Table Of ContentFederal Register/Vol. 83, No. 2/Wednesday, January 3, 2018/Rules and Regulations 239
Docket No. Type Location Effective date
USCG–2016–0095 ..... Safety Zones (Part 147 and 165) .......................... Buffalo, NY ............................................................. 6/18/2016
USCG–2016–0158 ..... Special Local Regulation ....................................... Lawrenceburg, IN ................................................... 6/18/2016
USCG–2016–0401 ..... Safety Zones (Part 147 and 165) .......................... Chattanooga, TN .................................................... 6/18/2016
USCG–2016–0512 ..... Special Local Regulations (Part 100) .................... Triathlon, Ohio River .............................................. 6/19/2016
USCG–2016–0548 ..... Security Zones (Part 165) ...................................... Cincinnati, OH ........................................................ 6/20/2016
USCG–2016–0606 ..... Safety Zones (Part 147 and 165) .......................... Clements, MI .......................................................... 6/23/2016
USCG–2016–0595 ..... Security Zones (Part 165) ...................................... Medina, WA ............................................................ 6/24/2016
USCG–2016–0631 ..... Safety Zones (Part 147 and 165) .......................... offshore of Fitzpatrick ............................................. 6/26/2016
USCG–2016–0475 ..... Special Local Regulation ....................................... Aguada, PR ............................................................ 6/26/2016
USCG–2016–0495 ..... Special Local Regulations (Part 100) .................... Chattanooga, TN .................................................... 6/26/2016
USCG–2016–0637 ..... Safety Zones (Part 147 and 165) .......................... Ironton, OH ............................................................. 6/30/2016
Dated: December 19, 2017. Compliance dates: The compliance rulemaking (SNPRM) (82 FR 5485) to
Katia Kroutil, date for all provisions of this final rule, solicit public comment on additional
Office Chief, Office of Regulations and except for §2.33(c), is February 2, 2018. proposals including: The payment and
Administrative Law. As discussed in the preamble, contracts health care operations-related
[FR Doc. 2017–28401 Filed 1–2–18; 8:45 am] between lawful holders and contractors, disclosures that can be made to
subcontractors, and legal representatives contractors, subcontractors, and legal
BILLING CODE 9110–04–P
must comply with §2.33(c) within two representatives by lawful holders under
years of the effective date of the final the part 2 rule consent provisions; and
rule. the provisions governing disclosures for
DEPARTMENT OF HEALTH AND
HUMAN SERVICES FORFURTHERINFORMATIONCONTACT: purposes of carrying out a Medicaid,
Mitchell Berger, Telephone number: Medicare or Children’s Health Insurance
Office of the Secretary (240) 276–1757, Email address: Program (CHIP) audit or evaluation.
[email protected]. SAMHSA also solicited comments on
42 CFR Part 2 SUPPLEMENTARYINFORMATION: whether an abbreviated notice of the
prohibition on re-disclosure should be
[SAMHSA–4162–20] I. Background used and, if so, under what
On February 9, 2016, SAMHSA circumstances.
RIN 0930–ZA07
published a Notice of Proposed SAMHSA received 55 comments on
Confidentiality of Substance Use Rulemaking (NPRM) in the Federal the SNPRM, and after considering those
Disorder Patient Records Register (81 FR 6988), proposing comments, is finalizing the proposed
updates to the Confidentiality of revisions, with some changes made in
AGENCY: Substance Abuse and Mental Alcohol and Drug Abuse Patient response to the public comments that
Health Services Administration Records (42 CFR part 2) regulations. were received. Some comments were
(SAMHSA), U.S. Department of Health These regulations implement title 42, outside the scope of the specific
and Human Services. section 290dd–2 of the United States provisions SAMHSA proposed in the
ACTION: Final rule. Code pertaining to the Confidentiality of SNPRM or were inconsistent with
Substance Use Disorder Patient Records SAMHSA’s legal authority regarding the
SUMMARY: This final rule makes changes held by certain substance use disorder confidentiality of substance use disorder
to the Substance Abuse and Mental treatment programs that receive federal patient records. This final rule does not
Health Services Administration’s financial assistance. As SAMHSA address these comments.
(SAMHSA) regulations governing the explained in that NPRM, it proposed to
Confidentiality of Substance Use update these regulations, last II. Discussion of Public Comments and
Disorder Patient Records. These changes substantively amended in 1987, to Final Modifications to 42 CFR Part 2
are intended to better align the reflect development of integrated health A. Align With HIPAA
regulations with advances in the U.S. care models and the use of electronic
health care delivery system while exchange of patient information. Public Comments
retaining important privacy protections SAMHSA also wished to maintain SAMHSA received a number of
for individuals seeking treatment for confidentiality protections for patient comments regarding alignment of 42
substance use disorders. This final rule identifying information, as persons with CFR part 2 with the Health Insurance
addresses the prohibition on re- substance use disorders still may Portability and Accountability Act
disclosure notice by including an option encounter significant discrimination if (HIPAA) or the Health Information
for an abbreviated notice. This final rule their information is improperly Technology for Economic and Clinical
also addresses the circumstances under disclosed. Health (HITECH) Act. Reasons cited by
which lawful holders and their legal On January 18, 2017, SAMHSA these commenters in support of aligning
representatives, contractors, and published a final rule (82 FR 6052). In the regulations with HIPAA or HIPAA/
subcontractors may use and disclose response to public comments, the final HITECH Act were to: (1) Promote
patient identifying information for rule provided for greater flexibility in information flow between providers,
D with RULES poFpuineraprlaoltysieo, snth soi,fs a pfniandya malu erduniltte,s h iasen amdlt ahekv icanalgrue am tiionnosr. disnyisfsocterlommsa iwntigho nipl aewt ciieotnhntit niind tuehnient higf eytaoiln taghd dcareres s the iranedccmolurinddi;i sn(t2gr) aa ta ocllrlosin woif cp asrelolryvv iicdcoeemsrs pg arleneatdet e pr atient
RO technical corrections to ensure accuracy need to protect the confidentiality of discretion; (3) facilitate interoperability;
B2P and clarity in SAMHSA’s regulations. substance use disorder patient records. (4) improve compliance; (5) enhance
H
Y8 DATES: Effective date: This final rule is SAMHSA concurrently issued a privacy protections by making
B
KB effective February 2, 2018. supplemental notice of proposed confidentiality restrictions more
S
D
worth on
jstallVerDate Sep<11>2014 15:15 Jan 02, 2018 Jkt 244001 PO 00000 Frm 00031 Fmt 4700 Sfmt 4700 E:\FR\FM\03JAR1.SGM 03JAR1
240 Federal Register/Vol. 83, No. 2/Wednesday, January 3, 2018/Rules and Regulations
uniform across health care settings; (6) disclosure, such as communicating part SAMHSA considered the impact the
promote more innovative models of 2 restrictions through codes, flags, pop- proposed abbreviated notice would have
health care delivery, including ups, or other signifiers. However, some on electronic health records formats,
integrated and coordinated care, and of these commenters and others also system design and software
value-based and population-based explained that most of the suggestions development for clinical medical
models; (7) establish uniform, workable are not technically feasible at this time, records format, or the impact on
regulations with respect to treatment, due to the lack of standardized required HIPAA Administrative
payment and operations; and (8) electronic formats and transmission transactions. One commenter stated that
improve patient care and reduce stigma standards. One supportive commenter an abbreviated notice of the prohibition
and potential harm to patients. suggested SAMHSA work with the on re-disclosure must contain, at a
Department of Health and Human minimum, a clear warning label to
SAMHSA Response
Services (HHS) and its agencies, prevent misuse and should state that
SAMHSA has attempted to align this including the Centers for Medicare & any misuse is illegal under 42 CFR part
final rule with HIPAA, the HITECH Act, Medicaid Services (CMS), and the Office 2.
and their implementing regulations to of Civil Rights (OCR), to explore
the extent feasible, based on the whether HIPAA electronic transactions SAMHSA Response
proposed revisions in the SNPRM, the and code sets can be leveraged or The 42 CFR part 2 regulations in
public comments received, and the modified to ‘‘flag’’ part 2 information effect since 1983 have required that a
limitations on SAMHSA’s authority in and, once the recommendation becomes notice of the prohibition on re-
the governing statute, 42 U.S.C. 290dd– actionable, involve standard-setting disclosure accompany each disclosure
2. At the same time, it is important to bodies and the public. Several made with the patient’s written consent.
note that part 2 and its authorizing supportive commenters provided In the SNPRM, SAMHSA proposed the
statute are separate and distinct from circumstances they thought were option of an abbreviated notice to satisfy
HIPAA, the HITECH Act, and their appropriate for an abbreviated notice of the requirements of §2.32 due to
implementing regulations. Part 2 the prohibition on re-disclosure, concerns about character limits in free-
provides more stringent federal including: (1) All electronic disclosures text fields within electronic health
protections than other health privacy (because there may not currently be a
record systems. Specifically, many of
laws such as HIPAA and seeks to standard mechanism to ‘‘flag’’ electronic
the health care electronic systems have
protect individuals with substance use information disclosures that are covered
a standard maximum character limit of
disorders who could be subject to by part 2); (2) only paper disclosures; (3)
80 characters in the free text space that
discrimination and legal consequences limiting the use of the abbreviated
may be used to transmit this notice.
in the event that their information is notice to the exchange of records
While SAMHSA recognizes there may
improperly used or disclosed. To the between part 2 programs (that would
be technical issues to be resolved, after
extent feasible given these restrictions, have familiarity with the concept of
considering the totality of the
SAMHSA continues to review these prohibition on re-disclosure); (4)
comments, SAMHSA believes including
issues, plans to explore additional exchange of records among part 2
an abbreviated notice of the prohibition
alignment with HIPAA, and may programs and other entities (including
on re-disclosure as an option will be
consider additional rulemaking for 42 third-party payers, and other lawful
beneficial to stakeholders, particularly
CFR part 2. holders); and (5) using a single
those who use electronic health record
abbreviated notice for all circumstances.
B. Prohibition on Re-Disclosure (§2.32) systems to exchange data. However,
A couple of commenters indicated that
In the SNPRM, SAMHSA sought having the notice of prohibition on re- because even commenters supporting
comment on whether an abbreviated disclosure accompany disclosures, as inclusion of an abbreviated notice had
notice of the prohibition on re- required by §2.32, is important for differing views about the circumstances
disclosure should be included in §2.32 ensuring compliance with part 2. under which an abbreviated notice
and on the circumstances under which Commenters who opposed the should be used, SAMHSA decided,
such abbreviated notice should be used. abbreviated notice of the prohibition on consistent with its proposal, to allow
The SNPRM provided an example of an re-disclosure expressed concerns that a use of an abbreviated notice in any
abbreviated notice: ‘‘Data is subject to shortened notice: (1) May be confusing instance in which a notice is required
42 CFR part 2. Use/disclose in or unclear to patients and professionals; under the regulations. Recognizing
conformance with part 2.’’ SAMHSA (2) would fail to safeguard against concerns expressed by commenters that
has adopted an abbreviated notice that unauthorized disclosures; and (3) would an abbreviated notice could be
is 80 characters long to fit in standard be insufficient to solve logistical insufficient to convey understanding of
free-text space within health care concerns because, regardless of the part 2 requirements, SAMHSA
electronic systems. The abbreviated length of the notice, systems will need encourages part 2 programs and other
notice in this final rule reads ‘‘Federal to be put in place to tag substance use lawful holders using the abbreviated
law/42 CFR part 2 prohibits disorder information and send the notice to discuss the requirements with
unauthorized disclosure of these notice with the information being those to whom they disclose patient
records.’’ disclosed. In addition, some identifying information. In response to
commenters found the current notice to comments received that the abbreviated
Public Comments
be sufficient. notice did not provide an adequate
Several commenters expressed SAMHSA also received comments warning against potential misuse of
S
ULE support for the abbreviated notice of the stating that the SNPRM provided patient identifying information,
D with R pprroohviidbietsi omno orne frlee-xdiibsiclliotysu arned b eefcfaicuiseen icty isnuspupfofircti oenr to ipnpfoosrme tahtieo anb tbor eevitihaeterd SmAoMdiHfieSdA t,h ien ltahnisg ufiangael irnu lteh,e h as
RO in meeting the notice requirement. notice of the prohibition on re- abbreviated notice to more explicitly
P
B2 Several supportive commenters disclosure because: (1) The purpose of notify recipients that improper use or
H
Y8 suggested potential technical solutions the abbreviated notice was not made disclosure is prohibited under 42 CFR
B
KB for conveying the prohibition on re- clear; and (2) it was unclear whether part 2.
S
D
worth on
jstallVerDate Sep<11>2014 15:15 Jan 02, 2018 Jkt 244001 PO 00000 Frm 00032 Fmt 4700 Sfmt 4700 E:\FR\FM\03JAR1.SGM 03JAR1
Federal Register/Vol. 83, No. 2/Wednesday, January 3, 2018/Rules and Regulations 241
C. Disclosures Permitted With Written party payers have the expertise and would apply in connection with the
Consent (§2.33) resources to carry out certain payment disclosures. Some commenters
and health care operations without the expressed concern that the changes
In the SNPRM, SAMHSA proposed to
assistance of contractors; (2) it is often were too broad or would undermine
explicitly list under §2.33(b), specific
not feasible to specify each contractor overall part 2 protections. One
types of activities for which any lawful
on a part 2 consent form; and (3) commenter expressed concern that the
holder of patient identifying
specifying contractors on a part 2 risk of breaches might increase by
information would be allowed to further
consent form unreasonably restricts a permitting additional disclosures to
disclose the minimal information
lawful holder from changing facilitate health care operations. Several
necessary for specific payment and
contractors. One commenter observed commenters noted that the revisions in
health care operations activities.
that essential payment and operations §2.33(b) would permit lawful holders
SAMHSA proposed new regulatory text
activities directly or indirectly benefit greater latitude in sharing information
under §2.33(c) that would require
patients (e.g., by ensuring access to and with entities than would be afforded to
lawful holders that engage contractors
coverage of treatment). One commenter patients. These commenters found that
and subcontractors to carry out payment
supported the proposal because it the revisions would permit patients to
and health care operations activities that
further aligns part 2 with HIPAA, while consent to sharing patient identifying
entail the use or disclosure of patient
another commenter expressed support information with lawful holders, who
identifying information to include
for this or any proposal that would then are permitted to re-disclose that
specific contract provisions addressing
reduce the time and expense incurred information to contractors,
compliance with part 2. In this final
by part 2 programs when seeking and subcontractors, or legal representatives
rule, SAMHSA finalizes the scope and
obtaining patient consent where not without notifying the patient.
requirements for permitted disclosures
necessary. Conversely, patients would be
to contractors, subcontractors, and legal
prohibited from consenting to disclose
representatives for the purpose of SAMHSA Response
patient identifying information to
payment and health care operations.
In the SNPRM, SAMHSA proposed entities with whom they do not have a
SAMHSA does not retain the proposed
clarifications to the final regulations treating provider relationship without
list of payment and health care
issued on January 18, 2017, where they further designating an individual
operations in the regulatory text and
appeared to be needed, based on public participant in that entity. As a result,
instead, moves this list to the preamble
comment. SAMHSA appreciates the these commenters questioned
section of the final rule to serve as
support it received for clarifying the SAMHSA’s intent for this proposal.
illustrative examples of permissible
part 2 regulations. SAMHSA is One commenter thought the SNPRM
payment and health care operations
finalizing those clarifications as did not provide sufficient information to
activities. In addition, consistent with
proposed in §2.33(b) except for the list respond to the proposed §2.33 because
SAMHSA’s prior statement in the
of 17 specific types of payment and of the similarity of contractors and
SNPRM preamble, SAMHSA adds
health care operations activities for subcontractors with qualified service
language to the regulatory text in
which any lawful holder of patient organizations (QSOs) under §§2.11 and
§2.33(b) to clarify that disclosures to
identifying information would be 2.12, and the similarity to Business
contractors, subcontractors, and legal
allowed to further disclose to Associates under HIPAA. The
representatives are not permitted for
contractors, subcontractors, and legal commenter requested clarification on
substance use disorder patient
representatives. As discussed below, whether it is SAMHSA’s intent to
diagnosis, treatment, or referral for
this list of activities is being included in directly apply part 2 to these contractors
treatment. SAMHSA finalizes §2.33(c)
the preamble, rather than in regulatory and subcontractors in a manner similar
in relation to contract language
text, in order to make clear that it is an to what was accomplished under the
referencing compliance with 42 CFR
illustrative rather than exhaustive list of HIPAA Privacy and Security Rules for
part 2 and the protections of part 2
the types of payment and health care Business Associates of covered entities.
patient identifying information, but
operations activities that would be
does not retain the proposed reference SAMHSA Response
acceptable to SAMHSA. By removing
to permitted uses of patient identifying the list from the regulatory text, SAMHSA is seeking a balance
information consistent with the written SAMHSA intends for other appropriate between protecting the confidentiality
consent. payment and health care operations of substance use disorder patient
1. Disclosures by Lawful Holders activities to be permitted under §2.33 as records and ensuring that the
the health care system continues to regulations do not pose a barrier to
Public Comments
evolve. In addition, consistent with patients with substance use disorders
In response to SAMHSA’s request for SAMHSA’s prior statement in the who wish to participate in, and could
comments on proposed revisions to SNPRM preamble, SAMHSA has added benefit from, emerging health care
§2.33, SAMHSA received a number of language to the regulatory text in models that promote integrated care and
comments supporting its proposal in §2.33(b) to clarify that disclosures to patient safety. Unauthorized disclosure
§2.33 to clarify that lawful holders of contractors, subcontractors, and legal of substance use disorder patient
patient identifying information may representatives are not permitted for records can lead to a host of negative
disclose the minimum amount of activities related to a patient’s diagnosis, consequences, including loss of
information necessary to contractors, treatment, or referral for treatment. employment, loss of housing, loss of
subcontractors, and legal representatives child custody, discrimination by
ULES for payment and health care operations Public Comments medical professionals and insurers,
D with R ppurarcptoicsaels .c Soenvceerranls c womithm tehnet eprosl icciyte ads coSmAmMeHntSsA o paplsoos irnegc eiitvs epdr onpuomsaelr oinu s aTrhrees pt,u prproosseec ouft itohne, paanrdt 2in rceagrucleartaitoinosn .i s
RO stated in the January 18, 2017, final rule, §2.33. The majority of these to ensure that a patient is not made
P
B2 including: (1) It is unrealistic to assume commenters were opposed to the more vulnerable by reason of the
H
Y8 that lawful holders of patient changes because SAMHSA had not availability of their patient record than
B
KB identifying information such as third- specified additional safeguards that an individual with a substance use
S
D
worth on
jstallVerDate Sep<11>2014 15:15 Jan 02, 2018 Jkt 244001 PO 00000 Frm 00033 Fmt 4700 Sfmt 4700 E:\FR\FM\03JAR1.SGM 03JAR1
242 Federal Register/Vol. 83, No. 2/Wednesday, January 3, 2018/Rules and Regulations
disorder who does not seek treatment. statement that an entity that lawfully appropriate. Several commenters
SAMHSA recognizes the legitimate receives patient identifying information expressly supported the list of payment
needs of lawful holders of patient under a valid part 2 consent may and operations activities included in the
identifying information to disclose that disclose the information to its contractor SNPRM. One commenter stated that the
information to their contractors, under a QSO agreement (QSOA) if such proposed 17 categories of payment and
subcontractors, and legal representatives disclosure is reasonably consistent with operations activities are essential to
for purposes of payment and health care the terms of the consent. This allowing third-party payers and other
operations as long as the core commenter also proposed to revise the lawful holders to reasonably operate.
protections of 42 CFR part 2 are QSO definition to align it more closely Another commenter observed that the
maintained. SAMHSA notes that the with the HIPAA ‘‘business associate’’ proposed payment and health care
part 2 regulations already state at concept. Two commenters questioned operations activities represent
§2.13(a): ‘‘. . . Any disclosure made the distinction between the needs of significant progress toward SAMHSA’s
under the regulations in this section part 2 programs and other lawful stated goal of modernizing 42 CFR part
must be limited to that information holders to engage third parties for 2 to increase opportunities for
which is necessary to carry out the operational assistance and requested individuals with substance use
purpose of the disclosure.’’ This that the QSO definition simply include disorders to participate in new and
provision helps to ensure that lawful holders in the list of entities for emerging health care models and health
information is not shared more broadly which a QSO may provide services. One information technology.
than the purpose(s) for which the of these commenters stated that this Numerous commenters recommended
patient consents. With respect to the alternative approach would give that care coordination and case
comment that proposed revisions in patients a choice and align better with management be added to the list, noting
§2.33(b) would provide lawful holders patients’ expectations without adding the importance of these services in the
greater latitude in sharing information another layer of complexity. operational and treatment
with entities for payment and health responsibilities in serving patients,
SAMHSA Response
care operations purposes than would be including those with a dual diagnosis of
afforded to patients, SAMHSA SAMHSA declines to implement the mental health and substance use
acknowledges this concern and will be suggested alternative approaches. disorder. Conversely, several
convening a stakeholder meeting SAMHSA agrees there are similarities commenters recommended that
relative to part 2 as required by the 21st between contractors under §2.33(b) and SAMHSA include a statement in the
Century Cures Act (Pub. L. No: 114– QSOs. However, SAMHSA did not regulatory text explicitly excluding care
255). propose in the SNPRM to revise the coordination and case management from
Finally, it is not SAMHSA’s intent to provision on QSOs. §2.33(b). Another commenter also
apply part 2 to contractors and stated that disclosures to contractors,
2. List of Payment and Health Care
subcontractors in a manner similar to subcontractors, and legal representatives
Operations Activities
what was accomplished under the should not include information
HIPAA Privacy and Security Rules for In the SNPRM, SAMHSA sought concerning diagnosis, treatment and/or
Business Associates in accordance with, public comment on whether the referral to treatment without a patient’s
respectively, sections 13404(a) and proposed listing of permitted activities express consent.
13401(a) of the HITECH Act, 42 U.S.C. is adequate and appropriate to ensure Several commenters were confused
17934(a), 17931(a). SAMHSA has the health care industry’s ability to by, or disagreed with, SAMHSA’s
attempted to align part 2 with HIPAA in conduct necessary payment and health omission of treatment-related activities
this final rule to the extent such changes care operations, while still maintaining such as care coordination and case
are permissible under 42 U.S.C. 290dd– adequate confidentiality of substance management from the list of payment
2. Moreover, as discussed previously, use disorder patient records. SAMHSA and health care operations activities for
SAMHSA plans to explore additional also sought comment on the specific which additional disclosures were
alignment with HIPAA and is types of activities for which a lawful proposed in the SNPRM. One such
considering additional rulemaking for holder of patient identifying commenter stated that it was unclear
42 CFR part 2. information would be allowed to further why a contractor performing a
At the same time, part 2 and its disclose the minimal information treatment-related activity should be
authorizing statute are separate and necessary for specific payment and subject to greater confidentiality
distinct from HIPAA, the HITECH Act, health care operations activities safeguards (e.g., specific consent) than
and their implementing regulations. described in the SNPRM. Further, an entity performing a payment or
Because of its targeted population, part SAMHSA requested public comment on business-related activity. Others thought
2 and its authorizing statute provides additional purposes for which lawful the benefits of care coordination
more stringent federal protections than holders should be able to disclose outweighed any risk of including it on
other health privacy laws, including the patient identifying information. the list of permitted activities because
HIPAA Rules, in order to encourage SAMHSA is finalizing the clarifications, SAMHSA also included on the list
individuals with substance use as proposed in §2.33, but now includes patient safety activities, which are
disorders to seek treatment. the list of 17 specific types of payment inextricably linked to care coordination
and health care operations as illustrative and case management. Another
Public Comments
examples in the preamble rather than commenter, stating that health
Several commenters proposed an the regulatory text. information technology and health
S
D with RULE acalhltlaeonrwng aelatsiw vinefu §alp 2hp.o3rl3od,a ecwrhsh ttiooc htch owen otpruralocdpt iownssiettdhe a d PuMblaicn yC ocommmmenentst ers responded to ibanrugfioulrdemidna tgth iboaltno t cehkxesc ehoxafc nilngutese iagorrnea toeefsd sc ecanarertie a, l
RO QSOs, just as part 2 programs currently SAMHSA’s requests for comments on coordination and case management from
P
B2 do. One such commenter proposed that, whether the proposed list of explicitly permitted health care operations would
H
Y8 instead of an explicit list of activities, permitted payment and health care make it extremely difficult for state
B
KB §2.33(b) should include a general operations activities is adequate and Medicaid agencies, managed care
S
D
worth on
jstallVerDate Sep<11>2014 15:15 Jan 02, 2018 Jkt 244001 PO 00000 Frm 00034 Fmt 4700 Sfmt 4700 E:\FR\FM\03JAR1.SGM 03JAR1
Federal Register/Vol. 83, No. 2/Wednesday, January 3, 2018/Rules and Regulations 243
organizations (MCOs), and providers to determinations regarding insurability, management and planning-related
use this technology to provide high treatment, and eligibility. analyses related to managing and
quality, integrated care. One commenter Several commenters also requested operating, including formulary
pointed out that third-party payers, to additional protections to ensure lawful development and administration,
which disclosure would be permitted holders and their contractors, development or improvement of
under the SNPRM, may perform care subcontractors, and legal representatives methods of payment or coverage
coordination and case management only use information protected under policies;
activities as well as payment and health part 2 for the purposes listed in the • Business management and general
care operations activities. patient’s written consent. administrative activities, including
SAMHSA also received comments SAMHSA Response management activities relating to
requesting a variety of additions to the implementation of and compliance with
list of permitted activities. In addition, While SAMHSA is finalizing the the requirements of this or other statutes
SAMHSA received comments clarifications as proposed in §2.33, or regulations;
SAMHSA is not including the list of 17 • Customer services, including the
requesting clarification of some of the
specific types of payment and health provision of data analyses for policy
activities included on the list. Finally,
care operations in the regulatory text holders, plan sponsors, or other
two commenters observed that the rapid
that would be the basis for further customers;
changes occurring in the health care
disclosures by a lawful holder of patient • Resolution of internal grievances;
payment and delivery system may make identifying information. Based on the • The sale, transfer, merger,
any list of permitted activities included
numerous comments received consolidation, or dissolution of an
in the final rule outdated very quickly.
requesting additions or clarifications to organization;
A few commenters disagreed with the list, as well as concerns that the • Determinations of eligibility or
including in the regulatory text a list of rapid changes occurring in the health coverage (e.g. coordination of benefit
permitted payment and health care care payment and delivery system could services or the determination of cost
operations activities. One commenter render any list of activities included in sharing amounts), and adjudication or
thought SAMHSA should be more the regulatory text outdated, SAMHSA subrogation of health benefit claims;
protective of vulnerable patients has decided to include the list in the • Risk adjusting amounts due based
because the list was seen as a loophole preamble of this final rule to illustrate on enrollee health status and
that would result in patient identifying the types of permissible payment and demographic characteristics;
information being spread beyond the health care operations activities. • Review of health care services with
immediate point of care and being used Examples of permissible activities respect to medical necessity, coverage
in unforeseen ways. For consistency, under §2.33(b) that SAMHSA considers under a health plan, appropriateness of
one commenter requested that SAMHSA to be payment and health care care, or justification of charges.
replicate HIPAA’s definition of payment operations activities include: This list of payment and health care
at 45 CFR164.501 for the purpose of • Billing, claims management, operations is substantively unchanged
collection activities under proposed collections activities, obtaining payment from that which was proposed as
§2.33(b)(1). under a contract for reinsurance, claims regulatory text in the SNPRM published
SAMHSA also received a number of filing and related health care data on January 18, 2017. In this final rule,
comments requesting that certain processing; SAMHSA maintains its position that the
activities on the list of payment and • Clinical professional support payment and health care operations
health care operations activities be services (e.g., quality assessment and activities referenced in §2.33 and listed
restricted or narrowed. A number of improvement initiatives; utilization in the preamble are not intended to
commenters requested that SAMHSA review and management services); encompass substance use disorder
remove or narrow proposed §2.33(b)(15) • Patient safety activities; patient diagnosis, treatment, or referral
& (16) to ensure patients’ protected • Activities pertaining to: for treatment. SAMHSA believes it is
substance use disorder information will • The training of student trainees and important to maintain patient choice in
not be used to limit or deny insurance health care professionals; disclosing information to health care
• The assessment of practitioner
coverage or access to health care. Some providers with whom patients have
competencies;
commenters expressed concern that the direct contact. For this reason, the final
• The assessment of provider and/or
proposed §2.33(b)(2) could be provision in §2.33(b) is not intended to
health plan performance; and
interpreted as allowing protected • Training of non-health care cover care coordination or case
information to be disclosed to management and disclosures to
professionals;
employers. Many of these commenters • Accreditation, certification, contractors, subcontractors, and legal
stated they did not support the representatives to carry out such
licensing, or credentialing activities;
SNPRM’s proposed changes in general, • Underwriting, enrollment, premium purposes are not permitted under this
or SAMHSA’s proposal to permit lawful section. In addition, SAMHSA added
rating, and other activities related to the
holders to disclose patient identifying language to the regulatory text in
creation, renewal, or replacement of a
information obtained pursuant to §2.33(b) to clarify that disclosures to
contract of health insurance or health
patient consent to contractors, contractors, subcontractors and legal
benefits, and ceding, securing, or
subcontractors, and legal representatives representatives are not permitted for
placing a contract for reinsurance of risk
for payment and health care operations activities related to a patient’s diagnosis,
relating to claims for health care;
purposes, in particular, without further • Third-party liability coverage; treatment, or referral for treatment.
S
ULE protections and safeguards. Two • Activities related to addressing SAMHSA notes that the position
D with R cinocmlumsieonnte orfs fdivisea ogrf etehde wpriothp othseed fra•udC,o wnadsutcet ainngd oarb aursrea;n ging for medical athrtei cHuIlPaAteAd iPnr itvhaics yf iRnuall er,u ulen ddeifrf ewrsh ifcrohm
RO activities (§§2.33(b)(6), 2.33(b)(10), review, legal services, and auditing ‘health care operations’ encompasses
P
B2 2.33(b)(12), 2.33(b)(15), and 2.33(b)(16)) functions; such activities as case management and
H
Y8 because they could adversely affect • Business planning and care coordination. However, SAMHSA
B
KB patient enrollment in health plans and development, such as conducting cost- appreciates the concerns expressed by
S
D
worth on
jstallVerDate Sep<11>2014 15:15 Jan 02, 2018 Jkt 244001 PO 00000 Frm 00035 Fmt 4700 Sfmt 4700 E:\FR\FM\03JAR1.SGM 03JAR1
244 Federal Register/Vol. 83, No. 2/Wednesday, January 3, 2018/Rules and Regulations
some commenters about such issues as contract amendment burdens industry- comply with §2.13, lawful holders
the exclusion of care coordination and wide and would be disruptive to should ensure that the purpose section
case management from §2.33(b). business relationships. Commenters of the consent form is consistent with
SAMHSA also appreciates comments noted that business associate the role of or services provided by the
received concerning potential risks of agreements under HIPAA as well as contractor or subcontractor (e.g.,
including care coordination, case many contracts already require ‘‘payment and health care operations’’).
management and other activities in compliance with all applicable federal SAMHSA understands the concerns
§2.33(b). Consistent with the 21st and state laws, which would include expressed by commenters regarding
Century Cures Act, prior to March 21, part 2. Some commenters requested that bringing contracts into compliance with
2018, the Secretary of HHS will convene contract provisions requiring §2.33(c). To address these concerns, the
relevant stakeholders to determine the compliance with applicable federal laws final rule allows lawful holders two
effects of 42 CFR part 2 on patient care, and regulations be deemed as satisfying years from the effective date of the final
health outcomes, and patient privacy. the requirement of proposed §2.33(c) rule to bring their contracts and legal
This meeting will provide stakeholders even if part 2 is not specifically agreements with contractors,
with an additional opportunity to mentioned. One commenter stated that subcontractors, and voluntary legal
provide further input to SAMHSA contracts typically specify the purposes representatives into compliance. If
regarding implementation of part 2, for which the contractor may use any lawful holders choose not to re-disclose
including changes adopted in this final confidential information and so it is not patient identifying information to
rule. necessary to require language on contractors, subcontractors, or legal
specific permitted uses and disclosure representatives as specified under
3. Contract Provisions for Disclosures
of patient identifying information. §2.33(b), they do not have to comply
Under Proposed §2.33(c)
Some commenters stated that §2.33(c) with §2.33(c).
SAMHSA proposed new regulatory should not be included in future SAMHSA disagrees with comments
text requiring that lawful holders that rulemaking. One such commenter that propose allowing existing
engage contractors and subcontractors to requested that SAMHSA provide contractual language regarding general
carry out payment and health care evidence that current contract language compliance with applicable federal laws
operations that require using or is not adequately addressing part 2 uses to satisfy requirements under §2.33(c).
disclosing patient identifying and disclosures by those entities SAMHSA believes that it is important
information include specific contract specified in §2.33(c). Another for part 2 to be specifically mentioned
provisions requiring contractors and commenter requested that SAMHSA in contracts and legal agreements when
subcontractors to comply with the explore leveraging information lawful holders are disclosing part 2
provisions of part 2. SAMHSA is technology to identify more efficient patient identifying information to
finalizing this proposal except that it is ways for patients to consent to contractors, subcontractors and
not requiring that the contract specify disclosure. This commenter also voluntary legal representatives under
the permitted uses of patient identifying recommended that SAMHSA conduct §2.33(b). A fundamental principle of 42
information by the contractor, an assessment or promulgate an CFR part 2 is that patients should have
subcontractor, or legal representative. Advanced Notice of Proposed as much control as possible over their
An appropriate comparable legal Rulemaking to solicit information to patient identifying information.
instrument will suffice in cases where determine the adequacy of existing Referencing part 2 in contracts will help
there is otherwise no contract between contracts or business processes to to underscore the importance of
the lawful holder and a legal address information disclosures with compliance with part 2 provisions.
representative who is retained contracted entities. Several commenters However, SAMHSA also recognizes
voluntarily; when a legal representative stated that SAMHSA could address that entities may have different
is required to represent the lawful concerns with an extension, by approaches to ensuring compliance with
holder by law, the requirement for a regulation, of the part 2 protections to part 2 and other laws. While SAMHSA
contract or comparable legal instrument any entity handling the information requires compliance with §2.33(c) for
in §2.33(c) shall not apply. disclosed via consent. lawful holders who wish to disclose
SAMHSA received comments that patient identifying information pursuant
Public Comments
asked that that the language in proposed to §2.33(b), SAMHSA is not specifying
SAMHSA received several comments §2.33(c) be modified to allow the the exact contract language to be used.
expressing general support for the patient identifying information With respect to the comment
proposed provisions in §2.33(c) relating safeguards to be spelled out in the regarding limiting disclosures to the
to contracts or legal agreements between contract and/or business associates minimum information necessary, §2.13
lawful holders and their contractors, agreement. requires that any disclosure made must
subcontractors, and legal be limited to that information which is
SAMHSA Response
representatives. One of these necessary to carry out the purpose of the
commenters agreed that limits should be SAMHSA is finalizing §2.33(c) as disclosure. Contractors, subcontractors,
placed on disclosures to contractors, proposed, but has revised the regulatory and legal representatives will be
such as allowing disclosure of only the text to remove the reference to patient required to comply with this and all
minimum patient identifying consent as it relates to the requirement applicable provisions under part 2.
information necessary for specific to specify permitted uses of patient (Section 2.33(c) states that contractors
payment or health care operations. identifying information by the and any subcontractors or legal
S
ULE A number of commenters, however, contractor, subcontractor, or legal representatives are fully bound by the
D with R orepqpuoisreedm iennctlsu idni n§g2 .s3p3e(cci)f ibce ctwoneterna ct rneoptreess tehnatta §tiv2e.1. 3H roewquevireers, tShAaMt aHnSy A ppraotiveinsti oindse notfi fpyairntg 2 i nufpoornm raetcioenip).t of
RO lawful holders and their contractors disclosure made under the regulations
B2P requiring compliance with part 2. Many must be limited to that information Public Comments
H
Y8 of these commenters stated that this which is necessary to carry out the One commenter requested that
B
KB provision would impose significant purpose of the disclosure. Therefore, to SAMHSA remove the following
S
D
worth on
jstallVerDate Sep<11>2014 15:15 Jan 02, 2018 Jkt 244001 PO 00000 Frm 00036 Fmt 4700 Sfmt 4700 E:\FR\FM\03JAR1.SGM 03JAR1
Federal Register/Vol. 83, No. 2/Wednesday, January 3, 2018/Rules and Regulations 245
sentence from §2.33(c): ‘‘In making One commenter stated that a List of related to payment and health care
such disclosure, the lawful holder Disclosures requirement for lawful operations. Section §2.33(c) specifies
should specify permitted uses of patient holders who wish to re-disclose patient the requirements of a written contract;
identifying information consistent with identifying information to contractors, it is up to the lawful holder and
the written consent, by the contractor subcontractors, and legal representatives contractor to determine how their
and any subcontractors or legal should be included in contractual contracts should address these
representatives to carry out the payment language. requirements.
and health care operations activities One commenter requested that
listed in the preceding subparagraph, SAMHSA require in the contractual text With regard to cloud service providers
require such recipients to implement that contractors, subcontractors, and storing patient identifying information
appropriate safeguards to prevent legal representatives use protected for a lawful holder, SAMHSA declines
unauthorized uses and disclosures and substance use disorder information only to make the suggested changes to the
require such recipients to report any for the purpose(s) listed in the patient’s language in §2.33(c). Under §2.33,
unauthorized uses, disclosures, or written consent and that re-disclosure lawful holders, contractors and their
breaches of patient identifying by contractors, subcontractors, and legal subcontractors are responsible for
information to the lawful holder.’’ representatives to third parties be providing a prohibition on re-disclosure
Commenters stated that lawful holders allowed only as long as the third party notice (§2.32) if they re-disclose patient
will not possess the written consent discloses the patient identifying identifying information to their
because it is typically held by the part information back to the contractors or contractors in order to meet the
2 program and it would be impractical, lawful holders from which the requirements of §2.33. If other entities
if not impossible, for the written information originated. access the information as permitted by
consent form to be passed on to other SAMHSA Response the lawful holder (because the other
entities. Another commenter stated that
entities that gain access to the
mechanisms for transmitting written SAMHSA declines to provide specific
information via the cloud are
consent forms had yet to evolve. and detailed contract language because
contractors with the lawful holder
A commenter stated that a prohibition SAMHSA believes lawful holders need
on re-disclosure notice under §2.32 the flexibility to include language that (§2.33) and not the cloud services
should not be required when a fits within their contract structures. provider, or to fulfill the requirements
disclosure from a contractor that is a However, regardless of the specific on the written consent (§2.31), then the
cloud services provider is back to the contractual language used, all lawful lawful holder (not the cloud service
lawful holder or is disclosed under the holders, contractors, subcontractors, and provider) is responsible for ensuring
direction or control of the lawful holder legal representatives must comply with that a notice of the prohibition on re-
because the cloud service provider applicable requirements specified in disclosure is conveyed to those entities,
would not have control over the §2.33(c) as well as the other applicable along with the information.
disclosure and therefore could not provisions in part 2. Regardless of the specific contractual
accompany the disclosure with a notice SAMHSA does not require that part 2
language used, all lawful holders,
related to §2.32 and suggested consent forms be passed along to the
contractors, subcontractors, and legal
alternative language. contractor or subcontractor. SAMHSA
representatives must comply with
Other commenters supported the has revised the regulatory text in
provisions in proposed §2.33(c) but §2.33(c) to remove the reference to requirements specified in §2.33(c) as
specified additional safeguards that patient consent as it relates to the well as the other applicable provisions
should be added or referenced. Several requirement to specify permitted uses of in part 2. Therefore, with respect to the
commenters requested that SAMHSA patient identifying information by the comments on contractors,
include another requirement in contractor, subcontractor, or legal subcontractors, and legal representatives
proposed §2.33(c) that contractors, representative. However, §2.13 requires resisting disclosure of patient records in
subcontractors, and legal representatives that any disclosure made under the judicial proceedings, SAMSHA notes
be bound by all of the requirements that regulations must be limited to that that §2.13(a) already states: ‘‘The
apply to QSOs, as QSOs and contractors information which is necessary to carry patient records subject to the regulations
serve similar functions. These out the purpose of the disclosure. in this part may be disclosed or used
commenters stated that written Therefore, to comply with §2.13, part 2 only as permitted by the regulations in
contracts under proposed §2.33(c), programs and other lawful holders this part and may not otherwise be
therefore, would require contractors, should ensure that the purpose section disclosed or used in any civil, criminal,
subcontractors, and legal representatives of the consent form is consistent with administrative, or legislative
to agree to resist in judicial proceedings the role of or services provided by the proceedings conducted by a federal,
any efforts to obtain access to patient contractor or subcontractor (e.g., state or local authority.’’ In addition,
records identifying information related ‘‘payment and health care operations’’).
§2.13(a) already requires that any
to substance use disorder diagnosis, Those utilizing contractors or
disclosures must be limited to the
treatment, or referral for treatment subcontractors should then inform those
information which is necessary to carry
except as permitted by part 2. These parties in their contracts that
out the purpose of the consent. In
commenters also expressed opposition information governed by part 2 requires
response to the request that the contract
to the SNPRM’s proposed changes in the contractor or subcontractor to take
require compliance with the security
general or SAMHSA’s proposal to reasonable steps to prevent
D with RULES pipdeuerrnmstuiiafty nliatn wtgof iupnla fhotioremlndtae tcrioso nntos oe dbnittsa ctiolno esde patient utborn eiaanucftohhreomsr i atznheded / louarsw eufsnu aal nuhdtoh ldodiresircz leoodfs auunrseyes s .a Infd a rRpereqocugoirrrademsm,s ea anlrntesda, do§yt2h a.e1pr6 pl,a lSiweesfcu utlor hiptoyal rdfto e2rr s of
RO contractors, subcontractors and legal contractor receives information for patient identifying information, and,
P
B2 representatives, including for payment quality assurance purposes, for instance, therefore, would apply to contractors,
H
Y8 and health care operations purposes, they should not be sharing it for other subcontractors, and legal
B
KB without these and other protections. purposes, much less for activities not representatives.
S
D
worth on
jstallVerDate Sep<11>2014 15:15 Jan 02, 2018 Jkt 244001 PO 00000 Frm 00037 Fmt 4700 Sfmt 4700 E:\FR\FM\03JAR1.SGM 03JAR1
246 Federal Register/Vol. 83, No. 2/Wednesday, January 3, 2018/Rules and Regulations
4. Other Comments Concerning laws and regulations, requested that the consent requirement for lawful
Disclosures by Lawful Holders SAMHSA consider defining these terms. holders that fall under §2.33(b) must be
maintained and that §2.33(b) should not
Public Comments SAMHSA Response
apply to QSOs. Further, SAMHSA
SAMHSA received a number of SAMHSA did not propose to define guidance indicates that a QSOA does
comments relative to Medicaid agencies ‘‘contractors’’ and ‘‘subcontractors’’ in not permit a QSO to re-disclose
and MCOs with which they contract; the its proposed rule and declines to do so information to a third party unless that
commenters stated that MCOs are now in the final rule. As stated in third party is a contract agent of the
considered to be an extension of the §2.33(c), lawful holders who wish to QSO, helping them provide services
Medicaid agency. Several of these disclose patient identifying information described in the QSOA, and only as
commenters requested clarification that, pursuant to subsection (b) of this section long as the agent only further discloses
under §2.33(b), MCOs (one commenter must enter into a written contract with the information back to the QSO or to
noted that such organizations are called the contractor (or appropriate the part 2 program from which it came.
coordinated care organizations in that comparable legal instrument in the case
C. Audit and Evaluation (§2.53)
state) may disclose patient identifying of a legal representative retained
information for health care operations voluntarily by the lawful holder). In the SAMHSA recognizes that federal,
and payment purposes to the state case where there is a legal state, and local governments often need
agency with which the organization is representative who is required to to access all of the records, including
under contract. One commenter represent the lawful holder by law, the part 2 program records, held by entities
requested clarification that under requirement for a contract or they regulate in order to appropriately
§2.33(b) lawful holders may disclose comparable legal instrument in §2.33(c) evaluate compliance with applicable
patient identifying information to the shall not apply. SAMHSA believes this laws, rules, and policies. As a result, in
state Medicaid agency with which they general understanding of a contractor or the SNPRM, SAMHSA proposed
are contracted. Another commenter subcontractor provides the necessary regulatory changes to clarify that audits
requested that that this provision flexibility for these types of and evaluations may be performed on
explicitly permit disclosures between arrangements while still ensuring that behalf of federal, state, and local
managed care organizations, their all parties must adhere to requirements governments providing financial
contractors and a Medicaid program. and protections specified in §2.33(c). assistance to, or regulating the activities
of, lawful holders as well as part 2
Similarly, a commenter also pointed out
Public Comments programs. SAMHSA recognizes that
that proposed §2.33(b) would only
One commenter requested that federal, state, and local governments
allow a lawful holder to disclose to its
SAMHSA add a new §2.33(d) to state often need to access all of the records,
own contractors and subcontractors,
that ‘‘if the contractor, subcontractor, or including part 2 program records, held
which would not relieve the
legal representative needs patient by entities they regulate in order to
administrative obstacles part 2
identifying information directly from appropriately evaluate compliance with
providers experience when trying to
the part 2 program, the contractor, applicable laws, rules, and policies. For
obtain insurance coverage for their
subcontractor, or legal representative example, an Accountable Care
patients because the part 2 programs
must produce a copy of the agreement Organization (ACO) or similar CMS-
would have to deal directly with a peer
mandated by §2.33(c) prior to the part regulated health care models may wish
reviewer or utilization review company
2 program releasing any information.’’ to evaluate the impact of integrated care
that is a subcontractor to the insurance
on several participating behavioral
company named on the consent form. SAMHSA Response health care programs’ quality of care, or
SAMHSA Response SAMHSA declines to require a state may wish to do an audit to see
contractors, subcontractors, and legal how many individuals who leave state-
With regard to the comments on representatives to produce a copy of the supported correctional facilities
Medicaid agencies and the managed agreement mandated by §2.33(c) prior subsequently receive substance use
care organizations with which they to the part 2 program releasing any disorder treatment. In addition,
contract, as well as those addressing information because SAMHSA did not SAMHSA proposed regulatory revisions
administrative obstacles contractors propose to do so in the SNPRM. The to: Specify that audits and evaluations
may face in obtaining patient decision as to whether to share this may be performed by contractors,
identifying information, the information information would be at the discretion subcontractors, or legal representatives
can be disclosed directly to the of the contracting parties. on behalf of a third-party payers or a
contractor or subcontractor and does not quality improvement organizations; and
need to first be disclosed to the lawful Public Comments state that if disclosures are made under
holder (i.e., recipient named on the One commenter stated that proposed this section for a Medicare, Medicaid, or
consent form) and then subsequently re- §2.33(b) should apply to all lawful CHIP audit or evaluation, including a
disclosed, as long as the information is holders (and not just those who received civil investigation or administrative
being used for the purposes of payment patient identifying information pursuant remedy, further disclosures may be
and health care operations. This is to a written consent), which would made to contractors, subcontractors, or
because contractors, legal enable QSOs to disclose without legal representatives to carry out the
representatives, and subcontractors are consent to contractors and audit or evaluation. SAMHSA is now
acting on behalf of the lawful holders subcontractors. finalizing these requirements. It has also
S
D with RULE bmPauasbnelddic ao tCneos c mionmn ltaerwanct.st s , legal agreements or SASMAHMSHAS ARe dspecolninsee s to eliminate the mcruoalredr’eesc ctte eixrnttaa tdionv eetferftceehcntntu ioacmtael iSasmsAioMennHsd SminAe t’nhst es to
RO requirement that §2.33(b) only applies intent to permit disclosure and use of
P
B2 Two commenters, pointing to the to lawful holders that receive patient patient identifying information held by
H
Y8 varying definitions for ‘‘contractors’’ identifying information pursuant to a other lawful holders for audit and
B
KB and ‘‘subcontractors’’ under different written consent. SAMHSA believes that evaluation purposes, as well as to clarify
S
D
worth on
jstallVerDate Sep<11>2014 15:15 Jan 02, 2018 Jkt 244001 PO 00000 Frm 00038 Fmt 4700 Sfmt 4700 E:\FR\FM\03JAR1.SGM 03JAR1
Federal Register/Vol. 83, No. 2/Wednesday, January 3, 2018/Rules and Regulations 247
and operationalize the requirements of other federal, state, and local rules and These commenters, noting that no
this section. regulations and improve part 2 program definitions exist in the regulatory text
quality. for ‘‘lawful holders,’’ ‘‘contractors,’’ or
Public Comments
With respect to the commenter’s ‘‘subcontractors,’’ or ‘‘legal
SAMHSA received a range of concern, if a government agency is representatives,’’ requested that
comments concerning the proposed auditing or evaluating a lawful holder, SAMHSA address whether the part 2
amendments with regard to permitted which it regulates, the agency may statute permits the extension of these
disclosures of patient identifying receive the patient identifying restrictions beyond part 2 programs.
information to contractors, information necessary for that audit or
SAMHSA Response
subcontractors, and legal representatives evaluation directly from the lawful
for purposes of carrying out an audit or holder. The statute (42 U.S.C. 290dd–2)
evaluation under part 2. SAMHSA authorizes SAMHSA to promulgate
received a number of comments Public Comments regulations to effectuate the
supporting these revisions. Several of SAMHSA also received a number of confidentiality provisions governing
the commenters also expressed support comments opposing the proposal to substance use disorder patient records.
specifically for the provision allowing permit re-disclosure of patient The part 2 rule’s applicability to third
patient identifying information to be identifying information without patient parties is a reasonable exercise of
disclosed for purposes of carrying out consent to contractors and SAMHSA’s statutory authority to ensure
an audit or evaluation, with some citing subcontractors for audit and evaluation protection of part 2 information in the
proposed §2.53(a)(1)(i) in particular. purposes unless SAMHSA provides possession of lawful holders other than
Some commenters stated this particular additional safeguards. Several of these part 2 programs.
revision would allow lawful holders of commenters noted that the proposed
2. Greater Weight to Comments From
patient identifying information to changes to §2.53 have the potential to
Patient and Part 2 Program
disclose that information to audit and greatly expand the universe of
oversight entities in order to respond to individuals and entities who may Public Comments
an audit or evaluation request, and that receive protected substance use disorder SAMHSA received several comments
clear authority to disclose patient information without patient consent for requesting that greatest weight be given
identifying information for audits audit and evaluation purposes. to comments from patients and
(which may include quality A couple of commenters expressed consumers who will be directly affected
improvement and program integrity) is concern that detailed patient records by any changes to part 2; one of these
critical to Medicaid program operations. would be used for purposes of risk commenters made this request because
Another commenter supported the adjustment and reporting of the patients entering treatment will likely
proposed changes because they would patient’s severity of illness to predict be unable to anticipate complex re-
appear to allow disclosure of patient health care cost expenditures and adjust disclosure risks for activities proposed
identifying information to a government payer payments. One commenter stated by the SNPRM. In addition, a
agency authorized to regulate the that, if data are being used to impact a commenter requested that special
activities of any lawful holder, not just patient’s score or health coverage, consideration be given to comments
a part 2 program or private payer, and patient consent should be required. from substance use disorder treatment
because this change would at least providers.
partially conform to HIPAA’s SAMHSA Response
permissible disclosures to health system SAMHSA appreciates the array of SAMHSA Response
oversight agencies. The commenter, recommendations commenters provided Every comment received on the
however, expressed concern that the for possible restrictions and safeguards. SNPRM was given careful
proposed language did not make clear SAMHSA is contemplating future consideration, and SAMHSA has
whether the government agency must rulemaking for 42 CFR part 2, and will endeavored in this final rule to take into
obtain access to the records directly take these recommendations under account the varying perspectives of
from the part 2 program rather than advisement at that time. public commenters. SAMHSA is seeking
from the other lawful holder that the With regard to the suggestion that a balance between ensuring that patients
agency regulates, as obtaining records SAMHSA require patient consent if data with substance use disorders have the
from the part 2 program posed could be used to affect a patient’s health ability to participate in, and benefit
communications challenges. coverage or health score, SAMHSA from, new and emerging health care
reiterates that under the terms of §2.53, models that promote integrated care and
SAMHSA Response
patient identifying information may patient safety and ensuring the
SAMHSA appreciates the support for only be used for audit and evaluation confidentiality of substance use disorder
the further amendments as set out in the purposes. patient records, given the potential for
regulatory text of §2.53. Inclusion of discrimination, harm to reputations and
these additional provisions reflects that D. Other Public Comments on the relationships, and serious civil and
contractors, subcontractors and legal SNPRM criminal consequences that could result
representatives are increasingly 1. Extension of Part 2 Restrictions to from impermissible disclosures.
involved in audit and evaluation Third Parties
E. Regulatory Impact Analysis (RIA)
activities. SAMHSA recognizes that
Public Comments
federal, state, and local governments In the SNPRM, SAMHSA stated that,
S
ULE often need to access all of the records, Two commenters stated that changes if adopted, the proposed revisions
D with R ibnyc elundtiitniegs p tahrety 2 r pegrouglaratem i nre ocrodredrs ,t oh eld mthaed ceo tnoc ethpet tShNaPt pRaMrt w2 ecroen pfirdeednictiaatleidty o n stoh opualrdt 2n optr oregsraumlt si.n H aonwy eavdedri,t SioAnMalH cSosAts
RO appropriately evaluate compliance with restrictions extend beyond part 2 specifically sought comment on the
P
B2 applicable laws, rules, and policies. We programs to third parties, including implications of the proposed changes on
H
Y8 believe including these changes will lawful holders, contractors, the regulatory and financial impact, if
B
KB assist in compliance with part 2 and subcontractors and legal representatives. any, of these proposed rules.
S
D
worth on
jstallVerDate Sep<11>2014 15:15 Jan 02, 2018 Jkt 244001 PO 00000 Frm 00039 Fmt 4700 Sfmt 4700 E:\FR\FM\03JAR1.SGM 03JAR1
248 Federal Register/Vol. 83, No. 2/Wednesday, January 3, 2018/Rules and Regulations
Public Comments a. General c. Commenter Recommendations for
Patient Notification on the Consent
SAMHSA did not receive any Public Comments Form
comments on costs related to specific
SAMHSA received a number of Public Comments
proposals made in the SNPRM or the
responses to this request for comments
RIA. Several commenters expressed
regarding the establishment of
concern that the proposed changes to
F. Requests for Public Comment appropriate restrictions and safeguards.
§2.33 would greatly expand access to
These comments recommended a wide
patient identifying information by
In the January 18, 2017, SNPRM,
array of patient protections and individuals and entities to whom the
SAMHSA made several requests for
safeguards. While some commenters patient did not specifically consent and
public comments based on its
noted there is a legitimate need for for purposes not always evident to the
expectation that there may be future 42
lawful holders to disclose protected patient. These commenters, and a
CFR part 2-related rulemaking. Those
information to their contractors, number of others, requested that
comments are summarized below.
subcontractors, and legal representatives SAMHSA require, at a minimum, a
1. Conveying the Scope of the Written for payment and health care operations notification to patients on the consent
Consent purposes, many commenters expressed form that they are consenting to the
concern that the breadth of the proposed disclosure of their patient identifying
In the SNPRM, SAMHSA sought changes may undermine core information to both the recipient and
comment on the proper mechanisms to protections under part 2, which give the recipient’s contractors,
convey the scope of the consent to substance use disorder patients control subcontractors, and legal representatives
lawful holders, contractors, over how their information is disclosed to the extent those contractors,
subcontractors, and legal so as not to make them more vulnerable subcontractors, and legal representatives
representatives, including those who are to potential negative consequences of need the information to carry out
downstream recipients of patient such disclosures. Loss of employment, payment or health care operations
identifying information given current loss of housing, loss of child custody, purposes.
electronic data exchange technical
discrimination by medical professionals SAMHSA’s Response
designs.
and insurers, and arrest, prosecution,
SAMHSA is contemplating future
Public Comments and incarceration were cited as
rulemaking for 42 CFR part 2 and will
potential negative consequences. Most
take these recommendations under
Commenters suggested that SAMHSA commenters stated concern over, or
consideration at that time. In addition,
provide more clarity on these even their opposition to, SAMHSA
consistent with the 21st Century Cures
mechanisms, particularly given the finalizing proposed changes in the
Act, prior to March 21, 2018, the
current electronic exchange SNPRM without including certain
Secretary of HHS will convene relevant
environment and recommended more additional protections.
stakeholders to determine the effects of
specific ways to ensure patients retain
control over how their information is SAMHSA Response 42 CFR part 2 on patient care, health
outcomes, and patient privacy. The
disclosed. Another commenter asserted
SAMHSA appreciates the array of information obtained at the meeting will
proposed consent requirements could be
recommendations commenters provided help to inform the course of any further
burdensome, and a third-party payer
for possible restrictions and safeguards. part 2 rule-making. SAMHSA will
may be unable to assess part 2 program
SAMHSA believes that the existing consider these comments on privacy
compliance with consent requirements.
restrictions and safeguards—including and confidentiality in conjunction with
SAMHSA Response provisions limiting use of patient those made during the stakeholder
identifying information in criminal and meeting.
SAMHSA has modified language in
civil procedures and requiring that any
d. Commenter Recommendations for
§2.33(c) so as not to imply that the
disclosure made under these regulations Mechanisms for Identifying and
consent form must be provided to the
must be limited to that information Sanctioning Unauthorized Disclosures
recipient of part 2 records. Sections
which is necessary to carry out the
2.13, 2.31, and other sections of part 2 Public Comments
purpose of the disclosure—are adequate.
require recipients of patient identifying
Several commenters recommended
information to have knowledge of 42 b. Commenter Recommendations for
adding a requirement that lawful
CFR part 2 as it relates to the purpose Anti-Discrimination Protections holders who wish to re-disclose patient
for which information is being disclosed
identifying information to contractors,
and can be re-disclosed lawfully. Many commenters recommended the
subcontractors, and legal representatives
Individuals and entities that disclose or addition of specific anti-discrimination
be subject to the same List of
receive patient identifying information protections that would apply to Disclosures requirements that apply to
via patient consent must be able to disclosures pursuant to the proposed intermediaries who disclose patient
comply with these requirements. §§2.33(b) and 2.53. Commenters identifying information pursuant to a
expressed concern over the potential for
2. Other Restrictions and Safeguards general designation under the consent
misuse of information and a desire to
requirements at §2.31. In addition, a
balance the increased flexibility of
In the SNPRM, SAMHSA specifically couple of commenters requested that
D with RULES seaosntudag bshlaitfs echgomumaemrndtes on oft sna prleapgwraofrpudrli inhagtoe lt dhreeesr str aicntdio ns piSnrAcoMrpeoaHssSeedAd §pR§reo2stp.e3oc3tn iasonen ds .2 .53 with SraegAqeMunicHrieeSmsA. eO nimnt eop nco osaemu adm iLte inasntt edorf e rDevqiasulcuelasottsieuodnr et hs at
RO their contractors, subcontractors, and SAMHSA not finalize the proposed
P
B2 legal representatives’ use and disclosure Promulgating rules that address changes in the SNPRM without
H
Y8 of patient identifying information for discriminatory action is outside the mechanisms in place to enable
B
KB the purposes discussed in the SNPRM. scope of SAMHSA’s legal authority. individuals who have been adversely
S
D
worth on
jstallVerDate Sep<11>2014 15:15 Jan 02, 2018 Jkt 244001 PO 00000 Frm 00040 Fmt 4700 Sfmt 4700 E:\FR\FM\03JAR1.SGM 03JAR1
