(a) Records not copied or removed. If patient records are not downloaded, copied or removed from the premises of a part 2 program or other lawful holder, or forwarded electronically to another electronic system or device, patient identifying information, as defined in § 2.11, may be disclosed in the course of a review of records on the premises of a part 2 program or other lawful holder to any individual or entity who agrees in writing to comply with the limitations on re-disclosure and use in paragraph (f) of this section and who:
(1) Performs the audit or evaluation on behalf of:
(i) Any federal, state, or local governmental agency that provides financial assistance to a part 2 program or other lawful holder, or is authorized by law to regulate the activities of the part 2 program or other lawful holder;
(ii) Any individual or entity which provides financial assistance to the part 2 program or other lawful holder, which is a third-party payer covering patients in the part 2 program, or which is a quality improvement organization performing a QIO review, or the contractors, subcontractors, or legal representatives of such individual, entity, or quality improvement organization.
(iii) An entity with direct administrative control over the part 2 program or lawful holder.
(2) Is determined by the part 2 program or other lawful holder to be qualified to conduct an audit or evaluation of the part 2 program or other lawful holder.
(b) Copying, removing, downloading, or forwarding patient records. Records containing patient identifying information, as defined in § 2.11, may be copied or removed from the premises of a part 2 program or other lawful holder or downloaded or forwarded to another electronic system or device from the part 2 program's or other lawful holder's electronic records by any individual or entity who:
(1) Agrees in writing to:
(i) Maintain and destroy the patient identifying information in a manner consistent with the policies and procedures established under § 2.16;
(ii) Retain records in compliance with applicable federal, state, and local record retention laws; and
(iii) Comply with the limitations on disclosure and use in paragraph (f) of this section; and
(2) Performs the audit or evaluation on behalf of:
(i) Any federal, state, or local governmental agency that provides financial assistance to the part 2 program or other lawful holder, or is authorized by law to regulate the activities of the part 2 program or other lawful holder; or
(ii) Any individual or entity which provides financial assistance to the part 2 program or other lawful holder, which is a third-party payer covering patients in the part 2 program, or which is a quality improvement organization performing a QIO review, or the contractors, subcontractors, or legal representatives of such individual, entity, or quality improvement organization.
(iii) An entity with direct administrative control over the part 2 program or lawful holder.
(c) Activities included. Audits and evaluations under this section may include, but are not limited to:
(1) Activities undertaken by a federal, state, or local governmental agency, or a third-party payer entity, in order to:
(i) Identify actions the agency or third-party payer entity can make, such as changes to its policies or procedures, to improve care and outcomes for patients with SUDs who are treated by part 2 programs;
(ii) Ensure that resources are managed effectively to care for patients; or
(iii) Determine the need for adjustments to payment policies to enhance care or coverage for patients with SUD.
(2) Reviews of appropriateness of medical care, medical necessity, and utilization of services.
(d) Quality assurance entities included. Entities conducting audits or evaluations in accordance with paragraphs (a) and (b) of this section may include accreditation or similar types of organizations focused on quality assurance.
(e) Medicare, Medicaid, Children's Health Insurance Program (CHIP), or related audit or evaluation.
(1) Patient identifying information, as defined in § 2.11, may be disclosed under paragraph (e) of this section to any individual or entity for the purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation, including an audit or evaluation necessary to meet the requirements for a Centers for Medicare & Medicaid Services (CMS)-regulated accountable care organization (CMS-regulated ACO) or similar CMS-regulated organization (including a CMS-regulated Qualified Entity (QE)), if the individual or entity agrees in writing to comply with the following:
(i) Maintain and destroy the patient identifying information in a manner consistent with the policies and procedures established under § 2.16;
(ii) Retain records in compliance with applicable federal, state, and local record retention laws; and
(iii) Comply with the limitations on disclosure and use in paragraph (f) of this section.
(2) A Medicare, Medicaid, or CHIP audit or evaluation under this section includes a civil or administrative investigation of a part 2 program by any federal, state, or local government agency with oversight responsibilities for Medicare, Medicaid, or CHIP and includes administrative enforcement, against the part 2 program by the government agency, of any remedy authorized by law to be imposed as a result of the findings of the investigation.
(3) An audit or evaluation necessary to meet the requirements for a CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) must be conducted in accordance with the following:
(i) A CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) must:
(A) Have in place administrative and/or clinical systems; and
(B) Have in place a leadership and management structure, including a governing body and chief executive officer with responsibility for oversight of the organization's management and for ensuring compliance with and adherence to the terms and conditions of the Participation Agreement or similar documentation with CMS; and
(ii) A CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) must have a signed Participation Agreement or similar documentation with CMS, which provides that the CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE):
(A) Is subject to periodic evaluations by CMS or its agents, or is required by CMS to evaluate participants in the CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) relative to CMS-defined or approved quality and/or cost measures;
(B) Must designate an executive who has the authority to legally bind the organization to ensure compliance with 42 U.S.C. 290dd-2 and this part and the terms and conditions of the Participation Agreement in order to receive patient identifying information from CMS or its agents;
(C) Agrees to comply with all applicable provisions of 42 U.S.C. 290dd-2 and this part;
(D) Must ensure that any audit or evaluation involving patient identifying information occurs in a confidential and controlled setting approved by the designated executive;
(E) Must ensure that any communications or reports or other documents resulting from an audit or evaluation under this section do not allow for the direct or indirect identification (e.g., through the use of codes) of a patient as having or having had a substance use disorder; and
(F) Must establish policies and procedures to protect the confidentiality of the patient identifying information consistent with this part, the terms and conditions of the Participation Agreement, and the requirements set forth in paragraph (e)(1) of this section.
(4) Program, as defined in § 2.11, includes an employee of, or provider of medical services under the program when the employee or provider is the subject of a civil investigation or administrative remedy, as those terms are used in paragraph (e)(2) of this section.
(5) If a disclosure to an individual or entity is authorized under this section for a Medicare, Medicaid, or CHIP audit or evaluation, including a civil investigation or administrative remedy, as those terms are used in paragraph (e)(2) of this section, the individual or entity may further disclose the patient identifying information that is received for such purposes to its contractor(s), subcontractor(s), or legal representative(s), to carry out the audit or evaluation, and a quality improvement organization which obtains such information under paragraph (a) or (b) of this section may disclose the information to that individual or entity (or, to such individual's or entity's contractors, subcontractors, or legal representatives, but only for the purposes of this section).
(6) The provisions of this paragraph do not authorize the part 2 program, the federal, state, or local government agency, or any other individual or entity to disclose or use patient identifying information obtained during the audit or evaluation for any purposes other than those necessary to complete the audit or evaluation as specified in paragraph (e) of this section.
(f) Limitations on disclosure and use. Except as provided in paragraph (e) of this section, patient identifying information disclosed under this section may be disclosed only back to the part 2 program or other lawful holder from which it was obtained and may be used only to carry out an audit or evaluation purpose or to investigate or prosecute criminal or other activities, as authorized by a court order entered under § 2.66.
(g) Audits and evaluations mandated by statute or regulation. Patient identifying information may be disclosed to federal, state, or local government agencies, and the contractors, subcontractors, and legal representatives of such agencies, in the course of conducting audits or evaluations mandated by statute or regulation, if those audits or evaluations cannot be carried out using deidentified information.
[82 FR 6115, Jan. 18, 2017, as amended at 83 FR 252, Jan. 3, 2018; 85 FR 43039, July 15, 2020]