Collapse to view only § 2.17 - Undercover agents and informants.
- § 2.11 - Definitions.
- § 2.12 - Applicability.
- § 2.13 - Confidentiality restrictions and safeguards.
- § 2.14 - Minor patients.
- § 2.15 - Patients who lack capacity and deceased patients.
- § 2.16 - Security for records and notification of breaches.
- § 2.17 - Undercover agents and informants.
- § 2.18 - Restrictions on the use of identification cards.
- § 2.19 - Disposition of records by discontinued programs.
- § 2.20 - Relationship to state laws.
- § 2.21 - Relationship to federal statutes protecting research subjects against compulsory disclosure of their identity.
- § 2.22 - Notice to patients of Federal confidentiality requirements.
- § 2.23 - Patient access and restrictions on use and disclosure.
- § 2.24 - Requirements for intermediaries.
- § 2.25 - Accounting of disclosures.
- § 2.26 - Right to request privacy protection for records.
§ 2.11 - Definitions.
For purposes of the regulations in this part:
Breach has the same meaning given that term in 45 CFR 164.402.
Business associate has the same meaning given that term in 45 CFR 160.103.
Central registry means an organization which obtains from two or more member programs patient identifying information about individuals applying for withdrawal management or maintenance treatment for the purpose of avoiding an individual's concurrent enrollment in more than one treatment program.
Covered entity has the same meaning given that term in 45 CFR 160.103.
Diagnosis means any reference to an individual's substance use disorder or to a condition which is identified as having been caused by that substance use disorder which is made for the purpose of treatment or referral for treatment.
Disclose means to communicate any information identifying a patient as being or having been diagnosed with a substance use disorder, having or having had a substance use disorder, or being or having been referred for treatment of a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person.
Federally assisted—see § 2.12(b).
Health care operations has the same meaning given that term in 45 CFR 164.501.
HIPAA means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the privacy and security provisions in subtitle D of title XIII of the Health Information Technology for Economic and Clinical Health Act, Public Law 111-5 (“HITECH Act”).
HIPAA regulations means the regulations at 45 CFR parts 160 and 164 (commonly known as the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules or “HIPAA Rules”).
Informant means a person:
(1) Who is a patient or employee of a part 2 program or who becomes a patient or employee of a part 2 program at the request of a law enforcement agency or official; and
(2) Who at the request of a law enforcement agency or official observes one or more patients or employees of the part 2 program for the purpose of reporting the information obtained to the law enforcement agency or official.
Intermediary means a person, other than a part 2 program, covered entity, or business associate, who has received records under a general designation in a written patient consent to be disclosed to one or more of its member participant(s) who has a treating provider relationship with the patient.
Investigative agency means a Federal, state, Tribal, territorial, or local administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agency having jurisdiction over the activities of a part 2 program or other person holding records under this part.
Lawful holder means a person who is bound by this part because they have received records as the result of one of the following:
(1) Written consent in accordance with § 2.31 with an accompanying notice of disclosure.
(2) One of the exceptions to the written consent requirements in 42 U.S.C. 290dd-2 or this part.
Maintenance treatment means long-term pharmacotherapy for individuals with substance use disorders that reduces the pathological pursuit of reward and/or relief and supports remission of substance use disorder-related symptoms.
Member program means a withdrawal management or maintenance treatment program which reports patient identifying information to a central registry and which is in the same state as that central registry or is in a state that participates in data sharing with the central registry of the program in question.
Minor, as used in the regulations in this part, means an individual who has not attained the age of majority specified in the applicable state law, or if no age of majority is specified in the applicable state law, the age of 18 years.
Part 2 program means a federally assisted program (federally assisted as defined in § 2.12(b) and program as defined in this section). See § 2.12(e)(1) for examples.
Part 2 program director means:
(1) In the case of a part 2 program that is a natural person, that person.
(2) In the case of a part 2 program that is an entity, the person designated as director or managing director, or person otherwise vested with authority to act as chief executive officer of the part 2 program.
Patient means any individual who has applied for or been given diagnosis, treatment, or referral for treatment for a substance use disorder at a part 2 program. Patient includes any individual who, after arrest on a criminal charge, is identified as an individual with a substance use disorder in order to determine that individual's eligibility to participate in a part 2 program. This definition includes both current and former patients. In this part where the HIPAA regulations apply, patient means an individual as that term is defined in 45 CFR 160.103.
Patient identifying information means the name, address, Social Security number, fingerprints, photograph, or similar information by which the identity of a patient, as defined in this section, can be determined with reasonable accuracy either directly or by reference to other information.
Payment has the same meaning given that term in 45 CFR 164.501.
Person has the same meaning given that term in 45 CFR 160.103.
Personal representative means a person who has authority under applicable law to act on behalf of a patient who is an adult or an emancipated minor in making decisions related to health care. Within this part, a personal representative would have authority only with respect to patient records relevant to such personal representation.
Program means:
(1) A person (other than a general medical facility) that holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; or
(2) An identified unit within a general medical facility that holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; or
(3) Medical personnel or other staff in a general medical facility whose primary function is the provision of substance use disorder diagnosis, treatment, or referral for treatment and who are identified as such providers.
Public health authority has the same meaning given that term in 45 CFR 164.501.
Qualified service organization means a person who:
(1) Provides services to a part 2 program, such as data processing, bill collecting, dosage preparation, laboratory analyses, or legal, accounting, population health management, medical staffing, or other professional services, or services to prevent or treat child abuse or neglect, including training on nutrition and child care and individual and group therapy, and
(2) Has entered into a written agreement with a part 2 program under which that person:
(i) Acknowledges that in receiving, storing, processing, or otherwise dealing with any patient records from the part 2 program, it is fully bound by the regulations in this part; and
(ii) If necessary, will resist in judicial proceedings any efforts to obtain access to patient identifying information related to substance use disorder diagnosis, treatment, or referral for treatment except as permitted by the regulations in this part.
(3) Qualified service organization includes a person who meets the definition of business associate in 45 CFR 160.103, paragraphs (1), (2), and (3), for a part 2 program that is also a covered entity, with respect to the use and disclosure of protected health information that also constitutes a “record” as defined by this section.
Records means any information, whether recorded or not, created by, received, or acquired by a part 2 program relating to a patient (e.g., diagnosis, treatment and referral for treatment information, billing information, emails, voice mails, and texts), and including patient identifying information, provided, however, that information conveyed orally by a part 2 program to a provider who is not subject to this part for treatment purposes with the consent of the patient does not become a record subject to this part in the possession of the provider who is not subject to this part merely because that information is reduced to writing by that provider who is not subject to this part. Records otherwise transmitted by a part 2 program to a provider who is not subject to this part retain their characteristic as records in the hands of the provider who is not subject to this part, but may be segregated by that provider.
Substance use disorder (SUD) means a cluster of cognitive, behavioral, and physiological symptoms indicating that the individual continues using the substance despite significant substance-related problems such as impaired control, social impairment, risky use, and pharmacological tolerance and withdrawal. For the purposes of the regulations in this part, this definition does not include tobacco or caffeine use.
Substance use disorder (SUD) counseling notes means notes recorded (in any medium) by a part 2 program provider who is a SUD or mental health professional documenting or analyzing the contents of conversation during a private SUD counseling session or a group, joint, or family SUD counseling session and that are separated from the rest of the patient's SUD and medical record. SUD counseling notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
Third-party payer means a person, other than a health plan as defined at 45 CFR 160.103, who pays or agrees to pay for diagnosis or treatment furnished to a patient on the basis of a contractual relationship with the patient or a member of the patient's family or on the basis of the patient's eligibility for Federal, state, or local governmental benefits.
Treating provider relationship means that, regardless of whether there has been an actual in-person encounter:
(1) A patient is, agrees to be, or is legally required to be diagnosed, evaluated, or treated, or agrees to accept consultation, for any condition by a person; and
(2) The person undertakes or agrees to undertake diagnosis, evaluation, or treatment of the patient, or consultation with the patient, for any condition.
Treatment has the same meaning given that term in 45 CFR 164.501.
Undercover agent means any federal, state, or local law enforcement agency or official who enrolls in or becomes an employee of a part 2 program for the purpose of investigating a suspected violation of law or who pursues that purpose after enrolling or becoming employed for other purposes.
Unsecured protected health information has the same meaning given that term in 45 CFR 164.402.
Unsecured record means any record, as defined in this part, that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under Public Law 111-5, section 13402(h)(2).
Use means, with respect to records, the sharing, employment, application, utilization, examination, or analysis of the information contained in such records that occurs either within an entity that maintains such information or in the course of civil, criminal, administrative, or legislative proceedings as described at 42 U.S.C. 290dd-2(c).
Withdrawal management means the use of pharmacotherapies to treat or attenuate the problematic signs and symptoms arising when heavy and/or prolonged substance use is reduced or discontinued.
§ 2.12 - Applicability.
(a) General— (1) Restrictions on use and disclosure. The restrictions on use and disclosure in the regulations in this part apply to any records which:
(i) Would identify a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person; and
(ii) Contain substance use disorder information obtained by a federally assisted substance use disorder program after March 20, 1972 (part 2 program), or contain alcohol use disorder information obtained by a federally assisted alcohol use disorder or substance use disorder program after May 13, 1974 (part 2 program); or if obtained before the pertinent date, is maintained by a part 2 program after that date as part of an ongoing treatment episode which extends past that date; for the purpose of treating a substance use disorder, making a diagnosis for that treatment, or making a referral for that treatment.
(2) Restriction on use or disclosure. The restriction on use or disclosure of information to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient (42 U.S.C. 290dd-2(c)) applies to any information, whether or not recorded, which is substance use disorder information obtained by a federally assisted substance use disorder program after March 20, 1972 (part 2 program), or is alcohol use disorder information obtained by a federally assisted alcohol use disorder or substance use disorder program after May 13, 1974 (part 2 program); or if obtained before the pertinent date, is maintained by a part 2 program after that date as part of an ongoing treatment episode which extends past that date; for the purpose of treating a substance use disorder, making a diagnosis for the treatment, or making a referral for the treatment.
(b) Federal assistance. A program is considered to be federally assisted if:
(1) It is conducted in whole or in part, whether directly or by contract or otherwise by any department or agency of the United States (but see paragraphs (c)(1) and (2) of this section relating to the Department of Veterans Affairs and the Uniformed Services);
(2) It is being carried out under a license, certification, registration, or other authorization granted by any department or agency of the United States including but not limited to:
(i) Participating provider in the Medicare program;
(ii) Authorization to conduct maintenance treatment or withdrawal management; or
(iii) Registration to dispense a substance under the Controlled Substances Act to the extent the controlled substance is used in the treatment of substance use disorders;
(3) It is supported by funds provided by any department or agency of the United States by being:
(i) A recipient of federal financial assistance in any form, including financial assistance which does not directly pay for the substance use disorder diagnosis, treatment, or referral for treatment; or
(ii) Conducted by a state or local government unit which, through general or special revenue sharing or other forms of assistance, receives federal funds which could be (but are not necessarily) spent for the substance use disorder program; or
(4) It is assisted by the Internal Revenue Service of the Department of the Treasury through the allowance of income tax deductions for contributions to the program or through the granting of tax exempt status to the program.
(c) Exceptions— (1) Department of Veterans Affairs. These regulations do not apply to information on substance use disorder patients maintained in connection with the Department of Veterans Affairs' provision of hospital care, nursing home care, domiciliary care, and medical services under Title 38, U.S.C. Those records are governed by 38 U.S.C. 7332 and regulations issued under that authority by the Secretary of Veterans Affairs.
(2) Uniformed Services. The regulations in this part apply to any information described in paragraph (a) of this section which was obtained by any component of the Uniformed Services during a period when the patient was subject to the Uniform Code of Military Justice except:
(i) Any interchange of that information within the Uniformed Services and within those components of the Department of Veterans Affairs furnishing health care to veterans; and
(ii) Any interchange of that information between such components and the Uniformed Services.
(3) Communication within a part 2 program or between a part 2 program and an entity having direct administrative control over that part 2 program. The restrictions on use and disclosure in the regulations in this part do not apply to communications of information between or among personnel having a need for the information in connection with their duties that arise out of the provision of diagnosis, treatment, or referral for treatment of patients with substance use disorders if the communications are:
(i) Within a part 2 program; or
(ii) Between a part 2 program and an entity that has direct administrative control over the program.
(4) Qualified service organizations. The restrictions on use and disclosure in the regulations in this part do not apply to the communications between a part 2 program and a qualified service organization of information needed by the qualified service organization to provide services to or on behalf of the program.
(5) Crimes on part 2 program premises or against part 2 program personnel. The restrictions on use and disclosure in the regulations in this part do not apply to communications from part 2 program personnel to law enforcement agencies or officials which:
(i) Are directly related to a patient's commission of a crime on the premises of the part 2 program or against part 2 program personnel or to a threat to commit such a crime; and
(ii) Are limited to the circumstances of the incident, including the patient status of the individual committing or threatening to commit the crime, that individual's name and address, and that individual's last known whereabouts.
(6) Reports of suspected child abuse and neglect. The restrictions on use and disclosure in the regulations in this part do not apply to the reporting under state law of incidents of suspected child abuse and neglect to the appropriate state or local authorities. However, the restrictions continue to apply to the original substance use disorder patient records maintained by the part 2 program including their use and disclosure for civil or criminal proceedings which may arise out of the report of suspected child abuse and neglect.
(d) Applicability to recipients of information— (1) Restriction on use and disclosure of records. The restriction on the use and disclosure of any record subject to the regulations in this part to initiate or substantiate criminal charges against a patient or to conduct any criminal investigation of a patient, or to use in any civil, criminal, administrative, or legislative proceedings against a patient, applies to any person who obtains the record from a part 2 program, covered entity, business associate, intermediary, or other lawful holder, regardless of the status of the person obtaining the record or whether the record was obtained in accordance with subpart E of this part. This restriction on use and disclosure bars, among other things, the introduction into evidence of a record or testimony in any criminal prosecution or civil action before a Federal or state court, reliance on the record or testimony to inform any decision or otherwise be taken into account in any proceeding before a Federal, state, or local agency, the use of such record or testimony by any Federal, state, or local agency for a law enforcement purpose or to conduct any law enforcement investigation, and the use of such record or testimony in any application for a warrant, absent patient consent or a court order in accordance with subpart E of this part. Records obtained by undercover agents or informants, § 2.17, or through patient access, § 2.23, are subject to the restrictions on uses and disclosures.
(2) Restrictions on uses and disclosures—(i) Third-party payers, administrative entities, and others. The restrictions on use and disclosure in the regulations in this part apply to:
(A) Third-party payers, as defined in this part, with regard to records disclosed to them by part 2 programs or under § 2.31(a)(4)(i);
(B) Persons having direct administrative control over part 2 programs with regard to information that is subject to the regulations in this part communicated to them by the part 2 program under paragraph (c)(3) of this section; and
(C) Persons who receive records directly from a part 2 program, covered entity, business associate, intermediary, or other lawful holder of patient identifying information and who are notified of the prohibition on redisclosure in accordance with § 2.32. A part 2 program, covered entity, or business associate that receives records based on a single consent for all treatment, payment, and health care operations is not required to segregate or segment such records.
(ii) Documentation of SUD treatment by providers who are not part 2 programs. Notwithstanding paragraph (d)(2)(i)(C) of this section, a treating provider who is not subject to this part may record information about a SUD and its treatment that identifies a patient. This is permitted and does not constitute a record that has been redisclosed under this part. The act of recording information about a SUD and its treatment does not by itself render a medical record which is created by a treating provider who is not subject to this part, subject to the restrictions of this part.
(e) Explanation of applicability—(1) Coverage. These regulations cover any information (including information on referral and intake) about patients receiving diagnosis, treatment, or referral for treatment for a substance use disorder created by a part 2 program. Coverage includes, but is not limited to, those treatment or rehabilitation programs, employee assistance programs, programs within general hospitals, school-based programs, and private practitioners who hold themselves out as providing, and provide substance use disorder diagnosis, treatment, or referral for treatment. However, the regulations in this part would not apply, for example, to emergency room personnel who refer a patient to the intensive care unit for an apparent overdose, unless the primary function of such personnel is the provision of substance use disorder diagnosis, treatment, or referral for treatment and they are identified as providing such services or the emergency room has promoted itself to the community as a provider of such services.
(2) Federal assistance to program required. If a patient's substance use disorder diagnosis, treatment, or referral for treatment is not provided by a part 2 program, that patient's record is not covered by the regulations in this part. Thus, it is possible for an individual patient to benefit from federal support and not be covered by the confidentiality regulations because the program in which the patient is enrolled is not federally assisted as defined in paragraph (b) of this section. For example, if a federal court placed an individual in a private for-profit program and made a payment to the program on behalf of that individual, that patient's record would not be covered by the regulations in this part unless the program itself received federal assistance as defined by paragraph (b) of this section.
(3) Information to which restrictions are applicable. Whether a restriction applies to the use or disclosure of a record affects the type of records which may be disclosed. The restrictions on use and disclosure apply to any records which would identify a specified patient as having or having had a substance use disorder. The restriction on use and disclosure of records to bring a civil action or criminal charges against a patient in any civil, criminal, administrative, or legislative proceedings applies to any records obtained by the part 2 program for the purpose of diagnosis, treatment, or referral for treatment of patients with substance use disorders. (Restrictions on use and disclosure apply to recipients of records as specified under paragraph (d) of this section.)
(4) How type of diagnosis affects coverage. These regulations cover any record reflecting a diagnosis identifying a patient as having or having had a substance use disorder which is initially prepared by a part 2 program in connection with the treatment or referral for treatment of a patient with a substance use disorder. A diagnosis prepared by a part 2 program for the purpose of treatment or referral for treatment, but which is not so used, is covered by the regulations in this part. The following are not covered by the regulations in this part:
(i) Diagnosis which is made on behalf of and at the request of a law enforcement agency or official or a court of competent jurisdiction solely for the purpose of providing evidence; or
(ii) A diagnosis of drug overdose or alcohol intoxication which clearly shows that the individual involved does not have a substance use disorder (e.g., involuntary ingestion of alcohol or drugs or reaction to a prescribed dosage of one or more drugs).
§ 2.13 - Confidentiality restrictions and safeguards.
(a) General. The patient records subject to the regulations in this part may be used or disclosed only as permitted by the regulations in this part and may not otherwise be used or disclosed in any civil, criminal, administrative, or legislative proceedings conducted by any Federal, state, or local authority. Any use or disclosure made under the regulations in this part must be limited to that information which is necessary to carry out the purpose of the use or disclosure.
(b) Unconditional compliance required. The restrictions on use and disclosure in the regulations in this part apply whether or not the part 2 program or other lawful holder of the patient identifying information believes that the person seeking the information already has it, has other means of obtaining it, is a law enforcement agency or official or other government official, has obtained a subpoena, or asserts any other justification for a use or disclosure which is not permitted by the regulations in this part.
(c) Acknowledging the presence of patients: Responding to requests.(1) The presence of an identified patient in a health care facility or component of a health care facility that is publicly identified as a place where only substance use disorder diagnosis, treatment, or referral for treatment is provided may be acknowledged only if the patient's written consent is obtained in accordance with subpart C of this part or if an authorizing court order is entered in accordance with subpart E of this part. The regulations permit acknowledgment of the presence of an identified patient in a health care facility or part of a health care facility if the health care facility is not publicly identified as only a substance use disorder diagnosis, treatment, or referral for treatment facility, and if the acknowledgment does not reveal that the patient has a substance use disorder.
(2) Any answer to a request for a disclosure of patient records which is not permissible under the regulations in this part must be made in a way that will not affirmatively reveal that an identified individual has been, or is being, diagnosed or treated for a substance use disorder. An inquiring party may be provided a copy of the regulations in this part and advised that they restrict the disclosure of substance use disorder patient records, but may not be told affirmatively that the regulations restrict the disclosure of the records of an identified patient.
§ 2.14 - Minor patients.
(a) State law not requiring parental consent to treatment. If a minor patient acting alone has the legal capacity under the applicable state law to apply for and obtain substance use disorder treatment, any written consent for use or disclosure authorized under subpart C of this part may be given only by the minor patient. This restriction includes, but is not limited to, any disclosure of patient identifying information to the parent or guardian of a minor patient for the purpose of obtaining financial reimbursement. The regulations in this paragraph (a) do not prohibit a part 2 program from refusing to provide treatment until the minor patient consents to a use or disclosure that is necessary to obtain reimbursement, but refusal to provide treatment may be prohibited under a state or local law requiring the program to furnish the service irrespective of ability to pay.
(b) State law requiring parental consent to treatment. (1) Where state law requires consent of a parent, guardian, or other person for a minor to obtain treatment for a substance use disorder, any written consent for use or disclosure authorized under subpart C of this part must be given by both the minor and their parent, guardian, or other person authorized under state law to act on the minor's behalf.
(2) Where state law requires parental consent to treatment, the fact of a minor's application for treatment may be communicated to the minor's parent, guardian, or other person authorized under state law to act on the minor's behalf only if:
(i) The minor has given written consent to the disclosure in accordance with subpart C of this part; or
(ii) The minor lacks the capacity to make a rational choice regarding such consent as determined by the part 2 program director under paragraph (c) of this section.
(c) Minor applicant for services lacks capacity for rational choice. Facts relevant to reducing a substantial threat to the life or physical well-being of the minor applicant or any other person may be disclosed to the parent, guardian, or other person authorized under state law to act on the minor's behalf if the part 2 program director determines that:
(1) A minor applicant for services lacks capacity because of extreme youth or mental or physical condition to make a rational decision on whether to consent to a disclosure under subpart C of this part to their parent, guardian, or other person authorized under state law to act on the minor's behalf; and
(2) The minor applicant's situation poses a substantial threat to the life or physical well-being of the minor applicant or any other person which may be reduced by communicating relevant facts to the minor's parent, guardian, or other person authorized under state law to act on the minor's behalf.
§ 2.15 - Patients who lack capacity and deceased patients.
(a) Adult patients who lack capacity to make health care decisions—(1) Adjudication by a court. In the case of a patient who has been adjudicated as lacking the capacity, for any reason other than insufficient age, to make their own health care decisions, any consent which is required under the regulations in this part may be given by the personal representative.
(2) No adjudication by a court. In the case of a patient, other than a minor or one who has been adjudicated as lacking the capacity to make health care decisions, that for any period suffers from a medical condition that prevents knowing or effective action on their own behalf, the part 2 program director may exercise the right of the patient to consent to a use or disclosure under subpart C of this part for the sole purpose of obtaining payment for services from a third-party payer or health plan.
(b) Deceased patients—(1) Vital statistics. These regulations do not restrict the disclosure of patient identifying information relating to the cause of death of a patient under laws requiring the collection of death or other vital statistics or permitting inquiry into the cause of death.
(2) Consent by personal representative. Any other use or disclosure of information identifying a deceased patient as having a substance use disorder is subject to the regulations in this part. If a written consent to the use or disclosure is required, that consent may be given by the personal representative.
§ 2.16 - Security for records and notification of breaches.
(a) The part 2 program or other lawful holder of patient identifying information must have in place formal policies and procedures to reasonably protect against unauthorized uses and disclosures of patient identifying information and to protect against reasonably anticipated threats or hazards to the security of patient identifying information.
(1) Requirements for formal policies and procedures. These policies and procedures must address all of the following:
(i) Paper records, including:
(A) Transferring and removing such records;
(B) Destroying such records, including sanitizing the hard copy media associated with the paper printouts, to render the patient identifying information non-retrievable;
(C) Maintaining such records in a secure room, locked file cabinet, safe, or other similar container, or storage facility when not in use;
(D) Using and accessing workstations, secure rooms, locked file cabinets, safes, or other similar containers, and storage facilities that use or store such information; and
(E) Rendering patient identifying information de-identified in accordance with the requirements of 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a particular patient.
(ii) Electronic records, including:
(A) Creating, receiving, maintaining, and transmitting such records;
(B) Destroying such records, including sanitizing the electronic media on which such records are stored, to render the patient identifying information non-retrievable;
(C) Using and accessing electronic records or other electronic media containing patient identifying information; and
(D) Rendering the patient identifying information de-identified in accordance with the requirements of 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a patient.
(2) Exception for certain lawful holders. Family, friends, and other informal caregivers who are lawful holders as defined in this part are not required to comply with paragraph (a) of this section.
(b) The provisions of 45 CFR part 160 and subpart D of 45 CFR part 164 shall apply to part 2 programs with respect to breaches of unsecured records in the same manner as those provisions apply to a covered entity with respect to breaches of unsecured protected health information.
§ 2.17 - Undercover agents and informants.
(a) Restrictions on placement. Except as specifically authorized by a court order granted under § 2.67, no part 2 program may knowingly employ, or enroll as a patient, any undercover agent or informant.
(b) Restriction on use and disclosure of information. No information obtained by an undercover agent or informant, whether or not that undercover agent or informant is placed in a part 2 program pursuant to an authorizing court order, may be used or disclosed to criminally investigate or prosecute any patient.
§ 2.18 - Restrictions on the use of identification cards.
No person may require any patient to carry in their immediate possession while away from the part 2 program premises any card or other object which would identify the patient as having a substance use disorder. This section does not prohibit a person from requiring patients to use or carry cards or other identification objects on the premises of a part 2 program.
§ 2.19 - Disposition of records by discontinued programs.
(a) General. If a part 2 program discontinues operations or is taken over or acquired by another program, it must remove patient identifying information from its records or destroy its records, including sanitizing any associated hard copy or electronic media, to render the patient identifying information non-retrievable in a manner consistent with the policies and procedures established under § 2.16, unless:
(1) The patient who is the subject of the records gives written consent (meeting the requirements of § 2.31) to a transfer of the records to the acquiring program or to any other program designated in the consent (the manner of obtaining this consent must minimize the likelihood of a disclosure of patient identifying information to a third party);
(2) There is a legal requirement that the records be kept for a period specified by law which does not expire until after the discontinuation or acquisition of the part 2 program; or
(3) The part 2 program is transferred, retroceded, or reassumed pursuant to the Indian Self-Determination and Education Assistance Act (ISDEAA), 25 U.S.C. 5301 et seq., and its implementing regulations in 25 CFR part 900.
(b) Special procedure where retention period required by law. If paragraph (a)(2) of this section applies:
(1) Records in non-electronic (e.g., paper) form must be:
(i) Sealed in envelopes or other containers labeled as follows: “Records of [insert name of program] required to be maintained under [insert citation to statute, regulation, court order or other legal authority requiring that records be kept] until a date not later than [insert appropriate date]”.
(A) All hard copy media from which the paper records were produced, such as printer and facsimile ribbons, drums, etc., must be sanitized to render the data non-retrievable.
(B) [Reserved]
(ii) Held under the restrictions of the regulations in this part by a responsible person who must, as soon as practicable after the end of the required retention period specified on the label, destroy the records and sanitize any associated hard copy media to render the patient identifying information non-retrievable in a manner consistent with the discontinued program's or acquiring program's policies and procedures established under § 2.16.
(2) All of the following requirements apply to records in electronic form:
(i) Records must be:
(A) Transferred to a portable electronic device with implemented encryption to encrypt the data at rest so that there is a low probability of assigning meaning without the use of a confidential process or key and implemented access controls for the confidential process or key; or
(B) Transferred, along with a backup copy, to separate electronic media, so that both the records and the backup copy have implemented encryption to encrypt the data at rest so that there is a low probability of assigning meaning without the use of a confidential process or key and implemented access controls for the confidential process or key.
(ii) Within one year of the discontinuation or acquisition of the program, all electronic media on which the patient records or patient identifying information resided prior to being transferred to the device specified in paragraph (b)(2)(i)(A) of this section or the original and backup electronic media specified in paragraph (b)(2)(i)(B) of this section, including email and other electronic communications, must be sanitized to render the patient identifying information non-retrievable in a manner consistent with the discontinued program's or acquiring program's policies and procedures established under § 2.16.
(iii) The portable electronic device or the original and backup electronic media must be:
(A) Sealed in a container along with any equipment needed to read or access the information, and labeled as follows: “Records of [insert name of program] required to be maintained under [insert citation to statute, regulation, court order or other legal authority requiring that records be kept] until a date not later than [insert appropriate date];” and
(B) Held under the restrictions of the regulations in this part by a responsible person who must store the container in a manner that will protect the information (e.g., climate-controlled environment).
(iv) The responsible person must be included on the access control list and be provided a means for decrypting the data. The responsible person must store the decryption tools on a device or at a location separate from the data they are used to encrypt or decrypt.
(v) As soon as practicable after the end of the required retention period specified on the label, the portable electronic device or the original and backup electronic media must be sanitized to render the patient identifying information non-retrievable consistent with the policies established under § 2.16.
§ 2.20 - Relationship to state laws.
The statute authorizing the regulations in this part (42 U.S.C. 290dd-2) does not preempt the field of law which they cover to the exclusion of all state laws in that field. If a use or disclosure permitted under the regulations in this part is prohibited under state law, neither the regulations in this part nor the authorizing statute may be construed to authorize any violation of that state law. However, no state law may either authorize or compel any use or disclosure prohibited by the regulations in this part.
§ 2.21 - Relationship to federal statutes protecting research subjects against compulsory disclosure of their identity.
(a) Research privilege description. There may be concurrent coverage of patient identifying information by the regulations in this part and by administrative action taken under section 502(c) of the Controlled Substances Act (21 U.S.C. 872(c) and the implementing regulations at 21 CFR part 1316); or section 301(d) of the Public Health Service Act (42 U.S.C. 241(d) and the implementing regulations at 42 CFR part 2a). These research privilege statutes confer on the Secretary of Health and Human Services and on the Attorney General, respectively, the power to authorize researchers conducting certain types of research to withhold from all persons not connected with the research the names and other identifying information concerning individuals who are the subjects of the research.
(b) Effect of concurrent coverage. The regulations in this part restrict the use and disclosure of information about patients, while administrative action taken under the research privilege statutes and implementing regulations in paragraph (a) of this section protects a person engaged in applicable research from being compelled to disclose any identifying characteristics of the individuals who are the subjects of that research. The issuance under subpart E of this part of a court order authorizing a disclosure of information about a patient does not affect an exercise of authority under these research privilege statutes.
§ 2.22 - Notice to patients of Federal confidentiality requirements.
(a) Notice required. At the time of admission to a part 2 program or, in the case that a patient does not have capacity upon admission to understand their medical status, as soon thereafter as the patient attains such capacity, each part 2 program shall inform the patient that Federal law protects the confidentiality of substance use disorder patient records.
(b) Content of notice. In addition to the communication required in paragraph (a) of this section, a part 2 program shall provide notice, written in plain language, of the program's legal duties and privacy practices, as specified in this paragraph (b).
(1) Required elements. The notice must include the following content:
(i) Header. The notice must contain the following statement as a header or otherwise prominently displayed.
Notice of Privacy Practices of [Name of Part 2 Program]This notice describes:
• HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
• YOUR RIGHTS WITH RESPECT TO YOUR HEALTH INFORMATION
• HOW TO FILE A COMPLAINT CONCERNING A VIOLATION OF THE PRIVACY OR SECURITY OF YOUR HEALTH INFORMATION, OR OF YOUR RIGHTS CONCERNING YOUR INFORMATION
YOU HAVE A RIGHT TO A COPY OF THIS NOTICE (IN PAPER OR ELECTRONIC FORM) AND TO DISCUSS IT WITH [ENTER NAME OR TITLE] AT [PHONE AND EMAIL] IF YOU HAVE ANY QUESTIONS.
(ii) Uses and disclosures. The notice must contain:
(A) A description of each of the purposes for which the part 2 program is permitted or required by this part to use or disclose records without the patient's written consent.
(B) If a use or disclosure for any purpose described in paragraph (b)(1)(ii)(A) of this section is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law.
(C) For each purpose described in accordance with paragraphs (b)(1)(ii)(A) and (B) of this section, the description must include sufficient detail to place the patient on notice of the uses and disclosures that are permitted or required by this part and other applicable law.
(D) A description, including at least one example, of the types of uses and disclosures that require written consent under this part.
(E) A statement that a patient may provide a single consent for all future uses or disclosures for treatment, payment, and health care operations purposes.
(F) A statement that the part 2 program will make uses and disclosures not described in the notice only with the patient's written consent.
(G) A statement that the patient may revoke written consent as provided by §§ 2.31 and 2.35.
(H) A statement that includes the following information:
(1) Records, or testimony relaying the content of such records, shall not be used or disclosed in any civil, administrative, criminal, or legislative proceedings against the patient unless based on specific written consent or a court order;
(2) Records shall only be used or disclosed based on a court order after notice and an opportunity to be heard is provided to the patient or the holder of the record, where required by 42 U.S.C. 290dd-2 and this part; and
(3) A court order authorizing use or disclosure must be accompanied by a subpoena or other similar legal mandate compelling disclosure before the record is used or disclosed.
(iii) Separate statements for certain uses or disclosures. If the part 2 program intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(D) of this section must include a separate statement as follows:
(A) Records that are disclosed to a part 2 program, covered entity, or business associate pursuant to the patient's written consent for treatment, payment, and health care operations may be further disclosed by that part 2 program, covered entity, or business associate, without the patient's written consent, to the extent the HIPAA regulations permit such disclosure.
(B) A part 2 program may use or disclose records to fundraise for the benefit of the part 2 program only if the patient is first provided with a clear and conspicuous opportunity to elect not to receive fundraising communications.
(iv) Patient rights. The notice must contain a statement of the patient's rights with respect to their records and a brief description of how the patient may exercise these rights, as follows:
(A) Right to request restrictions of disclosures made with prior consent for purposes of treatment, payment, and health care operations, as provided in § 2.26.
(B) Right to request and obtain restrictions of disclosures of records under this part to the patient's health plan for those services for which the patient has paid in full, in the same manner as 45 CFR 164.522 applies to disclosures of protected health information.
(C) Right to an accounting of disclosures of electronic records under this part for the past 3 years, as provided in § 2.25, and a right to an accounting of disclosures that meets the requirements of 45 CFR 164.528(a)(2) and (b) through (d) for all other disclosures made with consent.
(D) Right to a list of disclosures by an intermediary for the past 3 years as provided in § 2.24.
(E) Right to obtain a paper or electronic copy of the notice from the part 2 program upon request.
(F) Right to discuss the notice with a designated contact person or office identified by the part 2 program pursuant to paragraph (b)(1)(vii) of this section.
(G) Right to elect not to receive fundraising communications.
(v) Part 2 program's duties. The notice must contain:
(A) A statement that the part 2 program is required by law to maintain the privacy of records, to provide patients with notice of its legal duties and privacy practices with respect to records, and to notify affected patients following a breach of unsecured records;
(B) A statement that the part 2 program is required to abide by the terms of the notice currently in effect; and
(C) For the part 2 program to apply a change in a privacy practice that is described in the notice to records that the part 2 program created or received prior to issuing a revised notice, a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for records that it maintains. The statement must also describe how it will provide patients with a revised notice.
(vi) Complaints. The notice must contain a statement that patients may complain to the part 2 program and to the Secretary if they believe their privacy rights have been violated, a brief description of how the patient may file a complaint with the program, and a statement that the patient will not be retaliated against for filing a complaint.
(vii) Contact. The notice must contain the name, or title, telephone number, and email address of a person or office to contact for further information about the notice.
(viii) Effective date. The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.
(2) Optional elements. (i) In addition to the content required by paragraph (b)(1) of this section, if a part 2 program elects to limit the uses or disclosures that it is permitted to make under this part, the part 2 program may describe its more limited uses or disclosures in its notice, provided that the part 2 program may not include in its notice a limitation affecting its right to make a use or disclosure that is required by law or permitted to be made for emergency treatment.
(ii) For the part 2 program to apply a change in its more limited uses and disclosures to records created or received prior to issuing a revised notice, the notice must include the statements required by paragraph (b)(1)(v)(C) of this section.
(3) Revisions to the notice. The part 2 program must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the patient's rights, the part 2 program's legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected.
(c) Implementation specifications: Provision of notice. A part 2 program must make the notice required by this section available upon request to any person and to any patient; and
(1) A part 2 program must provide the notice:
(i) No later than the date of the first service delivery, including service delivered electronically, to such patient after the compliance date for the part 2 program; or
(ii) In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation.
(2) If the part 2 program maintains a physical service delivery site:
(i) Have the notice available at the service delivery site for patients to request to take with them; and
(ii) Post the notice in a clear and prominent location where it is reasonable to expect patients seeking service from the part 2 program to be able to read the notice in a manner that does not identify the patient as receiving treatment or services for substance use disorder; and
(iii) Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph (c)(2)(ii) of this section, if applicable.
(3) Specific requirements for electronic notice include all the following:
(i) A part 2 program that maintains a website that provides information about the part 2 program's customer services or benefits must prominently post its notice on the website and make the notice available electronically through the website.
(ii) A part 2 program may provide the notice required by this section to a patient by email, if the patient agrees to electronic notice and such agreement has not been withdrawn. If the part 2 program knows that the email transmission has failed, a paper copy of the notice must be provided to the patient. Provision of electronic notice by the part 2 program will satisfy the provision requirements of this paragraph (c) when timely made in accordance with paragraph (c)(1) or (2) of this section.
(iii) For purposes of paragraph (c)(2)(i) of this section, if the first service delivery to an individual is delivered electronically, the part 2 program must provide electronic notice automatically and contemporaneously in response to the individual's first request for service. The requirements in paragraph (c)(2)(ii) of this section apply to electronic notice.
(iv) The patient who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from a part 2 program upon request.
§ 2.23 - Patient access and restrictions on use and disclosure.
(a) Patient access not prohibited. These regulations do not prohibit a part 2 program from giving a patient access to their own records, including the opportunity to inspect and copy any records that the part 2 program maintains about the patient. The part 2 program is not required to obtain a patient's written consent or other authorization under the regulations in this part in order to provide such access to the patient.
(b) Restriction on use and disclosure of information. Information obtained by patient access to their record is subject to the restriction on use and disclosure of records to initiate or substantiate any criminal charges against the patient or to conduct any criminal investigation of the patient as provided for under § 2.12(d)(1).
§ 2.24 - Requirements for intermediaries.
Upon request, an intermediary must provide to patients who have consented to the disclosure of their records using a general designation, pursuant to § 2.31(a)(4)(ii)(B), a list of persons to which their records have been disclosed pursuant to the general designation.
(a) Under this section, patient requests:
(1) Must be made in writing; and
(2) Are limited to disclosures made within the past 3 years.
(b) Under this section, the entity named on the consent form that discloses information pursuant to a patient's general designation (the entity that serves as an intermediary) must:
(1) Respond in 30 or fewer days of receipt of the written request; and
(2) Provide, for each disclosure, the name(s) of the entity(ies) to which the disclosure was made, the date of the disclosure, and a brief description of the patient identifying information disclosed.
§ 2.25 - Accounting of disclosures.
(a) General rule. Subject to the limitations in paragraph (b) of this section, a part 2 program must provide to a patient, upon request, an accounting of all disclosures made with consent under § 2.31 in the 3 years prior to the date of the request (or a shorter time period chosen by the patient). The accounting of disclosures must meet the requirements of 45 CFR 164.528(a)(2) and (b) through (d).
(b) Accounting of disclosures for treatment, payment, and health care operations. (1) A part 2 program must provide a patient with an accounting of disclosures of records for treatment, payment, and health care operations only where such disclosures are made through an electronic health record.
(2) A patient has a right to receive an accounting of disclosures described in paragraph (b)(1) of this section during only the 3 years prior to the date on which the accounting is requested.
§ 2.26 - Right to request privacy protection for records.
(a)(1) A part 2 program must permit a patient to request that the part 2 program restrict uses or disclosures of records about the patient to carry out treatment, payment, or health care operations, including when the patient has signed written consent for such disclosures.
(2) Except as provided in paragraph (a)(6) of this section, a part 2 program is not required to agree to a restriction.
(3) A part 2 program that agrees to a restriction under paragraph (a)(1) of this section may not use or disclose records in violation of such restriction, except that, if the patient who requested the restriction is in need of emergency treatment and the restricted record is needed to provide the emergency treatment, the part 2 program may use the restricted record, or may disclose information derived from the record to a health care provider, to provide such treatment to the patient.
(4) If information from a restricted record is disclosed to a health care provider for emergency treatment under paragraph (a)(3) of this section, the part 2 program must request that such health care provider not further use or disclose the information.
(5) A restriction agreed to by a part 2 program under paragraph (a) of this section is not effective under this subpart to prevent uses or disclosures required by law or permitted by this part for purposes other than treatment, payment, and health care operations.
(6) A part 2 program must agree to the request of a patient to restrict disclosure of records about the patient to a health plan if:
(i) The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and
(ii) The record pertains solely to a health care item or service for which the patient, or person other than the health plan on behalf of the patient, has paid the part 2 program in full.
(b) A part 2 program may terminate a restriction, if one of the following applies:
(1) The patient agrees to or requests the termination in writing.
(2) The patient orally agrees to the termination and the oral agreement is documented.
(3) The part 2 program informs the patient that it is terminating its agreement to a restriction, except that such termination is:
(i) Not effective for records restricted under paragraph (a)(6) of this section; and
(ii) Only effective with respect to records created or received after it has so informed the patient.