent (Sec. 2.33) In the SNPRM, SAMHSA proposed to explicitly list under Sec. [thinsp]2.33(b), specific types of activities for which any lawful holder of patient identifying information would be allowed to further disclose the minimal information necessary for specific payment and health care operations activities. SAMHSA proposed new regulatory text under Sec. [thinsp]2.33(c) that would require lawful holders that engage contractors and subcontractors to carry out payment and health care operations activities that entail the use or disclosure of patient identifying information to include specific contract provisions addressing compliance with part 2. In this final rule, SAMHSA finalizes the scope and requirements for permitted disclosures to contractors, subcontractors, and legal representatives for the purpose of payment and health care operations. SAMHSA does not retain the proposed list of payment and health care operations in the regulatory text and instead, moves this list to the preamble section of the final rule to serve as illustrative examples of permissible payment and health care operations activities. In addition, consistent with SAMHSA's prior statement in the SNPRM preamble, SAMHSA adds language to the regulatory text in Sec. 2.33(b) to clarify that disclosures to contractors, subcontractors, and legal representatives are not permitted for substance use disorder patient diagnosis, treatment, or referral for treatment. SAMHSA finalizes Sec. [thinsp]2.33(c) in relation to contract language referencing compliance with 42 CFR part 2 and the protections of part 2 patient identifying information, but does not retain the proposed reference to permitted uses of patient identifying information consistent with the written consent. 1. Disclosures by Lawful Holders Public Comments In response to SAMHSA's request for comments on proposed revisions to Sec. 2.33, SAMHSA received a number of comments supporting its proposal in Sec. 2.33 to clarify that lawful holders of patient identifying information may disclose the minimum amount of information necessary to contractors, subcontractors, and legal representatives for payment and health care operations purposes. Several commenters cited practical concerns with the policy as stated in the January 18, 2017, final rule, including: (1) It is unrealistic to assume that lawful holders of patient identifying information such as third-party payers have the expertise and resources to carry out certain payment and health care operations without the assistance of contractors; (2) it is often not feasible to specify each contractor on a part 2 consent form; and (3) specifying contractors on a part 2 consent form unreasonably restricts a lawful holder from changing contractors. One commenter observed that essential payment and operations activities directly or indirectly benefit patients (e.g., by ensuring access to and coverage of treatment). One commenter supported the proposal because it further aligns part 2 with HIPAA, while another commenter expressed support for this or any proposal that would reduce the time and expense incurred by part 2 programs when seeking and obtaining patient consent where not necessary. SAMHSA Response In the SNPRM, SAMHSA proposed clarifications to the final regulations issued on January 18, 2017, where they appeared to be needed, based on public comment. SAMHSA appreciates the support it received for clarifying the part 2 regulations. SAMHSA is finalizing those clarifications as proposed in Sec. 2.33(b) except for the list of 17 specific types of payment and health care operations activities for which any lawful holder of patient identifying information would be allowed to further disclose to contractors, subcontractors, and legal representatives. As discussed below, this list of activities is being included in the preamble, rather than in regulatory text, in order to make clear that it is an illustrative rather than exhaustive list of the types of payment and health care operations activities that would be acceptable to SAMHSA. By removing the list from the regulatory text, SAMHSA intends for other appropriate payment and health care operations activities to be permitted under Sec. 2.33 as the health care system continues to evolve. In addition, consistent with SAMHSA's prior statement in the SNPRM preamble, SAMHSA has added language to the regulatory text in Sec. 2.33(b) to clarify that disclosures to contractors, subcontractors, and legal representatives are not permitted for activities related to a patient's diagnosis, treatment, or referral for treatment. Public Comments SAMHSA also received numerous comments opposing its proposal in Sec. 2.33. The majority of these commenters were opposed to the changes because SAMHSA had not specified additional safeguards that would apply in connection with the disclosures. Some commenters expressed concern that the changes were too broad or would undermine overall part 2 protections. One commenter expressed concern that the risk of breaches might increase by permitting additional disclosures to facilitate health care operations. Several commenters noted that the revisions in Sec. 2.33(b) would permit lawful holders greater latitude in sharing information with entities than would be afforded to patients. These commenters found that the revisions would permit patients to consent to sharing patient identifying information with lawful holders, who then are permitted to re-disclose that information to contractors, subcontractors, or legal representatives without notifying the patient. Conversely, patients would be prohibited from consenting to disclose patient identifying information to entities with whom they do not have a treating provider relationship without further designating an individual participant in that entity. As a result, these commenters questioned SAMHSA's intent for this proposal. One commenter thought the SNPRM did not provide sufficient information to respond to the proposed Sec. 2.33 because of the similarity of contractors and subcontractors with qualified service organizations (QSOs) under Sec. Sec. 2.11 and 2.12, and the similarity to Business Associates under HIPAA. The commenter requested clarification on whether it is SAMHSA's intent to directly apply part 2 to these contractors and subcontractors in a manner similar to what was accomplished under the HIPAA Privacy and Security Rules for Business Associates of covered entities. SAMHSA Response SAMHSA is seeking a balance between protecting the confidentiality of substance use disorder patient records and ensuring that the regulations do not pose a barrier to patients with substance use disorders who wish to participate in, and could benefit from, emerging health care models that promote integrated care and patient safety. Unauthorized disclosure of substance use disorder patient records can lead to a host of negative consequences, including loss of employment, loss of housing, loss of child custody, discrimination by medical professionals and insurers, arrest, prosecution, and incarceration. The purpose of the part 2 regulations is to ensure that a patient is not made more vulnerable by reason of the availability of their patient record than an individual with a substance use [[Page 242]] disorder who does not seek treatment. SAMHSA recognizes the legitimate needs of lawful holders of patient identifying information to disclose that information to their contractors, subcontractors, and legal representatives for purposes of payment and health care operations as long as the core protections of 42 CFR part 2 are maintained. SAMHSA notes that the part 2 regulations already state at Sec. 2.13(a): ``. . . Any disclosure made under the regulations in this section must be limited to that information which is necessary to carry out the purpose of the disclosure.'' This provision helps to ensure that information is not shared more broadly than the purpose(s) for which the patient consents. With respect to the comment that proposed revisions in Sec. 2.33(b) would provide lawful holders greater latitude in sharing information with entities for payment and health care operations purposes than would be afforded to patients, SAMHSA acknowledges this concern and will be convening a stakeholder meeting relative to part 2 as required by the 21st Century Cures Act (Pub. L. No: 114-255). Finally, it is not SAMHSA's intent to apply part 2 to contractors and subcontractors in a manner similar to what was accomplished under the HIPAA Privacy and Security Rules for Business Associates in accordance with, respectively, sections 13404(a) and 13401(a) of the HITECH Act, 42 U.S.C. 17934(a), 17931(a). SAMHSA has attempted to align part 2 with HIPAA in this final rule to the extent such changes are permissible under 42 U.S.C. 290dd-2. Moreover, as discussed previously, SAMHSA plans to explore additional alignment with HIPAA and is considering additional rulemaking for 42 CFR part 2. At the same time, part 2 and its authorizing statute are separate and distinct from HIPAA, the HITECH Act, and their implementing regulations. Because of its targeted population, part 2 and its authorizing statute provides more stringent federal protections than other health privacy laws, including the HIPAA Rules, in order to encourage individuals with substance use disorders to seek treatment. Public Comments Several commenters proposed an alternative approach to the proposed changes in Sec. 2.33, which would instead allow lawful holders to contract with QSOs, just as part 2 programs currently do. One such commenter proposed that, instead of an explicit list of activities, Sec. 2.33(b) should include a general statement that an entity that lawfully receives patient identifying information under a valid part 2 consent may disclose the information to its contractor under a QSO agreement (QSOA) if such disclosure is reasonably consistent with the terms of the consent. This commenter also proposed to revise the QSO definition to align it more closely with the HIPAA ``business associate'' concept. Two commenters questioned the distinction between the needs of part 2 programs and other lawful holders to engage third parties for operational assistance and requested that the QSO definition simply include lawful holders in the list of entities for which a QSO may provide services. One of these commenters stated that this alternative approach would give patients a choice and align better with patients' expectations without adding another layer of complexity. SAMHSA Response SAMHSA declines to implement the suggested alternative approaches. SAMHSA agrees there are similarities between contractors under Sec. 2.33(b) and QSOs. However, SAMHSA did not propose in the SNPRM to revise the provision on QSOs. 2. List of Payment and Health Care Operations Activities In the SNPRM, SAMHSA sought public comment on whether the proposed listing of permitted activities is adequate and appropriate to ensure the health care industry's ability to conduct necessary payment and health care operations, while still maintaining adequate confidentiality of substance use disorder patient records. SAMHSA also sought comment on the specific types of activities for which a lawful holder of patient identifying information would be allowed to further disclose the minimal information necessary for specific payment and health care operations activities described in the SNPRM. Further, SAMHSA requested public comment on additional purposes for which lawful holders should be able to disclose patient identifying information. SAMHSA is finalizing the clarifications, as proposed in Sec. 2.33, but now includes the list of 17 specific types of payment and health care operations as illustrative examples in the preamble rather than the regulatory text. Public Comments Many commenters responded to SAMHSA's requests for comments on whether the proposed list of explicitly permitted payment and health care operations activities is adequate and appropriate. Several commenters expressly supported the list of payment and operations activities included in the SNPRM. One commenter stated that the proposed 17 categories of payment and operations activities are essential to allowing third-party payers and other lawful holders to reasonably operate. Another commenter observed that the proposed payment and health care operations activities represent significant progress toward SAMHSA's stated goal of modernizing 42 CFR part 2 to increase opportunities for individuals with substance use disorders to participate in new and emerging health care models and health information technology. Numerous commenters recommended that care coordination and case management be added to the list, noting the importance of these services in the operational and treatment responsibilities in serving patients, including those with a dual diagnosis of mental health and substance use disorder. Conversely, several commenters recommended that SAMHSA include a statement in the regulatory text explicitly excluding care coordination and case management from Sec. 2.33(b). Another commenter also stated that disclosures to contractors, subcontractors, and legal representatives should not include information concerning diagnosis, treatment and/or referral to treatment without a patient's express consent. Several commenters were confused by, or disagreed with, SAMHSA's omission of treatment-related activities such as care coordination and case management from the list of payment and health care operations activities for which additional disclosures were proposed in the SNPRM. One such commenter stated that it was unclear why a contractor performing a treatment-related activity should be subject to greater confidentiality safeguards (e.g., specific consent) than an entity performing a payment or business-related activity. Others thought the benefits of care coordination outweighed any risk of including it on the list of permitted activities because SAMHSA also included on the list patient safety activities, which are inextricably linked to care coordination and case management. Another commenter, stating that health information technology and health information exchange are essential building blocks of integrated care, argued that the exclusion of care coordination and case management from permitted health care operations would make it extremely difficult for state Medicaid agencies, managed care [[Page 243]] organizations (MCOs), and providers to use this technology to provide high quality, integrated care. One commenter pointed out that third- party payers, to which disclosure would be permitted under the SNPRM, may perform care coordination and case management activities as well as payment and health care operations activities. SAMHSA also received comments requesting a variety of additions to the list of permitted activities. In addition, SAMHSA received comments requesting clarification of some of the activities included on the list. Finally, two commenters observed that the rapid changes occurring in the health care payment and delivery system may make any list of permitted activities included in the final rule outdated very quickly. A few commenters disagreed with including in the regulatory text a list of permitted payment and health care operations activities. One commenter thought SAMHSA should be more protective of vulnerable patients because the list was seen as a loophole that would result in patient identifying information being spread beyond the immediate point of care and being used in unforeseen ways. For consistency, one commenter requested that SAMHSA replicate HIPAA's definition of payment at 45 CFR164.501 for the purpose of collection activities under proposed Sec. 2.33(b)(1). SAMHSA also received a number of comments requesting that certain activities on the list of payment and health care operations activities be restricted or narrowed. A number of commenters requested that SAMHSA remove or narrow proposed Sec. 2.33(b)(15) & (16) to ensure patients' protected substance use disorder information will not be used to limit or deny insurance coverage or access to health care. Some commenters expressed concern that the proposed Sec. 2.33(b)(2) could be interpreted as allowing protected information to be disclosed to employers. Many of these commenters stated they did not support the SNPRM's proposed changes in general, or SAMHSA's proposal to permit lawful holders to disclose patient identifying information obtained pursuant to patient consent to contractors, subcontractors, and legal representatives for payment and health care operations purposes, in particular, without further protections and safeguards. Two commenters disagreed with the inclusion of five of the proposed activities (Sec. Sec. 2.33(b)(6), 2.33(b)(10), 2.33(b)(12), 2.33(b)(15), and 2.33(b)(16)) because they could adversely affect patient enrollment in health plans and determinations regarding insurability, treatment, and eligibility. Several commenters also requested additional protections to ensure lawful holders and their contractors, subcontractors, and legal representatives only use information protected under part 2 for the purposes listed in the patient's written consent. SAMHSA Response While SAMHSA is finalizing the clarifications as proposed in Sec. 2.33, SAMHSA is not including the list of 17 specific types of payment and health care operations in the regulatory text that would be the basis for further disclosures by a lawful holder of patient identifying information. Based on the numerous comments received requesting additions or clarifications to the list, as well as concerns that the rapid changes occurring in the health care payment and delivery system could render any list of activities included in the regulatory text outdated, SAMHSA has decided to include the list in the preamble of this final rule to illustrate the types of permissible payment and health care operations activities. Examples of permissible activities under Sec. 2.33(b) that SAMHSA considers to be payment and health care operations activities include:Billing, claims management, collections activities, obtaining payment under a contract for reinsurance, claims filing and related health care data processing; Clinical professional support services (e.g., quality assessment and improvement initiatives; utilization review and management services); Patient safety activities; Activities pertaining to: The training of student trainees and health care professionals; The assessment of practitioner competencies; The assessment of provider and/or health plan performance; and Training of non-health care professionals; Accreditation, certification, licensing, or credentialing activities; Underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care; Third-party liability coverage; Activities related to addressing fraud, waste and abuse; Conducting or arranging for medical review, legal services, and auditing functions; Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating, including formulary development and administration, development or improvement of methods of payment or coverage policies; Business management and general administrative activities, including management activities relating to implementation of and compliance with the requirements of this or other statutes or regulations; Customer services, including the provision of data analyses for policy holders, plan sponsors, or other customers; Resolution of internal grievances; The sale, transfer, merger, consolidation, or dissolution of an organization; Determinations of eligibility or coverage (e.g. coordination of benefit services or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims; Risk adjusting amounts due based on enrollee health status and demographic characteristics; Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges. This list of payment and health care operations is substantively unchanged from that which was proposed as regulatory text in the SNPRM published on January 18, 2017. In this final rule, SAMHSA maintains its position that the payment and health care operations activities referenced in Sec. 2.33 and listed in the preamble are not intended to encompass substance use disorder patient diagnosis, treatment, or referral for treatment. SAMHSA believes it is important to maintain patient choice in disclosing information to health care providers with whom patients have direct contact. For this reason, the final provision in Sec. 2.33(b) is not intended to cover care coordination or case management and disclosures to contractors, subcontractors, and legal representatives to carry out such purposes are not permitted under this section. In addition, SAMHSA added language to the regulatory text in Sec. 2.33(b) to clarify that disclosures to contractors, subcontractors and legal representatives are not permitted for activities related to a patient's diagnosis, treatment, or referral for treatment. SAMHSA notes that the position articulated in this final rule differs from the HIPAA Privacy Rule, under which `health care operations' encompasses such activities as case management and care coordination. However, SAMHSA appreciates the concerns expressed by [[Page 244]] some commenters about such issues as the exclusion of care coordination and case management from Sec. 2.33(b). SAMHSA also appreciates comments received concerning potential risks of including care coordination, case management and other activities in Sec. 2.33(b). Consistent with the 21st Century Cures Act, prior to March 21, 2018, the Secretary of HHS will convene relevant stakeholders to determine the effects of 42 CFR part 2 on patient care, health outcomes, and patient privacy. This meeting will provide stakeholders with an additional opportunity to provide further input to SAMHSA regarding implementation of part 2, including changes adopted in this final rule. 3. Contract Provisions for Disclosures Under Proposed Sec. 2.33(c) SAMHSA proposed new regulatory text requiring that lawful holders that engage contractors and subcontractors to carry out payment and health care operations that require using or disclosing patient identifying information include specific contract provisions requiring contractors and subcontractors to comply with the provisions of part 2. SAMHSA is finalizing this proposal except that it is not requiring that the contract specify the permitted uses of patient identifying information by the contractor, subcontractor, or legal representative. An appropriate comparable legal instrument will suffice in cases where there is otherwise no contract between the lawful holder and a legal representative who is retained voluntarily; when a legal representative is required to represent the lawful holder by law, the requirement for a contract or comparable legal instrument in Sec. 2.33(c) shall not apply. Public Comments SAMHSA received several comments expressing general support for the proposed provisions in Sec. 2.33(c) relating to contracts or legal agreements between lawful holders and their contractors, subcontractors, and legal representatives. One of these commenters agreed that limits should be placed on disclosures to contractors, such as allowing disclosure of only the minimum patient identifying information necessary for specific payment or health care operations. A number of commenters, however, opposed including specific contract requirements in Sec. 2.33(c) between lawful holders and their contractors requiring compliance with part 2. Many of these commenters stated that this provision would impose significant contract amendment burdens industry-wide and would be disruptive to business relationships. Commenters noted that business associate agreements under HIPAA as well as many contracts already require compliance with all applicable federal and state laws, which would include part 2. Some commenters requested that contract provisions requiring compliance with applicable federal laws and regulations be deemed as satisfying the requirement of proposed Sec. 2.33(c) even if part 2 is not specifically mentioned. One commenter stated that contracts typically specify the purposes for which the contractor may use any confidential information and so it is not necessary to require language on specific permitted uses and disclosure of patient identifying information. Some commenters stated that Sec. 2.33(c) should not be included in future rulemaking. One such commenter requested that SAMHSA provide evidence that current contract language is not adequately addressing part 2 uses and disclosures by those entities specified in Sec. 2.33(c). Another commenter requested that SAMHSA explore leveraging information technology to identify more efficient ways for patients to consent to disclosure. This commenter also recommended that SAMHSA conduct an assessment or promulgate an Advanced Notice of Proposed Rulemaking to solicit information to determine the adequacy of existing contracts or business processes to address information disclosures with contracted entities. Several commenters stated that SAMHSA could address concerns with an extension, by regulation, of the part 2 protections to any entity handling the information disclosed via consent. SAMHSA received comments that asked that that the language in proposed Sec. 2.33(c) be modified to allow the patient identifying information safeguards to be spelled out in the contract and/or business associates agreement. SAMHSA Response SAMHSA is finalizing Sec. 2.33(c) as proposed, but has revised the regulatory text to remove the reference to patient consent as it relates to the requirement to specify permitted uses of patient identifying information by the contractor, subcontractor, or legal representative. However, SAMHSA notes that Sec. 2.13 requires that any disclosure made under the regulations must be limited to that information which is necessary to carry out the purpose of the disclosure. Therefore, to comply with Sec. 2.13, lawful holders should ensure that the purpose section of the consent form is consistent with the role of or services provided by the contractor or subcontractor (e.g., ``payment and health care operations''). SAMHSA understands the concerns expressed by commenters regarding bringing contracts into compliance with Sec. 2.33(c). To address these concerns, the final rule allows lawful holders two years from the effective date of the final rule to bring their contracts and legal agreements with contractors, subcontractors, and voluntary legal representatives into compliance. If lawful holders choose not to re- disclose patient identifying information to contractors, subcontractors, or legal representatives as specified under Sec. 2.33(b), they do not have to comply with Sec. 2.33(c). SAMHSA disagrees with comments that propose allowing existing contractual language regarding general compliance with applicable federal laws to satisfy requirements under Sec. 2.33(c). SAMHSA believes that it is important for part 2 to be specifically mentioned in contracts and legal agreements when lawful holders are disclosing part 2 patient identifying information to contractors, subcontractors and voluntary legal representatives under Sec. 2.33(b). A fundamental principle of 42 CFR part 2 is that patients should have as much control as possible over their patient identifying information. Referencing part 2 in contracts will help to underscore the importance of compliance with part 2 provisions. However, SAMHSA also recognizes that entities may have different approaches to ensuring compliance with part 2 and other laws. While SAMHSA requires compliance with Sec. 2.33(c) for lawful holders who wish to disclose patient identifying information pursuant to Sec. 2.33(b), SAMHSA is not specifying the exact contract language to be used. With respect to the comment regarding limiting disclosures to the minimum information necessary, Sec. 2.13 requires that any disclosure made must be limited to that information which is necessary to carry out the purpose of the disclosure. Contractors, subcontractors, and legal representatives will be required to comply with this and all applicable provisions under part 2. (Section 2.33(c) states that contractors and any subcontractors or legal representatives are fully bound by the provisions of part 2 upon receipt of patient identifying information). Public Comments One commenter requested that SAMHSA remove the following [[Page 245]] sentence from Sec. 2.33(c): ``In making such disclosure, the lawful holder should specify permitted uses of patient identifying information consistent with the written consent, by the contractor and any subcontractors or legal representatives to carry out the payment and health care operations activities listed in the preceding subparagraph, require such recipients to implement appropriate safeguards to prevent unauthorized uses and disclosures and require such recipients to report any unauthorized uses, disclosures, or breaches of patient identifying information to the lawful holder.'' Commenters stated that lawful holders will not possess the written consent because it is typically held by the part 2 program and it would be impractical, if not impossible, for the written consent form to be passed on to other entities. Another commenter stated that mechanisms for transmitting written consent forms had yet to evolve. A commenter stated that a prohibition on re-disclosure notice under Sec. 2.32 should not be required when a disclosure from a contractor that is a cloud services provider is back to the lawful holder or is disclosed under the direction or control of the lawful holder because the cloud service provider would not have control over the disclosure and therefore could not accompany the disclosure with a notice related to Sec. 2.32 and suggested alternative language. Other commenters supported the provisions in proposed Sec. 2.33(c) but specified additional safeguards that should be added or referenced. Several commenters requested that SAMHSA include another requirement in proposed Sec. 2.33(c) that contractors, subcontractors, and legal representatives be bound by all of the requirements that apply to QSOs, as QSOs and contractors serve similar functions. These commenters stated that written contracts under proposed Sec. 2.33(c), therefore, would require contractors, subcontractors, and legal representatives to agree to resist in judicial proceedings any efforts to obtain access to patient records identifying information related to substance use disorder diagnosis, treatment, or referral for treatment except as permitted by part 2. These commenters also expressed opposition to the SNPRM's proposed changes in general or SAMHSA's proposal to permit lawful holders to disclose patient identifying information obtained pursuant to patient consent to contractors, subcontractors and legal representatives, including for payment and health care operations purposes, without these and other protections. One commenter stated that a List of Disclosures requirement for lawful holders who wish to re-disclose patient identifying information to contractors, subcontractors, and legal representatives should be included in contractual language. One commenter requested that SAMHSA require in the contractual text that contractors, subcontractors, and legal representatives use protected substance use disorder information only for the purpose(s) listed in the patient's written consent and that re-disclosure by contractors, subcontractors, and legal representatives to third parties be allowed only as long as the third party discloses the patient identifying information back to the contractors or lawful holders from which the information originated. SAMHSA Response SAMHSA declines to provide specific and detailed contract language because SAMHSA believes lawful holders need the flexibility to include language that fits within their contract structures. However, regardless of the specific contractual language used, all lawful holders, contractors, subcontractors, and legal representatives must comply with applicable requirements specified in Sec. 2.33(c) as well as the other applicable provisions in part 2. SAMHSA does not require that part 2 consent forms be passed along to the contractor or subcontractor. SAMHSA has revised the regulatory text in Sec. 2.33(c) to remove the reference to patient consent as it relates to the requirement to specify permitted uses of patient identifying information by the contractor, subcontractor, or legal representative. However, Sec. 2.13 requires that any disclosure made under the regulations must be limited to that information which is necessary to carry out the purpose of the disclosure. Therefore, to comply with Sec. 2.13, part 2 programs and other lawful holders should ensure that the purpose section of the consent form is consistent with the role of or services provided by the contractor or subcontractor (e.g., ``payment and health care operations''). Those utilizing contractors or subcontractors should then inform those parties in their contracts that information governed by part 2 requires the contractor or subcontractor to take reasonable steps to prevent unauthorized uses and disclosures and to inform the lawful holder of any breaches and/or unauthorized uses. If a contractor receives information for quality assurance purposes, for instance, they should not be sharing it for other purposes, much less for activities not related to payment and health care operations. Section Sec. 2.33(c) specifies the requirements of a written contract; it is up to the lawful holder and contractor to determine how their contracts should address these requirements. With regard to cloud service providers storing patient identifying information for a lawful holder, SAMHSA declines to make the suggested changes to the language in Sec. 2.33(c). Under Sec. 2.33, lawful holders, contractors and their subcontractors are responsible for providing a prohibition on re-disclosure notice (Sec. 2.32) if they re-disclose patient identifying information to their contractors in order to meet the requirements of Sec. 2.33. If other entities access the information as permitted by the lawful holder (because the other entities that gain access to the information via the cloud are contractors with the lawful holder (Sec. 2.33) and not the cloud services provider, or to fulfill the requirements on the written consent (Sec. 2.31), then the lawful holder (not the cloud service provider) is responsible for ensuring that a notice of the prohibition on re-disclosure is conveyed to those entities, along with the information. Regardless of the specific contractual language used, all lawful holders, contractors, subcontractors, and legal representatives must comply with requirements specified in Sec. 2.33(c) as well as the other applicable provisions in part 2. Therefore, with respect to the comments on contractors, subcontractors, and legal representatives resisting disclosure of patient records in judicial proceedings, SAMSHA notes that Sec. 2.13(a) already states: ``The patient records subject to the regulations in this part may be disclosed or used only as permitted by the regulations in this part and may not otherwise be disclosed or used in any civil, criminal, administrative, or legislative proceedings conducted by a federal, state or local authority.'' In addition, Sec. 2.13(a) already requires that any disclosures must be limited to the information which is necessary to carry out the purpose of the consent. In response to the request that the contract require compliance with the security requirements, Sec. 2.16, Security for Records, already applies to part 2 programs and other lawful holders of patient identifying information, and, therefore, would apply to contractors, subcontractors, and legal representatives. [[Page 246]] 4. Other Comments Concerning Disclosures by Lawful Holders Public Comments SAMHSA received a number of comments relative to Medicaid agencies and MCOs with which they contract; the commenters stated that MCOs are considered to be an extension of the Medicaid agency. Several of these commenters requested clarification that, under Sec. 2.33(b), MCOs (one commenter noted that such organizations are called coordinated care organizations in that state) may disclose patient identifying information for health care operations and payment purposes to the state agency with which the organization is under contract. One commenter requested clarification that under Sec. 2.33(b) lawful holders may disclose patient identifying information to the state Medicaid agency with which they are contracted. Another commenter requested that that this provision explicitly permit disclosures between managed care organizations, their contractors and a Medicaid program. Similarly, a commenter also pointed out that proposed Sec. 2.33(b) would only allow a lawful holder to disclose to its own contractors and subcontractors, which would not relieve the administrative obstacles part 2 providers experience when trying to obtain insurance coverage for their patients because the part 2 programs would have to deal directly with a peer reviewer or utilization review company that is a subcontractor to the insurance company named on the consent form. SAMHSA Response With regard to the comments on Medicaid agencies and the managed care organizations with which they contract, as well as those addressing administrative obstacles contractors may face in obtaining patient identifying information, the information can be disclosed directly to the contractor or subcontractor and does not need to first be disclosed to the lawful holder (i.e., recipient named on the consent form) and then subsequently re-disclosed, as long as the information is being used for the purposes of payment and health care operations. This is because contractors, legal representatives, and subcontractors are acting on behalf of the lawful holders based on contracts, legal agreements or mandates in law. Public Comments Two commenters, pointing to the varying definitions for ``contractors'' and ``subcontractors'' under different laws and regulations, requested that SAMHSA consider defining these terms. SAMHSA Response SAMHSA did not propose to define ``contractors'' and ``subcontractors'' in its proposed rule and declines to do so now in the final rule. As stated in Sec. 2.33(c), lawful holders who wish to disclose patient identifying information pursuant to subsection (b) of this section must enter into a written contract with the contractor (or appropriate comparable legal instrument in the case of a legal representative retained voluntarily by the lawful holder). In the case where there is a legal representative who is required to represent the lawful holder by law, the requirement for a contract or comparable legal instrument in Sec. 2.33(c) shall not apply. SAMHSA believes this general understanding of a contractor or subcontractor provides the necessary flexibility for these types of arrangements while still ensuring that all parties must adhere to requirements and protections specified in Sec. 2.33(c). Public Comments One commenter requested that SAMHSA add a new Sec. 2.33(d) to state that ``if the contractor, subcontractor, or legal representative needs patient identifying information directly from the part 2 program, the contractor, subcontractor, or legal representative must produce a copy of the agreement mandated by Sec. 2.33(c) prior to the part 2 program releasing any information.'' SAMHSA Response SAMHSA declines to require contractors, subcontractors, and legal representatives to produce a copy of the agreement mandated by Sec. 2.33(c) prior to the part 2 program releasing any information because SAMHSA did not propose to do so in the SNPRM. The decision as to whether to share this information would be at the discretion of the contracting parties. Public Comments One commenter stated that proposed Sec. 2.33(b) should apply to all lawful holders (and not just those who received patient identifying information pursuant to a written consent), which would enable QSOs to disclose without consent to contractors and subcontractors. SAMHSA Response SAMHSA declines to eliminate the requirement that Sec. 2.33(b) only applies to lawful holders that receive patient identifying information pursuant to a written consent. SAMHSA believes that the consent requirement for lawful holders that fall under Sec. 2.33(b) must be maintained and that Sec. 2.33(b) should not apply to QSOs. Further, SAMHSA guidance indicates that a QSOA does not permit a QSO to re-disclose information to a third party unless that third party is a contract agent of the QSO, helping them provide services described in the QSOA, and only as long as the agent only further discloses the information back to the QSO or to the part 2 program from which it came. C. Audit and Evaluation (Sec. 2.53) SAMHSA recognizes that federal, state, and local governments often need to access all of the records, including part 2 program records, held by entities they regulate in order to appropriately evaluate compliance with applicable laws, rules, and policies. As a result, in the SNPRM, SAMHSA proposed regulatory changes to clarify that audits and evaluations may be performed on behalf of federal, state, and local governments providing financial assistance to, or regulating the activities of, lawful holders as well as part 2 programs. SAMHSA recognizes that federal, state, and local governments often need to access all of the records, including part 2 program records, held by entities they regulate in order to appropriately evaluate compliance with applicable laws, rules, and policies. For example, an Accountable Care Organization (ACO) or similar CMS-regulated health care models may wish to evaluate the impact of integrated care on several participating behavioral health care programs' quality of care, or a state may wish to do an audit to see how many individuals who leave state-supported correctional facilities subsequently receive substance use disorder treatment. In addition, SAMHSA proposed regulatory revisions to: Specify that audits and evaluations may be performed by contractors, subcontractors, or legal representatives on behalf of a third-party payers or a quality improvement organizations; and state that if disclosures are made under this section for a Medicare, Medicaid, or CHIP audit or evaluation, including a civil investigation or administrative remedy, further disclosures may be made to contractors, subcontractors, or legal representatives to carry out the audit or evaluation. SAMHSA is now finalizing these requirements. It has also made certain technical amendments to correct inadvertent omissions in the rule's text to effectuate SAMHSA's intent to permit disclosure and use of patient identifying information held by other lawful holders for audit and evaluation purposes, as well as to clarify [[Page 247]] and operationalize the requirements of this section. Public Comments SAMHSA received a range of comments concerning the proposed amendments with regard to permitted disclosures of patient identifying information to contractors, subcontractors, and legal representatives for purposes of carrying out an audit or evaluation under part 2. SAMHSA received a number of comments supporting these revisions. Several of the commenters also expressed support specifically for the provision allowing patient identifying information to be disclosed for purposes of carrying out an audit or evaluation, with some citing proposed Sec. 2.53(a)(1)(i) in particular. Some commenters stated this particular revision would allow lawful holders of patient identifying information to disclose that information to audit and oversight entities in order to respond to an audit or evaluation request, and that clear authority to disclose patient identifying information for audits (which may include quality improvement and program integrity) is critical to Medicaid program operations. Another commenter supported the proposed changes because they would appear to allow disclosure of patient identifying information to a government agency authorized to regulate the activities of any lawful holder, not just a part 2 program or private payer, and because this change would at least partially conform to HIPAA's permissible disclosures to health system oversight agencies. The commenter, however, expressed concern that the proposed language did not make clear whether the government agency must obtain access to the records directly from the part 2 program rather than from the other lawful holder that the agency regulates, as obtaining records from the part 2 program posed communications challenges. SAMHSA Response SAMHSA appreciates the support for the further amendments as set out in the regulatory text of Sec. 2.53. Inclusion of these additional provisions reflects that contractors, subcontractors and legal representatives are increasingly involved in audit and evaluation activities. SAMHSA recognizes that federal, state, and local governments often need to access all of the records, including part 2 program records, held by entities they regulate in order to appropriately evaluate compliance with applicable laws, rules, and policies. We believe including these changes will assist in compliance with part 2 and other federal, state, and local rules and regulations and improve part 2 program quality. With respect to the commenter's concern, if a government agency is auditing or evaluating a lawful holder, which it regulates, the agency may receive the patient identifying information necessary for that audit or evaluation directly from the lawful holder. Public Comments SAMHSA also received a number of comments opposing the proposal to permit re-disclosure of patient identifying information without patient consent to contractors and subcontractors for audit and evaluation purposes unless SAMHSA provides additional safeguards. Several of these commenters noted that the proposed changes to Sec. 2.53 have the potential to greatly expand the universe of individuals and entities who may receive protected substance use disorder information without patient consent for audit and evaluation purposes. A couple of commenters expressed concern that detailed patient records would be used for purposes of risk adjustment and reporting of the patient's severity of illness to predict health care cost expenditures and adjust payer payments. One commenter stated that, if data are being used to impact a patient's score or health coverage, patient consent should be required. SAMHSA Response SAMHSA appreciates the array of recommendations commenters provided for possible restrictions and safeguards. SAMHSA is contemplating future rulemaking for 42 CFR part 2, and will take these recommendations under advisement at that time. With regard to the suggestion that SAMHSA require patient consent if data could be used to affect a patient's health coverage or health score, SAMHSA reiterates that under the terms of Sec. 2.53, patient identifying information may only be used for audit and evaluation purposes. D. Other Public Comments on the SNPRM 1. Extension of Part 2 Restrictions to Third Parties Public Comments Two commenters stated that changes made to the SNPRM were predicated on the concept that part 2 confidentiality restrictions extend beyond part 2 programs to third parties, including lawful holders, contractors, subcontractors and legal representatives. These commenters, noting that no definitions exist in the regulatory text for ``lawful holders,'' ``contractors,'' or ``subcontractors,'' or ``legal representatives,'' requested that SAMHSA address whether the part 2 statute permits the extension of these restrictions beyond part 2 programs. SAMHSA Response The statute (42 U.S.C. 290dd-2) authorizes SAMHSA to promulgate regulations to effectuate the confidentiality provisions governing substance use disorder patient records. The part 2 rule's applicability to third parties is a reasonable exercise of SAMHSA's statutory authority to ensure protection of part 2 information in the possession of lawful holders other than part 2 programs. 2. Greater Weight to Comments From Patient and Part 2 Program Public Comments SAMHSA received several comments requesting that greatest weight be given to comments from patients and consumers who will be directly affected by any changes to part 2; one of these commenters made this request because patients entering treatment will likely be unable to anticipate complex re-disclosure risks for activities proposed by the SNPRM. In addition, a commenter requested that special consideration be given to comments from substance use disorder treatment providers. SAMHSA Response Every comment received on the SNPRM was given careful consideration, and SAMHSA has endeavored in this final rule to take into account the varying perspectives of public commenters. SAMHSA is seeking a balance between ensuring that patients with substance use disorders have the ability to participate in, and benefit from, new and emerging health care models that promote integrated care and patient safety and ensuring the confidentiality of substance use disorder patient records, given the potential for discrimination, harm to reputations and relationships, and serious civil and criminal consequences that could result from impermissible disclosures. E. Regulatory Impact Analysis (RIA) In the SNPRM, SAMHSA stated that, if adopted, the proposed revisions should not result in any additional costs to part 2 programs. However, SAMHSA specifically sought comment on the implications of the proposed changes on the regulatory and financial impact, if any, of these proposed rules. [[Page 248]] Public Comments SAMHSA did not receive any comments on costs related to specific proposals made in the SNPRM or the RIA. F. Requests for Public Comment In the January 18, 2017, SNPRM, SAMHSA made several requests for public comments based on its expectation that there may be future 42 CFR part 2-related rulemaking. Those comments are summarized below. 1. Conveying the Scope of the Written Consent In the SNPRM, SAMHSA sought comment on the proper mechanisms to convey the scope of the consent to lawful holders, contractors, subcontractors, and legal representatives, including those who are downstream recipients of patient identifying information given current electronic data exchange technical designs. Public Comments Commenters suggested that SAMHSA provide more clarity on these mechanisms, particularly given the current electronic exchange environment and recommended more specific ways to ensure patients retain control over how their information is disclosed. Another commenter asserted proposed consent requirements could be burdensome, and a third-party payer may be unable to assess part 2 program compliance with consent requirements. SAMHSA Response SAMHSA has modified language in Sec. 2.33(c) so as not to imply that the consent form must be provided to the recipient of part 2 records. Sections 2.13, 2.31, and other sections of part 2 require recipients of patient identifying information to have knowledge of 42 CFR part 2 as it relates to the purpose for which information is being disclosed and can be re-disclosed lawfully. Individuals and entities that disclose or receive patient identifying information via patient consent must be able to comply with these requirements. 2. Other Restrictions and Safeguards In the SNPRM, SAMHSA specifically sought comments regarding the establishment of appropriate restrictions and safeguards on lawful holders and their contractors, subcontractors, and legal representatives' use and disclosure of patient identifying information for the purposes discussed in the SNPRM. a. General Public Comments SAMHSA received a number of responses to this request for comments regarding the establishment of appropriate restrictions and safeguards. These comments recommended a wide array of patient protections and safeguards. While some commenters noted there is a legitimate need for lawful holders to disclose protected information to their contractors, subcontractors, and legal representatives for payment and health care operations purposes, many commenters expressed concern that the breadth of the proposed changes may undermine core protections under part 2, which give substance use disorder patients control over how their information is disclosed so as not to make them more vulnerable to potential negative consequences of such disclosures. Loss of employment, loss of housing, loss of child custody, discrimination by medical professionals and insurers, and arrest, prosecution, and incarceration were cited as potential negative consequences. Most commenters stated concern over, or even their opposition to, SAMHSA finalizing proposed changes in the SNPRM without including certain additional protections. SAMHSA Response SAMHSA appreciates the array of recommendations commenters provided for possible restrictions and safeguards. SAMHSA believes that the existing restrictions and safeguards--including provisions limiting use of patient identifying information in criminal and civil procedures and requiring that any disclosure made under these regulations must be limited to that information which is necessary to carry out the purpose of the disclosure--are adequate. b. Commenter Recommendations for Anti-Discrimination Protections Many commenters recommended the addition of specific anti- discrimination protections that would apply to disclosures pursuant to the proposed Sec. Sec. 2.33(b) and 2.53. Commenters expressed concern over the potential for misuse of information and a desire to balance the increased flexibility of proposed Sec. Sec. 2.33 and 2.53 with increased protections. SAMHSA Response Promulgating rules that address discriminatory action is outside the scope of SAMHSA's legal authority. c. Commenter Recommendations for Patient Notification on the Consent Form Public Comments Several commenters expressed concern that the proposed changes to Sec. 2.33 would greatly expand access to patient identifying information by individuals and entities to whom the patient did not specifically consent and for purposes not always evident to the patient. These commenters, and a number of others, requested that SAMHSA require, at a minimum, a notification to patients on the consent form that they are consenting to the disclosure of their patient identifying information to both the recipient and the recipient's contractors, subcontractors, and legal representatives to the extent those contractors, subcontractors, and legal representatives need the information to carry out payment or health care operations purposes. SAMHSA's Response SAMHSA is contemplating future rulemaking for 42 CFR part 2 and will take these recommendations under consideration at that time. In addition, consistent with the 21st Century Cures Act, prior to March 21, 2018, the Secretary of HHS will convene relevant stakeholders to determine the effects of 42 CFR part 2 on patient care, health outcomes, and patient privacy. The information obtained at the meeting will help to inform the course of any further part 2 rule-making. SAMHSA will consider these comments on privacy and confidentiality in conjunction with those made during the stakeholder meeting. d. Commenter Recommendations for Mechanisms for Identifying and Sanctioning Unauthorized Disclosures Public Comments Several commenters recommended adding a requirement that lawful holders who wish to re-disclose patient identifying information to contractors, subcontractors, and legal representatives be subject to the same List of Disclosures requirements that apply to intermediaries who disclose patient identifying information pursuant to a general designation under the consent requirements at Sec. 2.31. In addition, a couple of commenters requested that SAMHSA impose a List of Disclosures requirement on audit and evaluation agencies. One commenter requested that SAMHSA not finalize the proposed changes in the SNPRM without mechanisms in place to enable individuals who have been adversely [[Page 249]] impacted to identify the source of a disclosure and initiate sanctions. SAMHSA Response SAMHSA appreciates the recommendations to add mechanisms to enable individuals who have been adversely impacted to identify the source of a disclosure, including adding a List of Disclosures requirement. SAMHSA is contemplating future rulemaking for 42 CFR part 2, and will take these recommendations under consideration. e. Other Commenter Recommendations for Additional Restrictions and Safeguards Public Comments SAMHSA also received comments recommending other types of protections and safeguards. One commenter recommended SAMHSA reinforce patients' rights to file grievances and complaints and suggested that SAMHSA explore the ability to impose a confidentiality certificate on information disclosed to third parties similar to 42 U.S.C. 241(d), which protects the privacy of research subjects. A couple of commenters suggested strengthening patient protections by adding re-disclosure prohibitions in the statute similar to the confidentiality protections extended to certain veterans' medical records, including substance use disorder patient records in Title 38. Another commenter stated that given stigma and risk of adverse impact, it was critical to have additional protections in place such as substantial penalties for disclosure violations and failure to maintain tracking of disclosures and mechanisms for an individual to identify and correct errors in an electronic health record and for identifying the source of the disclosed errors. This commenter stated that, because there is no clear mechanism to correct errors in records, it is critical that initial sharing of information be restricted until such mechanisms are developed. In addition, two commenters stated that the proposed audit and evaluation revisions could conflict with intended court order protections at Sec. Sec. 2.64 through 2.67 and requested SAMHSA clarify the necessity to obtain court orders in such investigations and prosecutions as a result of a Medicare, Medicaid, or CHIP audit or evaluation. SAMHSA Response SAMHSA appreciates the recommendations for identifying the source of a disclosure under Sec. 2.33, and strengthening language regarding a patient's right to file a grievance. SAMHSA is contemplating future rulemaking for 42 CFR part 2, and will take these recommendations under advisement at that time. In addition, SAMHSA does not have the authority to make statutory revisions, so SAMHSA cannot add re-disclosure prohibitions to the authorizing statute. With regard to the comment regarding the imposition of substantial penalties, the part 2 regulations already include provisions to implement the statutory criminal penalties for violations. Further, SAMHSA does not have the authority to require a mechanism for making corrections in an electronic health record. SAMSHA believes that permitting contractors, subcontractors, and legal representatives to obtain information for audit and evaluation purposes does not contradict or undermine protections currently within Sec. Sec. 2.64 through 2.67. For instance, Sec. 2.53 provides that the audit and evaluation provisions ``do not authorize the part 2 program, the federal, state, or local government agency, or any other individual or entity to disclose or use patient identifying information obtained during the audit or evaluation for any purposes other than those necessary to complete the audit or evaluation.'' Similarly, Sec. 2.53(d) explicitly states that, except as provided, ``patient identifying information disclosed under this section may be disclosed only back to the part 2 program or other lawful holder from which it was obtained and may be used only to carry out an audit or evaluation purpose or to investigate or prosecute criminal or other activities, as authorized by a court order entered under Sec. [thinsp]2.66.'' 3. Impact on Privacy and Confidentiality and Part 2 Goals SAMHSA specifically sought comment on the implications of the proposed revisions on the privacy and confidentiality of substance use disorder patient records and the overall goals of 42 CFR part 2. Public Comment SAMHSA received several comments that addressed this request, some of which were general in nature, while others were specific to proposed revisions in either Sec. 2.32 or in Sec. 2.33. All commenters expressed support for preserving patients' confidentiality. One commenter expressed general concerns about parties trying to alter federal confidentiality protections in a manner that will not benefit patients. These concerns included prospective patients avoiding seeking treatment over fears that the proposed broader dissemination of their treatment information may lead to that information becoming known by friends, family, employers, insurers, and other providers of medical services. Commenters expressed concern regarding the privacy and confidentiality impact of the SNPRM changes to Sec. Sec. 2.32 and 2.33. These commenters asserted that: (1) The changes would, over time, result in gradual disclosure of part 2 data as a result of failing to communicate through the notice the importance of avoiding improper re- disclosures; (2) substance use disorder patients would not likely agree to the broad use of their personal information for activities that they do not understand or are perhaps incapable of refusing (e.g., incompetent); and (3) terms such as ``health care operations'' and ``quality improvement'' are too general, allowing activities that have few limits or boundaries. A couple of commenters stated that the proposed changes would result in patients attempting to exclude their records from research and quality improvement systems or avoiding lifesaving treatment services. In addition, one commenter expressed concern that SAMHSA may have unintentionally abrogated its responsibility to protect vulnerable patients. SAMHSA Response As stated previously, this final rule builds on efforts in the January 18, 2017, 42 CFR part 2 final rule (82 FR 6052) to better reflect changes in the health care system, such as the increasing use of electronic health records, and drive toward greater integration of physical and behavioral health care. Despite efforts to enhance integration, SAMHSA remains committed to protecting the confidentiality of patient records. This rule updates 42 CFR part 2 to balance these important needs. However, as an added protection and consistent with the 21st Century Cures Act, prior to March 21, 2018, the Secretary of HHS will convene relevant stakeholders to determine the effects of 42 CFR part 2 on patient care, health outcomes, and patient privacy. The information obtained at the meeting will help to inform the course of any further part 2 rule-making, and SAMHSA will consider these comments on privacy and confidentiality in conjunction with those made during the stakeholder meeting. [[Page 250]] III. Rulemaking Analysis Regulatory Impact Analysis (RIA) In this final rule, SAMHSA finalizes certain revisions to 42 CFR part 2 as follows: Prohibition on re-disclosure (Sec. 2.32); the disclosures permitted with written consent (Sec. [thinsp]2.33), including the payment and health care operations activities for which lawful holders may disclose patient identifying information to their contractors, subcontractors, and legal representatives. In addition, SAMHSA clarifies that the audit and evaluation provision (Sec. [thinsp]2.53) permits certain disclosures to contractors, subcontractors, and legal representatives for purposes of carrying out an audit or evaluation, and that audits and evaluations may be performed on behalf of federal, state, and local governments providing financial assistance to or regulating the activities of lawful holders of patient identifying information as well as part 2 programs. Notably, SAMHSA explicitly sought comment on costs and benefits of its proposed changes. Of the 55 public comments received on the proposed rule, none substantively focused on cost or burden issues. Public comments support SAMHSA's view in this final rule that these modifications will enhance information-sharing and efficiency of such payment and health care operations as claims processing, business management, training, and customer service and facilitate audit and evaluation activities. Further, SAMHSA believes that the re-disclosure provisions will make it easier for some part 2 programs and other lawful holders to use electronic health systems. The January 18, 2017, final rule noted that in ``the absence of data and studies specifically focused on compliance with 42 CFR part 2, SAMHSA has estimated these costs based on a range of published costs associated with HIPAA implementation and compliance.'' SAMHSA notes that the HIPAA Omnibus Final Rule (78 FR 5566, Jan. 25, 2013) similarly provided a transition period for covered entities to incorporate new provisions into agreements between business associates and covered entities (up to 20 months after publication of the final rule for some agreements, provided certain conditions were met) and anticipated that there would be little added cost as these contracts would already be required. SAMHSA believes that the cost of updating agreements among part 2 programs and other lawful holders to reflect the provisions adopted in this final rule would be negligible. In order to provide entities with maximum flexibility reflecting their unique contractual arrangements, contracts may include statements about required compliance with 42 CFR part 2; however, no specific language beyond this concept is required by the rule. This rule provides up to two years from the effective date to comply with this section. Because part 2 programs and other lawful holders can modify their contracts during the normal renegotiation of contracts as existing contracts expire or, if such contracts are not regularly updated, can make such changes up to two years from this final rule's effective date, new regulatory language required by Sec. 2.33(c), as revised, should impose a minimal burden. SAMHSA similarly believes that the abbreviated notice of the prohibition on re-disclosure adopted in this final rule provides additional options to part 2 entities that will facilitate adoption of electronic health records and reduce regulatory burdens. Entities not wishing to use the abbreviated notice may use the standard prohibition on re-disclosure notice. As the revised notice has limited characters, SAMHSA believes that it can be more readily used with existing electronic health record systems. Under the Paperwork Reduction Act of 1995 (PRA), agencies are required to provide a 60-day notice in the Federal Register and solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. PRA issues were discussed in the SNPRM. SAMHSA stated that it anticipated no substantive changes in PRA requirements should changes proposed in the SNPRM be adopted. SAMHSA received no public comment on our assumptions as they relate to the PRA requirements. SAMHSA continues to believe that the final rule imposes no new PRA burdens. SAMHSA has examined the impact of this final rule under Executive Order 12866 on Regulatory Planning and Review (September 30, 1993), Executive Order 13771 on Reducing Regulation and Controlling Regulatory Costs (January 30, 2017), Executive Order 13563 on Improving Regulation and Regulatory Review (January 18, 2011), the Regulatory Flexibility Act of 1980 (Pub. L. 96-354, September 19, 1980), the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4, March 22, 1995), and Executive Order 13132 on Federalism (August 4, 1999). Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health, and safety effects; distributive impacts; and equity). Executive Order 13563 is supplemental to, and reaffirms the principles, structures, and definitions governing regulatory review, as established in Executive Order 12866. Executive Order 13771 requires that the costs associated with significant new regulations ``shall, to the extent permitted by law, be offset by the elimination of existing costs associated with at least two prior regulations.'' The changes finalized in this rule will not have an annual effect on the economy of $100 million or more in at least one year. Therefore, this final rule is not an economically significant regulatory action as defined by Executive Order 12866, or a significant regulation under Executive Order 13771. The Regulatory Flexibility Act (RFA) requires agencies that issue a regulation to analyze options for regulatory relief of small businesses if a rule has a significant impact on a substantial number of small entities. The RFA generally defines a ``small entity'' as (1) a proprietary firm meeting the size standards of the Small Business Administration; (2) a nonprofit organization that is not dominant in its field; or (3) a small government jurisdiction with a population of less than 50,000. (States and individuals are not included in the definition of ``small entity''). For similar rules, HHS considers a rule to have a significant economic impact on a substantial number of small entities if at least five percent of small entities experience an impact of more than three percent of revenue. This final rule will not have a significant economic impact on a substantial number of small entities. Section 202(a) of the Unfunded Mandates Reform Act of 1995 requires that agencies prepare a written statement, which includes an assessment of anticipated costs and benefits, before proposing ``any rule that includes any Federal mandate that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100,000,000 or more (adjusted annually for inflation) in any one year.'' This final rule does not trigger the Unfunded Mandates Reform Act, because it will not result in expenditures of this magnitude by states or other government entities. IV. Provisions of Technical Amendments This section contains corrections to the final regulations published in the Federal Register on January 18, 2017 (82 FR 6988). The word ``manage'' was inadvertently omitted from the [[Page 251]] regulation text at Sec. 2.15 concerning incompetent and deceased patients. It should read ``to manage their own affairs'' rather than ``to their own affairs.'' A typographical error and reference in the regulation to ``paragraph (a)(8)'' should have instead read ``paragraph (a)(6)'' in the text of the regulations at Sec. 2.35 concerning disclosures to elements of the criminal justice system which have referred patients. As a result, we are making technical corrections in 42 CFR part 2 at Sec. Sec. 2.15 and 2.35. Section 553 of the Administrative Procedure Act, 5 U.S.C. 553(b)(3)(B), provides that, when an agency for good cause finds that notice and public procedure are impracticable, unnecessary, or contrary to the public interest, the agency may issue a rule without providing notice and an opportunity for public comment. We have determined that there is good cause for making these technical corrections final without prior notice and opportunity for comment because the changes address minor typographical errors, misprints, or omissions, which are noncontroversial and do not substantively change the requirements of the rule. Furthermore, the minor corrections do not impose any additional obligations on any party. Thus, notice and public comment is impracticable, unnecessary, or contrary to the public interest. Conclusion SAMHSA is finalizing changes to clarify the payment and health care operations activities for which lawful holders may disclose patient identifying information to their contractors, subcontractors, and legal representatives. In addition, SAMHSA clarifies that the audit and evaluation provision permits certain disclosures to contractors, subcontractors, and legal representatives for purposes of carrying out an audit or evaluation under Sec. [thinsp]2.53. SAMHSA is finalizing changes to clarify that audits and evaluations may be performed on behalf of federal, state and local governments providing financial assistance to, or regulating the activities of lawful holders, as well as part 2 programs. The final rule also includes an abbreviated notice of the prohibition on re-disclosure. Finally, SAMHSA is making minor technical corrections to select provisions of the 42 CFR part 2 final rule published in the Federal Register on January 18, 2017. List of Subjects in 42 CFR Part 2 Alcohol abuse, Alcoholism, Drug abuse, Grant programs--health, Health records, Privacy, Reporting, and Recordkeeping requirements. For the reasons stated in the preamble of this final rule, 42 CFR part 2 is amended as follows: PART 2--CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS 0 1. The authority citation for part 2 continues to read as follows: Authority: 42 U.S.C. 290dd-2. Sec. 2.15 [Amended] 0 2. Amend Sec. 2.15(a)(1) by removing the phrase ``to their own affairs'' and adding in its place the phrase ``to manage their own affairs''. 0 3. Revise Sec. 2.32 to read as follows: Sec. 2.32 Prohibition on re-disclosure. (a) Notice to accompany disclosure. Each disclosure made with the patient's written consent must be accompanied by one of the following written statements: (1) This information has been disclosed to you from records protected by federal confidentiality rules (42 CFR part 2). The federal rules prohibit you from making any further disclosure of information in this record that identifies a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person unless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed or as otherwise permitted by 42 CFR part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose (see Sec. 2.31). The federal rules restrict any use of the information to investigate or prosecute with regard to a crime any patient with a substance use disorder, except as provided at Sec. Sec. 2.12(c)(5) and 2.65; or (2) 42 CFR part 2 prohibits unauthorized disclosure of these records. (b) [Reserved] 0 4. Revise Sec. [thinsp]2.33 to read as follows: Sec. [thinsp]2.33 Disclosures permitted with written consent. (a) If a patient consents to a disclosure of their records under Sec. [thinsp]2.31, a part 2 program may disclose those records in accordance with that consent to any person or category of persons identified or generally designated in the consent, except that disclosures to central registries and in connection with criminal justice referrals must meet the requirements of Sec. Sec. [thinsp]2.34 and 2.35, respectively. (b) If a patient consents to a disclosure of their records under Sec. [thinsp]2.31 for payment and/or health care operations activities, a lawful holder who receives such records under the terms of the written consent may further disclose those records as may be necessary for its contractors, subcontractors, or legal representatives to carry out payment and/or health care operations on behalf of such lawful holder. Disclosures to contractors, subcontractors, and legal representatives to carry out other purposes such as substance use disorder patient diagnosis, treatment, or referral for treatment are not permitted under this section. In accordance with Sec. [thinsp]2.13(a), disclosures under this section must be limited to that information which is necessary to carry out the stated purpose of the disclosure. (c) Lawful holders who wish to disclose patient identifying information pursuant to paragraph (b) of this section must have in place a written contract or comparable legal instrument with the contractor or voluntary legal representative, which provides that the contractor, subcontractor, or voluntary legal representative is fully bound by the provisions of part 2 upon receipt of the patient identifying information. In making any such disclosures, the lawful holder must furnish such recipients with the notice required under Sec. [thinsp]2.32; require such recipients to implement appropriate safeguards to prevent unauthorized uses and disclosures; and require such recipients to report any unauthorized uses, disclosures, or breaches of patient identifying information to the lawful holder. The lawful holder may only disclose information to the contractor or subcontractor or voluntary legal representative that is necessary for the contractor or subcontractor or voluntary legal representative to perform its duties under the contract or comparable legal instrument. Contracts may not permit a contractor or subcontractor or voluntary legal representative to re-disclose information to a third party unless that third party is a contract agent of the contractor or subcontractor, helping them provide services described in the contract, and only as long as the agent only further discloses the information back to the contractor or lawful holder from which the information originated. 0 5. Amend Sec. 2.35 by revising paragraph (a)(2) as follows: Sec. 2.35 Disclosure to elements of the criminal justice system which have referred patients. (a) * * * (2) The patient has signed a written consent meeting the requirements of [[Page 252]] Sec. [thinsp]2.31 (except paragraph (a)(6) of this section which is inconsistent with the revocation provisions of paragraph (c) of this section) and the requirements of paragraphs (b) and (c) of this section. 0 6. Amend Sec. [thinsp]2.53 by: 0 a. Revising paragraphs (a) introductory text, (a)(1)(i) and (ii), (a)(2). 0 b. Revising paragraphs (b) introductory text, (b)(2)(i) and (ii). 0 c. Revising paragraph (c)(5). 0 d. Revising paragraph (d). The revisions and addition read as follows: Sec. [thinsp]2.53 Audit and evaluation. (a) Records not copied or removed. If patient records are not downloaded, copied or removed from the premises of a part 2 program or other lawful holder, or forwarded electronically to another electronic system or device, patient identifying information, as defined in Sec. 2.11, may be disclosed in the course of a review of records on the premises of a part 2 program or other lawful holder to any individual or entity who agrees in writing to comply with the limitations on re- disclosure and use in paragraph (d) of this section and who: (1) * * * (i) Any federal, state, or local governmental agency that provides financial assistance to a part 2 program or other lawful holder, or is authorized by law to regulate the activities of the part 2 program or other lawful holder; (ii) Any individual or entity which provides financial assistance to the part 2 program or other lawful holder, which is a third-party payer covering patients in the part 2 program, or which is a quality improvement organization performing a utilization or quality control review, or such individual's or entity's or quality improvement organization's contractors, subcontractors, or legal representatives. (2) Is determined by the part 2 program or other lawful holder to be qualified to conduct an audit or evaluation of the part 2 program or other lawful holder. (b) Copying, removing, downloading, or forwarding patient records. Records containing patient identifying information, as defined in Sec. 2.11, may be copied or removed from the premises of a part 2 program or other lawful holder or downloaded or forwarded to another electronic system or device from the part 2 program's or other lawful holder's electronic records by any individual or entity who: (2) * * * (i) Any federal, state, or local governmental agency that provides financial assistance to the part 2 program or other lawful holder, or is authorized by law to regulate the activities of the part 2 program or other lawful holder; or (ii) Any individual or entity which provides financial assistance to the part 2 program or other lawful holder, which is a third-party payer covering patients in the part 2 program, or which is a quality improvement organization performing a utilization or quality control review, or such individual's or entity's or quality improvement organization's contractors, subcontractors, or legal representatives. * * * * * (c) * * * (5) If a disclosure to an individual or entity is authorized under this section for a Medicare, Medicaid, or CHIP audit or evaluation, including a civil investigation or administrative remedy, as those terms are used in paragraph (c)(2) of this section, the individual or entity may further disclose the patient identifying information that is received for such purposes to its contractor(s), subcontractor(s), or legal representative(s), to carry out the audit or evaluation, and a quality improvement organization which obtains such information under paragraph (a) or (b) of this section may disclose the information to that individual or entity (or, to such individual's or entity's contractors, subcontractors, or legal representatives, but only for the purposes of this section). * * * * * (d) Limitations on disclosure and use. Except as provided in paragraph (c) of this section, patient identifying information disclosed under this section may be disclosed only back to the part 2 program or other lawful holder from which it was obtained and may be used only to carry out an audit or evaluation purpose or to investigate or prosecute criminal or other activities, as authorized by a court order entered under Sec. [thinsp]2.66. * * * * * Dated: December 19, 2017. Elinore F. McCance-Katz Assistant Secretary for Mental Health and Substance Use. Approved: December 20, 2017. Eric D. Hargan, Acting Secretary, Department of Health and Human Services. [FR Doc. 2017-28400 Filed 1-2-18; 8:45 am] BILLING CODE P
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Rules and Regulations | |
| Action | Final rule. | |
| Dates | Effective date: This final rule is effective February 2, 2018. | |
| Contact | Mitchell Berger, Telephone number: | |
| FR Citation | 83 FR 239 | |
| RIN Number | 0930-ZA07 | |
| CFR Associated | Alcohol Abuse; Alcoholism; Drug Abuse; Grant Programs-Health; Health Records; Privacy; Reporting and Recordkeeping Requirements |