e-CFR banner

Home
gpo.gov
govinfo.gov

e-CFR Navigation Aids

Browse

Simple Search

Advanced Search

 — Boolean

 — Proximity

 

Search History

Search Tips

Corrections

Latest Updates

User Info

FAQs

Agency List

Incorporation By Reference

eCFR logo

Related Resources

 

Electronic Code of Federal Regulations

e-CFR data is current as of October 16, 2019

Title 42Chapter ISubchapter A → Part 2


Title 42: Public Health


PART 2—CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS


Contents

Subpart A—Introduction

§2.1   Statutory authority for confidentiality of substance use disorder patient records.
§2.2   Purpose and effect.
§2.3   Criminal penalty for violation.
§2.4   Reports of violations.

Subpart B—General Provisions

§2.11   Definitions.
§2.12   Applicability.
§2.13   Confidentiality restrictions and safeguards.
§2.14   Minor patients.
§2.15   Incompetent and deceased patients.
§2.16   Security for records.
§2.17   Undercover agents and informants.
§2.18   Restrictions on the use of identification cards.
§2.19   Disposition of records by discontinued programs.
§2.20   Relationship to state laws.
§2.21   Relationship to federal statutes protecting research subjects against compulsory disclosure of their identity.
§2.22   Notice to patients of federal confidentiality requirements.
§2.23   Patient access and restrictions on use.

Subpart C—Disclosures With Patient Consent

§2.31   Consent requirements.
§2.32   Prohibition on re-disclosure.
§2.33   Disclosures permitted with written consent.
§2.34   Disclosures to prevent multiple enrollments.
§2.35   Disclosures to elements of the criminal justice system which have referred patients.

Subpart D—Disclosures Without Patient Consent

§2.51   Medical emergencies.
§2.52   Research.
§2.53   Audit and evaluation.

Subpart E—Court Orders Authorizing Disclosure and Use

§2.61   Legal effect of order.
§2.62   Order not applicable to records disclosed without consent to researchers, auditors and evaluators.
§2.63   Confidential communications.
§2.64   Procedures and criteria for orders authorizing disclosures for noncriminal purposes.
§2.65   Procedures and criteria for orders authorizing disclosure and use of records to criminally investigate or prosecute patients.
§2.66   Procedures and criteria for orders authorizing disclosure and use of records to investigate or prosecute a part 2 program or the person holding the records.
§2.67   Orders authorizing the use of undercover agents and informants to investigate employees or agents of a part 2 program in connection with a criminal matter.

Authority: 42 U.S.C. 290dd-2.

Source: 82 FR 6115, Jan. 18, 2017, unless otherwise noted.

Subpart A—Introduction

§2.1   Statutory authority for confidentiality of substance use disorder patient records.

Title 42, United States Code, Section 290dd-2(g) authorizes the Secretary to prescribe regulations. Such regulations may contain such definitions, and may provide for such safeguards and procedures, including procedures and criteria for the issuance and scope of orders, as in the judgment of the Secretary are necessary or proper to effectuate the purposes of this statute, to prevent circumvention or evasion thereof, or to facilitate compliance therewith.

§2.2   Purpose and effect.

(a) Purpose. Pursuant to 42 U.S.C. 290dd-2(g), the regulations in this part impose restrictions upon the disclosure and use of substance use disorder patient records which are maintained in connection with the performance of any part 2 program. The regulations in this part include the following subparts:

(1) Subpart B of this part: General Provisions, including definitions, applicability, and general restrictions;

(2) Subpart C of this part: Disclosures with Patient Consent, including disclosures which require patient consent and the consent form requirements;

(3) Subpart D of this part: Disclosures without Patient Consent, including disclosures which do not require patient consent or an authorizing court order; and

(4) Subpart E of this part: Court Orders Authorizing Disclosure and Use, including disclosures and uses of patient records which may be made with an authorizing court order and the procedures and criteria for the entry and scope of those orders.

(b) Effect. (1) The regulations in this part prohibit the disclosure and use of patient records unless certain circumstances exist. If any circumstance exists under which disclosure is permitted, that circumstance acts to remove the prohibition on disclosure but it does not compel disclosure. Thus, the regulations do not require disclosure under any circumstances.

(2) The regulations in this part are not intended to direct the manner in which substantive functions such as research, treatment, and evaluation are carried out. They are intended to ensure that a patient receiving treatment for a substance use disorder in a part 2 program is not made more vulnerable by reason of the availability of their patient record than an individual with a substance use disorder who does not seek treatment.

(3) Because there is a criminal penalty for violating the regulations, they are to be construed strictly in favor of the potential violator in the same manner as a criminal statute (see M. Kraus & Brothers v. United States, 327 U.S. 614, 621-22, 66 S. Ct. 705, 707-08 (1946)).

§2.3   Criminal penalty for violation.

Under 42 U.S.C. 290dd-2(f), any person who violates any provision of this section or any regulation issued pursuant to this section shall be fined in accordance with Title 18 of the U.S. Code.

§2.4   Reports of violations.

(a) The report of any violation of the regulations in this part may be directed to the United States Attorney for the judicial district in which the violation occurs.

(b) The report of any violation of the regulations in this part by an opioid treatment program may be directed to the United States Attorney for the judicial district in which the violation occurs as well as to the Substance Abuse and Mental Health Services Administration (SAMHSA) office responsible for opioid treatment program oversight.

Subpart B—General Provisions

§2.11   Definitions.

For purposes of the regulations in this part:

Central registry means an organization which obtains from two or more member programs patient identifying information about individuals applying for withdrawal management or maintenance treatment for the purpose of avoiding an individual's concurrent enrollment in more than one treatment program.

Diagnosis means any reference to an individual's substance use disorder or to a condition which is identified as having been caused by that substance use disorder which is made for the purpose of treatment or referral for treatment.

Disclose means to communicate any information identifying a patient as being or having been diagnosed with a substance use disorder, having or having had a substance use disorder, or being or having been referred for treatment of a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person.

Federally assisted—see §2.12(b).

Informant means an individual:

(1) Who is a patient or employee of a part 2 program or who becomes a patient or employee of a part 2 program at the request of a law enforcement agency or official; and

(2) Who at the request of a law enforcement agency or official observes one or more patients or employees of the part 2 program for the purpose of reporting the information obtained to the law enforcement agency or official.

Maintenance treatment means long-term pharmacotherapy for individuals with substance use disorders that reduces the pathological pursuit of reward and/or relief and supports remission of substance use disorder-related symptoms.

Member program means a withdrawal management or maintenance treatment program which reports patient identifying information to a central registry and which is in the same state as that central registry or is in a state that participates in data sharing with the central registry of the program in question.

Minor, as used in the regulations in this part, means an individual who has not attained the age of majority specified in the applicable state law, or if no age of majority is specified in the applicable state law, the age of 18 years.

Part 2 program means a federally assisted program (federally assisted as defined in §2.12(b) and program as defined in this section). See §2.12(e)(1) for examples.

Part 2 program director means:

(1) In the case of a part 2 program that is an individual, that individual.

(2) In the case of a part 2 program that is an entity, the individual designated as director or managing director, or individual otherwise vested with authority to act as chief executive officer of the part 2 program.

Patient means any individual who has applied for or been given diagnosis, treatment, or referral for treatment for a substance use disorder at a part 2 program. Patient includes any individual who, after arrest on a criminal charge, is identified as an individual with a substance use disorder in order to determine that individual's eligibility to participate in a part 2 program. This definition includes both current and former patients.

Patient identifying information means the name, address, social security number, fingerprints, photograph, or similar information by which the identity of a patient, as defined in this section, can be determined with reasonable accuracy either directly or by reference to other information. The term does not include a number assigned to a patient by a part 2 program, for internal use only by the part 2 program, if that number does not consist of or contain numbers (such as a social security, or driver's license number) that could be used to identify a patient with reasonable accuracy from sources external to the part 2 program.

Person means an individual, partnership, corporation, federal, state or local government agency, or any other legal entity, (also referred to as “individual or entity”).

Program means:

(1) An individual or entity (other than a general medical facility) who holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; or

(2) An identified unit within a general medical facility that holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; or

(3) Medical personnel or other staff in a general medical facility whose primary function is the provision of substance use disorder diagnosis, treatment, or referral for treatment and who are identified as such providers.

Qualified service organization means an individual or entity who:

(1) Provides services to a part 2 program, such as data processing, bill collecting, dosage preparation, laboratory analyses, or legal, accounting, population health management, medical staffing, or other professional services, or services to prevent or treat child abuse or neglect, including training on nutrition and child care and individual and group therapy, and

(2) Has entered into a written agreement with a part 2 program under which that individual or entity:

(i) Acknowledges that in receiving, storing, processing, or otherwise dealing with any patient records from the part 2 program, it is fully bound by the regulations in this part; and

(ii) If necessary, will resist in judicial proceedings any efforts to obtain access to patient identifying information related to substance use disorder diagnosis, treatment, or referral for treatment except as permitted by the regulations in this part.

Records means any information, whether recorded or not, created by, received, or acquired by a part 2 program relating to a patient (e.g., diagnosis, treatment and referral for treatment information, billing information, emails, voice mails, and texts). For the purpose of the regulations in this part, records include both paper and electronic records.

Substance use disorder means a cluster of cognitive, behavioral, and physiological symptoms indicating that the individual continues using the substance despite significant substance-related problems such as impaired control, social impairment, risky use, and pharmacological tolerance and withdrawal. For the purposes of the regulations in this part, this definition does not include tobacco or caffeine use.

Third-party payer means an individual or entity who pays and/or agrees to pay for diagnosis or treatment furnished to a patient on the basis of a contractual relationship with the patient or a member of the patient's family or on the basis of the patient's eligibility for federal, state, or local governmental benefits.

Treating provider relationship means that, regardless of whether there has been an actual in-person encounter:

(1) A patient is, agrees to, or is legally required to be diagnosed, evaluated, and/or treated, or agrees to accept consultation, for any condition by an individual or entity, and;

(2) The individual or entity undertakes or agrees to undertake diagnosis, evaluation, and/or treatment of the patient, or consultation with the patient, for any condition.

Treatment means the care of a patient suffering from a substance use disorder, a condition which is identified as having been caused by the substance use disorder, or both, in order to reduce or eliminate the adverse effects upon the patient.

Undercover agent means any federal, state, or local law enforcement agency or official who enrolls in or becomes an employee of a part 2 program for the purpose of investigating a suspected violation of law or who pursues that purpose after enrolling or becoming employed for other purposes.

Withdrawal management means the use of pharmacotherapies to treat or attenuate the problematic signs and symptoms arising when heavy and/or prolonged substance use is reduced or discontinued.

§2.12   Applicability.

(a) General—(1) Restrictions on disclosure. The restrictions on disclosure in the regulations in this part apply to any information, whether or not recorded, which:

(i) Would identify a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person; and

(ii) Is drug abuse information obtained by a federally assisted drug abuse program after March 20, 1972 (part 2 program), or is alcohol abuse information obtained by a federally assisted alcohol abuse program after May 13, 1974 (part 2 program); or if obtained before the pertinent date, is maintained by a part 2 program after that date as part of an ongoing treatment episode which extends past that date; for the purpose of treating a substance use disorder, making a diagnosis for that treatment, or making a referral for that treatment.

(2) Restriction on use. The restriction on use of information to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient (42 U.S.C. 290dd-2(c)) applies to any information, whether or not recorded, which is drug abuse information obtained by a federally assisted drug abuse program after March 20, 1972 (part 2 program), or is alcohol abuse information obtained by a federally assisted alcohol abuse program after May 13, 1974 (part 2 program); or if obtained before the pertinent date, is maintained by a part 2 program after that date as part of an ongoing treatment episode which extends past that date; for the purpose of treating a substance use disorder, making a diagnosis for the treatment, or making a referral for the treatment.

(b) Federal assistance. A program is considered to be federally assisted if:

(1) It is conducted in whole or in part, whether directly or by contract or otherwise by any department or agency of the United States (but see paragraphs (c)(1) and (2) of this section relating to the Department of Veterans Affairs and the Armed Forces);

(2) It is being carried out under a license, certification, registration, or other authorization granted by any department or agency of the United States including but not limited to:

(i) Participating provider in the Medicare program;

(ii) Authorization to conduct maintenance treatment or withdrawal management; or

(iii) Registration to dispense a substance under the Controlled Substances Act to the extent the controlled substance is used in the treatment of substance use disorders;

(3) It is supported by funds provided by any department or agency of the United States by being:

(i) A recipient of federal financial assistance in any form, including financial assistance which does not directly pay for the substance use disorder diagnosis, treatment, or referral for treatment; or

(ii) Conducted by a state or local government unit which, through general or special revenue sharing or other forms of assistance, receives federal funds which could be (but are not necessarily) spent for the substance use disorder program; or

(4) It is assisted by the Internal Revenue Service of the Department of the Treasury through the allowance of income tax deductions for contributions to the program or through the granting of tax exempt status to the program.

(c) Exceptions— (1) Department of Veterans Affairs. These regulations do not apply to information on substance use disorder patients maintained in connection with the Department of Veterans Affairs' provision of hospital care, nursing home care, domiciliary care, and medical services under Title 38, U.S.C. Those records are governed by 38 U.S.C. 7332 and regulations issued under that authority by the Secretary of Veterans Affairs.

(2) Armed Forces. The regulations in this part apply to any information described in paragraph (a) of this section which was obtained by any component of the Armed Forces during a period when the patient was subject to the Uniform Code of Military Justice except:

(i) Any interchange of that information within the Armed Forces; and

(ii) Any interchange of that information between the Armed Forces and those components of the Department of Veterans Affairs furnishing health care to veterans.

(3) Communication within a part 2 program or between a part 2 program and an entity having direct administrative control over that part 2 program. The restrictions on disclosure in the regulations in this part do not apply to communications of information between or among personnel having a need for the information in connection with their duties that arise out of the provision of diagnosis, treatment, or referral for treatment of patients with substance use disorders if the communications are:

(i) Within a part 2 program; or

(ii) Between a part 2 program and an entity that has direct administrative control over the program.

(4) Qualified service organizations. The restrictions on disclosure in the regulations in this part do not apply to communications between a part 2 program and a qualified service organization of information needed by the qualified service organization to provide services to the program.

(5) Crimes on part 2 program premises or against part 2 program personnel. The restrictions on disclosure and use in the regulations in this part do not apply to communications from part 2 program personnel to law enforcement agencies or officials which:

(i) Are directly related to a patient's commission of a crime on the premises of the part 2 program or against part 2 program personnel or to a threat to commit such a crime; and

(ii) Are limited to the circumstances of the incident, including the patient status of the individual committing or threatening to commit the crime, that individual's name and address, and that individual's last known whereabouts.

(6) Reports of suspected child abuse and neglect. The restrictions on disclosure and use in the regulations in this part do not apply to the reporting under state law of incidents of suspected child abuse and neglect to the appropriate state or local authorities. However, the restrictions continue to apply to the original substance use disorder patient records maintained by the part 2 program including their disclosure and use for civil or criminal proceedings which may arise out of the report of suspected child abuse and neglect.

(d) Applicability to recipients of information— (1) Restriction on use of information. The restriction on the use of any information subject to the regulations in this part to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient applies to any person who obtains that information from a part 2 program, regardless of the status of the person obtaining the information or whether the information was obtained in accordance with the regulations in this part. This restriction on use bars, among other things, the introduction of that information as evidence in a criminal proceeding and any other use of the information to investigate or prosecute a patient with respect to a suspected crime. Information obtained by undercover agents or informants (see §2.17) or through patient access (see §2.23) is subject to the restriction on use.

(2) Restrictions on disclosures—(i) Third-party payers, administrative entities, and others. The restrictions on disclosure in the regulations in this part apply to:

(A) Third-party payers with regard to records disclosed to them by part 2 programs or under §2.31(a)(4)(iii)(A);

(B) Entities having direct administrative control over part 2 programs with regard to information that is subject to the regulations in this part communicated to them by the part 2 program under paragraph (c)(3) of this section; and

(C) Individuals or entities who receive patient records directly from a part 2 program or other lawful holder of patient identifying information and who are notified of the prohibition on re-disclosure in accordance with §2.32.

(ii) [Reserved]

(e) Explanation of applicability—(1) Coverage. These regulations cover any information (including information on referral and intake) about patients receiving diagnosis, treatment, or referral for treatment for a substance use disorder created by a part 2 program. Coverage includes, but is not limited to, those treatment or rehabilitation programs, employee assistance programs, programs within general hospitals, school-based programs, and private practitioners who hold themselves out as providing, and provide substance use disorder diagnosis, treatment, or referral for treatment. However, the regulations in this part would not apply, for example, to emergency room personnel who refer a patient to the intensive care unit for an apparent overdose, unless the primary function of such personnel is the provision of substance use disorder diagnosis, treatment, or referral for treatment and they are identified as providing such services or the emergency room has promoted itself to the community as a provider of such services.

(2) Federal assistance to program required. If a patient's substance use disorder diagnosis, treatment, or referral for treatment is not provided by a part 2 program, that patient's record is not covered by the regulations in this part. Thus, it is possible for an individual patient to benefit from federal support and not be covered by the confidentiality regulations because the program in which the patient is enrolled is not federally assisted as defined in paragraph (b) of this section. For example, if a federal court placed an individual in a private for-profit program and made a payment to the program on behalf of that individual, that patient's record would not be covered by the regulations in this part unless the program itself received federal assistance as defined by paragraph (b) of this section.

(3) Information to which restrictions are applicable. Whether a restriction applies to use or disclosure affects the type of information which may be disclosed. The restrictions on disclosure apply to any information which would identify a patient as having or having had a substance use disorder. The restriction on use of information to bring criminal charges against a patient for a crime applies to any information obtained by the part 2 program for the purpose of diagnosis, treatment, or referral for treatment of patients with substance use disorders. (Note that restrictions on use and disclosure apply to recipients of information under paragraph (d) of this section.)

(4) How type of diagnosis affects coverage. These regulations cover any record of a diagnosis identifying a patient as having or having had a substance use disorder which is initially prepared by a part 2 provider in connection with the treatment or referral for treatment of a patient with a substance use disorder. A diagnosis prepared for the purpose of treatment or referral for treatment but which is not so used is covered by the regulations in this part. The following are not covered by the regulations in this part:

(i) Diagnosis which is made solely for the purpose of providing evidence for use by law enforcement agencies or officials; or

(ii) A diagnosis of drug overdose or alcohol intoxication which clearly shows that the individual involved does not have a substance use disorder (e.g., involuntary ingestion of alcohol or drugs or reaction to a prescribed dosage of one or more drugs).

§2.13   Confidentiality restrictions and safeguards.

(a) General. The patient records subject to the regulations in this part may be disclosed or used only as permitted by the regulations in this part and may not otherwise be disclosed or used in any civil, criminal, administrative, or legislative proceedings conducted by any federal, state, or local authority. Any disclosure made under the regulations in this part must be limited to that information which is necessary to carry out the purpose of the disclosure.

(b) Unconditional compliance required. The restrictions on disclosure and use in the regulations in this part apply whether or not the part 2 program or other lawful holder of the patient identifying information believes that the person seeking the information already has it, has other means of obtaining it, is a law enforcement agency or official or other government official, has obtained a subpoena, or asserts any other justification for a disclosure or use which is not permitted by the regulations in this part.

(c) Acknowledging the presence of patients: Responding to requests. (1) The presence of an identified patient in a health care facility or component of a health care facility which is publicly identified as a place where only substance use disorder diagnosis, treatment, or referral for treatment is provided may be acknowledged only if the patient's written consent is obtained in accordance with subpart C of this part or if an authorizing court order is entered in accordance with subpart E of this part. The regulations permit acknowledgement of the presence of an identified patient in a health care facility or part of a health care facility if the health care facility is not publicly identified as only a substance use disorder diagnosis, treatment, or referral for treatment facility, and if the acknowledgement does not reveal that the patient has a substance use disorder.

(2) Any answer to a request for a disclosure of patient records which is not permissible under the regulations in this part must be made in a way that will not affirmatively reveal that an identified individual has been, or is being, diagnosed or treated for a substance use disorder. An inquiring party may be provided a copy of the regulations in this part and advised that they restrict the disclosure of substance use disorder patient records, but may not be told affirmatively that the regulations restrict the disclosure of the records of an identified patient.

(d) List of disclosures. Upon request, patients who have consented to disclose their patient identifying information using a general designation pursuant to §2.31(a)(4)(iii)(B)(3) must be provided a list of entities to which their information has been disclosed pursuant to the general designation.

(1) Under this paragraph (d), patient requests:

(i) Must be made in writing; and

(ii) Are limited to disclosures made within the past two years;

(2) Under this paragraph (d), the entity named on the consent form that discloses information pursuant to a patient's general designation (the entity that serves as an intermediary, as described in §2.31(a)(4)(iii)(B)) must:

(i) Respond in 30 or fewer days of receipt of the written request; and

(ii) Provide, for each disclosure, the name(s) of the entity(-ies) to which the disclosure was made, the date of the disclosure, and a brief description of the patient identifying information disclosed.

(3) The part 2 program is not responsible for compliance with this paragraph (d); the entity that serves as an intermediary, as described in §2.31(a)(4)(iii)(B), is responsible for compliance with the list of disclosures requirement.

§2.14   Minor patients.

(a) State law not requiring parental consent to treatment. If a minor patient acting alone has the legal capacity under the applicable state law to apply for and obtain substance use disorder treatment, any written consent for disclosure authorized under subpart C of this part may be given only by the minor patient. This restriction includes, but is not limited to, any disclosure of patient identifying information to the parent or guardian of a minor patient for the purpose of obtaining financial reimbursement. These regulations do not prohibit a part 2 program from refusing to provide treatment until the minor patient consents to the disclosure necessary to obtain reimbursement, but refusal to provide treatment may be prohibited under a state or local law requiring the program to furnish the service irrespective of ability to pay.

(b) State law requiring parental consent to treatment. (1) Where state law requires consent of a parent, guardian, or other individual for a minor to obtain treatment for a substance use disorder, any written consent for disclosure authorized under subpart C of this part must be given by both the minor and their parent, guardian, or other individual authorized under state law to act in the minor's behalf.

(2) Where state law requires parental consent to treatment, the fact of a minor's application for treatment may be communicated to the minor's parent, guardian, or other individual authorized under state law to act in the minor's behalf only if:

(i) The minor has given written consent to the disclosure in accordance with subpart C of this part; or

(ii) The minor lacks the capacity to make a rational choice regarding such consent as judged by the part 2 program director under paragraph (c) of this section.

(c) Minor applicant for services lacks capacity for rational choice. Facts relevant to reducing a substantial threat to the life or physical well-being of the minor applicant or any other individual may be disclosed to the parent, guardian, or other individual authorized under state law to act in the minor's behalf if the part 2 program director judges that:

(1) A minor applicant for services lacks capacity because of extreme youthor mental or physical condition to make a rational decision on whether to consent to a disclosure under subpart C of this part to their parent, guardian, or other individual authorized under state law to act in the minor's behalf; and

(2) The minor applicant's situation poses a substantial threat to the life or physical well-being of the minor applicant or any other individual which may be reduced by communicating relevant facts to the minor's parent, guardian, or other individual authorized under state law to act in the minor's behalf.

§2.15   Incompetent and deceased patients.

(a) Incompetent patients other than minors—(1) Adjudication of incompetence. In the case of a patient who has been adjudicated as lacking the capacity, for any reason other than insufficient age, to manage their own affairs, any consent which is required under the regulations in this part may be given by the guardian or other individual authorized under state law to act in the patient's behalf.

(2) No adjudication of incompetency. In the case of a patient, other than a minor or one who has been adjudicated incompetent, that for any period suffers from a medical condition that prevents knowing or effective action on their own behalf, the part 2 program director may exercise the right of the patient to consent to a disclosure under subpart C of this part for the sole purpose of obtaining payment for services from a third-party payer.

(b) Deceased patients—(1) Vital statistics. These regulations do not restrict the disclosure of patient identifying information relating to the cause of death of a patient under laws requiring the collection of death or other vital statistics or permitting inquiry into the cause of death.

(2) Consent by personal representative. Any other disclosure of information identifying a deceased patient as having a substance use disorder is subject to the regulations in this part. If a written consent to the disclosure is required, that consent may be given by an executor, administrator, or other personal representative appointed under applicable state law. If there is no such applicable state law appointment, the consent may be given by the patient's spouse or, if none, by any responsible member of the patient's family.

[82 FR 6115, Jan. 18, 2017, as amended at 83 FR 251, Jan. 3, 2018]

§2.16   Security for records.

(a) The part 2 program or other lawful holder of patient identifying information must have in place formal policies and procedures to reasonably protect against unauthorized uses and disclosures of patient identifying information and to protect against reasonably anticipated threats or hazards to the security of patient identifying information. These formal policies and procedures must address:

(1) Paper records, including:

(i) Transferring and removing such records;

(ii) Destroying such records, including sanitizing the hard copy media associated with the paper printouts, to render the patient identifying information non-retrievable;

(iii) Maintaining such records in a secure room, locked file cabinet, safe, or other similar container, or storage facility when not in use;

(iv) Using and accessing workstations, secure rooms, locked file cabinets, safes, or other similar containers, and storage facilities that use or store such information; and

(v) Rendering patient identifying information non-identifiable in a manner that creates a very low risk of re-identification (e.g., removing direct identifiers).

(2) Electronic records, including:

(i) Creating, receiving, maintaining, and transmitting such records;

(ii) Destroying such records, including sanitizing the electronic media on which such records are stored, to render the patient identifying information non-retrievable;

(iii) Using and accessing electronic records or other electronic media containing patient identifying information; and

(iv) Rendering the patient identifying information non-identifiable in a manner that creates a very low risk of re-identification (e.g., removing direct identifiers).

(b) [Reserved]

§2.17   Undercover agents and informants.

(a) Restrictions on placement. Except as specifically authorized by a court order granted under §2.67, no part 2 program may knowingly employ, or enroll as a patient, any undercover agent or informant.

(b) Restriction on use of information. No information obtained by an undercover agent or informant, whether or not that undercover agent or informant is placed in a part 2 program pursuant to an authorizing court order, may be used to criminally investigate or prosecute any patient.

§2.18   Restrictions on the use of identification cards.

No person may require any patient to carry in their immediate possession while away from the part 2 program premises any card or other object which would identify the patient as having a substance use disorder. This section does not prohibit a person from requiring patients to use or carry cards or other identification objects on the premises of a part 2 program.

§2.19   Disposition of records by discontinued programs.

(a) General. If a part 2 program discontinues operations or is taken over or acquired by another program, it must remove patient identifying information from its records or destroy its records, including sanitizing any associated hard copy or electronic media, to render the patient identifying information non-retrievable in a manner consistent with the policies and procedures established under §2.16, unless:

(1) The patient who is the subject of the records gives written consent (meeting the requirements of §2.31) to a transfer of the records to the acquiring program or to any other program designated in the consent (the manner of obtaining this consent must minimize the likelihood of a disclosure of patient identifying information to a third party); or

(2) There is a legal requirement that the records be kept for a period specified by law which does not expire until after the discontinuation or acquisition of the part 2 program.

(b) Special procedure where retention period required by law. If paragraph (a)(2) of this section applies:

(1) Records, which are paper, must be:

(i) Sealed in envelopes or other containers labeled as follows: “Records of [insert name of program] required to be maintained under [insert citation to statute, regulation, court order or other legal authority requiring that records be kept] until a date not later than [insert appropriate date]”;

(A) All hard copy media from which the paper records were produced, such as printer and facsimile ribbons, drums, etc., must be sanitized to render the data non-retrievable; and

(B) [Reserved]

(ii) Held under the restrictions of the regulations in this part by a responsible person who must, as soon as practicable after the end of the required retention period specified on the label, destroy the records and sanitize any associated hard copy media to render the patient identifying information non-retrievable in a manner consistent with the discontinued program's or acquiring program's policies and procedures established under §2.16.

(2) Records, which are electronic, must be:

(i) Transferred to a portable electronic device with implemented encryption to encrypt the data at rest so that there is a low probability of assigning meaning without the use of a confidential process or key and implemented access controls for the confidential process or key; or

(ii) Transferred, along with a backup copy, to separate electronic media, so that both the records and the backup copy have implemented encryption to encrypt the data at rest so that there is a low probability of assigning meaning without the use of a confidential process or key and implemented access controls for the confidential process or key; and

(iii) Within one year of the discontinuation or acquisition of the program, all electronic media on which the patient records or patient identifying information resided prior to being transferred to the device specified in (i) above or the original and backup electronic media specified in (ii) above, including email and other electronic communications, must be sanitized to render the patient identifying information non-retrievable in a manner consistent with the discontinued program's or acquiring program's policies and procedures established under §2.16; and

(iv) The portable electronic device or the original and backup electronic media must be:

(A) Sealed in a container along with any equipment needed to read or access the information, and labeled as follows: “Records of [insert name of program] required to be maintained under [insert citation to statute, regulation, court order or other legal authority requiring that records be kept] until a date not later than [insert appropriate date];” and

(B) Held under the restrictions of the regulations in this part by a responsible person who must store the container in a manner that will protect the information (e.g., climate controlled environment); and

(v) The responsible person must be included on the access control list and be provided a means for decrypting the data. The responsible person must store the decryption tools on a device or at a location separate from the data they are used to encrypt or decrypt; and

(vi) As soon as practicable after the end of the required retention period specified on the label, the portable electronic device or the original and backup electronic media must be sanitized to render the patient identifying information non-retrievable consistent with the policies established under §2.16.

§2.20   Relationship to state laws.

The statute authorizing the regulations in this part (42 U.S.C. 290dd-2) does not preempt the field of law which they cover to the exclusion of all state laws in that field. If a disclosure permitted under the regulations in this part is prohibited under state law, neither the regulations in this part nor the authorizing statute may be construed to authorize any violation of that state law. However, no state law may either authorize or compel any disclosure prohibited by the regulations in this part.

§2.21   Relationship to federal statutes protecting research subjects against compulsory disclosure of their identity.

(a) Research privilege description. There may be concurrent coverage of patient identifying information by the regulations in this part and by administrative action taken under section 502(c) of the Controlled Substances Act (21 U.S.C. 872(c) and the implementing regulations at 21 CFR part 1316); or section 301(d) of the Public Health Service Act (42 U.S.C. 241(d) and the implementing regulations at 42 CFR part 2a). These research privilege statutes confer on the Secretary of Health and Human Services and on the Attorney General, respectively, the power to authorize researchers conducting certain types of research to withhold from all persons not connected with the research the names and other identifying information concerning individuals who are the subjects of the research.

(b) Effect of concurrent coverage. These regulations restrict the disclosure and use of information about patients, while administrative action taken under the research privilege statutes and implementing regulations protects a person engaged in applicable research from being compelled to disclose any identifying characteristics of the individuals who are the subjects of that research. The issuance under subpart E of this part of a court order authorizing a disclosure of information about a patient does not affect an exercise of authority under these research privilege statutes.

§2.22   Notice to patients of federal confidentiality requirements.

(a) Notice required. At the time of admission to a part 2 program or, in the case that a patient does not have capacity upon admission to understand his or her medical status, as soon thereafter as the patient attains such capacity, each part 2 program shall:

(1) Communicate to the patient that federal law and regulations protect the confidentiality of substance use disorder patient records; and

(2) Give to the patient a summary in writing of the federal law and regulations.

(b) Required elements of written summary. The written summary of the federal law and regulations must include:

(1) A general description of the limited circumstances under which a part 2 program may acknowledge that an individual is present or disclose outside the part 2 program information identifying a patient as having or having had a substance use disorder;

(2) A statement that violation of the federal law and regulations by a part 2 program is a crime and that suspected violations may be reported to appropriate authorities consistent with §2.4, along with contact information;

(3) A statement that information related to a patient's commission of a crime on the premises of the part 2 program or against personnel of the part 2 program is not protected;

(4) A statement that reports of suspected child abuse and neglect made under state law to appropriate state or local authorities are not protected; and

(5) A citation to the federal law and regulations.

(c) Program options. The part 2 program must devise a notice to comply with the requirement to provide the patient with a summary in writing of the federal law and regulations. In this written summary, the part 2 program also may include information concerning state law and any of the part 2 program's policies that are not inconsistent with state and federal law on the subject of confidentiality of substance use disorder patient records.

§2.23   Patient access and restrictions on use.

(a) Patient access not prohibited. These regulations do not prohibit a part 2 program from giving a patient access to their own records, including the opportunity to inspect and copy any records that the part 2 program maintains about the patient. The part 2 program is not required to obtain a patient's written consent or other authorization under the regulations in this part in order to provide such access to the patient.

(b) Restriction on use of information. Information obtained by patient access to his or her patient record is subject to the restriction on use of this information to initiate or substantiate any criminal charges against the patient or to conduct any criminal investigation of the patient as provided for under §2.12(d)(1).

Subpart C—Disclosures With Patient Consent

§2.31   Consent requirements.

(a) Required elements for written consent. A written consent to a disclosure under the regulations in this part may be paper or electronic and must include:

(1) The name of the patient.

(2) The specific name(s) or general designation(s) of the part 2 program(s), entity(ies), or individual(s) permitted to make the disclosure.

(3) How much and what kind of information is to be disclosed, including an explicit description of the substance use disorder information that may be disclosed.

(4)(i) The name(s) of the individual(s) to whom a disclosure is to be made; or

(ii) Entities with a treating provider relationship with the patient. If the recipient entity has a treating provider relationship with the patient whose information is being disclosed, such as a hospital, a health care clinic, or a private practice, the name of that entity; or

(iii) Entities without a treating provider relationship with the patient.

(A) If the recipient entity does not have a treating provider relationship with the patient whose information is being disclosed and is a third-party payer, the name of the entity; or

(B) If the recipient entity does not have a treating provider relationship with the patient whose information is being disclosed and is not covered by paragraph (a)(4)(iii)(A) of this section, such as an entity that facilitates the exchange of health information or a research institution, the name(s) of the entity(-ies); and

(1) The name(s) of an individual participant(s); or

(2) The name(s) of an entity participant(s) that has a treating provider relationship with the patient whose information is being disclosed; or

(3) A general designation of an individual or entity participant(s) or class of participants that must be limited to a participant(s) who has a treating provider relationship with the patient whose information is being disclosed.

(i) When using a general designation, a statement must be included on the consent form that the patient (or other individual authorized to sign in lieu of the patient), confirms their understanding that, upon their request and consistent with this part, they must be provided a list of entities to which their information has been disclosed pursuant to the general designation (see §2.13(d)).

(ii) [Reserved]

(5) The purpose of the disclosure. In accordance with §2.13(a), the disclosure must be limited to that information which is necessary to carry out the stated purpose.

(6) A statement that the consent is subject to revocation at any time except to the extent that the part 2 program or other lawful holder of patient identifying information that is permitted to make the disclosure has already acted in reliance on it. Acting in reliance includes the provision of treatment services in reliance on a valid consent to disclose information to a third-party payer

(7) The date, event, or condition upon which the consent will expire if not revoked before. This date, event, or condition must ensure that the consent will last no longer than reasonably necessary to serve the purpose for which it is provided.

(8) The signature of the patient and, when required for a patient who is a minor, the signature of an individual authorized to give consent under §2.14; or, when required for a patient who is incompetent or deceased, the signature of an individual authorized to sign under §2.15. Electronic signatures are permitted to the extent that they are not prohibited by any applicable law.

(9) The date on which the consent is signed.

(b) Expired, deficient, or false consent. A disclosure may not be made on the basis of a consent which:

(1) Has expired;

(2) On its face substantially fails to conform to any of the requirements set forth in paragraph (a) of this section;

(3) Is known to have been revoked; or

(4) Is known, or through reasonable diligence could be known, by the individual or entity holding the records to be materially false.

§2.32   Prohibition on re-disclosure.

(a) Notice to accompany disclosure. Each disclosure made with the patient's written consent must be accompanied by one of the following written statements:

(1) This information has been disclosed to you from records protected by federal confidentiality rules (42 CFR part 2). The federal rules prohibit you from making any further disclosure of information in this record that identifies a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person unless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed or as otherwise permitted by 42 CFR part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose (see §2.31). The federal rules restrict any use of the information to investigate or prosecute with regard to a crime any patient with a substance use disorder, except as provided at §§2.12(c)(5) and 2.65; or

(2) 42 CFR part 2 prohibits unauthorized disclosure of these records.

(b) [Reserved]

[83 FR 251, Jan. 3, 2018]

§2.33   Disclosures permitted with written consent.

(a) If a patient consents to a disclosure of their records under §2.31, a part 2 program may disclose those records in accordance with that consent to any person or category of persons identified or generally designated in the consent, except that disclosures to central registries and in connection with criminal justice referrals must meet the requirements of §§2.34 and 2.35, respectively.

(b) If a patient consents to a disclosure of their records under §2.31 for payment and/or health care operations activities, a lawful holder who receives such records under the terms of the written consent may further disclose those records as may be necessary for its contractors, subcontractors, or legal representatives to carry out payment and/or health care operations on behalf of such lawful holder. Disclosures to contractors, subcontractors, and legal representatives to carry out other purposes such as substance use disorder patient diagnosis, treatment, or referral for treatment are not permitted under this section. In accordance with §2.13(a), disclosures under this section must be limited to that information which is necessary to carry out the stated purpose of the disclosure.

(c) Lawful holders who wish to disclose patient identifying information pursuant to paragraph (b) of this section must have in place a written contract or comparable legal instrument with the contractor or voluntary legal representative, which provides that the contractor, subcontractor, or voluntary legal representative is fully bound by the provisions of part 2 upon receipt of the patient identifying information. In making any such disclosures, the lawful holder must furnish such recipients with the notice required under §2.32; require such recipients to implement appropriate safeguards to prevent unauthorized uses and disclosures; and require such recipients to report any unauthorized uses, disclosures, or breaches of patient identifying information to the lawful holder. The lawful holder may only disclose information to the contractor or subcontractor or voluntary legal representative that is necessary for the contractor or subcontractor or voluntary legal representative to perform its duties under the contract or comparable legal instrument. Contracts may not permit a contractor or subcontractor or voluntary legal representative to re-disclose information to a third party unless that third party is a contract agent of the contractor or subcontractor, helping them provide services described in the contract, and only as long as the agent only further discloses the information back to the contractor or lawful holder from which the information originated.

[83 FR 251, Jan. 3, 2018]

§2.34   Disclosures to prevent multiple enrollments.

(a) Restrictions on disclosure. A part 2 program, as defined in §2.11, may disclose patient records to a central registry or to any withdrawal management or maintenance treatment program not more than 200 miles away for the purpose of preventing the multiple enrollment of a patient only if:

(1) The disclosure is made when:

(i) The patient is accepted for treatment;

(ii) The type or dosage of the drug is changed; or

(iii) The treatment is interrupted, resumed or terminated.

(2) The disclosure is limited to:

(i) Patient identifying information;

(ii) Type and dosage of the drug; and

(iii) Relevant dates.

(3) The disclosure is made with the patient's written consent meeting the requirements of §2.31, except that:

(i) The consent must list the name and address of each central registry and each known withdrawal management or maintenance treatment program to which a disclosure will be made; and

(ii) The consent may authorize a disclosure to any withdrawal management or maintenance treatment program established within 200 miles of the program, but does not need to individually name all programs.

(b) Use of information limited to prevention of multiple enrollments. A central registry and any withdrawal management or maintenance treatment program to which information is disclosed to prevent multiple enrollments may not re-disclose or use patient identifying information for any purpose other than the prevention of multiple enrollments unless authorized by a court order under subpart E of this part.

(c) Permitted disclosure by a central registry to prevent a multiple enrollment. When a member program asks a central registry if an identified patient is enrolled in another member program and the registry determines that the patient is so enrolled, the registry may disclose:

(1) The name, address, and telephone number of the member program(s) in which the patient is already enrolled to the inquiring member program; and

(2) The name, address, and telephone number of the inquiring member program to the member program(s) in which the patient is already enrolled. The member programs may communicate as necessary to verify that no error has been made and to prevent or eliminate any multiple enrollments.

(d) Permitted disclosure by a withdrawal management or maintenance treatment program to prevent a multiple enrollment. A withdrawal management or maintenance treatment program which has received a disclosure under this section and has determined that the patient is already enrolled may communicate as necessary with the program making the disclosure to verify that no error has been made and to prevent or eliminate any multiple enrollments.

§2.35   Disclosures to elements of the criminal justice system which have referred patients.

(a) A part 2 program may disclose information about a patient to those individuals within the criminal justice system who have made participation in the part 2 program a condition of the disposition of any criminal proceedings against the patient or of the patient's parole or other release from custody if:

(1) The disclosure is made only to those individuals within the criminal justice system who have a need for the information in connection with their duty to monitor the patient's progress (e.g., a prosecuting attorney who is withholding charges against the patient, a court granting pretrial or post-trial release, probation or parole officers responsible for supervision of the patient); and

(2) The patient has signed a written consent meeting the requirements of §2.31 (except paragraph (a)(6) of this section which is inconsistent with the revocation provisions of paragraph (c) of this section) and the requirements of paragraphs (b) and (c) of this section.

(b) Duration of consent. The written consent must state the period during which it remains in effect. This period must be reasonable, taking into account:

(1) The anticipated length of the treatment;

(2) The type of criminal proceeding involved, the need for the information in connection with the final disposition of that proceeding, and when the final disposition will occur; and

(3) Such other factors as the part 2 program, the patient, and the individual(s) within the criminal justice system who will receive the disclosure consider pertinent.

(c) Revocation of consent. The written consent must state that it is revocable upon the passage of a specified amount of time or the occurrence of a specified, ascertainable event. The time or occurrence upon which consent becomes revocable may be no later than the final disposition of the conditional release or other action in connection with which consent was given.

(d) Restrictions on re-disclosure and use. An individual within the criminal justice system who receives patient information under this section may re-disclose and use it only to carry out that individual's official duties with regard to the patient's conditional release or other action in connection with which the consent was given.

[82 FR 6115, Jan. 18, 2017, as amended at 83 FR 251, Jan. 3, 2018]

Subpart D—Disclosures Without Patient Consent

§2.51   Medical emergencies.

(a) General rule. Under the procedures required by paragraph (c) of this section, patient identifying information may be disclosed to medical personnel to the extent necessary to meet a bona fide medical emergency in which the patient's prior informed consent cannot be obtained.

(b) Special rule. Patient identifying information may be disclosed to medical personnel of the Food and Drug Administration (FDA) who assert a reason to believe that the health of any individual may be threatened by an error in the manufacture, labeling, or sale of a product under FDA jurisdiction, and that the information will be used for the exclusive purpose of notifying patients or their physicians of potential dangers.

(c) Procedures. Immediately following disclosure, the part 2 program shall document, in writing, the disclosure in the patient's records, including:

(1) The name of the medical personnel to whom disclosure was made and their affiliation with any health care facility;

(2) The name of the individual making the disclosure;

(3) The date and time of the disclosure; and

(4) The nature of the emergency (or error, if the report was to FDA).

§2.52   Research.

(a) Notwithstanding other provisions of this part, including paragraph (b)(2) of this section, patient identifying information may be disclosed by the part 2 program or other lawful holder of part 2 data, for the purpose of conducting scientific research if the individual designated as director or managing director, or individual otherwise vested with authority to act as chief executive officer or their designee makes a determination that the recipient of the patient identifying information:

(1) If a HIPAA-covered entity or business associate, has obtained and documented authorization from the patient, or a waiver or alteration of authorization, consistent with the HIPAA Privacy Rule at 45 CFR 164.508 or 164.512(i), as applicable; or

(2) If subject to the HHS regulations regarding the protection of human subjects (45 CFR part 46), either provides documentation that the researcher is in compliance with the requirements of the HHS regulations, including the requirements related to informed consent or a waiver of consent (45 CFR 46.111 and 46.116) or that the research qualifies for exemption under the HHS regulations (45 CFR 46.101(b) and any successor regulations; or

(3) If both a HIPAA covered entity or business associate and subject to the HHS regulations regarding the protection of human subjects, has met the requirements of paragraphs (a)(1) and (2) of this section; and

(4) If neither a HIPAA covered entity or business associate or subject to the HHS regulations regarding the protection of human subjects, this section does not apply.

(b) Any individual or entity conducting scientific research using patient identifying information obtained under paragraph (a) of this section:

(1) Is fully bound by the regulations in this part and, if necessary, will resist in judicial proceedings any efforts to obtain access to patient records except as permitted by the regulations in this part.

(2) Must not re-disclose patient identifying information except back to the individual or entity from whom that patient identifying information was obtained or as permitted under paragraph (c) of this section.

(3) May include part 2 data in research reports only in aggregate form in which patient identifying information has been rendered non-identifiable such that the information cannot be re-identified and serve as an unauthorized means to identify a patient, directly or indirectly, as having or having had a substance use disorder.

(4) Must maintain and destroy patient identifying information in accordance with the security policies and procedures established under §2.16.

(5) Must retain records in compliance with applicable federal, state, and local record retention laws.

(c) Data linkages—(1) Researchers. Any individual or entity conducting scientific research using patient identifying information obtained under paragraph (a) of this section that requests linkages to data sets from a data repository(-ies) holding patient identifying information must:

(i) Have the request reviewed and approved by an Institutional Review Board (IRB) registered with the Department of Health and Human Services, Office for Human Research Protections in accordance with 45 CFR part 46 to ensure that patient privacy is considered and the need for identifiable data is justified. Upon request, the researcher may be required to provide evidence of the IRB approval of the research project that contains the data linkage component.

(ii) Ensure that patient identifying information obtained under paragraph (a) of this section is not provided to law enforcement agencies or officials.

(2) Data repositories. For purposes of this section, a data repository is fully bound by the provisions of part 2 upon receipt of the patient identifying data and must:

(i) After providing the researcher with the linked data, destroy or delete the linked data from its records, including sanitizing any associated hard copy or electronic media, to render the patient identifying information non-retrievable in a manner consistent with the policies and procedures established under §2.16 Security for records.

(ii) Ensure that patient identifying information obtained under paragraph (a) of this section is not provided to law enforcement agencies or officials.

(2) Except as provided in paragraph (c) of this section, a researcher may not redisclose patient identifying information for data linkages purposes.

§2.53   Audit and evaluation.

(a) Records not copied or removed. If patient records are not downloaded, copied or removed from the premises of a part 2 program or other lawful holder, or forwarded electronically to another electronic system or device, patient identifying information, as defined in §2.11, may be disclosed in the course of a review of records on the premises of a part 2 program or other lawful holder to any individual or entity who agrees in writing to comply with the limitations on re-disclosure and use in paragraph (d) of this section and who:

(1) Performs the audit or evaluation on behalf of:

(i) Any federal, state, or local governmental agency that provides financial assistance to a part 2 program or other lawful holder, or is authorized by law to regulate the activities of the part 2 program or other lawful holder;

(ii) Any individual or entity which provides financial assistance to the part 2 program or other lawful holder, which is a third-party payer covering patients in the part 2 program, or which is a quality improvement organization performing a utilization or quality control review, or such individual's or entity's or quality improvement organization's contractors, subcontractors, or legal representatives.

(2) Is determined by the part 2 program or other lawful holder to be qualified to conduct an audit or evaluation of the part 2 program or other lawful holder.

(b) Copying, removing, downloading, or forwarding patient records. Records containing patient identifying information, as defined in §2.11, may be copied or removed from the premises of a part 2 program or other lawful holder or downloaded or forwarded to another electronic system or device from the part 2 program's or other lawful holder's electronic records by any individual or entity who:

(1) Agrees in writing to:

(i) Maintain and destroy the patient identifying information in a manner consistent with the policies and procedures established under §2.16;

(ii) Retain records in compliance with applicable federal, state, and local record retention laws; and

(iii) Comply with the limitations on disclosure and use in paragraph (d) of this section; and

(2) Performs the audit or evaluation on behalf of:

(i) Any federal, state, or local governmental agency that provides financial assistance to the part 2 program or other lawful holder, or is authorized by law to regulate the activities of the part 2 program or other lawful holder; or

(ii) Any individual or entity which provides financial assistance to the part 2 program or other lawful holder, which is a third-party payer covering patients in the part 2 program, or which is a quality improvement organization performing a utilization or quality control review, or such individual's or entity's or quality improvement organization's contractors, subcontractors, or legal representatives.

(c) Medicare, Medicaid, Children's Health Insurance Program (CHIP), or related audit or evaluation. (1) Patient identifying information, as defined in §2.11, may be disclosed under paragraph (c) of this section to any individual or entity for the purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation, including an audit or evaluation necessary to meet the requirements for a Centers for Medicare & Medicaid Services (CMS)-regulated accountable care organization (CMS-regulated ACO) or similar CMS-regulated organization (including a CMS-regulated Qualified Entity (QE)), if the individual or entity agrees in writing to comply with the following:

(i) Maintain and destroy the patient identifying information in a manner consistent with the policies and procedures established under §2.16;

(ii) Retain records in compliance with applicable federal, state, and local record retention laws; and

(iii) Comply with the limitations on disclosure and use in paragraph (d) of this section.

(2) A Medicare, Medicaid, or CHIP audit or evaluation under this section includes a civil or administrative investigation of a part 2 program by any federal, state, or local government agency with oversight responsibilities for Medicare, Medicaid, or CHIP and includes administrative enforcement, against the part 2 program by the government agency, of any remedy authorized by law to be imposed as a result of the findings of the investigation.

(3) An audit or evaluation necessary to meet the requirements for a CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) must be conducted in accordance with the following:

(i) A CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) must:

(A) Have in place administrative and/or clinical systems; and

(B) Have in place a leadership and management structure, including a governing body and chief executive officer with responsibility for oversight of the organization's management and for ensuring compliance with and adherence to the terms and conditions of the Participation Agreement or similar documentation with CMS; and

(ii) A CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) must have a signed Participation Agreement or similar documentation with CMS, which provides that the CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE):

(A) Is subject to periodic evaluations by CMS or its agents, or is required by CMS to evaluate participants in the CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) relative to CMS-defined or approved quality and/or cost measures;

(B) Must designate an executive who has the authority to legally bind the organization to ensure compliance with 42 U.S.C. 290dd-2 and this part and the terms and conditions of the Participation Agreement in order to receive patient identifying information from CMS or its agents;

(C) Agrees to comply with all applicable provisions of 42 U.S.C. 290dd-2 and this part;

(D) Must ensure that any audit or evaluation involving patient identifying information occurs in a confidential and controlled setting approved by the designated executive;

(E) Must ensure that any communications or reports or other documents resulting from an audit or evaluation under this section do not allow for the direct or indirect identification (e.g., through the use of codes) of a patient as having or having had a substance use disorder; and

(F) Must establish policies and procedures to protect the confidentiality of the patient identifying information consistent with this part, the terms and conditions of the Participation Agreement, and the requirements set forth in paragraph (c)(1) of this section.

(4) Program, as defined in §2.11, includes an employee of, or provider of medical services under the program when the employee or provider is the subject of a civil investigation or administrative remedy, as those terms are used in paragraph (c)(2) of this section.

(5) If a disclosure to an individual or entity is authorized under this section for a Medicare, Medicaid, or CHIP audit or evaluation, including a civil investigation or administrative remedy, as those terms are used in paragraph (c)(2) of this section, the individual or entity may further disclose the patient identifying information that is received for such purposes to its contractor(s), subcontractor(s), or legal representative(s), to carry out the audit or evaluation, and a quality improvement organization which obtains such information under paragraph (a) or (b) of this section may disclose the information to that individual or entity (or, to such individual's or entity's contractors, subcontractors, or legal representatives, but only for the purposes of this section).

(6) The provisions of this paragraph do not authorize the part 2 program, the federal, state, or local government agency, or any other individual or entity to disclose or use patient identifying information obtained during the audit or evaluation for any purposes other than those necessary to complete the audit or evaluation as specified in paragraph (c) of this section.

(d) Limitations on disclosure and use. Except as provided in paragraph (c) of this section, patient identifying information disclosed under this section may be disclosed only back to the part 2 program or other lawful holder from which it was obtained and may be used only to carry out an audit or evaluation purpose or to investigate or prosecute criminal or other activities, as authorized by a court order entered under §2.66.

[82 FR 6115, Jan. 18, 2017, as amended at 83 FR 252, Jan. 3, 2018]

Subpart E—Court Orders Authorizing Disclosure and Use

§2.61   Legal effect of order.

(a) Effect. An order of a court of competent jurisdiction entered under this subpart is a unique kind of court order. Its only purpose is to authorize a disclosure or use of patient information which would otherwise be prohibited by 42 U.S.C. 290dd-2 and the regulations in this part. Such an order does not compel disclosure. A subpoena or a similar legal mandate must be issued in order to compel disclosure. This mandate may be entered at the same time as and accompany an authorizing court order entered under the regulations in this part.

(b) Examples. (1) A person holding records subject to the regulations in this part receives a subpoena for those records. The person may not disclose the records in response to the subpoena unless a court of competent jurisdiction enters an authorizing order under the regulations in this part.

(2) An authorizing court order is entered under the regulations in this part, but the person holding the records does not want to make the disclosure. If there is no subpoena or other compulsory process or a subpoena for the records has expired or been quashed, that person may refuse to make the disclosure. Upon the entry of a valid subpoena or other compulsory process the person holding the records must disclose, unless there is a valid legal defense to the process other than the confidentiality restrictions of the regulations in this part.

§2.62   Order not applicable to records disclosed without consent to researchers, auditors and evaluators.

A court order under the regulations in this part may not authorize qualified personnel, who have received patient identifying information without consent for the purpose of conducting research, audit or evaluation, to disclose that information or use it to conduct any criminal investigation or prosecution of a patient. However, a court order under §2.66 may authorize disclosure and use of records to investigate or prosecute qualified personnel holding the records.

§2.63   Confidential communications.

(a) A court order under the regulations in this part may authorize disclosure of confidential communications made by a patient to a part 2 program in the course of diagnosis, treatment, or referral for treatment only if:

(1) The disclosure is necessary to protect against an existing threat to life or of serious bodily injury, including circumstances which constitute suspected child abuse and neglect and verbal threats against third parties;

(2) The disclosure is necessary in connection with investigation or prosecution of an extremely serious crime allegedly committed by the patient, such as one which directly threatens loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, or child abuse and neglect; or

(3) The disclosure is in connection with litigation or an administrative proceeding in which the patient offers testimony or other evidence pertaining to the content of the confidential communications.

(b) [Reserved]

§2.64   Procedures and criteria for orders authorizing disclosures for noncriminal purposes.

(a) Application. An order authorizing the disclosure of patient records for purposes other than criminal investigation or prosecution may be applied for by any person having a legally recognized interest in the disclosure which is sought. The application may be filed separately or as part of a pending civil action in which the applicant asserts that the patient records are needed to provide evidence. An application must use a fictitious name, such as John Doe, to refer to any patient and may not contain or otherwise disclose any patient identifying information unless the patient is the applicant or has given written consent (meeting the requirements of the regulations in this part) to disclosure or the court has ordered the record of the proceeding sealed from public scrutiny.

(b) Notice. The patient and the person holding the records from whom disclosure is sought must be provided:

(1) Adequate notice in a manner which does not disclose patient identifying information to other persons; and

(2) An opportunity to file a written response to the application, or to appear in person, for the limited purpose of providing evidence on the statutory and regulatory criteria for the issuance of the court order as described in §2.64(d).

(c) Review of evidence: Conduct of hearing. Any oral argument, review of evidence, or hearing on the application must be held in the judge's chambers or in some manner which ensures that patient identifying information is not disclosed to anyone other than a party to the proceeding, the patient, or the person holding the record, unless the patient requests an open hearing in a manner which meets the written consent requirements of the regulations in this part. The proceeding may include an examination by the judge of the patient records referred to in the application.

(d) Criteria for entry of order. An order under this section may be entered only if the court determines that good cause exists. To make this determination the court must find that:

(1) Other ways of obtaining the information are not available or would not be effective; and

(2) The public interest and need for the disclosure outweigh the potential injury to the patient, the physician-patient relationship and the treatment services.

(e) Content of order. An order authorizing a disclosure must:

(1) Limit disclosure to those parts of the patient's record which are essential to fulfill the objective of the order;

(2) Limit disclosure to those persons whose need for information is the basis for the order; and

(3) Include such other measures as are necessary to limit disclosure for the protection of the patient, the physician-patient relationship and the treatment services; for example, sealing from public scrutiny the record of any proceeding for which disclosure of a patient's record has been ordered.

§2.65   Procedures and criteria for orders authorizing disclosure and use of records to criminally investigate or prosecute patients.

(a) Application. An order authorizing the disclosure or use of patient records to investigate or prosecute a patient in connection with a criminal proceeding may be applied for by the person holding the records or by any law enforcement or prosecutorial officials who are responsible for conducting investigative or prosecutorial activities with respect to the enforcement of criminal laws. The application may be filed separately, as part of an application for a subpoena or other compulsory process, or in a pending criminal action. An application must use a fictitious name such as John Doe, to refer to any patient and may not contain or otherwise disclose patient identifying information unless the court has ordered the record of the proceeding sealed from public scrutiny.

(b) Notice and hearing. Unless an order under §2.66 is sought in addition to an order under this section, the person holding the records must be provided:

(1) Adequate notice (in a manner which will not disclose patient identifying information to other persons) of an application by a law enforcement agency or official;

(2) An opportunity to appear and be heard for the limited purpose of providing evidence on the statutory and regulatory criteria for the issuance of the court order as described in §2.65(d); and

(3) An opportunity to be represented by counsel independent of counsel for an applicant who is a law enforcement agency or official.

(c) Review of evidence: Conduct of hearings. Any oral argument, review of evidence, or hearing on the application shall be held in the judge's chambers or in some other manner which ensures that patient identifying information is not disclosed to anyone other than a party to the proceedings, the patient, or the person holding the records. The proceeding may include an examination by the judge of the patient records referred to in the application.

(d) Criteria. A court may authorize the disclosure and use of patient records for the purpose of conducting a criminal investigation or prosecution of a patient only if the court finds that all of the following criteria are met:

(1) The crime involved is extremely serious, such as one which causes or directly threatens loss of life or serious bodily injury including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, and child abuse and neglect.

(2) There is a reasonable likelihood that the records will disclose information of substantial value in the investigation or prosecution.

(3) Other ways of obtaining the information are not available or would not be effective.

(4) The potential injury to the patient, to the physician-patient relationship and to the ability of the part 2 program to provide services to other patients is outweighed by the public interest and the need for the disclosure.

(5) If the applicant is a law enforcement agency or official, that:

(i) The person holding the records has been afforded the opportunity to be represented by independent counsel; and

(ii) Any person holding the records which is an entity within federal, state, or local government has in fact been represented by counsel independent of the applicant.

(e) Content of order. Any order authorizing a disclosure or use of patient records under this section must:

(1) Limit disclosure and use to those parts of the patient's record which are essential to fulfill the objective of the order;

(2) Limit disclosure to those law enforcement and prosecutorial officials who are responsible for, or are conducting, the investigation or prosecution, and limit their use of the records to investigation and prosecution of the extremely serious crime or suspected crime specified in the application; and

(3) Include such other measures as are necessary to limit disclosure and use to the fulfillment of only that public interest and need found by the court.

§2.66   Procedures and criteria for orders authorizing disclosure and use of records to investigate or prosecute a part 2 program or the person holding the records.

(a) Application. (1) An order authorizing the disclosure or use of patient records to investigate or prosecute a part 2 program or the person holding the records (or employees or agents of that part 2 program or person holding the records) in connection with a criminal or administrative matter may be applied for by any administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agency having jurisdiction over the program's or person's activities.

(2) The application may be filed separately or as part of a pending civil or criminal action against a part 2 program or the person holding the records (or agents or employees of the part 2 program or person holding the records) in which the applicant asserts that the patient records are needed to provide material evidence. The application must use a fictitious name, such as John Doe, to refer to any patient and may not contain or otherwise disclose any patient identifying information unless the court has ordered the record of the proceeding sealed from public scrutiny or the patient has provided written consent (meeting the requirements of §2.31) to that disclosure.

(b) Notice not required. An application under this section may, in the discretion of the court, be granted without notice. Although no express notice is required to the part 2 program, to the person holding the records, or to any patient whose records are to be disclosed, upon implementation of an order so granted any of the above persons must be afforded an opportunity to seek revocation or amendment of that order, limited to the presentation of evidence on the statutory and regulatory criteria for the issuance of the court order in accordance with §2.66(c).

(c) Requirements for order. An order under this section must be entered in accordance with, and comply with the requirements of, paragraphs (d) and (e) of §2.64.

(d) Limitations on disclosure and use of patient identifying information. (1) An order entered under this section must require the deletion of patient identifying information from any documents made available to the public.

(2) No information obtained under this section may be used to conduct any investigation or prosecution of a patient in connection with a criminal matter, or be used as the basis for an application for an order under §2.65.

§2.67   Orders authorizing the use of undercover agents and informants to investigate employees or agents of a part 2 program in connection with a criminal matter.

(a) Application. A court order authorizing the placement of an undercover agent or informant in a part 2 program as an employee or patient may be applied for by any law enforcement or prosecutorial agency which has reason to believe that employees or agents of the part 2 program are engaged in criminal misconduct.

(b) Notice. The part 2 program director must be given adequate notice of the application and an opportunity to appear and be heard (for the limited purpose of providing evidence on the statutory and regulatory criteria for the issuance of the court order in accordance with §2.67(c)), unless the application asserts that:

(1) The part 2 program director is involved in the suspected criminal activities to be investigated by the undercover agent or informant; or

(2) The part 2 program director will intentionally or unintentionally disclose the proposed placement of an undercover agent or informant to the employees or agents of the program who are suspected of criminal activities.

(c) Criteria. An order under this section may be entered only if the court determines that good cause exists. To make this determination the court must find all of the following:

(1) There is reason to believe that an employee or agent of the part 2 program is engaged in criminal activity;

(2) Other ways of obtaining evidence of the suspected criminal activity are not available or would not be effective; and

(3) The public interest and need for the placement of an undercover agent or informant in the part 2 program outweigh the potential injury to patients of the part 2 program, physician-patient relationships and the treatment services.

(d) Content of order. An order authorizing the placement of an undercover agent or informant in a part 2 program must:

(1) Specifically authorize the placement of an undercover agent or an informant;

(2) Limit the total period of the placement to six months;

(3) Prohibit the undercover agent or informant from disclosing any patient identifying information obtained from the placement except as necessary to investigate or prosecute employees or agents of the part 2 program in connection with the suspected criminal activity; and

(4) Include any other measures which are appropriate to limit any potential disruption of the part 2 program by the placement and any potential for a real or apparent breach of patient confidentiality; for example, sealing from public scrutiny the record of any proceeding for which disclosure of a patient's record has been ordered.

(e) Limitation on use of information. No information obtained by an undercover agent or informant placed in a part 2 program under this section may be used to investigate or prosecute any patient in connection with a criminal matter or as the basis for an application for an order under §2.65.

Need assistance?