ebook img

Confidentiality of Substance Use Disorder Patient Records: Final Rule PDF

2018·0.27 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Confidentiality of Substance Use Disorder Patient Records: Final Rule

Federal Register/Vol. 83, No. 2/Wednesday, January 3, 2018/Rules and Regulations 239 Docket No. Type Location Effective date USCG–2016–0095 ..... Safety Zones (Part 147 and 165) .......................... Buffalo, NY ............................................................. 6/18/2016 USCG–2016–0158 ..... Special Local Regulation ....................................... Lawrenceburg, IN ................................................... 6/18/2016 USCG–2016–0401 ..... Safety Zones (Part 147 and 165) .......................... Chattanooga, TN .................................................... 6/18/2016 USCG–2016–0512 ..... Special Local Regulations (Part 100) .................... Triathlon, Ohio River .............................................. 6/19/2016 USCG–2016–0548 ..... Security Zones (Part 165) ...................................... Cincinnati, OH ........................................................ 6/20/2016 USCG–2016–0606 ..... Safety Zones (Part 147 and 165) .......................... Clements, MI .......................................................... 6/23/2016 USCG–2016–0595 ..... Security Zones (Part 165) ...................................... Medina, WA ............................................................ 6/24/2016 USCG–2016–0631 ..... Safety Zones (Part 147 and 165) .......................... offshore of Fitzpatrick ............................................. 6/26/2016 USCG–2016–0475 ..... Special Local Regulation ....................................... Aguada, PR ............................................................ 6/26/2016 USCG–2016–0495 ..... Special Local Regulations (Part 100) .................... Chattanooga, TN .................................................... 6/26/2016 USCG–2016–0637 ..... Safety Zones (Part 147 and 165) .......................... Ironton, OH ............................................................. 6/30/2016 Dated: December 19, 2017. Compliance dates: The compliance rulemaking (SNPRM) (82 FR 5485) to Katia Kroutil, date for all provisions of this final rule, solicit public comment on additional Office Chief, Office of Regulations and except for §2.33(c), is February 2, 2018. proposals including: The payment and Administrative Law. As discussed in the preamble, contracts health care operations-related [FR Doc. 2017–28401 Filed 1–2–18; 8:45 am] between lawful holders and contractors, disclosures that can be made to subcontractors, and legal representatives contractors, subcontractors, and legal BILLING CODE 9110–04–P must comply with §2.33(c) within two representatives by lawful holders under years of the effective date of the final the part 2 rule consent provisions; and rule. the provisions governing disclosures for DEPARTMENT OF HEALTH AND HUMAN SERVICES FORFURTHERINFORMATIONCONTACT: purposes of carrying out a Medicaid, Mitchell Berger, Telephone number: Medicare or Children’s Health Insurance Office of the Secretary (240) 276–1757, Email address: Program (CHIP) audit or evaluation. [email protected]. SAMHSA also solicited comments on 42 CFR Part 2 SUPPLEMENTARYINFORMATION: whether an abbreviated notice of the prohibition on re-disclosure should be [SAMHSA–4162–20] I. Background used and, if so, under what On February 9, 2016, SAMHSA circumstances. RIN 0930–ZA07 published a Notice of Proposed SAMHSA received 55 comments on Confidentiality of Substance Use Rulemaking (NPRM) in the Federal the SNPRM, and after considering those Disorder Patient Records Register (81 FR 6988), proposing comments, is finalizing the proposed updates to the Confidentiality of revisions, with some changes made in AGENCY: Substance Abuse and Mental Alcohol and Drug Abuse Patient response to the public comments that Health Services Administration Records (42 CFR part 2) regulations. were received. Some comments were (SAMHSA), U.S. Department of Health These regulations implement title 42, outside the scope of the specific and Human Services. section 290dd–2 of the United States provisions SAMHSA proposed in the ACTION: Final rule. Code pertaining to the Confidentiality of SNPRM or were inconsistent with Substance Use Disorder Patient Records SAMHSA’s legal authority regarding the SUMMARY: This final rule makes changes held by certain substance use disorder confidentiality of substance use disorder to the Substance Abuse and Mental treatment programs that receive federal patient records. This final rule does not Health Services Administration’s financial assistance. As SAMHSA address these comments. (SAMHSA) regulations governing the explained in that NPRM, it proposed to Confidentiality of Substance Use update these regulations, last II. Discussion of Public Comments and Disorder Patient Records. These changes substantively amended in 1987, to Final Modifications to 42 CFR Part 2 are intended to better align the reflect development of integrated health A. Align With HIPAA regulations with advances in the U.S. care models and the use of electronic health care delivery system while exchange of patient information. Public Comments retaining important privacy protections SAMHSA also wished to maintain SAMHSA received a number of for individuals seeking treatment for confidentiality protections for patient comments regarding alignment of 42 substance use disorders. This final rule identifying information, as persons with CFR part 2 with the Health Insurance addresses the prohibition on re- substance use disorders still may Portability and Accountability Act disclosure notice by including an option encounter significant discrimination if (HIPAA) or the Health Information for an abbreviated notice. This final rule their information is improperly Technology for Economic and Clinical also addresses the circumstances under disclosed. Health (HITECH) Act. Reasons cited by which lawful holders and their legal On January 18, 2017, SAMHSA these commenters in support of aligning representatives, contractors, and published a final rule (82 FR 6052). In the regulations with HIPAA or HIPAA/ subcontractors may use and disclose response to public comments, the final HITECH Act were to: (1) Promote patient identifying information for rule provided for greater flexibility in information flow between providers, D with RULES poFpuineraprlaoltysieo, snth soi,fs a pfniandya malu erduniltte,s h iasen amdlt ahekv icanalgrue am tiionnosr. disnyisfsocterlommsa iwntigho nipl aewt ciieotnhntit niind tuehnient higf eytaoiln taghd dcareres s the iranedccmolurinddi;i sn(t2gr) aa ta ocllrlosin woif cp asrelolryvv iicdcoeemsrs pg arleneatdet e pr atient RO technical corrections to ensure accuracy need to protect the confidentiality of discretion; (3) facilitate interoperability; B2P and clarity in SAMHSA’s regulations. substance use disorder patient records. (4) improve compliance; (5) enhance H Y8 DATES: Effective date: This final rule is SAMHSA concurrently issued a privacy protections by making B KB effective February 2, 2018. supplemental notice of proposed confidentiality restrictions more S D worth on jstallVerDate Sep<11>2014 15:15 Jan 02, 2018 Jkt 244001 PO 00000 Frm 00031 Fmt 4700 Sfmt 4700 E:\FR\FM\03JAR1.SGM 03JAR1 240 Federal Register/Vol. 83, No. 2/Wednesday, January 3, 2018/Rules and Regulations uniform across health care settings; (6) disclosure, such as communicating part SAMHSA considered the impact the promote more innovative models of 2 restrictions through codes, flags, pop- proposed abbreviated notice would have health care delivery, including ups, or other signifiers. However, some on electronic health records formats, integrated and coordinated care, and of these commenters and others also system design and software value-based and population-based explained that most of the suggestions development for clinical medical models; (7) establish uniform, workable are not technically feasible at this time, records format, or the impact on regulations with respect to treatment, due to the lack of standardized required HIPAA Administrative payment and operations; and (8) electronic formats and transmission transactions. One commenter stated that improve patient care and reduce stigma standards. One supportive commenter an abbreviated notice of the prohibition and potential harm to patients. suggested SAMHSA work with the on re-disclosure must contain, at a Department of Health and Human minimum, a clear warning label to SAMHSA Response Services (HHS) and its agencies, prevent misuse and should state that SAMHSA has attempted to align this including the Centers for Medicare & any misuse is illegal under 42 CFR part final rule with HIPAA, the HITECH Act, Medicaid Services (CMS), and the Office 2. and their implementing regulations to of Civil Rights (OCR), to explore the extent feasible, based on the whether HIPAA electronic transactions SAMHSA Response proposed revisions in the SNPRM, the and code sets can be leveraged or The 42 CFR part 2 regulations in public comments received, and the modified to ‘‘flag’’ part 2 information effect since 1983 have required that a limitations on SAMHSA’s authority in and, once the recommendation becomes notice of the prohibition on re- the governing statute, 42 U.S.C. 290dd– actionable, involve standard-setting disclosure accompany each disclosure 2. At the same time, it is important to bodies and the public. Several made with the patient’s written consent. note that part 2 and its authorizing supportive commenters provided In the SNPRM, SAMHSA proposed the statute are separate and distinct from circumstances they thought were option of an abbreviated notice to satisfy HIPAA, the HITECH Act, and their appropriate for an abbreviated notice of the requirements of §2.32 due to implementing regulations. Part 2 the prohibition on re-disclosure, concerns about character limits in free- provides more stringent federal including: (1) All electronic disclosures text fields within electronic health protections than other health privacy (because there may not currently be a record systems. Specifically, many of laws such as HIPAA and seeks to standard mechanism to ‘‘flag’’ electronic the health care electronic systems have protect individuals with substance use information disclosures that are covered a standard maximum character limit of disorders who could be subject to by part 2); (2) only paper disclosures; (3) 80 characters in the free text space that discrimination and legal consequences limiting the use of the abbreviated may be used to transmit this notice. in the event that their information is notice to the exchange of records While SAMHSA recognizes there may improperly used or disclosed. To the between part 2 programs (that would be technical issues to be resolved, after extent feasible given these restrictions, have familiarity with the concept of considering the totality of the SAMHSA continues to review these prohibition on re-disclosure); (4) comments, SAMHSA believes including issues, plans to explore additional exchange of records among part 2 an abbreviated notice of the prohibition alignment with HIPAA, and may programs and other entities (including on re-disclosure as an option will be consider additional rulemaking for 42 third-party payers, and other lawful beneficial to stakeholders, particularly CFR part 2. holders); and (5) using a single those who use electronic health record abbreviated notice for all circumstances. B. Prohibition on Re-Disclosure (§2.32) systems to exchange data. However, A couple of commenters indicated that In the SNPRM, SAMHSA sought having the notice of prohibition on re- because even commenters supporting comment on whether an abbreviated disclosure accompany disclosures, as inclusion of an abbreviated notice had notice of the prohibition on re- required by §2.32, is important for differing views about the circumstances disclosure should be included in §2.32 ensuring compliance with part 2. under which an abbreviated notice and on the circumstances under which Commenters who opposed the should be used, SAMHSA decided, such abbreviated notice should be used. abbreviated notice of the prohibition on consistent with its proposal, to allow The SNPRM provided an example of an re-disclosure expressed concerns that a use of an abbreviated notice in any abbreviated notice: ‘‘Data is subject to shortened notice: (1) May be confusing instance in which a notice is required 42 CFR part 2. Use/disclose in or unclear to patients and professionals; under the regulations. Recognizing conformance with part 2.’’ SAMHSA (2) would fail to safeguard against concerns expressed by commenters that has adopted an abbreviated notice that unauthorized disclosures; and (3) would an abbreviated notice could be is 80 characters long to fit in standard be insufficient to solve logistical insufficient to convey understanding of free-text space within health care concerns because, regardless of the part 2 requirements, SAMHSA electronic systems. The abbreviated length of the notice, systems will need encourages part 2 programs and other notice in this final rule reads ‘‘Federal to be put in place to tag substance use lawful holders using the abbreviated law/42 CFR part 2 prohibits disorder information and send the notice to discuss the requirements with unauthorized disclosure of these notice with the information being those to whom they disclose patient records.’’ disclosed. In addition, some identifying information. In response to commenters found the current notice to comments received that the abbreviated Public Comments be sufficient. notice did not provide an adequate Several commenters expressed SAMHSA also received comments warning against potential misuse of S ULE support for the abbreviated notice of the stating that the SNPRM provided patient identifying information, D with R pprroohviidbietsi omno orne frlee-xdiibsiclliotysu arned b eefcfaicuiseen icty isnuspupfofircti oenr to ipnpfoosrme tahtieo anb tbor eevitihaeterd SmAoMdiHfieSdA t,h ien ltahnisg ufiangael irnu lteh,e h as RO in meeting the notice requirement. notice of the prohibition on re- abbreviated notice to more explicitly P B2 Several supportive commenters disclosure because: (1) The purpose of notify recipients that improper use or H Y8 suggested potential technical solutions the abbreviated notice was not made disclosure is prohibited under 42 CFR B KB for conveying the prohibition on re- clear; and (2) it was unclear whether part 2. S D worth on jstallVerDate Sep<11>2014 15:15 Jan 02, 2018 Jkt 244001 PO 00000 Frm 00032 Fmt 4700 Sfmt 4700 E:\FR\FM\03JAR1.SGM 03JAR1 Federal Register/Vol. 83, No. 2/Wednesday, January 3, 2018/Rules and Regulations 241 C. Disclosures Permitted With Written party payers have the expertise and would apply in connection with the Consent (§2.33) resources to carry out certain payment disclosures. Some commenters and health care operations without the expressed concern that the changes In the SNPRM, SAMHSA proposed to assistance of contractors; (2) it is often were too broad or would undermine explicitly list under §2.33(b), specific not feasible to specify each contractor overall part 2 protections. One types of activities for which any lawful on a part 2 consent form; and (3) commenter expressed concern that the holder of patient identifying specifying contractors on a part 2 risk of breaches might increase by information would be allowed to further consent form unreasonably restricts a permitting additional disclosures to disclose the minimal information lawful holder from changing facilitate health care operations. Several necessary for specific payment and contractors. One commenter observed commenters noted that the revisions in health care operations activities. that essential payment and operations §2.33(b) would permit lawful holders SAMHSA proposed new regulatory text activities directly or indirectly benefit greater latitude in sharing information under §2.33(c) that would require patients (e.g., by ensuring access to and with entities than would be afforded to lawful holders that engage contractors coverage of treatment). One commenter patients. These commenters found that and subcontractors to carry out payment supported the proposal because it the revisions would permit patients to and health care operations activities that further aligns part 2 with HIPAA, while consent to sharing patient identifying entail the use or disclosure of patient another commenter expressed support information with lawful holders, who identifying information to include for this or any proposal that would then are permitted to re-disclose that specific contract provisions addressing reduce the time and expense incurred information to contractors, compliance with part 2. In this final by part 2 programs when seeking and subcontractors, or legal representatives rule, SAMHSA finalizes the scope and obtaining patient consent where not without notifying the patient. requirements for permitted disclosures necessary. Conversely, patients would be to contractors, subcontractors, and legal prohibited from consenting to disclose representatives for the purpose of SAMHSA Response patient identifying information to payment and health care operations. In the SNPRM, SAMHSA proposed entities with whom they do not have a SAMHSA does not retain the proposed clarifications to the final regulations treating provider relationship without list of payment and health care issued on January 18, 2017, where they further designating an individual operations in the regulatory text and appeared to be needed, based on public participant in that entity. As a result, instead, moves this list to the preamble comment. SAMHSA appreciates the these commenters questioned section of the final rule to serve as support it received for clarifying the SAMHSA’s intent for this proposal. illustrative examples of permissible part 2 regulations. SAMHSA is One commenter thought the SNPRM payment and health care operations finalizing those clarifications as did not provide sufficient information to activities. In addition, consistent with proposed in §2.33(b) except for the list respond to the proposed §2.33 because SAMHSA’s prior statement in the of 17 specific types of payment and of the similarity of contractors and SNPRM preamble, SAMHSA adds health care operations activities for subcontractors with qualified service language to the regulatory text in which any lawful holder of patient organizations (QSOs) under §§2.11 and §2.33(b) to clarify that disclosures to identifying information would be 2.12, and the similarity to Business contractors, subcontractors, and legal allowed to further disclose to Associates under HIPAA. The representatives are not permitted for contractors, subcontractors, and legal commenter requested clarification on substance use disorder patient representatives. As discussed below, whether it is SAMHSA’s intent to diagnosis, treatment, or referral for this list of activities is being included in directly apply part 2 to these contractors treatment. SAMHSA finalizes §2.33(c) the preamble, rather than in regulatory and subcontractors in a manner similar in relation to contract language text, in order to make clear that it is an to what was accomplished under the referencing compliance with 42 CFR illustrative rather than exhaustive list of HIPAA Privacy and Security Rules for part 2 and the protections of part 2 the types of payment and health care Business Associates of covered entities. patient identifying information, but operations activities that would be does not retain the proposed reference SAMHSA Response acceptable to SAMHSA. By removing to permitted uses of patient identifying the list from the regulatory text, SAMHSA is seeking a balance information consistent with the written SAMHSA intends for other appropriate between protecting the confidentiality consent. payment and health care operations of substance use disorder patient 1. Disclosures by Lawful Holders activities to be permitted under §2.33 as records and ensuring that the the health care system continues to regulations do not pose a barrier to Public Comments evolve. In addition, consistent with patients with substance use disorders In response to SAMHSA’s request for SAMHSA’s prior statement in the who wish to participate in, and could comments on proposed revisions to SNPRM preamble, SAMHSA has added benefit from, emerging health care §2.33, SAMHSA received a number of language to the regulatory text in models that promote integrated care and comments supporting its proposal in §2.33(b) to clarify that disclosures to patient safety. Unauthorized disclosure §2.33 to clarify that lawful holders of contractors, subcontractors, and legal of substance use disorder patient patient identifying information may representatives are not permitted for records can lead to a host of negative disclose the minimum amount of activities related to a patient’s diagnosis, consequences, including loss of information necessary to contractors, treatment, or referral for treatment. employment, loss of housing, loss of subcontractors, and legal representatives child custody, discrimination by ULES for payment and health care operations Public Comments medical professionals and insurers, D with R ppurarcptoicsaels .c Soenvceerranls c womithm tehnet eprosl icciyte ads coSmAmMeHntSsA o paplsoos irnegc eiitvs epdr onpuomsaelr oinu s aTrhrees pt,u prproosseec ouft itohne, paanrdt 2in rceagrucleartaitoinosn .i s RO stated in the January 18, 2017, final rule, §2.33. The majority of these to ensure that a patient is not made P B2 including: (1) It is unrealistic to assume commenters were opposed to the more vulnerable by reason of the H Y8 that lawful holders of patient changes because SAMHSA had not availability of their patient record than B KB identifying information such as third- specified additional safeguards that an individual with a substance use S D worth on jstallVerDate Sep<11>2014 15:15 Jan 02, 2018 Jkt 244001 PO 00000 Frm 00033 Fmt 4700 Sfmt 4700 E:\FR\FM\03JAR1.SGM 03JAR1 242 Federal Register/Vol. 83, No. 2/Wednesday, January 3, 2018/Rules and Regulations disorder who does not seek treatment. statement that an entity that lawfully appropriate. Several commenters SAMHSA recognizes the legitimate receives patient identifying information expressly supported the list of payment needs of lawful holders of patient under a valid part 2 consent may and operations activities included in the identifying information to disclose that disclose the information to its contractor SNPRM. One commenter stated that the information to their contractors, under a QSO agreement (QSOA) if such proposed 17 categories of payment and subcontractors, and legal representatives disclosure is reasonably consistent with operations activities are essential to for purposes of payment and health care the terms of the consent. This allowing third-party payers and other operations as long as the core commenter also proposed to revise the lawful holders to reasonably operate. protections of 42 CFR part 2 are QSO definition to align it more closely Another commenter observed that the maintained. SAMHSA notes that the with the HIPAA ‘‘business associate’’ proposed payment and health care part 2 regulations already state at concept. Two commenters questioned operations activities represent §2.13(a): ‘‘. . . Any disclosure made the distinction between the needs of significant progress toward SAMHSA’s under the regulations in this section part 2 programs and other lawful stated goal of modernizing 42 CFR part must be limited to that information holders to engage third parties for 2 to increase opportunities for which is necessary to carry out the operational assistance and requested individuals with substance use purpose of the disclosure.’’ This that the QSO definition simply include disorders to participate in new and provision helps to ensure that lawful holders in the list of entities for emerging health care models and health information is not shared more broadly which a QSO may provide services. One information technology. than the purpose(s) for which the of these commenters stated that this Numerous commenters recommended patient consents. With respect to the alternative approach would give that care coordination and case comment that proposed revisions in patients a choice and align better with management be added to the list, noting §2.33(b) would provide lawful holders patients’ expectations without adding the importance of these services in the greater latitude in sharing information another layer of complexity. operational and treatment with entities for payment and health responsibilities in serving patients, SAMHSA Response care operations purposes than would be including those with a dual diagnosis of afforded to patients, SAMHSA SAMHSA declines to implement the mental health and substance use acknowledges this concern and will be suggested alternative approaches. disorder. Conversely, several convening a stakeholder meeting SAMHSA agrees there are similarities commenters recommended that relative to part 2 as required by the 21st between contractors under §2.33(b) and SAMHSA include a statement in the Century Cures Act (Pub. L. No: 114– QSOs. However, SAMHSA did not regulatory text explicitly excluding care 255). propose in the SNPRM to revise the coordination and case management from Finally, it is not SAMHSA’s intent to provision on QSOs. §2.33(b). Another commenter also apply part 2 to contractors and stated that disclosures to contractors, 2. List of Payment and Health Care subcontractors in a manner similar to subcontractors, and legal representatives Operations Activities what was accomplished under the should not include information HIPAA Privacy and Security Rules for In the SNPRM, SAMHSA sought concerning diagnosis, treatment and/or Business Associates in accordance with, public comment on whether the referral to treatment without a patient’s respectively, sections 13404(a) and proposed listing of permitted activities express consent. 13401(a) of the HITECH Act, 42 U.S.C. is adequate and appropriate to ensure Several commenters were confused 17934(a), 17931(a). SAMHSA has the health care industry’s ability to by, or disagreed with, SAMHSA’s attempted to align part 2 with HIPAA in conduct necessary payment and health omission of treatment-related activities this final rule to the extent such changes care operations, while still maintaining such as care coordination and case are permissible under 42 U.S.C. 290dd– adequate confidentiality of substance management from the list of payment 2. Moreover, as discussed previously, use disorder patient records. SAMHSA and health care operations activities for SAMHSA plans to explore additional also sought comment on the specific which additional disclosures were alignment with HIPAA and is types of activities for which a lawful proposed in the SNPRM. One such considering additional rulemaking for holder of patient identifying commenter stated that it was unclear 42 CFR part 2. information would be allowed to further why a contractor performing a At the same time, part 2 and its disclose the minimal information treatment-related activity should be authorizing statute are separate and necessary for specific payment and subject to greater confidentiality distinct from HIPAA, the HITECH Act, health care operations activities safeguards (e.g., specific consent) than and their implementing regulations. described in the SNPRM. Further, an entity performing a payment or Because of its targeted population, part SAMHSA requested public comment on business-related activity. Others thought 2 and its authorizing statute provides additional purposes for which lawful the benefits of care coordination more stringent federal protections than holders should be able to disclose outweighed any risk of including it on other health privacy laws, including the patient identifying information. the list of permitted activities because HIPAA Rules, in order to encourage SAMHSA is finalizing the clarifications, SAMHSA also included on the list individuals with substance use as proposed in §2.33, but now includes patient safety activities, which are disorders to seek treatment. the list of 17 specific types of payment inextricably linked to care coordination and health care operations as illustrative and case management. Another Public Comments examples in the preamble rather than commenter, stating that health Several commenters proposed an the regulatory text. information technology and health S D with RULE acalhltlaeonrwng aelatsiw vinefu §alp 2hp.o3rl3od,a ecwrhsh ttiooc htch owen otpruralocdpt iownssiettdhe a d PuMblaicn yC ocommmmenentst ers responded to ibanrugfioulrdemidna tgth iboaltno t cehkxesc ehoxafc nilngutese iagorrnea toeefsd sc ecanarertie a, l RO QSOs, just as part 2 programs currently SAMHSA’s requests for comments on coordination and case management from P B2 do. One such commenter proposed that, whether the proposed list of explicitly permitted health care operations would H Y8 instead of an explicit list of activities, permitted payment and health care make it extremely difficult for state B KB §2.33(b) should include a general operations activities is adequate and Medicaid agencies, managed care S D worth on jstallVerDate Sep<11>2014 15:15 Jan 02, 2018 Jkt 244001 PO 00000 Frm 00034 Fmt 4700 Sfmt 4700 E:\FR\FM\03JAR1.SGM 03JAR1 Federal Register/Vol. 83, No. 2/Wednesday, January 3, 2018/Rules and Regulations 243 organizations (MCOs), and providers to determinations regarding insurability, management and planning-related use this technology to provide high treatment, and eligibility. analyses related to managing and quality, integrated care. One commenter Several commenters also requested operating, including formulary pointed out that third-party payers, to additional protections to ensure lawful development and administration, which disclosure would be permitted holders and their contractors, development or improvement of under the SNPRM, may perform care subcontractors, and legal representatives methods of payment or coverage coordination and case management only use information protected under policies; activities as well as payment and health part 2 for the purposes listed in the • Business management and general care operations activities. patient’s written consent. administrative activities, including SAMHSA also received comments SAMHSA Response management activities relating to requesting a variety of additions to the implementation of and compliance with list of permitted activities. In addition, While SAMHSA is finalizing the the requirements of this or other statutes SAMHSA received comments clarifications as proposed in §2.33, or regulations; SAMHSA is not including the list of 17 • Customer services, including the requesting clarification of some of the specific types of payment and health provision of data analyses for policy activities included on the list. Finally, care operations in the regulatory text holders, plan sponsors, or other two commenters observed that the rapid that would be the basis for further customers; changes occurring in the health care disclosures by a lawful holder of patient • Resolution of internal grievances; payment and delivery system may make identifying information. Based on the • The sale, transfer, merger, any list of permitted activities included numerous comments received consolidation, or dissolution of an in the final rule outdated very quickly. requesting additions or clarifications to organization; A few commenters disagreed with the list, as well as concerns that the • Determinations of eligibility or including in the regulatory text a list of rapid changes occurring in the health coverage (e.g. coordination of benefit permitted payment and health care care payment and delivery system could services or the determination of cost operations activities. One commenter render any list of activities included in sharing amounts), and adjudication or thought SAMHSA should be more the regulatory text outdated, SAMHSA subrogation of health benefit claims; protective of vulnerable patients has decided to include the list in the • Risk adjusting amounts due based because the list was seen as a loophole preamble of this final rule to illustrate on enrollee health status and that would result in patient identifying the types of permissible payment and demographic characteristics; information being spread beyond the health care operations activities. • Review of health care services with immediate point of care and being used Examples of permissible activities respect to medical necessity, coverage in unforeseen ways. For consistency, under §2.33(b) that SAMHSA considers under a health plan, appropriateness of one commenter requested that SAMHSA to be payment and health care care, or justification of charges. replicate HIPAA’s definition of payment operations activities include: This list of payment and health care at 45 CFR164.501 for the purpose of • Billing, claims management, operations is substantively unchanged collection activities under proposed collections activities, obtaining payment from that which was proposed as §2.33(b)(1). under a contract for reinsurance, claims regulatory text in the SNPRM published SAMHSA also received a number of filing and related health care data on January 18, 2017. In this final rule, comments requesting that certain processing; SAMHSA maintains its position that the activities on the list of payment and • Clinical professional support payment and health care operations health care operations activities be services (e.g., quality assessment and activities referenced in §2.33 and listed restricted or narrowed. A number of improvement initiatives; utilization in the preamble are not intended to commenters requested that SAMHSA review and management services); encompass substance use disorder remove or narrow proposed §2.33(b)(15) • Patient safety activities; patient diagnosis, treatment, or referral & (16) to ensure patients’ protected • Activities pertaining to: for treatment. SAMHSA believes it is substance use disorder information will • The training of student trainees and important to maintain patient choice in not be used to limit or deny insurance health care professionals; disclosing information to health care • The assessment of practitioner coverage or access to health care. Some providers with whom patients have competencies; commenters expressed concern that the direct contact. For this reason, the final • The assessment of provider and/or proposed §2.33(b)(2) could be provision in §2.33(b) is not intended to health plan performance; and interpreted as allowing protected • Training of non-health care cover care coordination or case information to be disclosed to management and disclosures to professionals; employers. Many of these commenters • Accreditation, certification, contractors, subcontractors, and legal stated they did not support the representatives to carry out such licensing, or credentialing activities; SNPRM’s proposed changes in general, • Underwriting, enrollment, premium purposes are not permitted under this or SAMHSA’s proposal to permit lawful section. In addition, SAMHSA added rating, and other activities related to the holders to disclose patient identifying language to the regulatory text in creation, renewal, or replacement of a information obtained pursuant to §2.33(b) to clarify that disclosures to contract of health insurance or health patient consent to contractors, contractors, subcontractors and legal benefits, and ceding, securing, or subcontractors, and legal representatives representatives are not permitted for placing a contract for reinsurance of risk for payment and health care operations activities related to a patient’s diagnosis, relating to claims for health care; purposes, in particular, without further • Third-party liability coverage; treatment, or referral for treatment. S ULE protections and safeguards. Two • Activities related to addressing SAMHSA notes that the position D with R cinocmlumsieonnte orfs fdivisea ogrf etehde wpriothp othseed fra•udC,o wnadsutcet ainngd oarb aursrea;n ging for medical athrtei cHuIlPaAteAd iPnr itvhaics yf iRnuall er,u ulen ddeifrf ewrsh ifcrohm RO activities (§§2.33(b)(6), 2.33(b)(10), review, legal services, and auditing ‘health care operations’ encompasses P B2 2.33(b)(12), 2.33(b)(15), and 2.33(b)(16)) functions; such activities as case management and H Y8 because they could adversely affect • Business planning and care coordination. However, SAMHSA B KB patient enrollment in health plans and development, such as conducting cost- appreciates the concerns expressed by S D worth on jstallVerDate Sep<11>2014 15:15 Jan 02, 2018 Jkt 244001 PO 00000 Frm 00035 Fmt 4700 Sfmt 4700 E:\FR\FM\03JAR1.SGM 03JAR1 244 Federal Register/Vol. 83, No. 2/Wednesday, January 3, 2018/Rules and Regulations some commenters about such issues as contract amendment burdens industry- comply with §2.13, lawful holders the exclusion of care coordination and wide and would be disruptive to should ensure that the purpose section case management from §2.33(b). business relationships. Commenters of the consent form is consistent with SAMHSA also appreciates comments noted that business associate the role of or services provided by the received concerning potential risks of agreements under HIPAA as well as contractor or subcontractor (e.g., including care coordination, case many contracts already require ‘‘payment and health care operations’’). management and other activities in compliance with all applicable federal SAMHSA understands the concerns §2.33(b). Consistent with the 21st and state laws, which would include expressed by commenters regarding Century Cures Act, prior to March 21, part 2. Some commenters requested that bringing contracts into compliance with 2018, the Secretary of HHS will convene contract provisions requiring §2.33(c). To address these concerns, the relevant stakeholders to determine the compliance with applicable federal laws final rule allows lawful holders two effects of 42 CFR part 2 on patient care, and regulations be deemed as satisfying years from the effective date of the final health outcomes, and patient privacy. the requirement of proposed §2.33(c) rule to bring their contracts and legal This meeting will provide stakeholders even if part 2 is not specifically agreements with contractors, with an additional opportunity to mentioned. One commenter stated that subcontractors, and voluntary legal provide further input to SAMHSA contracts typically specify the purposes representatives into compliance. If regarding implementation of part 2, for which the contractor may use any lawful holders choose not to re-disclose including changes adopted in this final confidential information and so it is not patient identifying information to rule. necessary to require language on contractors, subcontractors, or legal specific permitted uses and disclosure representatives as specified under 3. Contract Provisions for Disclosures of patient identifying information. §2.33(b), they do not have to comply Under Proposed §2.33(c) Some commenters stated that §2.33(c) with §2.33(c). SAMHSA proposed new regulatory should not be included in future SAMHSA disagrees with comments text requiring that lawful holders that rulemaking. One such commenter that propose allowing existing engage contractors and subcontractors to requested that SAMHSA provide contractual language regarding general carry out payment and health care evidence that current contract language compliance with applicable federal laws operations that require using or is not adequately addressing part 2 uses to satisfy requirements under §2.33(c). disclosing patient identifying and disclosures by those entities SAMHSA believes that it is important information include specific contract specified in §2.33(c). Another for part 2 to be specifically mentioned provisions requiring contractors and commenter requested that SAMHSA in contracts and legal agreements when subcontractors to comply with the explore leveraging information lawful holders are disclosing part 2 provisions of part 2. SAMHSA is technology to identify more efficient patient identifying information to finalizing this proposal except that it is ways for patients to consent to contractors, subcontractors and not requiring that the contract specify disclosure. This commenter also voluntary legal representatives under the permitted uses of patient identifying recommended that SAMHSA conduct §2.33(b). A fundamental principle of 42 information by the contractor, an assessment or promulgate an CFR part 2 is that patients should have subcontractor, or legal representative. Advanced Notice of Proposed as much control as possible over their An appropriate comparable legal Rulemaking to solicit information to patient identifying information. instrument will suffice in cases where determine the adequacy of existing Referencing part 2 in contracts will help there is otherwise no contract between contracts or business processes to to underscore the importance of the lawful holder and a legal address information disclosures with compliance with part 2 provisions. representative who is retained contracted entities. Several commenters However, SAMHSA also recognizes voluntarily; when a legal representative stated that SAMHSA could address that entities may have different is required to represent the lawful concerns with an extension, by approaches to ensuring compliance with holder by law, the requirement for a regulation, of the part 2 protections to part 2 and other laws. While SAMHSA contract or comparable legal instrument any entity handling the information requires compliance with §2.33(c) for in §2.33(c) shall not apply. disclosed via consent. lawful holders who wish to disclose SAMHSA received comments that patient identifying information pursuant Public Comments asked that that the language in proposed to §2.33(b), SAMHSA is not specifying SAMHSA received several comments §2.33(c) be modified to allow the the exact contract language to be used. expressing general support for the patient identifying information With respect to the comment proposed provisions in §2.33(c) relating safeguards to be spelled out in the regarding limiting disclosures to the to contracts or legal agreements between contract and/or business associates minimum information necessary, §2.13 lawful holders and their contractors, agreement. requires that any disclosure made must subcontractors, and legal be limited to that information which is SAMHSA Response representatives. One of these necessary to carry out the purpose of the commenters agreed that limits should be SAMHSA is finalizing §2.33(c) as disclosure. Contractors, subcontractors, placed on disclosures to contractors, proposed, but has revised the regulatory and legal representatives will be such as allowing disclosure of only the text to remove the reference to patient required to comply with this and all minimum patient identifying consent as it relates to the requirement applicable provisions under part 2. information necessary for specific to specify permitted uses of patient (Section 2.33(c) states that contractors payment or health care operations. identifying information by the and any subcontractors or legal S ULE A number of commenters, however, contractor, subcontractor, or legal representatives are fully bound by the D with R orepqpuoisreedm iennctlsu idni n§g2 .s3p3e(cci)f ibce ctwoneterna ct rneoptreess tehnatta §tiv2e.1. 3H roewquevireers, tShAaMt aHnSy A ppraotiveinsti oindse notfi fpyairntg 2 i nufpoornm raetcioenip).t of RO lawful holders and their contractors disclosure made under the regulations B2P requiring compliance with part 2. Many must be limited to that information Public Comments H Y8 of these commenters stated that this which is necessary to carry out the One commenter requested that B KB provision would impose significant purpose of the disclosure. Therefore, to SAMHSA remove the following S D worth on jstallVerDate Sep<11>2014 15:15 Jan 02, 2018 Jkt 244001 PO 00000 Frm 00036 Fmt 4700 Sfmt 4700 E:\FR\FM\03JAR1.SGM 03JAR1 Federal Register/Vol. 83, No. 2/Wednesday, January 3, 2018/Rules and Regulations 245 sentence from §2.33(c): ‘‘In making One commenter stated that a List of related to payment and health care such disclosure, the lawful holder Disclosures requirement for lawful operations. Section §2.33(c) specifies should specify permitted uses of patient holders who wish to re-disclose patient the requirements of a written contract; identifying information consistent with identifying information to contractors, it is up to the lawful holder and the written consent, by the contractor subcontractors, and legal representatives contractor to determine how their and any subcontractors or legal should be included in contractual contracts should address these representatives to carry out the payment language. requirements. and health care operations activities One commenter requested that listed in the preceding subparagraph, SAMHSA require in the contractual text With regard to cloud service providers require such recipients to implement that contractors, subcontractors, and storing patient identifying information appropriate safeguards to prevent legal representatives use protected for a lawful holder, SAMHSA declines unauthorized uses and disclosures and substance use disorder information only to make the suggested changes to the require such recipients to report any for the purpose(s) listed in the patient’s language in §2.33(c). Under §2.33, unauthorized uses, disclosures, or written consent and that re-disclosure lawful holders, contractors and their breaches of patient identifying by contractors, subcontractors, and legal subcontractors are responsible for information to the lawful holder.’’ representatives to third parties be providing a prohibition on re-disclosure Commenters stated that lawful holders allowed only as long as the third party notice (§2.32) if they re-disclose patient will not possess the written consent discloses the patient identifying identifying information to their because it is typically held by the part information back to the contractors or contractors in order to meet the 2 program and it would be impractical, lawful holders from which the requirements of §2.33. If other entities if not impossible, for the written information originated. access the information as permitted by consent form to be passed on to other SAMHSA Response the lawful holder (because the other entities. Another commenter stated that entities that gain access to the mechanisms for transmitting written SAMHSA declines to provide specific information via the cloud are consent forms had yet to evolve. and detailed contract language because contractors with the lawful holder A commenter stated that a prohibition SAMHSA believes lawful holders need on re-disclosure notice under §2.32 the flexibility to include language that (§2.33) and not the cloud services should not be required when a fits within their contract structures. provider, or to fulfill the requirements disclosure from a contractor that is a However, regardless of the specific on the written consent (§2.31), then the cloud services provider is back to the contractual language used, all lawful lawful holder (not the cloud service lawful holder or is disclosed under the holders, contractors, subcontractors, and provider) is responsible for ensuring direction or control of the lawful holder legal representatives must comply with that a notice of the prohibition on re- because the cloud service provider applicable requirements specified in disclosure is conveyed to those entities, would not have control over the §2.33(c) as well as the other applicable along with the information. disclosure and therefore could not provisions in part 2. Regardless of the specific contractual accompany the disclosure with a notice SAMHSA does not require that part 2 language used, all lawful holders, related to §2.32 and suggested consent forms be passed along to the contractors, subcontractors, and legal alternative language. contractor or subcontractor. SAMHSA representatives must comply with Other commenters supported the has revised the regulatory text in provisions in proposed §2.33(c) but §2.33(c) to remove the reference to requirements specified in §2.33(c) as specified additional safeguards that patient consent as it relates to the well as the other applicable provisions should be added or referenced. Several requirement to specify permitted uses of in part 2. Therefore, with respect to the commenters requested that SAMHSA patient identifying information by the comments on contractors, include another requirement in contractor, subcontractor, or legal subcontractors, and legal representatives proposed §2.33(c) that contractors, representative. However, §2.13 requires resisting disclosure of patient records in subcontractors, and legal representatives that any disclosure made under the judicial proceedings, SAMSHA notes be bound by all of the requirements that regulations must be limited to that that §2.13(a) already states: ‘‘The apply to QSOs, as QSOs and contractors information which is necessary to carry patient records subject to the regulations serve similar functions. These out the purpose of the disclosure. in this part may be disclosed or used commenters stated that written Therefore, to comply with §2.13, part 2 only as permitted by the regulations in contracts under proposed §2.33(c), programs and other lawful holders this part and may not otherwise be therefore, would require contractors, should ensure that the purpose section disclosed or used in any civil, criminal, subcontractors, and legal representatives of the consent form is consistent with administrative, or legislative to agree to resist in judicial proceedings the role of or services provided by the proceedings conducted by a federal, any efforts to obtain access to patient contractor or subcontractor (e.g., state or local authority.’’ In addition, records identifying information related ‘‘payment and health care operations’’). §2.13(a) already requires that any to substance use disorder diagnosis, Those utilizing contractors or disclosures must be limited to the treatment, or referral for treatment subcontractors should then inform those information which is necessary to carry except as permitted by part 2. These parties in their contracts that out the purpose of the consent. In commenters also expressed opposition information governed by part 2 requires response to the request that the contract to the SNPRM’s proposed changes in the contractor or subcontractor to take require compliance with the security general or SAMHSA’s proposal to reasonable steps to prevent D with RULES pipdeuerrnmstuiiafty nliatn wtgof iupnla fhotioremlndtae tcrioso nntos oe dbnittsa ctiolno esde patient utborn eiaanucftohhreomsr i atznheded / louarsw eufsnu aal nuhdtoh ldodiresircz leoodfs auunrseyes s .a Infd a rRpereqocugoirrrademsm,s ea anlrntesda, do§yt2h a.e1pr6 pl,a lSiweesfcu utlor hiptoyal rdfto e2rr s of RO contractors, subcontractors and legal contractor receives information for patient identifying information, and, P B2 representatives, including for payment quality assurance purposes, for instance, therefore, would apply to contractors, H Y8 and health care operations purposes, they should not be sharing it for other subcontractors, and legal B KB without these and other protections. purposes, much less for activities not representatives. S D worth on jstallVerDate Sep<11>2014 15:15 Jan 02, 2018 Jkt 244001 PO 00000 Frm 00037 Fmt 4700 Sfmt 4700 E:\FR\FM\03JAR1.SGM 03JAR1 246 Federal Register/Vol. 83, No. 2/Wednesday, January 3, 2018/Rules and Regulations 4. Other Comments Concerning laws and regulations, requested that the consent requirement for lawful Disclosures by Lawful Holders SAMHSA consider defining these terms. holders that fall under §2.33(b) must be maintained and that §2.33(b) should not Public Comments SAMHSA Response apply to QSOs. Further, SAMHSA SAMHSA received a number of SAMHSA did not propose to define guidance indicates that a QSOA does comments relative to Medicaid agencies ‘‘contractors’’ and ‘‘subcontractors’’ in not permit a QSO to re-disclose and MCOs with which they contract; the its proposed rule and declines to do so information to a third party unless that commenters stated that MCOs are now in the final rule. As stated in third party is a contract agent of the considered to be an extension of the §2.33(c), lawful holders who wish to QSO, helping them provide services Medicaid agency. Several of these disclose patient identifying information described in the QSOA, and only as commenters requested clarification that, pursuant to subsection (b) of this section long as the agent only further discloses under §2.33(b), MCOs (one commenter must enter into a written contract with the information back to the QSO or to noted that such organizations are called the contractor (or appropriate the part 2 program from which it came. coordinated care organizations in that comparable legal instrument in the case C. Audit and Evaluation (§2.53) state) may disclose patient identifying of a legal representative retained information for health care operations voluntarily by the lawful holder). In the SAMHSA recognizes that federal, and payment purposes to the state case where there is a legal state, and local governments often need agency with which the organization is representative who is required to to access all of the records, including under contract. One commenter represent the lawful holder by law, the part 2 program records, held by entities requested clarification that under requirement for a contract or they regulate in order to appropriately §2.33(b) lawful holders may disclose comparable legal instrument in §2.33(c) evaluate compliance with applicable patient identifying information to the shall not apply. SAMHSA believes this laws, rules, and policies. As a result, in state Medicaid agency with which they general understanding of a contractor or the SNPRM, SAMHSA proposed are contracted. Another commenter subcontractor provides the necessary regulatory changes to clarify that audits requested that that this provision flexibility for these types of and evaluations may be performed on explicitly permit disclosures between arrangements while still ensuring that behalf of federal, state, and local managed care organizations, their all parties must adhere to requirements governments providing financial contractors and a Medicaid program. and protections specified in §2.33(c). assistance to, or regulating the activities of, lawful holders as well as part 2 Similarly, a commenter also pointed out Public Comments programs. SAMHSA recognizes that that proposed §2.33(b) would only One commenter requested that federal, state, and local governments allow a lawful holder to disclose to its SAMHSA add a new §2.33(d) to state often need to access all of the records, own contractors and subcontractors, that ‘‘if the contractor, subcontractor, or including part 2 program records, held which would not relieve the legal representative needs patient by entities they regulate in order to administrative obstacles part 2 identifying information directly from appropriately evaluate compliance with providers experience when trying to the part 2 program, the contractor, applicable laws, rules, and policies. For obtain insurance coverage for their subcontractor, or legal representative example, an Accountable Care patients because the part 2 programs must produce a copy of the agreement Organization (ACO) or similar CMS- would have to deal directly with a peer mandated by §2.33(c) prior to the part regulated health care models may wish reviewer or utilization review company 2 program releasing any information.’’ to evaluate the impact of integrated care that is a subcontractor to the insurance on several participating behavioral company named on the consent form. SAMHSA Response health care programs’ quality of care, or SAMHSA Response SAMHSA declines to require a state may wish to do an audit to see contractors, subcontractors, and legal how many individuals who leave state- With regard to the comments on representatives to produce a copy of the supported correctional facilities Medicaid agencies and the managed agreement mandated by §2.33(c) prior subsequently receive substance use care organizations with which they to the part 2 program releasing any disorder treatment. In addition, contract, as well as those addressing information because SAMHSA did not SAMHSA proposed regulatory revisions administrative obstacles contractors propose to do so in the SNPRM. The to: Specify that audits and evaluations may face in obtaining patient decision as to whether to share this may be performed by contractors, identifying information, the information information would be at the discretion subcontractors, or legal representatives can be disclosed directly to the of the contracting parties. on behalf of a third-party payers or a contractor or subcontractor and does not quality improvement organizations; and need to first be disclosed to the lawful Public Comments state that if disclosures are made under holder (i.e., recipient named on the One commenter stated that proposed this section for a Medicare, Medicaid, or consent form) and then subsequently re- §2.33(b) should apply to all lawful CHIP audit or evaluation, including a disclosed, as long as the information is holders (and not just those who received civil investigation or administrative being used for the purposes of payment patient identifying information pursuant remedy, further disclosures may be and health care operations. This is to a written consent), which would made to contractors, subcontractors, or because contractors, legal enable QSOs to disclose without legal representatives to carry out the representatives, and subcontractors are consent to contractors and audit or evaluation. SAMHSA is now acting on behalf of the lawful holders subcontractors. finalizing these requirements. It has also S D with RULE bmPauasbnelddic ao tCneos c mionmn ltaerwanct.st s , legal agreements or SASMAHMSHAS ARe dspecolninsee s to eliminate the mcruoalredr’eesc ctte eixrnttaa tdionv eetferftceehcntntu ioacmtael iSasmsAioMennHsd SminAe t’nhst es to RO requirement that §2.33(b) only applies intent to permit disclosure and use of P B2 Two commenters, pointing to the to lawful holders that receive patient patient identifying information held by H Y8 varying definitions for ‘‘contractors’’ identifying information pursuant to a other lawful holders for audit and B KB and ‘‘subcontractors’’ under different written consent. SAMHSA believes that evaluation purposes, as well as to clarify S D worth on jstallVerDate Sep<11>2014 15:15 Jan 02, 2018 Jkt 244001 PO 00000 Frm 00038 Fmt 4700 Sfmt 4700 E:\FR\FM\03JAR1.SGM 03JAR1 Federal Register/Vol. 83, No. 2/Wednesday, January 3, 2018/Rules and Regulations 247 and operationalize the requirements of other federal, state, and local rules and These commenters, noting that no this section. regulations and improve part 2 program definitions exist in the regulatory text quality. for ‘‘lawful holders,’’ ‘‘contractors,’’ or Public Comments With respect to the commenter’s ‘‘subcontractors,’’ or ‘‘legal SAMHSA received a range of concern, if a government agency is representatives,’’ requested that comments concerning the proposed auditing or evaluating a lawful holder, SAMHSA address whether the part 2 amendments with regard to permitted which it regulates, the agency may statute permits the extension of these disclosures of patient identifying receive the patient identifying restrictions beyond part 2 programs. information to contractors, information necessary for that audit or SAMHSA Response subcontractors, and legal representatives evaluation directly from the lawful for purposes of carrying out an audit or holder. The statute (42 U.S.C. 290dd–2) evaluation under part 2. SAMHSA authorizes SAMHSA to promulgate received a number of comments Public Comments regulations to effectuate the supporting these revisions. Several of SAMHSA also received a number of confidentiality provisions governing the commenters also expressed support comments opposing the proposal to substance use disorder patient records. specifically for the provision allowing permit re-disclosure of patient The part 2 rule’s applicability to third patient identifying information to be identifying information without patient parties is a reasonable exercise of disclosed for purposes of carrying out consent to contractors and SAMHSA’s statutory authority to ensure an audit or evaluation, with some citing subcontractors for audit and evaluation protection of part 2 information in the proposed §2.53(a)(1)(i) in particular. purposes unless SAMHSA provides possession of lawful holders other than Some commenters stated this particular additional safeguards. Several of these part 2 programs. revision would allow lawful holders of commenters noted that the proposed 2. Greater Weight to Comments From patient identifying information to changes to §2.53 have the potential to Patient and Part 2 Program disclose that information to audit and greatly expand the universe of oversight entities in order to respond to individuals and entities who may Public Comments an audit or evaluation request, and that receive protected substance use disorder SAMHSA received several comments clear authority to disclose patient information without patient consent for requesting that greatest weight be given identifying information for audits audit and evaluation purposes. to comments from patients and (which may include quality A couple of commenters expressed consumers who will be directly affected improvement and program integrity) is concern that detailed patient records by any changes to part 2; one of these critical to Medicaid program operations. would be used for purposes of risk commenters made this request because Another commenter supported the adjustment and reporting of the patients entering treatment will likely proposed changes because they would patient’s severity of illness to predict be unable to anticipate complex re- appear to allow disclosure of patient health care cost expenditures and adjust disclosure risks for activities proposed identifying information to a government payer payments. One commenter stated by the SNPRM. In addition, a agency authorized to regulate the that, if data are being used to impact a commenter requested that special activities of any lawful holder, not just patient’s score or health coverage, consideration be given to comments a part 2 program or private payer, and patient consent should be required. from substance use disorder treatment because this change would at least providers. partially conform to HIPAA’s SAMHSA Response permissible disclosures to health system SAMHSA appreciates the array of SAMHSA Response oversight agencies. The commenter, recommendations commenters provided Every comment received on the however, expressed concern that the for possible restrictions and safeguards. SNPRM was given careful proposed language did not make clear SAMHSA is contemplating future consideration, and SAMHSA has whether the government agency must rulemaking for 42 CFR part 2, and will endeavored in this final rule to take into obtain access to the records directly take these recommendations under account the varying perspectives of from the part 2 program rather than advisement at that time. public commenters. SAMHSA is seeking from the other lawful holder that the With regard to the suggestion that a balance between ensuring that patients agency regulates, as obtaining records SAMHSA require patient consent if data with substance use disorders have the from the part 2 program posed could be used to affect a patient’s health ability to participate in, and benefit communications challenges. coverage or health score, SAMHSA from, new and emerging health care reiterates that under the terms of §2.53, models that promote integrated care and SAMHSA Response patient identifying information may patient safety and ensuring the SAMHSA appreciates the support for only be used for audit and evaluation confidentiality of substance use disorder the further amendments as set out in the purposes. patient records, given the potential for regulatory text of §2.53. Inclusion of discrimination, harm to reputations and these additional provisions reflects that D. Other Public Comments on the relationships, and serious civil and contractors, subcontractors and legal SNPRM criminal consequences that could result representatives are increasingly 1. Extension of Part 2 Restrictions to from impermissible disclosures. involved in audit and evaluation Third Parties E. Regulatory Impact Analysis (RIA) activities. SAMHSA recognizes that Public Comments federal, state, and local governments In the SNPRM, SAMHSA stated that, S ULE often need to access all of the records, Two commenters stated that changes if adopted, the proposed revisions D with R ibnyc elundtiitniegs p tahrety 2 r pegrouglaratem i nre ocrodredrs ,t oh eld mthaed ceo tnoc ethpet tShNaPt pRaMrt w2 ecroen pfirdeednictiaatleidty o n stoh opualrdt 2n optr oregsraumlt si.n H aonwy eavdedri,t SioAnMalH cSosAts RO appropriately evaluate compliance with restrictions extend beyond part 2 specifically sought comment on the P B2 applicable laws, rules, and policies. We programs to third parties, including implications of the proposed changes on H Y8 believe including these changes will lawful holders, contractors, the regulatory and financial impact, if B KB assist in compliance with part 2 and subcontractors and legal representatives. any, of these proposed rules. S D worth on jstallVerDate Sep<11>2014 15:15 Jan 02, 2018 Jkt 244001 PO 00000 Frm 00039 Fmt 4700 Sfmt 4700 E:\FR\FM\03JAR1.SGM 03JAR1 248 Federal Register/Vol. 83, No. 2/Wednesday, January 3, 2018/Rules and Regulations Public Comments a. General c. Commenter Recommendations for Patient Notification on the Consent SAMHSA did not receive any Public Comments Form comments on costs related to specific SAMHSA received a number of Public Comments proposals made in the SNPRM or the responses to this request for comments RIA. Several commenters expressed regarding the establishment of concern that the proposed changes to F. Requests for Public Comment appropriate restrictions and safeguards. §2.33 would greatly expand access to These comments recommended a wide patient identifying information by In the January 18, 2017, SNPRM, array of patient protections and individuals and entities to whom the SAMHSA made several requests for safeguards. While some commenters patient did not specifically consent and public comments based on its noted there is a legitimate need for for purposes not always evident to the expectation that there may be future 42 lawful holders to disclose protected patient. These commenters, and a CFR part 2-related rulemaking. Those information to their contractors, number of others, requested that comments are summarized below. subcontractors, and legal representatives SAMHSA require, at a minimum, a 1. Conveying the Scope of the Written for payment and health care operations notification to patients on the consent Consent purposes, many commenters expressed form that they are consenting to the concern that the breadth of the proposed disclosure of their patient identifying In the SNPRM, SAMHSA sought changes may undermine core information to both the recipient and comment on the proper mechanisms to protections under part 2, which give the recipient’s contractors, convey the scope of the consent to substance use disorder patients control subcontractors, and legal representatives lawful holders, contractors, over how their information is disclosed to the extent those contractors, subcontractors, and legal so as not to make them more vulnerable subcontractors, and legal representatives representatives, including those who are to potential negative consequences of need the information to carry out downstream recipients of patient such disclosures. Loss of employment, payment or health care operations identifying information given current loss of housing, loss of child custody, purposes. electronic data exchange technical discrimination by medical professionals SAMHSA’s Response designs. and insurers, and arrest, prosecution, SAMHSA is contemplating future Public Comments and incarceration were cited as rulemaking for 42 CFR part 2 and will potential negative consequences. Most take these recommendations under Commenters suggested that SAMHSA commenters stated concern over, or consideration at that time. In addition, provide more clarity on these even their opposition to, SAMHSA consistent with the 21st Century Cures mechanisms, particularly given the finalizing proposed changes in the Act, prior to March 21, 2018, the current electronic exchange SNPRM without including certain Secretary of HHS will convene relevant environment and recommended more additional protections. stakeholders to determine the effects of specific ways to ensure patients retain control over how their information is SAMHSA Response 42 CFR part 2 on patient care, health outcomes, and patient privacy. The disclosed. Another commenter asserted SAMHSA appreciates the array of information obtained at the meeting will proposed consent requirements could be recommendations commenters provided help to inform the course of any further burdensome, and a third-party payer for possible restrictions and safeguards. part 2 rule-making. SAMHSA will may be unable to assess part 2 program SAMHSA believes that the existing consider these comments on privacy compliance with consent requirements. restrictions and safeguards—including and confidentiality in conjunction with SAMHSA Response provisions limiting use of patient those made during the stakeholder identifying information in criminal and meeting. SAMHSA has modified language in civil procedures and requiring that any d. Commenter Recommendations for §2.33(c) so as not to imply that the disclosure made under these regulations Mechanisms for Identifying and consent form must be provided to the must be limited to that information Sanctioning Unauthorized Disclosures recipient of part 2 records. Sections which is necessary to carry out the 2.13, 2.31, and other sections of part 2 Public Comments purpose of the disclosure—are adequate. require recipients of patient identifying Several commenters recommended information to have knowledge of 42 b. Commenter Recommendations for adding a requirement that lawful CFR part 2 as it relates to the purpose Anti-Discrimination Protections holders who wish to re-disclose patient for which information is being disclosed identifying information to contractors, and can be re-disclosed lawfully. Many commenters recommended the subcontractors, and legal representatives Individuals and entities that disclose or addition of specific anti-discrimination be subject to the same List of receive patient identifying information protections that would apply to Disclosures requirements that apply to via patient consent must be able to disclosures pursuant to the proposed intermediaries who disclose patient comply with these requirements. §§2.33(b) and 2.53. Commenters identifying information pursuant to a expressed concern over the potential for 2. Other Restrictions and Safeguards general designation under the consent misuse of information and a desire to requirements at §2.31. In addition, a balance the increased flexibility of In the SNPRM, SAMHSA specifically couple of commenters requested that D with RULES seaosntudag bshlaitfs echgomumaemrndtes on oft sna prleapgwraofrpudrli inhagtoe lt dhreeesr str aicntdio ns piSnrAcoMrpeoaHssSeedAd §pR§reo2stp.e3oc3tn iasonen ds .2 .53 with SraegAqeMunicHrieeSmsA. eO nimnt eop nco osaemu adm iLte inasntt edorf e rDevqiasulcuelasottsieuodnr et hs at RO their contractors, subcontractors, and SAMHSA not finalize the proposed P B2 legal representatives’ use and disclosure Promulgating rules that address changes in the SNPRM without H Y8 of patient identifying information for discriminatory action is outside the mechanisms in place to enable B KB the purposes discussed in the SNPRM. scope of SAMHSA’s legal authority. individuals who have been adversely S D worth on jstallVerDate Sep<11>2014 15:15 Jan 02, 2018 Jkt 244001 PO 00000 Frm 00040 Fmt 4700 Sfmt 4700 E:\FR\FM\03JAR1.SGM 03JAR1

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.