
Office of Mental Health

New York State Office of Mental Health HIPAA Preemption Analysis

Federal Law | HIPAA Regulation | Compatibility Analysis
Federal Protection and Advocacy for the Mentally Ill:
42 USCA §10806: An eligible system which has access to records which, under federal or State law, are required to be maintained in a confidential manner by a provider of health services shall, except as provided in subsection (b) of this section, maintain the confidentiality of such records to the same extent as is required of the provider of services.

A system established in a State under section 10803 of this title to protect and advocate the rights of individuals with mental illness shall… (4) in accordance with section 10806 of this title, have access to all records of… (A) any individual who is a client of the system if such individual, or the legal guardian, conservator, or other legal representative of such individual, has authorized the system to have such access; (B) any individual (including an individual whose whereabouts are unknown) (i) who, by reason of the mental or physical condition of such individual is unable to authorize the system to have such access; (ii) who does not have a legal guardian, conservator, or other legal representative, or for whom the legal guardian is the State; and (iii) with respect to whom a complaint has been received by the system or with respect to whom as a result of monitoring or other activities… there is probable cause to believe that such individual has been subject to abuse or neglect; and (C) any individual with a mental illness, who has a legal guardian, conservator, or other legal representative, with respect to whom a complaint has been received by the system or with respect to whom there is probable cause to believe the health or safety of the individual is in serious and immediate jeopardy, whenever (i) such representative has been contacted by such system upon receipt of the name and address of the representative; (ii) such system has offered assistance to such representative to resolve the situation; and (iii) such representative has failed or refused to act on behalf of the individual.

§164.502(a)(1): A covered entity is permitted to use/disclose PHI to the patient (including a patient's personal representative, i.e., someone authorized to act on patient's behalf to make health care decisions).

§164.508(a)(1): Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose PHI without an authorization that is valid under this section. (p. 82811:1)

§164.512(c)(1): Disclosures about victims of abuse, neglect, or domestic violence. Except for reports of child abuse or neglect… a covered entity may disclose PHI about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence: (i) to the extent the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law; (ii) if the individual agrees to the disclosure; or (iii) to the extent the disclosure is expressly authorized by statute or regulation and: (A) the covered entity, in the exercise of professional judgment, believes the disclosure is necessary to prevent serious harm to the individual or other potential victims or (B) if the individual is unable to agree because of incapacity, a law enforcement official or other public official authorized to receive the report represents that the PHI for which disclosure is sought is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.

§164.512(c)(2) Informing the individual. A covered entity that makes a disclosure permitted by paragraph (c)(1) of this section must promptly inform the individual that such a report has been/will be made, except if: (i) the covered entity, in the exercise of professional judgment, believes informing the individual would place him/her at serious risk of harm; or (ii) the covered entity would be informing a personal representative and the covered entity reasonably believes, using professional judgment, that he/she is the perpetrator and that informing him/her would not be in the patient's best interests.

§164.512(j): A covered entity may, consistent with applicable law and standards of ethical conduct, use/disclose PHI if it believes, in good faith, that the use/disclosure (i)(A) is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and (B) is to a person(s) reasonably able to prevent/lessen the threat.

The two sets of federal regulations appear similar, in that disclosures to PAMI systems are not permitted unless the patient has authorized the disclosure, or in instances involving abuse that are accommodated in HIPAA; however, HIPAA should be followed to ensure requisite attempts to notify the individual are made.
42 CFR PART 2: Confidentiality of Alcohol and Drug Abuse Patient Records
§2.4 Criminal penalty for violation. Under 42 USC 290ee-3(f) and 42 USC 290dd-3(f), any person who violates any provision of those statutes or these regulations shall be fined not more than $500 in the case of a first offense, and not more than $5,000 in the case of each subsequent offense.

§160.312(a)(2): If a covered entity fails to adhere to the privacy regulations, it is subject to civil/criminal penalties initiated by HHS. Non-compliant entities are subject to civil monetary penalties ranging from $100 to $25,000, depending on the extent of non-compliance. Misdemeanor or felony criminal penalties apply if a covered entity wrongfully/knowingly discloses PHI in violation of HIPAA. Criminal violations are punishable by fines up to $250,000 or imprisonment (a maximum of 10 years) or both.

HIPAA penalties are more severe than those under 42 CFR Part 2; it is unclear which penalties would apply to a program covered by both in the event of an unauthorized use/disclosure of PHI, but this may be fact dependent.
§2.11 Definitions

Diagnosis: means any reference to an individual's alcohol/drug abuse or to a condition which is identified as having been caused by that abuse which is made for the purpose of treatment or referral to treatment.

Patient identifying information: means the name, address, social security number, fingerprints, photograph, or similar information by which the identity of a patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information. The term does not include a number assigned to a patient by a program, if that number does not consist of, or contain numbers (such as a social security, or driver's license number) which could be used to identify a patient with reasonable accuracy and speed from sources external to the program.

Record means any information, whether recorded or not, relating to a patient received or acquired by a federally assisted alcohol or drug program.

Federally assisted: means an alcohol/drug program that (1) receives federal funds in any form, even if the funds do not directly pay for the alcohol/drug services; or (2) is assisted by the IRS through grant of tax exempt status or allowance of tax deductions for contributions; or (3) is authorized to conduct business by the federal government; or (4) is conducted directly by the federal government.

§160.103: Covered entity means: (1) a health plan; (2) a health care clearinghouse; (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

§160.103: Health Information means any information, whether oral or recorded in any medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

§160.103: Individually identifiable health information: is information that is a subset of health information, including demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

§160.103: Protected health information: is individually identifiable health information that is transmitted or maintained in any medium.

§164.514(b): Requirements for de-identification of PHI: (2)(i): [Information is considered de-identified if] …the following identifiers are removed: (A) Names; (B) all geographic subdivisions smaller than a State…; (C) all elements of dates, except year, for dates directly related to an individual…; (D) telephone #s; (E) fax #s; (F) e-mail addresses; (G) SS#s; (H) medical record #s; (I) health plan beneficiary #s; (J) account #s; (K) certificate/license #s; (L) vehicle identifiers and serial #s…; (M) device identifiers and serial #s; (N) URLs; (O) IP address #s; (P) biometric identifiers; (Q) full face photographic images and any comparable images; and (R) any other unique identifying #, characteristic or code; and (ii) the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information.

1. HIPAA broadly applies to "covered entities;" 42 CFR Part 2 applies to "federally assisted alcohol/drug program." Hence, unless a covered entity is also a federally assisted alcohol/drug program, it is not bound by 42 CFR Part 2. A federally assisted alcohol/drug program that is also a covered entity is bound both by HIPAA and 42 CFR Part 2.

2. The HIPAA definition of "protected health information" covers a wider scope of information than does 42 CFR Part 2. Hence, the HIPAA definition of PHI preempts the definition of "patient identifying information" in 42 CFR Part 2.

§2.11 Definitions

Patient means any individual who has applied for or been given diagnosis or treatment for alcohol/drug abuse at a federally assisted program and includes any individual who, after arrest on a criminal charge, is identified as an alcohol/drug abuser in order to determine that person's eligibility to participate in a program.

§164.501: Individual means the person who is the subject of protected health information.

§164.502(g): A "personal representative" can fulfill the role of the individual about whom PHI pertains if the representative has authority to act on behalf of the individual in making decisions about health care.

1. The definitions of "patient" and "individual" are similar, although in some respects the 42 CFR Part 2 definition is broader; therefore, a provider covered by both should follow the 42 CFR Part 2 definition.

2. Both regulations permit "personal representatives" to stand in the patient's shoes with regard to consenting for the use/disclosure of health information. However, the HIPAA definition is narrower in that it defines a "personal representative" as a person who has authority to act on behalf of the individual in making decisions about health care. 42 CFR Part 2 would permit a person with power of attorney over fiscal affairs (i.e., he/she is authorized under law to act on the patient's behalf, albeit in limited regard) to provide such consent. Therefore, the HIPAA definition of "personal representative" is more stringent than 42 CFR Part 2 and controls.

§2.11 Definitions

Qualified service organization: means a person which: (a) provides services to a program, such as data processing, bill collecting, dosage preparation, laboratory analyses, or legal, medical, accounting or other professional services, or services to prevent or treat child abuse or neglect, including training on nutrition and child care and individual and group therapy; and (b) has entered into a written agreement with a program under which that person: (1) acknowledges that in receiving, storing, processing or otherwise dealing with any patient records from the program, it is fully bound by 42 CFR Part 2; and (2) if necessary, will resist in judicial proceedings any efforts to obtain access to patient records except as provided by 42 CFR Part 2.

§2.12(c)(4): The restrictions on disclosure in these regulations do not apply to communications between a program and a QSOA of information needed by the organization to provide services to the program.

§160.103 Business Associate means a person or entity other than a member of the covered entity's workforce that performs or assists in performing a function or activity on behalf of the covered entity that involves the use or disclosure of PHI.

§164.504: Uses & disclosures; organizational requirements (e)(1): Business associate contracts: Business associate contracts must: (1) establish the BA's permitted and required uses and disclosures of PHI; (2) prohibit the BA from using/further disclosing PHI, except as permitted by HIPAA; (3) require the BA to use appropriate safeguards to prevent unauthorized use/disclosure of the information; (4) require the BA to report to the covered entity if it becomes aware of any use/disclosure of PHI in violation of the contract; (5) require the BA to ensure that its agents/subcontractors agree to the same restrictions on use/disclosure of PHI; (6) require the BA to make PHI available for amendment and incorporate any amendments to PHI; (7) require that the BA's internal practices, books, and records relating to use/disclosure of PHI be made available to HHS for purposes of determining compliance; (8) at termination of the contract: (a) if feasible, return or destroy all PHI the BA maintains in any form and retain no copies of such information; (b) or, if return/destruction is not feasible, continue the protections of the contract for the PHI and limit further uses/disclosures to the purposes that make return or destruction of the PHI infeasible; (9) allow the covered entity to terminate the contract if the covered entity determines that the BA has violated a material term.

Preamble: A covered entity may disclose PHI to a business associate, consistent with the other requirements of the final rule, as necessary to permit the business associate to perform functions and activities for or on behalf of the covered entity…..a business associate may only use the PHI it receives in its capacity as a business associate to a covered entity as permitted by its contract or agreement with the covered entity. (p. 82504:2)

1. A "qualified service organization" is a subset of a "business associate"; the HIPAA term "business associate" is broader than is QSOA. Therefore, programs covered by both HIPAA and 42 CFR Part 2 should follow the definition of "business associate" in making determinations as to the entities with which they need to have formalized agreements.

2. Business Associate agreements under HIPAA have 9 required elements, while QSOAs under 42 CFR Part 2 have only 2. Therefore, programs covered by both will need to ensure all 11 elements are addressed in their formalized agreements.

3. If an entity covered by both HIPAA and 42 CFR Part 2 has a QSOA relationship, but PHI is not necessarily needed in order to perform that service (needing PHI is not a requirement for something to be considered a QSOA), the relationship would not constitute a "business associate" relationship for purposes of HIPAA. Hence, disclosures would not be permitted without patient authorization. In this regard, HIPAA is more stringent than 42 CFR Part 2 and prevails.

§2.12(c)(1) Applicability: Veterans Administration: These regulations do not apply to information on alcohol and drug abuse patients maintained in connection with the Veterans Administration provision of hospital care, nursing home care, domiciliary care, and medical services under title 38, United States Code. Those records are governed by 38 U.S.C. 4132 and regulations issued under that authority by the Administrator of Veterans Affairs.

§160.103: Health Information means any information, whether oral or recorded in any medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

Further analysis is required to determine whether or not the provisions of 38 U.S.C. 4132 and corresponding regulations are equally, or more, stringent than HIPAA. If they are, this provision of 42 CFR Part 2 cannot be followed. If they are not, however, this provision of 42 CFR Part 2 will, in fact, prevail.
§2.12(c)(2) Applicability: Exceptions: Armed Forces. These regulations apply to any information which was obtained by any component of the Armed Forces during a period when the patient was subject to the Uniform Code of Military Justice except: (i) any interchange of that information within the Armed Forces; and (ii) any interchange of that information between the Armed Forces and those components of the Veterans Administration furnishing health care to veterans.

§160.103: Health Information means any information, whether oral or recorded in any medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

HIPAA applies to all health information; to the extent 42 CFR Part 2 "carves out" a subset of health information, depending on where/how it was obtained, to which the regulations do not apply, it provides less protection/access to health records than does HIPAA, and programs covered by both sets of regulations should comply with HIPAA in this regard.
§2.12(c)(3) Applicability: Exceptions: Communication within a program or between a program and an entity having direct administrative control over that program. The restrictions on disclosure in these regulations do not apply to communications of information between or among personnel having a need for the information in connection with their duties that arise out of the provision of diagnosis, treatment, or referral for treatment of alcohol/drug abuse if the communications are (1) within a program; or (2) between a program and an entity that has direct administrative control over the program.

§164.502(b)(2) Minimum necessary does not apply to: (i) disclosures to or requests by a health care provider for treatment…

§164.504 (a) Definitions: Common control exists if an entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity.

Common ownership exists if an entity …possesses an ownership or equity interest of 5% or more in another entity.

(d)(1) Affiliated covered entities. Legally separate covered entities that are affiliated may designate themselves as a single covered entity for purposes of this subpart. (2)(i) legally separate covered entities may designate themselves …as a single affiliated covered entity …if all of the covered entities designated are under common ownership or control.

Programs covered by both 42 CFR Part 2 and HIPAA should follow 42 CFR Part 2 in regard to intra-program communications; while both rules are similar, 42 CFR Part 2 more strictly defines the concept of an affiliated entity.
§2.12(c)(5) Applicability: Crimes on program premises: The restrictions on disclosure and use… do not apply to communications from program personnel to law enforcement officers which (i) are directly related to a patient's commission of a crime on the premises of the program or against program personnel or to a threat to commit such a crime; and (ii) are limited to the circumstances of the incident, including the patient status of the individual committing/threatening to commit the crime, that individual's name and address, and that individual's last known whereabouts.

§164.512(f)(5): Crime on program premises. A covered entity may disclose to a law enforcement official PHI that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity.

Programs covered by both 42 CFR Part 2 and HIPAA should follow 42 CFR Part 2 in regard to reporting crimes on program premises. While the rules are similar, 42 CFR Part 2 contains limitations on the amount of information that can be so disclosed.
§2.12(c)(6) Applicability: Exceptions: Reports of suspected child abuse or neglect. The restrictions on disclosure and use in these regulations do not apply to the reporting under State law of incidents of suspected child abuse and neglect to the appropriate State or local authorities. However, the restrictions continue to apply to the original alcohol or drug abuse patient records maintained by the program including their disclosure and use for civil or criminal proceedings which may arise out of the report of suspected child abuse or neglect.

§164.512(b): A covered entity may disclose PHI for the public health activities and purposes described in this paragraph to: (ii) a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect.

Programs covered by both 42 CFR Part 2 and HIPAA should follow 42 CFR Part 2 in regard to child abuse reporting; while both rules are similar, 42 CFR Part 2 reinforces the confidentiality of such records for any purpose beyond the making of the report.
§2.12(d) Applicability: Applicability to recipients of information (1) Restriction on use of information. The restriction on the use of any information subject to these regulations to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient applies to any person who obtains that information from a federally assisted alcohol or drug abuse program, regardless of the status of the person obtaining the information or of whether the information was obtained in accordance with these regulations. This restriction on use bars… the introduction of that information as evidence in a criminal proceeding and any other use of that information to investigate or prosecute a patient with respect to a suspected crime. Information obtained by undercover agents or informants… or through patient access… is subject to the restriction on use.

No comparable provision.

Programs covered by both 42 CFR Part 2 and HIPAA should follow this provision of 42 CFR Part 2.
§2.12(d) Applicability: Applicability to recipients of information (2) Restriction on disclosures - Third party payers, administrative entities, and others. The restrictions on disclosure in these regulations apply to: (1) 3rd party payers with regard to records disclosed to them by federally assisted alcohol or drug abuse programs; (2) entities having direct administrative control over programs with regard to information communicated to them by the program under §2.12(c)(3); (3) persons who receive patient records directly from a federally assisted alcohol or drug abuse program and who are notified of the restrictions on redisclosure of the records in accordance with §2.32 of these regulations.

§160.103: Covered entity means: (1) a health plan; (2) a health care clearinghouse; (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

Programs covered by both 42 CFR Part 2 and HIPAA should follow this provision of 42 CFR Part 2; it is broader in reach than is HIPAA and would cover all health care providers, regardless of whether or not they engage in electronic transactions.
§2.12(e) Explanation of applicability (1) Coverage: These regulations cover any information (including information on referral and intake) about alcohol and drug abuse patients obtained by a program (a defined term) if the program is federally assisted in any manner (a defined term). Coverage includes, but is not limited to, those treatment or rehabilitation programs, employee assistance programs, programs within general hospitals, school-based programs, and private practitioners who hold themselves out as providing, and do provide, alcohol/drug abuse diagnosis, treatment, or referral for treatment. However, these regulations would not apply, for example, to emergency room personnel who refer a patient to the intensive care unit for an apparent overdose, unless the primary function of such personnel is the provision of alcohol/drug abuse diagnosis, treatment or referral and they are identified as providing such services or the emergency room has promoted itself to the community as a provider of such services.

§160.103: Health Information means any information, whether oral or recorded in any medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

HIPAA covers a much wider range of providers and information than does 42 C.F.R. Part 2. Programs covered by both 42 CFR Part 2 and HIPAA should continue to follow this provision of 42 CFR Part 2 for guidance as to what information is under the jurisdiction of that regulation.
§2.12(e) Explanation of applicability (2) Federal assistance to program required: If a patient's alcohol/drug abuse diagnosis, treatment, or referral for treatment is not provided by a program which is federally conducted, regulated, or supported in a manner which constitutes federal assistance… that patient's record is not covered by this regulation…

§160.103: Covered entity means: (1) a health plan; (2) a health care clearinghouse; (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

HIPAA covers a much wider range of providers and entities than does 42 C.F.R. Part 2. Programs covered by both 42 CFR Part 2 and HIPAA should continue to follow this provision of 42 CFR Part 2 for guidance as to what providers/entities are under the jurisdiction of that regulation.
§2.12(e) Explanation of applicability (3) Information to which restrictions are applicable. Whether a restriction is on use/disclosure affects the type of information which may be available (sic). The restrictions on disclosure apply to any information which would identify a patient as an alcohol/drug abuser. The restriction on use of information to bring criminal charges against a patient for a crime applies to any information obtained by the program for the purpose of diagnosis, treatment or referral for treatment of alcohol/drug abuse.

§160.103: Individually identifiable health information: is information that is a subset of health information, including demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

§160.103: Protected health information: is individually identifiable health information that is transmitted or maintained in any medium.

Programs covered by both 42 CFR Part 2 and HIPAA should follow this provision of 42 CFR Part 2.
§2.12(e) Explanation of applicability (4) How type of diagnosis affects coverage. These regulations cover any record of a diagnosis identifying a patient as an alcohol/drug abuser which is prepared in connection with the treatment/referral for treatment of alcohol/drug abuse. A diagnosis prepared for the purpose of treatment or referral for treatment but which is not so used is covered by these regulations. The following are not covered by these regulations: (i) a diagnosis which is made solely for the purpose of providing evidence for use by law enforcement authorities; or (ii) a diagnosis of drug overdose or alcohol intoxication which clearly shows that the individual involved is not an alcohol/drug abuser (e.g. involuntary ingestion of alcohol/drugs or reaction to a prescribed dosage of one or more drugs).

§160.103: Individually identifiable health information: is information that is a subset of health information, including demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

§160.103: Protected health information: is individually identifiable health information that is transmitted or maintained in any medium.

42 C.F.R. Part 2 "excepts out" a portion of information that is not given privacy protection under this regulation; HIPAA covers all individually identifiable health information used/disclosed by a covered entity or Business Associate. Programs covered by both must either extend HIPAA coverage to the information excepted out of 42 CFR Part 2 in this provision, or extend the reach of 42 CFR Part 2 to this excepted information.
§2.13 Confidentiality restrictions. (a) General. The patient records to which these regulations apply may be disclosed/used only as permitted… and may not otherwise be disclosed/used in any civil, criminal, administrative, or legislative proceedings conducted by any Federal, State, or local authority. Any disclosure made under these regulations must be limited to that information which is necessary to carry out the purpose of the disclosure.

§164.502(b) Minimum Necessary: (1) When using or disclosing PHI or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the purpose of the use, disclosure, or request. (2) This does not apply to: (i) disclosures to/requests by a health care provider for treatment; (ii) uses or disclosures made to the individual, as required by paragraph (a)(2)(i) of this section, or pursuant to an authorization; (iii) disclosures made to the Secretary of HHS; (iv) uses or disclosures that are required by law; and (v) uses or disclosures that are required for compliance with applicable requirements of this Subchapter. (p. 82805, 82806)

Programs covered by both 42 CFR Part 2 and HIPAA should continue to follow this provision of 42 CFR Part 2, since it is more stringent than HIPAA.
§2.13 Confidentiality restrictions. (b) Unconditional compliance required. The restrictions on disclosure and use in these regulations apply whether the holder of the information believes that the person seeking the information already has it, has other means of obtaining it, is a law enforcement or other official, has obtained a subpoena, or asserts any other justification for a disclosure or use which is not permitted by these regulations. No comparable provision. Programs covered by both 42 CFR Part 2 and HIPAA should follow this provision of 42 CFR Part 2.
§2.13 Confidentiality restrictions. (c) Acknowledging the presence of patients: Responding to requests. (1) The presence of an identified patient in a facility/component of a facility which is publicly identified as a place where only alcohol/drug abuse diagnosis, treatment or referral is provided may be acknowledged only if the patient's written consent is obtained in accordance with subpart C of these regulations or if an authorizing court order is entered in accordance with subpart E of these regulations. The regulations permit acknowledgment of the presence of an identified patient in a facility or part of a facility if the facility is not publicly identified as only an alcohol/drug abuse diagnosis, treatment or referral facility, and if the acknowledgment does not reveal that the patient is an alcohol/drug abuser. (2) Any answer to a request for a disclosure of patient records which is not permissible under these regulations must be made in a way that will not affirmatively reveal that an identified individual has been, or is being, diagnosed or treated for alcohol/drug abuse. An inquiring party may be given a copy of these regulations and advised that they restrict the disclosure of alcohol/drug abuse patient records, but may not be told affirmatively that the regulations restrict the disclosure of the records of an identified patient. The regulations do not restrict a disclosure that an identified individual is not and has never been a patient.
§164.510(a) Use/Disclosure for Facility Directories: (1) Except when an objection is expressed…a covered health care provider may: (i) Use the following PHI to maintain a directory of individuals in its facility: individual's name; location in the facility; condition described in general terms that does not communicate specific medical information; religious affiliation; and (ii) Disclose for directory purposes such information: to members of the clergy; or, except for religious affiliation, to other persons who ask for the individual by name.

§164.508(a)(1): Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose PHI without an authorization that is valid under this section. (p. 82811:1)

Generally, providers covered by both 42 CFR Part 2 and HIPAA should follow the former with regard to these provisions. However, HIPAA supersedes the provision in 42 CFR Part 2 which permits acknowledgment of the presence of an identified patient in a facility or part of a facility if the facility is not publicly identified as only an alcohol/drug abuse program and if the acknowledgment does not reveal that the patient is an alcohol/drug abuser. Under HIPAA, this is not permitted unless the individual has been given an opportunity to agree or object to these disclosures.
§2.14 Minor patients. (a) Definition of minor. As used in these regulations the term "minor" means a person who has not attained the age of majority specified in the applicable State law, or if no age of majority is specified in the applicable State law, the age of eighteen years.
(b) State law not requiring parental consent to treatment. If a minor patient acting alone has the legal capacity under the applicable State law to apply for and obtain alcohol or drug abuse treatment, any written consent for disclosure authorized under Subpart C of these regulations may be given only by the minor patient. This restriction includes, but is not limited to, any disclosure of patient identifying information to the parent or guardian of a minor patient for the purpose of obtaining financial reimbursement. These regulations do not prohibit a program from refusing to provide treatment until the minor patient consents to the disclosure necessary to obtain reimbursement, but refusal to provide treatment may be prohibited under a State or local law requiring the program to furnish the service irrespective of ability to pay.
(c) State law requiring parental consent to treatment. (1) Where State law requires consent of a parent, guardian, or other person for a minor to obtain alcohol or drug abuse treatment, any written consent for disclosure authorized under Subpart C of these regulations must be given by both the minor and his or her parent, guardian, or other person authorized under State law to act in the minor's behalf.
(2) Where State law requires parental consent to treatment the fact of a minor's application for treatment may be communicated to the minor's parent, guardian, or other person authorized under State law to act in the minor's behalf only if: (i) The minor has given written consent to the disclosure in accordance with Subpart C of these regulations; or (ii) The minor lacks the capacity to make a rational choice regarding such consent as judged by the program director under paragraph (d) of this section.

(d) Minor applicant for services lacks capacity for rational choice. Facts relevant to reducing a threat to the life or physical well being of the applicant or any other individual may be disclosed to the parent, guardian, or other person authorized under State law to act in the minor's behalf if the program director judges that:

(1) A minor applicant for services lacks capacity because of extreme youth or mental or physical condition to make a rational decision on whether to consent to a disclosure under Subpart C of these regulations to his or her parent, guardian, or other person authorized under State law to act in the minor's behalf, and
(2) The applicant's situation poses a substantial threat to the life or physical well being of the applicant or any other individual which may be reduced by communicating relevant facts to the minor's parent, guardian, or other person authorized under State law to act in the minor's behalf.

Not originally addressed in final rule, but see recent amendments: (8/02)

§164.502(g)(1)(ii) Implementation specification: unemancipated minors…(A) A covered entity may disclose PHI about an unemancipated minor to a parent, guardian, or other person acting in loco parentis if the applicable provision of State law or other law, including applicable case law, permits or requires such disclosure; and (B) a covered entity may not disclose PHI about an unemancipated minor to a parent, guardian, or other person acting in loco parentis if the applicable provision of State law or other law, including applicable case law, prohibits such disclosure.

Regulations are consistent: Inasmuch as the recent amendments to HIPAA defer to State law with regard to parental consent to, and access to, the records of minors, and 42 CFR Part 2 essentially does the same with additional, more stringent provisions, 42 CFR Part 2 and State law (MHL §22.11) control.
§ 2.15 Incompetent and deceased patients. (a) Incompetent patients other than minors (1) Adjudication of incompetence. In the case of a patient who has been adjudicated as lacking the capacity, for any reason other than insufficient age, to manage his or her own affairs, any consent which is required under these regulations may be given by the guardian or other person authorized under State law to act in the patient's behalf.
(2) No adjudication of incompetency. For any period for which the program director determines that a patient, other than a minor or one who has been adjudicated incompetent, suffers from a medical condition that prevents knowing or effective action on his or her own behalf, the program director may exercise the right of the patient to consent to a disclosure under Subpart C of these regulations for the sole purpose of obtaining payment for services from a third party payer.
(b) Deceased patients
(1) Vital statistics. These regulations do not restrict the disclosure of patient identifying information relating to the cause of death of a patient under laws requiring the collection of death or other vital statistics or permitting inquiry into the cause of death.
(2) Consent by personal representative. Any other disclosure of information identifying a deceased patient as an alcohol or drug abuser is subject to these regulations. If a written consent to the disclosure is required, that consent may be given by an executor, administrator, or other personal representative appointed under applicable State law. If there is no such appointment the consent may be given by the patient's spouse or, if none, by any responsible member of the patient's family.
§164.502(g)(1): A "personal representative" can fulfill the role of the individual to whom the PHI pertains; (2) If, under applicable law, a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative with respect to PHI relevant to such personal representation.

§164.506(a)(3)(i)(A),(B),(C): In emergency treatment situations, if the covered health care provider is required by law to treat the individual, or if a covered health care provider is unable to obtain consent due to substantial barriers to communication and the covered health care provider determines, in its professional judgment, that the patient's consent is inferred by the circumstances, and the covered health care provider attempts to obtain such consent but is unable to obtain it, the covered health care provider may use/disclose PHI to carry out treatment, payment, or health care operations without patient consent.

Note: Recent amendments eliminate this requirement.

§164.506(c):(1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information…. revised 8/02

§164.512(g): A covered entity may disclose PHI to a coroner or medical examiner for the purpose of identifying a deceased person, determining cause of death, or other duties as authorized by law. (p. 82816:1)

1. HIPAA acknowledges consent by "personal representatives," defined as persons authorized to make health care decisions for the individual. 42 CFR Part 2, however, is both more narrow and more broad than HIPAA: it requires an adjudication that the person is unable to manage his/her own affairs, which HIPAA does not; but HIPAA only permits personal representation if the representative can make health care decisions for the individual, whereas 42 CFR Part 2 uses the broader term "manage affairs," so in this respect HIPAA prevails.

2. HIPAA would permit the provision of 42 CFR Part 2 which allows a program director to use PHI without patient consent for the sole purpose of obtaining payment, under the "substantial barriers to communication" exception. HIPAA would permit use/disclosure in these circumstances for treatment and health care operations purposes as well, but 42 CFR Part 2 would not, and hence that aspect of the latter regulation would prevail.

3. HIPAA and 42 CFR Part 2 are generally consistent with regard to disclosures about decedents for purposes of investigating cause of death; programs covered by both should follow 42 CFR Part 2. It should be noted, however, that HIPAA contains no provisions with regard to who may consent to the release of PHI upon a person's death; therefore, it is not clear if the provisions under 42 CFR Part 2 allowing such consent by an executor, personal representative, spouse or family member are permissible.

§ 2.16 Security for written records.
(a) Written records which are subject to these regulations must be maintained in a secure room, locked file cabinet, safe or other similar container when not in use; and
(b) Each program shall adopt in writing procedures which regulate and control access to and use of written records which are subject to these regulations.
§164.530(c)(1): Safeguards: A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.(2) A covered entity must reasonably safeguard PHI from any intentional use/disclosure that is in violation of these standards, implementation specifications, or other requirements of this subpart. The security provisions of 42 CFR Part 2 apply only to written records. Once an entity is covered by HIPAA, the privacy protections apply to records created/stored/transmitted in any medium. Therefore, HIPAA would supersede 42 CFR Part 2 and programs covered by both should comply with the HIPAA safeguard requirements.
§ 2.17 Undercover agents and informants.
(a) Restrictions on placement. Except as specifically authorized by a court order granted under § 2.67 of these regulations, no program may knowingly employ, or enroll as a patient, any undercover agent or informant.
(b) Restriction on use of information. No information obtained by an undercover agent or informant, whether or not that undercover agent or informant is placed in a program pursuant to an authorizing court order, may be used to criminally investigate or prosecute any patient.
No comparable provision. Programs covered by both HIPAA and 42 CFR Part 2 are bound by 42 CFR Part 2 with regard to this provision.
§ 2.18 Restrictions on the use of identification cards.
No person may require any patient to carry on his or her person while away from the program premises any card or other object which would identify the patient as an alcohol or drug abuser. This section does not prohibit a person from requiring patients to use or carry cards or other identification objects on the premises of a program.
No comparable provision. Programs covered by both HIPAA and 42 CFR Part 2 are bound by 42 CFR Part 2 with regard to this provision.
§ 2.19 Disposition of records by discontinued programs.

(a) General. If a program discontinues operations or is taken over or acquired by another program, it must purge patient identifying information from its records or destroy the records unless--
(1) The patient who is the subject of the records gives written consent (meeting the requirements of § 2.31) to a transfer of the records to the acquiring program or to any other program designated in the consent (the manner of obtaining this consent must minimize the likelihood of a disclosure of patient identifying information to a third party); or
(2) There is a legal requirement that the records be kept for a period specified by law which does not expire until after the discontinuation or acquisition of the program.

(b) Procedure where retention period required by law. If paragraph (a)(2) of this section applies, the records must be:
(1) Sealed in envelopes or other containers labeled as follows: "Records of [insert name of program] required to be maintained under [insert citation to statute, regulation, court order or other legal authority requiring that records be kept] until a date not later than [insert appropriate date]"; and
(2) Held under the restrictions of these regulations by a responsible person who must, as soon as practicable after the end of the retention period specified on the label, destroy the records.

§164.530(c)(1): Safeguards: A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.(2) A covered entity must reasonably safeguard PHI from any intentional use/disclosure that is in violation of these standards, implementation specifications, or other requirements of this subpart. It would appear that a program covered by both HIPAA and 42 CFR Part 2 could comply with both provisions; however, applicable provisions of the HIPAA security regulation, when finalized, may impact this analysis.
§2.21 Relationship to Federal statutes protecting research subjects against compulsory disclosure of their identity. (a) Research privilege description. There may be concurrent coverage of patient identifying information by these regulations and by administrative action taken under: Section 303(a) of the Public Health Service Act…and the implementing regulations at 42 CFR Part 2a; or Section 502(c) of the Controlled Substances Act (21 USC 872(c) and the implementing regulations at 21 CFR 1316.21). These "research privilege" statutes confer on the Secretary of Health and Human Services and on the Attorney General, respectively, the power to authorize researchers conducting certain types of research to withhold from all persons not connected with the research the names and other identifying information concerning individuals who are the subjects of the research. (b) Effect of concurrent coverage. These regulations restrict the disclosure and use of information about patients, while administrative action taken under the research privilege statutes and implementing regulations protects a person engaged in applicable research from being compelled to disclose any identifying characteristics of the individuals who are the subjects of that research. The issuance under Subpart E of these regulations of a court order authorizing a disclosure of information about a patient does not affect an exercise of authority under these research privilege statutes. However, the research privilege granted under 21 CFR 291.505(g) to treatment programs using methadone for maintenance treatment does not protect from compulsory disclosure any information which is permitted to be disclosed under those regulations.
Thus, if a court order entered in accordance with Subpart E of these regulations authorizes a methadone maintenance treatment program to disclose certain information about its patients, that program may not invoke the research privilege under 21 CFR 291.505(g) as a defense to a subpoena for that information.

Covered entities subject to these rules are also subject to other statutes and regulations. Thus, covered entities will need to determine how the privacy regulation will affect their ability to comply with these other laws…Ordinarily, later, general statutes will not repeal the special provisions of an earlier, specific statute. In some cases, when a later, general statute creates an irreconcilable conflict or is manifestly inconsistent with the earlier, specific statute in a manner that represents a clear and manifest Congressional intent to repeal the earlier statute, courts will find that the later statute repeals the earlier statute by implication. In these cases, the latest legislative action may prevail and repeal the prior law, but only to the extent of the conflict. (Preamble, p. 82481)

As the federal research statutes identified in 42 CFR Part 2 do not appear inconsistent with, or contrary to, the HIPAA privacy regulations, providers subject to both HIPAA and 42 CFR Part 2 should continue to follow this provision.
§2.22 Notice to patients of Federal confidentiality requirements. (a) Notice required. At the time of admission or as soon thereafter as the patient is capable of rational communication, each program shall: (1) Communicate to the patient that Federal law and regulations protect the confidentiality of alcohol and drug abuse patient records; and
(2) Give to the patient a summary in writing of the Federal law and regulations.
(b) Required elements of written summary. The written summary of the Federal law and regulations must include:
(1) A general description of the limited circumstances under which a program may acknowledge that an individual is present at a facility or disclose outside the program information identifying a patient as an alcohol or drug abuser.
(2) A statement that violation of the Federal law and regulations by a program is a crime and that suspected violations may be reported to appropriate authorities in accordance with these regulations.
(3) A statement that information related to a patient's commission of a crime on the premises of the program or against personnel of the program is not protected.
(4) A statement that reports of suspected child abuse and neglect made under State law to appropriate State or local authorities are not protected.
(5) A citation to the Federal law and regulations.
(c) Program options. The program may devise its own notice or may use the sample notice in paragraph (d) to comply with the requirement to provide the patient with a summary in writing of the Federal law and regulations. In addition, the program may include in the written summary information concerning State law and any program policy not inconsistent with State and Federal law on the subject of confidentiality of alcohol and drug abuse patient records.
(d) Sample notice….(is provided)
§164.520 Notice of privacy practices for PHI

1. An individual has a right to adequate notice of the uses and disclosures of PHI that may be made by the covered entity, and the individual's rights and the covered entity's legal duties with respect to PHI.

2. The notice must contain the following statement as a header or otherwise prominently displayed: THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

3. The notice must be written in plain language and contain: (1) a description, including at least 1 example, of the types of uses/disclosures that the covered entity is permitted to make for treatment, payment & health care operations purposes; (2) a description of each of the other purposes for which the covered entity is permitted/required to use/disclose PHI w/out the person's consent/authorization; (3) if a use/disclosure is prohibited or materially limited by other applicable law, the description of such use/disclosure must reflect the more stringent; (4) for each purpose described the description must include sufficient detail to place the person on notice of the uses/disclosures that are permitted/required by HIPAA and other applicable law; (5) a statement that other uses/disclosures will be made only with the person's written authorization and that the individual may revoke such authorization.

4. If the covered entity intends to engage in any of the following, the description must include a separate statement, as applicable, that (1) the covered entity may contact the individual to provide appointment reminders; (2) the covered entity may contact the individual to raise funds; (3) a group health plan..may disclose PHI to the sponsor.

5. The notice must contain a statement of the individual's rights with respect to PHI and a brief description of how the person can exercise those rights (i.e., right to request restrictions, right to receive confidential communications, right to inspect/copy PHI, right to amend PHI, right to receive accounting of disclosures, and right to receive paper copy of the notice, if notice is received electronically).

6. The notice must contain the covered entity's duties (i.e., a statement that the covered entity is required by law to maintain the privacy of PHI and to provide the notice of its legal duties and privacy practices; a statement that the covered entity is required to abide by the terms of the notice; and, in order for the covered entity to apply a change in its privacy practices, a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for all PHI it maintains, together with a description of how it will provide persons with a new notice).

7. Complaints. The notice must contain a statement that individuals may complain to the covered entity and to the Secretary of HHS if they believe their privacy rights have been violated; a brief description of how to file a complaint with the covered entity; and a statement that the individual will not be retaliated against for filing a complaint.

8. Contact. The notice must contain the name, or title, and telephone number of a person or office to contact for further information.

9. Effective date. The notice must contain the date on which the notice is first in effect, which cannot be earlier than the date on which it is printed/published.

10. Provisions for optional contents are also included.

11. A covered health care provider with a direct treatment relationship with the patient must provide the notice no later than the date of first service delivery, and, except in an emergency situation, make a good faith effort to obtain a written acknowledgment.

12. Whenever the notice is revised, the notice must be made available upon request on or after the effective date of the revision and promptly comply with the acknowledgment requirements.

13. Electronic notice is permitted.

It would appear that a program covered by both HIPAA and 42 CFR Part 2 could comply with both provisions; however, the notice required under 42 CFR Part 2 would need extensive revision in order to comport with the HIPAA notice requirements.
§ 2.23 Patient access and restrictions on use.
(a) Patient access not prohibited. These regulations do not prohibit a program from giving a patient access to his or her own records, including the opportunity to inspect and copy any records that the program maintains about the patient. The program is not required to obtain a patient's written consent or other authorization under these regulations in order to provide such access to the patient.
(b) Restriction on use of information. Information obtained by patient access to his or her patient record is subject to the restriction on use of his information to initiate or substantiate any criminal charges against the patient or to conduct any criminal investigation of the patient as provided for under § 2.12(d)(1).
§164.524(b)(1): The covered entity must permit an individual to request access to inspect or obtain a copy of the PHI about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement.

§164.524(c)(1): The covered entity must provide the access requested by individuals, including inspection or obtaining a copy, or both, of the PHI about them in designated record sets.

§164.524(c)(2)(i): The covered entity must provide the individual with access to the PHI in the form or format requested by the individual, if it is readily producible in such form or format; if not, a readable hard copy form or such other form or format as agreed to by the covered entity and the individual.

It would appear that a program covered by both HIPAA and 42 CFR Part 2 could comply with both provisions; however, HIPAA provides an articulated right to access while 42 CFR Part 2 simply indicates a program is not prohibited from providing such access. Additional provisions of HIPAA give an individual the right to request access to information in a specific format. Therefore, a program covered by both regulations should refer to both to determine how to respond to requests for access to a record by a patient and to ensure compliance with patient rights under HIPAA.
§ 2.31 Form of written consent.
(a) Required elements. A written consent to a disclosure under these regulations must include:
(1) The specific name or general designation of the program or person permitted to make the disclosure.
(2) The name or title of the individual or the name of the organization to which disclosure is to be made.
(3) The name of the patient.
(4) The purpose of the disclosure.
(5) How much and what kind of information is to be disclosed.
(6) The signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent under § 2.14; or, when required for a patient who is incompetent or deceased, the signature of a person authorized to sign under § 2.15 in lieu of the patient.
(7) The date on which the consent is signed.
(8) A statement that the consent is subject to revocation at any time except to the extent that the program or person which is to make the disclosure has already acted in reliance on it. Acting in reliance includes the provision of treatment services in reliance on a valid consent to disclose information to a third party payer.

(9) The date, event, or condition upon which the consent will expire if not revoked before. This date, event, or condition must insure that the consent will last no longer than reasonably necessary to serve the purpose for which it is given.

(b) Sample consent form. The following form complies with paragraph (a) of this section, but other elements may be added.
1. I (name of patient) ( ) Request ( ) Authorize:
2. (name or general designation of program which is to make the disclosure)
3. To disclose: (kind and amount of information to be disclosed)
4. To: (name or title of the person or organization to which disclosure is to be made)
5. For (purpose of the disclosure)
6. Date (on which this consent is signed)
7. Signature of patient
8. Signature of parent or guardian (where required)
9. Signature of person authorized to sign in lieu of the patient (where required)
10. This consent is subject to revocation at any time except to the extent that the program which is to make the disclosure has already taken action in reliance on it. If not previously revoked, this consent will terminate upon: (specific date, event, or condition)

(c) Expired, deficient, or false consent. A disclosure may not be made on the basis of a consent which:
(1) Has expired;
(2) On its face substantially fails to conform to any of the requirements set forth in paragraph (a) of this section;
(3) Is known to have been revoked; or
(4) Is known, or through a reasonable effort could be known, by the person holding the records to be materially false.

§164.506(c): Consent: Content requirements. A consent under this section must be in plain language and: (1) Inform the individual that PHI may be used/disclosed to carry out treatment, payment, and health care operations; (2) refer the individual to the notice required by §164.520 for a more complete description of such uses/disclosures and state that the individual has the right to review the notice prior to signing the consent; (3) if the covered entity has reserved the right to change its privacy practices that are described in the notice in accordance with §164.520(b)(1)(v)(C), state that the terms of its notice may change and describe how the individual may obtain a revised notice; (4) state that: (i) the individual has the right to request that the covered entity restrict how PHI is used/disclosed to carry out treatment, payment, or health care operations; (ii) the covered entity is not required to agree to requested restrictions; and (iii) if the covered entity agrees to a requested restriction, the restriction is binding on the covered entity; (5) state that the individual has the right to revoke the consent in writing, except to the extent the covered entity has acted in reliance on it; and (6) be signed by the individual and dated. (Note: Recent amendments eliminate this requirement.)

§164.506(c):(1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information…. revised 8/02

§164.508(c): Authorization: Core elements and requirements. (1) A valid authorization under this section must contain at least the following elements: (i) a description of the information to be used/disclosed that identifies the information in a specific and meaningful fashion; (ii) the name or other specific identification of the person(s) or class of persons authorized to make the requested use/disclosure; (iii) the name or other specific identification of the person(s) or class of persons to whom the covered entity may make the requested use/disclosure; (iv) an expiration date or expiration event that relates to the individual or the purpose of the use/disclosure; (v) a statement of the individual's right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the individual may revoke the authorization; (vi) a statement that information used/disclosed pursuant to the authorization may be subject to redisclosure by the recipient and no longer be protected by HIPAA; (vii) signature of the individual and date; and (viii) if the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual. (2) Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:

(i) The individual's right to revoke the authorization in writing, and either:

(A) The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or

(B) To the extent that the information in paragraph (c)(2)(i)(A) of this section is included in the notice required by section 164.520, a reference to the covered entity's notice.

(ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:

(A) The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in paragraph (b)(4) of this section applies; or

(B) The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization.

(iii) The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this rule.

(3) Plain language requirement. The authorization must be written in plain language.

(4) Copy to the individual. If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization. revised 8/02

With a limited exception, programs covered by both 42 CFR Part 2 and HIPAA should follow 42 CFR Part 2 with regard to form of consent. However, since a "consent" under 42 CFR Part 2 more closely resembles a HIPAA "authorization" than a HIPAA "consent," a program covered by both needs to ensure that its consent form includes all of the elements necessary for a valid HIPAA authorization for all uses/disclosures of PHI for which a patient authorization is needed under HIPAA.

A 42 CFR Part 2 "consent" is more stringent than a HIPAA consent, in light of the amount of detail it requires. Furthermore, the "minimum necessary" rule, which does not apply to HIPAA uses/disclosures for payment, and health care operations purposes, continues to apply to all 42 CFR Part 2 uses and disclosures, with no exceptions. Therefore, the "minimum necessary" rule of 42 CFR Part 2 should continue to be applied in all uses/disclosures for which a consent is needed under 42 CFR Part 2 and a consent/authorization is needed under HIPAA.

42 CFR Part 2 does not require any type of consent for use/disclosure of PHI for treatment purposes; this is consistent with the recent amendments to HIPAA. Thus, the two sets of regulations are consistent on this point.

§ 2.32 Prohibition on redisclosure.

Notice to accompany disclosure. Each disclosure made with the patient's written consent must be accompanied by the following written statement:
This information has been disclosed to you from records protected by Federal confidentiality rules (42 CFR Part 2). The Federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 CFR Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The Federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient.

No comparable provision. Programs covered by both sets of federal regulations should continue to follow 42 CFR Part 2 with regard to this requirement.
§ 2.34 Disclosures to prevent multiple enrollments in detoxification and maintenance treatment programs.

(a) Definitions. For purposes of this section:
Central registry means an organization which obtains from two or more member programs patient identifying information about individuals applying for maintenance treatment or detoxification treatment for the purpose of avoiding an individual's concurrent enrollment in more than one program.
Detoxification treatment means the dispensing of a narcotic drug in decreasing doses to an individual in order to reduce or eliminate adverse physiological or psychological effects incident to withdrawal from the sustained use of a narcotic drug.
Maintenance treatment means the dispensing of a narcotic drug in the treatment of an individual for dependence upon heroin or other morphine-like drugs.
Member program means a detoxification treatment or maintenance treatment program which reports patient identifying information to a central registry and which is in the same State as that central registry or is not more than 125 miles from any border of the State in which the central registry is located.
(b) Restrictions on disclosure. A program may disclose patient records to a central registry or to any detoxification or maintenance treatment program not more than 200 miles away for the purpose of preventing the multiple enrollment of a patient only if:
(1) The disclosure is made when:
(i) The patient is accepted for treatment;
(ii) The type or dosage of the drug is changed; or
(iii) The treatment is interrupted, resumed or terminated.
(2) The disclosure is limited to:
(i) Patient identifying information;
(ii) Type and dosage of the drug; and
(iii) Relevant dates.
(3) The disclosure is made with the patient's written consent meeting the requirements of § 2.31, except that:
(i) The consent must list the name and address of each central registry and each known detoxification or maintenance treatment program to which a disclosure will be made; and
(ii) The consent may authorize a disclosure to any detoxification or maintenance treatment program established within 200 miles of the program after the consent is given without naming any such program.

(c) Use of information limited to prevention of multiple enrollments. A central registry and any detoxification or maintenance treatment program to which information is disclosed to prevent multiple enrollments may not redisclose or use patient identifying information for any purpose other than the prevention of multiple enrollments unless authorized by a court order under Subpart E of these regulations.
(d) Permitted disclosure by a central registry to prevent a multiple enrollment. When a member program asks a central registry if an identified patient is enrolled in another member program and the registry determines that the patient is so enrolled, the registry may disclose--
(1) The name, address, and telephone number of the member program(s) in which the patient is already enrolled to the inquiring member program; and
(2) The name, address, and telephone number of the inquiring member program to the member program(s) in which the patient is already enrolled. The member programs may communicate as necessary to verify that no error has been made and to prevent or eliminate any multiple enrollment.
(e) Permitted disclosure by a detoxification or maintenance treatment program to prevent a multiple enrollment. A detoxification or maintenance treatment program which has received a disclosure under this section and has determined that the patient is already enrolled may communicate as necessary with the program making the disclosure to verify that no error has been made and to prevent or eliminate any multiple enrollment.

NYS Mental Hygiene Law §19.16 Methadone registry. The office shall establish and maintain, either directly or through contract, a central registry for purposes of preventing multiple enrollment in methadone programs. The office shall require all methadone programs to utilize such registry and shall have the power to assess methadone programs such fees as are necessary and appropriate.

§160.203 General rule and exceptions

A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except if one or more of the following conditions is met: (a) A determination is made by the Secretary under §160.204 that the provision of State law:…(2) Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 USC 802), or that is deemed a controlled substance by State law.

Although HIPAA appears to require a written determination by the Secretary, it appears likely that reports to the methadone registry will continue to be permitted under HIPAA in accordance with this provision.
§ 2.35 Disclosures to elements of the criminal justice system which have referred patients. (a) A program may disclose information about a patient to those persons within the criminal justice system which have made participation in the program a condition of the disposition of any criminal proceedings against the patient or of the patient's parole or other release from custody if:
(1) The disclosure is made only to those individuals within the criminal justice system who have a need for the information in connection with their duty to monitor the patient's progress (e.g., a prosecuting attorney who is withholding charges against the patient, a court granting pretrial or posttrial release, probation or parole officers responsible for supervision of the patient); and
(2) The patient has signed a written consent meeting the requirements of § 2.31 (except paragraph (a)(8) which is inconsistent with the revocation provisions of paragraph (c) of this section) and the requirements of paragraphs (b) and (c) of this section.
(b) Duration of consent. The written consent must state the period during which it remains in effect. This period must be reasonable, taking into account:
(1) The anticipated length of the treatment;
(2) The type of criminal proceeding involved, the need for the information in connection with the final disposition of that proceeding, and when the final disposition will occur; and
(3) Such other factors as the program, the patient, and the person(s) who will receive the disclosure consider pertinent.
(c) Revocation of consent. The written consent must state that it is revocable upon the passage of a specified amount of time or the occurrence of a specified, ascertainable event. The time or occurrence upon which consent becomes revocable may be no later than the final disposition of the conditional release or other action in connection with which consent was given.
(d) Restrictions on redisclosure and use. A person who receives patient information under this section may redisclose and use it only to carry out that person's official duties with regard to the patient's conditional release or other action in connection with which the consent was given.
§164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits. If the disclosures back to a court regarding treatment are mandated in a court order, HIPAA would permit these disclosures without patient consent.

In contrast, 42 CFR Part 2 would require patient consent for such disclosures, but does not permit revocation of such consent until a specified date or event. Since the provision requiring consent for these disclosures is more stringent, this part of 42 CFR Part 2 would apply.

However, under HIPAA, authorizations are revocable by the patient at any time. Compliance with both HIPAA and 42 CFR Part 2 would require providers to utilize consents/authorizations that meet the requirements of both. Therefore, it would appear that criminal justice consents, like any HIPAA consent/authorization, would be revocable by patients at any time.

§ 2.51 Medical emergencies. (a) General Rule. Under the procedures required by paragraph (c) of this section, patient identifying information may be disclosed to medical personnel who have a need for information about a patient for the purpose of treating a condition which poses an immediate threat to the health of any individual and which requires immediate medical intervention. (b) Special Rule. Patient identifying information may be disclosed to medical personnel of the Food and Drug Administration (FDA) who assert a reason to believe that the health of any individual may be threatened by an error in the manufacture, labeling, or sale of a product under FDA jurisdiction, and that the information will be used for the exclusive purpose of notifying patients or their physicians of potential dangers.
(c) Procedures. Immediately following disclosure, the program shall document the disclosure in the patient's records, setting forth in writing:
(1) The name of the medical personnel to whom disclosure was made and their affiliation with any health care facility;
(2) The name of the individual making the disclosure;
(3) The date and time of the disclosure; and
(4) The nature of the emergency (or error, if the report was to FDA).

§164.506(a)(3)(i)(A): A covered health care provider may use/disclose PHI without patient consent in emergency treatment situations, if the covered health care provider attempts to obtain consent as soon as reasonably practical after the delivery of treatment.

Note recent amendments to this requirement :

§164.506(c):(1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information…. revised 8/02

§164.512(b): A covered entity may disclose PHI for the public health activities and purposes described in this paragraph to: (ii) a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect…(iii) a person subject to the jurisdiction of the FDA (A) to report adverse events….

§164.512(j): A covered entity may, consistent with applicable law and standards of ethical conduct, use/disclose PHI if it believes, in good faith, that the use/disclosure (i)(A) is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and (B) is to a person(s) reasonably able to prevent/lessen the threat.

In general, programs covered by 42 CFR Part 2 and HIPAA can continue to follow the provisions of 42 CFR Part 2 with regard to disclosures for medical emergencies.
§ 2.52 Research activities.
(a) Patient identifying information may be disclosed for the purpose of conducting scientific research if the program director makes a determination that the recipient of the patient identifying information:
(1) Is qualified to conduct the research;
(2) Has a research protocol under which the patient identifying information:
(i) Will be maintained in accordance with the security requirements of § 2.16 of these regulations (or more stringent requirements); and
(ii) Will not be redisclosed except as permitted under paragraph (b) of this section; and
(3) Has provided a satisfactory written statement that a group of three or more individuals who are independent of the research project has reviewed the protocol and determined that:
(i) The rights and welfare of patients will be adequately protected; and
(ii) The risks in disclosing patient identifying information are outweighed by the potential benefits of the research.
(b) A person conducting research may disclose patient identifying information obtained under paragraph (a) of this section only back to the program from which that information was obtained and may not identify any individual patient in any report of that research or otherwise disclose patient identities.
§164.512(h): A covered entity may use/disclose PHI for research, regardless of the source of the funding of the research, provided that (i) Board approval of a waiver of authorization: The covered entity obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by §164.508 for use/disclosure of PHI has been approved by either (A) an IRB established in accordance with….(B) a privacy board that: (1) has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual's privacy rights and related interests; (2) includes at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any of such entities and; (3) does not have any member participating in a review of any project in which the member has a conflict of interest….

(2) Documentation of waiver approval. For a use/disclosure to be permitted,…documentation must include…(ii) Waiver criteria: A statement that the IRB or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria: (A) the use/disclosure of PHI involves no more than minimal risk to the individuals; (B) the alteration/waiver will not adversely affect the privacy rights/welfare of the individuals; (C) the research could not practicably be conducted without the alteration/waiver; (D) the research could not practicably be conducted without access to/use of the PHI; (E) the privacy risks to individuals whose PHI is to be used or disclosed are reasonable in relation to the anticipated benefits, if any, to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research; (F) there is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law; and (H) there are adequate written assurances that the PHI will not be reused/disclosed to any person/entity except as required by law, for authorized oversight of the research project, or for other research for which the use/disclosure of the PHI would be permitted by this subpart.

In this instance, HIPAA is generally more restrictive on use/disclosure of PHI for research purposes. Therefore, programs covered by both 42 CFR Part 2 and HIPAA should refer to HIPAA in determining how to respond to requests for PHI for research purposes. It should be noted, however, that 42 CFR Part 2 permits redisclosure of PHI only back to the program from which that information was obtained and does not permit a researcher to identify any individual patient in any report of that research or otherwise disclose patient identities; this requirement is more restrictive than HIPAA and thus would prevail.

§ 2.53 Audit and evaluation activities.
(a) Records not copied or removed. If patient records are not copied or removed, patient identifying information may be disclosed in the course of a review of records on program premises to any person who agrees in writing to comply with the limitations on redisclosure and use in paragraph (d) of this section and who:
(1) Performs the audit or evaluation activity on behalf of:
(i) Any Federal, State, or local governmental agency which provides financial assistance to the program or is authorized by law to regulate its activities; or
(ii) Any private person which provides financial assistance to the program, which is a third party payer covering patients in the program, or which is a quality improvement organization performing a utilization or quality control review; or
(2) Is determined by the program director to be qualified to conduct the audit or evaluation activities.

(b) Copying or removal of records. Records containing patient identifying information may be copied or removed from program premises by any person who:
(1) Agrees in writing to:
(i) Maintain the patient identifying information in accordance with the security requirements provided in § 2.16 of these regulations (or more stringent requirements);
(ii) Destroy all the patient identifying information upon completion of the audit or evaluation; and
(iii) Comply with the limitations on disclosure and use in paragraph (d) of this section; and
(2) Performs the audit or evaluation activity on behalf of:
(i) Any Federal, State, or local governmental agency which provides financial assistance to the program or is authorized by law to regulate its activities; or
(ii) Any private person which provides financial assistance to the program, which is a third party payer covering patients in the program, or which is a quality improvement organization performing a utilization or quality control review.

§164.501: Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory…or a person or entity operating under a grant of authority from or contract with such public agency….that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

§164.512(d) A covered entity may disclose PHI to a health oversight agency for oversight activities authorized by law.

§164.506 A covered entity must obtain the consent of a patient to use or disclose PHI for treatment, payment, or health care operations purposes (p.82810:1)

Note: Recent amendments eliminate this requirement.

§164.506(c):(1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information…. revised 8/02

With regard to audit and evaluation activities, 42 CFR Part 2 is generally more restrictive on use/disclosure of PHI for these purposes. Therefore, programs covered by both 42 CFR Part 2 and HIPAA should refer to 42 CFR Part 2 in determining how to respond to requests for PHI for audit and evaluation activities.
(c) Medicare or Medicaid audit or evaluation.
(1) For purposes of Medicare or Medicaid audit or evaluation under this section, audit or evaluation includes a civil or administrative investigation of the program by any Federal, State, or local agency responsible for oversight of the Medicare or Medicaid program and includes administrative enforcement, against the program by the agency, of any remedy authorized by law to be imposed as a result of the findings of the investigation.
(2) Consistent with the definition of program in § 2.11, program includes an employee of, or provider of medical services under, the program when the employee or provider is the subject of a civil investigation or administrative remedy, as those terms are used in paragraph (c)(1) of this section.
(3) If a disclosure to a person is authorized under this section for a Medicare or Medicaid audit or evaluation, including a civil investigation or administrative remedy, as those terms are used in paragraph (c)(1) of this section, then a quality improvement organization which obtains the information under paragraph (a) or (b) may disclose the information to that person but only for purposes of Medicare or Medicaid audit or evaluation.
(4) The provisions of this paragraph do not authorize the agency, the program, or any other person to disclose or use patient identifying information obtained during the audit or evaluation for any purposes other than those necessary to complete the Medicare or Medicaid audit or evaluation activity as specified in this paragraph.
(d) Limitations on disclosure and use. Except as provided in paragraph (c) of this section, patient identifying information disclosed under this section may be disclosed only back to the program from which it was obtained and used only to carry out an audit or evaluation purpose or to investigate or prosecute criminal or other activities, as authorized by a court order entered under § 2.66 of these regulations.

§ 2.61 Legal effect of order. (a) Effect. An order of a court of competent jurisdiction entered under this subpart is a unique kind of court order. Its only purpose is to authorize a disclosure or use of patient information which would otherwise be prohibited by 42 U.S.C. 290ee-3, 42 U.S.C. 290dd-3 and these regulations. Such an order does not compel disclosure. A subpoena or a similar legal mandate must be issued in order to compel disclosure. This mandate may be entered at the same time as and accompany an authorizing court order entered under these regulations.
(b) Examples.
(1) A person holding records subject to these regulations receives a subpoena for those records: a response to the subpoena is not permitted under the regulations unless an authorizing court order is entered. The person may not disclose the records in response to the subpoena unless a court of competent jurisdiction enters an authorizing order under these regulations.
(2) An authorizing court order is entered under these regulations, but the person authorized does not want to make the disclosure. If there is no subpoena or other compulsory process or a subpoena for the records has expired or been quashed, that person may refuse to make the disclosure. Upon the entry of a valid subpoena or other compulsory process the person authorized to disclose must disclose, unless there is a valid legal defense to the process other than the confidentiality restrictions of these regulations.
§164.501: Required by law: a mandate contained in law that compels a covered entity to make a use/disclosure of PHI and that is enforceable in a court of law; includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a gov'tal…inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation…; and statutes/ regulations that require the production of information, including statutes/ regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use/ disclose PHI to the extent that such use/ disclosure is required by law and the use/ disclosure complies with and is limited to the relevant requirements of such law.

Because 42 CFR Part 2 is more strict than HIPAA in specifying the necessary content of court orders under which PHI can be disclosed, programs covered by both 42 CFR Part 2 and HIPAA should continue to refer to the former when releasing PHI pursuant to court order.
§ 2.62 Order not applicable to records disclosed without consent to researchers, auditors and evaluators. A court order under these regulations may not authorize qualified personnel, who have received patient identifying information without consent for the purpose of conducting research, audit or evaluation, to disclose that information or use it to conduct any criminal investigation or prosecution of a patient. However, a court order under § 2.66 may authorize disclosure and use of records to investigate or prosecute qualified personnel holding the records.

§164.501: Required by law: a mandate contained in law that compels a covered entity to make a use/disclosure of PHI and that is enforceable in a court of law; includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a gov'tal…inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation…; and statutes/ regulations that require the production of information, including statutes/ regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use/ disclose PHI to the extent that such use/ disclosure is required by law and the use/ disclosure complies with and is limited to the relevant requirements of such law.

Because 42 CFR Part 2 is more strict than HIPAA in restricting the ability of court orders to authorize disclosure of PHI in certain circumstances, programs covered by both 42 CFR Part 2 and HIPAA should continue to refer to the former when considering releases of PHI obtained in the course of research, audit, or evaluation activities in the context of criminal investigations of patients.
§ 2.63 Confidential communications. (a) A court order under these regulations may authorize disclosure of confidential communications made by a patient to a program in the course of diagnosis, treatment, or referral for treatment only if:
(1) The disclosure is necessary to protect against an existing threat to life or of serious bodily injury, including circumstances which constitute suspected child abuse and neglect and verbal threats against third parties;
(2) The disclosure is necessary in connection with investigation or prosecution of an extremely serious crime, such as one which directly threatens loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, or child abuse and neglect; or
(3) The disclosure is in connection with litigation or an administrative proceeding in which the patient offers testimony or other evidence pertaining to the content of the confidential communications.
§164.501: Required by law: a mandate contained in law that compels a covered entity to make a use/disclosure of PHI and that is enforceable in a court of law; includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a gov'tal…inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation…; and statutes/ regulations that require the production of information, including statutes/ regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use/ disclose PHI to the extent that such use/ disclosure is required by law and the use/ disclosure complies with and is limited to the relevant requirements of such law.

In limiting the scope of authorizing court orders, 42 CFR Part 2 is more strict than HIPAA, which provides for no such limitations. Therefore, for programs covered by both regulations, 42 CFR Part 2 shall continue to control in this circumstance.
§ 2.64 Procedures and criteria for orders authorizing disclosures for noncriminal purposes.
(a) Application. An order authorizing the disclosure of patient records for purposes other than criminal investigation or prosecution may be applied for by any person having a legally recognized interest in the disclosure which is sought. The application may be filed separately or as part of a pending civil action in which it appears that the patient records are needed to provide evidence. An application must use a fictitious name, such as John Doe, to refer to any patient and may not contain or otherwise disclose any patient identifying information unless the patient is the applicant or has given a written consent (meeting the requirements of these regulations) to disclosure or the court has ordered the record of the proceeding sealed from public scrutiny.
(b) Notice. The patient and the person holding the records from whom disclosure is sought must be given:
(1) Adequate notice in a manner which will not disclose patient identifying information to other persons; and
(2) An opportunity to file a written response to the application, or to appear in person, for the limited purpose of providing evidence on the statutory and regulatory criteria for the issuance of the court order.
(c) Review of evidence: Conduct of hearing. Any oral argument, review of evidence, or hearing on the application must be held in the judge's chambers or in some manner which ensures that patient identifying information is not disclosed to anyone other than a party to the proceeding, the patient, or the person holding the record, unless the patient requests an open hearing in a manner which meets the written consent requirements of these regulations. The proceeding may include an examination by the judge of the patient records referred to in the application.
(d) Criteria for entry of order. An order under this section may be entered only if the court determines that good cause exists. To make this determination the court must find that:
(1) Other ways of obtaining the information are not available or would not be effective; and
(2) The public interest and need for the disclosure outweigh the potential injury to the patient, the physician-patient relationship and the treatment services.
(e) Content of order. An order authorizing a disclosure must:
(1) Limit disclosure to those parts of the patient's record which are essential to fulfill the objective of the order;
(2) Limit disclosure to those persons whose need for information is the basis for the order; and
(3) Include such other measures as are necessary to limit disclosure for the protection of the patient, the physician-patient relationship and the treatment services; for example, sealing from public scrutiny the record of any proceeding for which disclosure of a patient's record has been ordered.

No comparable provision.

but see:

§164.501: Required by law: a mandate contained in law that compels a covered entity to make a use/disclosure of PHI and that is enforceable in a court of law; includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a gov'tal…inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation…; and statutes/ regulations that require the production of information, including statutes/ regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use/ disclose PHI to the extent that such use/ disclosure is required by law and the use/ disclosure complies with and is limited to the relevant requirements of such law.

Programs covered by both HIPAA and 42 CFR Part 2 should continue to refer to 42 CFR Part 2 with regard to the procedure/criteria for authorizing court orders for disclosures for noncriminal purposes.
§ 2.66 Procedures and criteria for orders authorizing disclosure and use of records to investigate or prosecute a program or the person holding the records.
(a) Application. (1) An order authorizing the disclosure or use of patient records to criminally or administratively investigate or prosecute a program or the person holding the records (or employees or agents of that program or person) may be applied for by any administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agency having jurisdiction over the program's or person's activities.
(2) The application may be filed separately or as part of a pending civil or criminal action against a program or the person holding the records (or agents or employees of the program or person) in which it appears that the patient records are needed to provide material evidence. The application must use a fictitious name, such as John Doe, to refer to any patient and may not contain or otherwise disclose any patient identifying information unless the court has ordered the record of the proceeding sealed from public scrutiny or the patient has given a written consent (meeting the requirements of § 2.31 of these regulations) to that disclosure.
(b) Notice not required. An application under this section may, in the discretion of the court, be granted without notice. Although no express notice is required to the program, to the person holding the records, or to any patient whose records are to be disclosed, upon implementation of an order so granted any of the above persons must be afforded an opportunity to seek revocation or amendment of that order, limited to the presentation of evidence on the statutory and regulatory criteria for the issuance of the court order.
(c) Requirements for order. An order under this section must be entered in accordance with, and comply with the requirements of, paragraphs (d) and (e) of § 2.64 of these regulations.
(d) Limitations on disclosure and use of patient identifying information:
(1) An order entered under this section must require the deletion of patient identifying information from any documents made available to the public.
(2) No information obtained under this section may be used to conduct any investigation or prosecution of a patient, or be used as the basis for an application for an order under § 2.65 of these regulations.
No comparable provision.

but see:

§160.501: Law enforcement official means an officer or employee of any agency or authority, of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to: (1) investigate or conduct an official inquiry into a potential violation of law; or (2) prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

§164.512(f)(1): A covered entity may disclose PHI for a law enforcement purpose to a law enforcement official…(i) in compliance with and as limited by the relevant requirements of: (A) a court order or court-ordered subpoena or summons issued by a judicial officer; (B) a grand jury subpoena; or (C) an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that: (1) the information sought is relevant and material to a legitimate law enforcement inquiry; (2) the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and (3) de-identified information could not reasonably be used.

§164.501: Required by law: a mandate contained in law that compels a covered entity to make a use/disclosure of PHI and that is enforceable in a court of law; includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a gov'tal…inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation…; and statutes/ regulations that require the production of information, including statutes/ regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use/ disclose PHI to the extent that such use/ disclosure is required by law and the use/ disclosure complies with and is limited to the relevant requirements of such law.

Programs covered by both HIPAA and 42 CFR Part 2 should continue to refer to 42 CFR Part 2 with regard to the procedure/criteria for authorizing court orders for disclosures for prosecutorial purposes.
§ 2.67 Orders authorizing the use of undercover agents and informants to criminally investigate employees or agents of a program.

(a) Application. A court order authorizing the placement of an undercover agent or informant in a program as an employee or patient may be applied for by any law enforcement or prosecutorial agency which has reason to believe that employees or agents of the program are engaged in criminal misconduct.
(b) Notice. The program director must be given adequate notice of the application and an opportunity to appear and be heard (for the limited purpose of providing evidence on the statutory and regulatory criteria for the issuance of the court order), unless the application asserts a belief that:
(1) The program director is involved in the criminal activities to be investigated by the undercover agent or informant; or
(2) The program director will intentionally or unintentionally disclose the proposed placement of an undercover agent or informant to the employees or agents who are suspected of criminal activities.

(c) Criteria. An order under this section may be entered only if the court determines that good cause exists. To make this determination the court must find:
(1) There is reason to believe that an employee or agent of the program is engaged in criminal activity;
(2) Other ways of obtaining evidence of this criminal activity are not available or would not be effective; and
(3) The public interest and need for the placement of an undercover agent or informant in the program outweigh the potential injury to patients of the program, physician-patient relationships and the treatment services.
(d) Content of order. An order authorizing the placement of an undercover agent or informant in a program must:
(1) Specifically authorize the placement of an undercover agent or an informant;
(2) Limit the total period of the placement to six months;
(3) Prohibit the undercover agent or informant from disclosing any patient identifying information obtained from the placement except as necessary to criminally investigate or prosecute employees or agents of the program; and
(4) Include any other measures which are appropriate to limit any potential disruption of the program by the placement and any potential for a real or apparent breach of patient confidentiality; for example, sealing from public scrutiny the record of any proceeding for which disclosure of a patient's record has been ordered.
(e) Limitation on use of information. No information obtained by an undercover agent or informant placed under this section may be used to criminally investigate or prosecute any patient or as the basis for an application for an order under § 2.65 of these regulations.

No comparable provisions. Programs covered by both HIPAA and 42 CFR Part 2 should continue to refer to 42 CFR Part 2 with regard to the procedure/criteria for orders authorizing the use of undercover agents and informants.
Patient Access to Records

Not addressed in 42 CFR Part 2.

§164.524(b)(1): The covered entity must permit an individual to request access to inspect or obtain a copy of the PHI about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement.

§164.524(b)(2): The covered entity must act on a request for access no later than 30 days after receipt of the request.

Programs covered by both 42 CFR Part 2 and HIPAA must follow the HIPAA rules in regard to this requirement.
Right to request Restrictions

Not addressed in 42 CFR Part 2.

§164.522 (a)(1) Right to request restrictions. A covered entity must permit an individual to request that the covered entity restrict (1) uses/disclosures of PHI about the individual to carry out treatment, payment and health care operations and (2) disclosures of PHI for involvement in the individual's care and notification purposes. A covered entity does not have to agree to these restrictions. Programs covered by both 42 CFR Part 2 and HIPAA must follow the HIPAA rules in regard to this requirement.
Right to request Accountings

Not addressed in 42 CFR Part 2.

§164.528 (a)(1) Right to request accountings. An individual has a right to receive an accounting of disclosures of PHI made by a covered entity in the 6 years prior to the date on which an accounting is requested, except for disclosures: (1) to carry out treatment, payment, and health care operations; (2) to the individuals themselves; (3) that are made for national security or intelligence purposes; (4) that are related to certain custodial situations; (5) to correctional institutions and law enforcement officials; and (6) which occurred prior to the compliance date for the covered entity.

§164.528 (c): The covered entity must act on the individual's request for an accounting no later than 60 days after receipt of such request by providing the accounting or requesting an extension of no more than 30 days. The first accounting must be provided without charge, and thereafter a reasonable, cost-based fee for each subsequent accounting may be charged if the individual is informed in advance of the fee and an opportunity to modify the request to reduce or avoid the fee.

§164.528 (d): Documentation. A covered entity must retain documentation of the information required to be included in an accounting, the written accounting provided to the individual, and titles of persons or responsible officers who process/receive accountings.

Programs covered by both 42 CFR Part 2 and HIPAA must follow the HIPAA rules in regard to this requirement.
Administrative Requirements:

Not addressed (or, in the case of safeguard requirements, not adequately addressed) in 42 CFR Part 2.

§164.530 (a)(1): Personnel Designations: A covered entity must designate a privacy official who is responsible for the development and implementation of the policies/procedures of the entity.

§164.530 (a)(2) Documentation: A covered entity must document the required personnel designations.

§164.530 (a)(3) Training: A covered entity must train all members of its workforce on the policies/procedures with respect to PHI required by HIPAA, as necessary and appropriate to carry out their functions within the covered entity. The workforce must be trained prior to the compliance date; new members must be trained within a reasonable time after joining the workforce… Such training must be documented.

§164.530 (c) Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

§164.530 (d)(1): Complaints. A covered entity must provide a process for individuals to make complaints concerning: (1) the covered entity's policies and procedures required by HIPAA and (2) its compliance with such policies and procedures or the requirements of HIPAA.

§164.530 (d)(2) Documentation of complaints: A covered entity must document all complaints received, as well as their disposition.

§164.530 (e)(1),(2) Sanctions: A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with HIPAA… Those sanctions must be documented.

§164.530 (f): Mitigation: A covered entity must mitigate, to the extent practicable, any harmful effects known to the covered entity of a use/disclosure of PHI in violation of its policies/procedures or HIPAA by the covered entity or its business associate.

§164.530 (g) Retaliatory acts: A covered entity may not intimidate, threaten, coerce, discriminate against, or take retaliatory action against any individual for exercising his/her rights or for filing a complaint with HHS.

§164.530 (h): Waiver: A covered entity may not require individuals to waive their rights to file complaints or any other rights under HIPAA as a condition of provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

§164.530 (i)(1),(2),(3),(4) Policies and procedures: A covered entity must implement policies and procedures with respect to PHI designed to comply with the requirements of HIPAA… Such policies/procedures must be changed as necessary to comply with changes in the law… must document and implement the revised policies/procedures promptly… and must revise its Notice of Privacy Practices.

§164.530 (j)(1),(2) Retention of policies: A covered entity must maintain the required policies/procedures in written or electronic form, copies of communications HIPAA requires, and records of any action, activity, or designation HIPAA requires to be documented. Such documentation must be retained for 6 years from date of creation or date last in effect, whichever is later.

Programs covered by both 42 CFR Part 2 and HIPAA must follow the HIPAA rules in regard to these requirements.