3_1_2024 Part 2 Supporting Statement FINAL

Download: docx | pdf

SUPPORTING STATEMENT FOR THE CONFIDENTIALITY OF

SUBSTANCE USE DISORDER PATIENT RECORDS

42 CFR PART 2

1. JUSTIFICATION

1. Circumstances Making the Collection of Information

The HHS Office for Civil Rights (OCR) is requesting OMB approval for the creation of a new information collection for 42 CFR part 2, Confidentiality of Substance Use Disorder (SUD) Patient Records Final Rule (“2024 Part 2 Rule”).¹ This information collection is based in part on the previously approved information collection, OMB No. 0930-0092, which expires on March 31, 2026.

Background

The Confidentiality of Substance Use Disorder Patient Records regulations (42 CFR part 2 or “Part 2”) implement section 543 of the Public Health Service Act, 42 United States Code (U.S.C.) § 290dd-2, as amended by section 131 of the Alcohol, Drug Abuse, and Mental Health Administration Reorganization Act (ADAMHA Reorganization Act), Pub. L. 102-321 (July 10, 1992) and section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), Public Law 116-136 (March 27, 2020). The regulations serve to protect the confidentiality of patient records created by federally funded programs for the treatment of substance use disorder (SUD). Under the regulations, “substance use disorder” is a defined term, which refers to a cluster of cognitive, behavioral, and physiological symptoms indicating that an individual continues using a substance despite significant substance-related problems such as impaired control, social impairment, risky use, and pharmacological tolerance and withdrawal. For the purposes of Part 2, this definition does not include tobacco or caffeine use.

Section 3221(i) of the CARES Act required the Secretary to promulgate regulations implementing the March 27, 2020, amendments to 42 U.S.C. 290dd-2.² With the instant Final Rule the Department modifies Part 2 to implement section 3221 of the CARES Act, increase clarity, and decrease compliance burdens for Part 2 programs, covered entities, and business associates. The Department believes the modifications made in the final rule reduce the need for data segmentation within entities subject to the regulatory requirements promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)³ and Part 2 and result in improved care coordination.

Federally conducted, regulated, or assisted SUD programs are required by statute to keep patient records confidential. There are newly required civil and criminal penalties for violations of the regulation. The final rule published with this information collection request implements those statutory provisions and others required by section 3221 of the CARES Act. The statutory authority for the confidentiality of SUD patient records is 42 U.S.C. 290dd-2.

The information collection requirements in the 2024 Part 2 Rule for which OMB approval is requested are § 2.4 (Establishing Process to Receive Complaints); § 2.13 (Training Program Development); § 2.16 (Security for Records and Notification of Breaches); § 2,22 (Notice of Federal Confidentiality Requirements); § 2.25 (Accounting of Disclosures: § 2.26 (Requests for Restrictions); §§ 2.31 – 2.33 (Consent); § 2.36 (PDMP Reporting); § 2.51 (Medical Emergencies Documentation); § 2.52 (Scientific Research); § 2.53 (Financial Audits and Program Evaluation); and § 2.68 (Reports to the Secretary).

2. Purpose and Use of Information Collection

The information disclosed to patients pursuant to § 2.16 (breach notification), § 2.22 (patient confidentiality notice), and § 2.25 (accounting of disclosures) can be used by the patient to take steps to mitigate harm resulting from a breach of their records, understand permitted uses that may be made of their treatment records, and learn what entities have received their SUD treatment records.

The information disclosed to recipients of records under § 2.32(a) will provide notice to each person who receives or maintains such records that the records are protected by Part 2. The copy or explanation of consent disclosed to recipients of records under § 2.32(b) will inform them of the scope of the consent,. Patient information disclosed under § 2.54 can be used to protect and advance public health. Information disclosed to the Secretary under § 2.68 about investigative agencies’ use and disclosure of Part 2 records will help the Department better understand law enforcement uses of Part 2 records and determine whether potential changes may be needed to Part 2.

3. Use of Improved Information Technology and Burden Reduction

The intent is to allow Part 2 programs at different levels of technological sophistication to comply with the requirements of the regulations. Thus, programs are empowered to determine appropriate technologies for their circumstances and implement safeguards in a manner that is reasonable and appropriate for their particular environments, according to the provisions in 42 CFR 2.16.

The provisions of the HIPAA Breach Notification Rule that apply to Part 2 programs in 42 CFR 2.16 permit the use of electronic media as a means for providing individual notification. The Breach Notification Rule permits Part 2 programs to provide patients with notification of a breach via email if the patient agrees to electronic notice and has not withdrawn the agreement. Additionally, Part 2 programs that must provide substitute notification (i.e., when they have insufficient or out-of-date contact information for patients) have the option of providing this notification electronically on the home page of their website. With respect to a program’s obligation to notify the Secretary of breaches, the intention is to receive this information electronically.

4. Effort to Identify Duplication and Use of Similar Information

State law, professional and ethical standards, and the policies of a program or medical care facility may impose standards for maintaining confidentiality of all medical records, in addition to standards imposed for SUD patient records by Federal law and regulations, and also may impose public disclosure requirements. However, this final rule uniformly applies to Federally funded SUD treatment programs (as well as prevention and referral activities) and ensures compliance through civil money penalties and criminal sanctions. Thus, the category of entities subject to this information collection request is different from the pool of licensed SUD treatment professionals and facilities.

Generally, the information collection requirements of the Part 2 regulation do not duplicate those of any other Federal regulation. An unknown number of Part 2 programs that also meet the definition of covered entity under HIPAA are subject to restrictions on the use and disclosure of protected health information. These requirements include providing a HIPAA Notice of Privacy Practices to patients⁴ who are the subject of Part 2 records. However, the Department does not believe this requirement to be duplicative because these entities could meet both HIPAA and Part 2 requirements with a single NPP document.

With respect to the new breach notification requirements, most states have breach notification laws that require similar notification to be made to affected individuals following a breach of security of personal information. However, many of these laws do not specifically require notification following the breach of Part 2 records. The new breach notification requirements are duplicative for Part 2 programs that are also subject to HIPAA; however, compliance with the HIPAA standard will suffice to meet the Part 2 notification standard. Even in cases where a breach of Part 2 records would trigger notification under both state law and Part 2, the Department believes that both the state law notification and the notification under this rule can be satisfied with a single breach notification. Therefore, the notification requirements in this final rule are not duplicative.

5. Impact on Small Businesses or Other Small Entities

The final rule imposes new information collection requirements for all affected facilities, many of which are small entities; however, they also substantially reduce information collection requirements for obtaining multiple consents from each patient. As a result, there is no significant net impact on small entities.

With regard to the requirements under the HIPAA Breach Notification Rule as in § 2.16, the burden upon Part 2 programs of any size to provide the appropriate notifications occurs only when there has been a breach of unsecured records. Programs have no obligations under § 2.16 or the Breach Notification Rule in the absence of a breach. Further, programs can prevent many breaches, and thus avoid the resulting Breach Notification obligations, by implementing reasonable and appropriate protections for records in accordance with 42 CFR part 2. Finally, Part 2 programs that are covered entities are already subject to the Breach Notification Rule, so they will not experience any change in burden as a result of this provision in the final rule.

6. Consequences of Less Frequent Collection

A discussion of less frequent information collection is not applicable to the provisions under 42 CFR §§ 2.16, 2.22, 2.25, 2.26, 2.31, 2.32, 2.51, 2.52, and 2.53 as these disclosures are generated on an “as needed” basis. The requirement that programs notify each affected patient, the Secretary of HHS, and the media (in some instances) in the event of a breach of records requires notification within 60 days of discovery and for breaches affecting less than 500 individuals, annual notification of the Secretary of HHS. The public disclosure requirement that each patient be notified of the effect and limits of the Federal confidentiality laws and regulations in 42 CFR 2.22 and/or 45 CFR 164.520, as applicable, are imposed for each patient admission; less frequent disclosure would not provide each patient with notice. Additionally, less frequent disclosure of patient information than what would be authorized under the provisions of 42 CFR §§ 2.31, 2.32, 2.51, 2.52, and 2.53 would be contrary to the stated goals of the final rule by reducing the ability of patients to receive medical care during emergencies or receive benefits from entities without a treating provider relationship, and negatively impacting individuals and organizations with legitimate research, audit, and evaluation purposes. Reporting of dispensing data to PDMPs on a less-than-quarterly basis would decrease the effectiveness of PDMPs to monitor the use of prescribed, controlled substances. Finally, reporting to the Secretary by investigative agencies that rely on the liability limitation in § 2.3(b) on less than an annual basis would not provide sufficient data about how the safe harbor is being utilized to allow the Secretary to assess whether regulatory changes are needed in the future.

7. Special Circumstances Relating to the Guidelines in 5 CFR 1320.5(d)(2)

This information collection fully complies with 5 CFR 1320.5(d)(2).

8. Comments in Response to the Federal Register Notice/Outside Consultation

The NPRM served as the 60-day Federal Register notice required by 5 CFR 1320.8(d) and was published on December 2, 2022 (87 FR 74216). Public comments on the NPRM and the Department’s responses, including comments affecting cost and burden estimates, are discussed in the final rule, published on February 16, 2024 (89 FR 12472).

9. Explanation of Any Payment/Gift to Respondents

No payments are made to respondents for compliance with this regulation.

10. Assurance of Confidentiality Provided to Respondents

No assurance of confidentiality is provided to those parties required to give notice to each patient (federally conducted, regulated, or assisted SUD programs); or disclose patient records and information to covered entities, business associates, lawful research entities, entities conducting lawful audits and evaluations, law enforcement, or courts. They are the parties upon whom the Federal statutes and regulations impose confidentiality standards for the benefit of patients.

11. Justification for Sensitive Questions

The public disclosure requirements in 42 CFR §§ 2.16, 2.22, and 2.32 provide notice to each patient or recipient of records, respectively, rather than soliciting information. The nature of the records generated in compliance with these provisions of 42 CFR part 2 does not include sensitive material except insofar as the records generated become a part of a SUD patient's record.

The public disclosure requirement in 42 CFR 2.68 requires investigative agencies to report instances when they have received records prior to seeking the requisite court order in the course of investigating a Part 2 program or person holding Part 2 records as provided in § 2.66 and § 2.67. The information disclosed in these reports will identify a program or holder of records as a target of an agency investigation or prosecution, but will not identify patients. Specifically, reports to the Secretary under § 2.68 require disclosure of:

1. The number of applications made under § 2.66(a)(3)(ii) and § 2.67(c)(4) during the calendar year;

2. The number of instances in which such applications were denied, due to findings by the court of violations of this part during the calendar year; and

3. The number of instances in which Part 2 records were returned or destroyed following unknowing receipt without a court order, in compliance with § 2.66(a)(3)(iii),(iv) or (v), respectively during the calendar year.

Section 2.66 requires an application for a court order to use a fictitious name, such as John Doe, to refer to any patient and prohibits the inclusion of any patient identifying information unless the court has ordered the record of the proceeding sealed from public scrutiny or the patient has provided written consent to that disclosure. Further, both § 2.66 and § 2.67 prohibit any use or disclosure of information obtained under these provisions from being used against the patient.

12. Estimates of Annualized Hour Burden (Total Hours & Wages)

The Department estimates a total program burden associated with all information collections of 672,663 hours and $38,226,922, including capital costs and one-time burdens, across all 16,066 Part 2 programs for 1,864,367 annual patient admissions. On average, this equates to an annual burden of 42 hours and $2,379 per Part 2 program and 0.36 hours and $21 per patient admission. Excluding one-time costs that would be incurred in the first year of the final rule’s implementation, the average annual burden would be 27 hours and $1,176 per Part 2 program and 0.24 hours and $10 per patient admission. In addition to program burdens, the Department’s final rule will increase burdens on investigative agencies for reporting annually to the Secretary in the collective amount of 759 hours of labor and $61,726 in costs for a total cost to all entities of $38,288,648. This would result in a total burden for Part 2 of 672,663⁵ hours in the first year after the rule becomes effective and 439,880 annual burden hours thereafter.

12A. Estimated Annualized Burden Hours

The Department presents, in separate tables below, revised estimates for existing burdens (Table 1), previously unquantified recurring burdens (Table 2), new recurring burdens of the final rule (Table 3), and new nonrecurring burdens of the final rule (Table 4).

Table 1. Annualized Estimates of Current Burdens

This table shows updated hourly burdens of existing information collections that are incurred annually. These are recurring burdens.

Part 2 Provision	Type of Respondent	Respondents	Responses per Respondent	Total Responses	Average Time per Response (hours)	Total Burden Hours
2.22	Patient Notice	1,864,367a	1	1,864,367	0.021	38,841
2.31	Obtaining Consent for TPO Disclosures	1,864,367	1	1,864,367	0.0833	155,364
2.36	PDMPb Reporting	16,066c	176	2,828,050	0.0333	94,268
2.51	Documenting Emergency Tx. Disclosure	16,066	2	32,132	0.167	5,355
2.52	Disclosures for Research - Elec.	125,845d	1	125,845	0.083	10,487
2.52	Disclosures for Research - Paper	13,983e	1	13,983	0.250	3,496
2.53	Disclosures for Audit & Eval. - Elec.	125,845f	1	125,845	0.083	10,487
2.53	Disclosures for Audit & Eval. - Paper	13,983g	1	13,983	0.250	3,496
Total Recurring Burdens, Currently Approved6				6,868,571		321,794

* Not all decimals are shown.

a. Number of annual Part 2 program admissions as a proxy for total number of Part 2 patients.

b. For more information about PDMPs, see https://store.samhsa.gov/product/In-Brief-Prescription-Drug-Monitoring-Programs-A-Guide-for-Healthcare-Providers/SMA16-4997.

c. Estimated total number of Part 2 programs.

d. Estimated number of research disclosures made electronically.

e. Estimated number of research disclosures on paper.

f. Estimated number of disclosures for audit and evaluation made electronically.

g. Estimated number of disclosures for audit and evaluation made on paper.

As shown in Table 1, the Department is adjusting the currently approved burden estimates to reflect an increase in the number of Part 2 programs from 13,585 to 16,066. The respondents for this collection of information are Federally funded, assisted, or regulated SUD treatment programs.⁷ The estimate of the number of such programs (respondents) is based on the results of the 2020 National Survey of Substance Abuse Treatment Services (N-SSATS), which represents an increase of 2,481 program from the 2017 N-SSATS which was the basis for the approved ICR under OMB No. 0930-0335. The average number of annual total responses is based the results of the average number of SUD treatment admissions from SAMHSA’s 2019 Treatment Episode Data Set (TEDS) as the number of annual patient admissions by Part 2 programs (1,864,367 patients).

The estimate in the currently approved ICR includes the time spent with the patient to obtain consent and the time for training for counselors.⁸ The Department is now estimating the time for obtaining consent separately from the burden of training time and applies an average of 5 minutes per patient admission for obtaining consent.

For § 2.31, § 2.52, and § 2.53, the Department is separating out estimates for each provision which were previously reported together and is also adjusting the estimates. For § 2.31, the Department believes that disclosures with written consent for TPO are made for 100 percent of patients; due to the changes to the consent requirements, the Department assumes that programs will experience a decreased burden from an average of 3 consents per admission to 1 consent. The Table above reflects 1 consent for each of the 1,864,367 annual patient admissions (used as a proxy for the estimated number of patients) and a time burden of 5 minutes per consent for a total of 155,364 burden hours. The previously unacknowledged burden of obtaining multiple consents for each patient is shown in Table 2, below.

The Department previously estimated that for § 2.31 (consent), § 2.52 (research), and § 2.53 (audit and evaluation) combined, programs would need to disclose an average of 15 percent of all patients’ records (1,864,367 records x .15 = 279,655 disclosures). The Department is adjusting its estimates to reflect that 15 percent of patients will have records disclosed without consent for research and audits or evaluations and that this will be divided evenly between the two provisions, resulting in 7.5% of 1,864,367 records (or approximately 139,828 disclosures) for § 2.52 disclosures and the same for § 2.53 disclosures. The Department previously estimated that 10 percent of disclosed records would be disclosed in paper form while the remaining 90 percent would be disclosed electronically. The time burden for disclosing a paper record is estimated as 15 minutes and the time for disclosing an electronic record as 5 minutes. For Part 2 programs using paper records, the Department expects that a staff member will need to gather and aggregate the information from paper records, and manually track disclosures; for those Part 2 programs with a health IT system, the Department expects records and tracking information will be available within the system.

For § 2.36, the Department used the average number of opiate treatment admissions from SAMHSA’s 2019 TEDS (565,610 admissions) as the number of respondents and assumed the PDMP databases would need to be accessed and reported once initially and quarterly thereafter for each patient (565,610 x 5 = 2,828,050). Based on discussions with providers, the Department believes accessing and reporting to PDMP databases will take approximately 2 minutes per patient, resulting in a total annual burden of 10 minutes (5 database accesses/updates x 2 minutes per access/update) or 0.166 hours annually per patient. For § 2.51, the time estimate for recordkeeping for a clerk to locate a patient record, record the necessary information, and re-file the record is 10 minutes.

Table 2. Annualized Estimate of Previously Unacknowledged Burden

This table shows an updated estimate of the total hourly burden for the existing information collection, obtaining consent, that was incurred annually under the previous rule.

Part 2 Provision	Type of Respondent	Respondents	Responses per Respondent	Total Responses	Average Time per Response (hours)	Total Burden Hours
2.31	Obtaining Consent	1,864,367a	2.5	4,660,918	0.083	388,410

a. Annual number of Part 2 program admissions as a proxy for total number of Part 2 patients.

As shown in Table 2, for § 2.31 the Department is recognizing for the first time the burden on programs to obtain multiple consents for each patient annually. The previously approved ICR recognized only 1 consent per patient. The Department has revised its estimates to acknowledge that under the previous regulation, for each patient admission to a program a minimum of 3 consents was likely needed for disclosures of records by Part 2 programs—one each for treatment, payment, and health care operations—and .5 consents were needed on average per patient for redisclosures by recipients (covered entities or business associates), as explained below. Thus, under the previous regulation, an estimated average of 3.5 consents was needed per patient.

As shown in Table 1, a burden is already recognized for obtaining consent, but the estimate assumed only 1 consent per admission under the existing regulation and it was combined with estimates for disclosures without consent under § 2.52 (research) and § 2.53 (audit and evaluation). The Department believes its previous calculations underestimated the numbers of consents obtained annually under the previous rule, and thus the Department views its updated estimate of the baseline burden (i.e., adding two consents per patient annually under the existing regulation) as acknowledging a previously unquantified burden. Additionally, recipients of Part 2 records that are covered entities or business associates must obtain consent for redisclosure of these records. The Department estimates an average of one-half of total patients’ records are disclosed to a covered entity or business associate that needs to redisclose the record with consent (1,864,367 x .5), and this also represents a previously unquantified burden. Together, this would result in an increase of 2.5 consents annually per patient. However, this increased baseline burden is offset by the changes in the attached final rule, which result in a reduction in the number of consents by 2.5 per patient, thus resulting in no net change from the currently approved burden of 1 consent per patient.

Table 3. Annualized Estimates for New Recurring Burdens

This table shows hourly burdens for new information collections, representing estimates of recurring annual burdens.

Part 2 Section (applicable Section of HIPAA Breach Notification Rule, where relevant)a-1	Type of Respondent	Number of Respondents	Number of Responses per Respondent	Total Responses	Average burden hours per Response	Total Burden Hours
2.4	Part 2 Programs Receiving a Complaint	1,864	1	1,864	0.167	311
2.16 (164.404)	Individual Notice—Written and E-mail Notice (drafting)	1,170a-2	1	1,170	0.5	585
2.16 (164.404)	Individual Notice—Written and E-mail Notice (preparing and documenting notification)	1,170	1	1,170	0.5	585
2.16 (164.404)	Individual Notice—Written and E-mail Notice (processing and sending)	1,170	1,941	2,270,271b	0.008	18,162
2.16 (164.404)	Individual Notice—Substitute Notice (posting or publishing)	55	1	55	1	55
2.16 (164.404)	Individual Notice—Substitute Notice (staffing toll-free number)	55c	1	55	3.42d	188
2.16 (164.404)	Individual Notice—Substitute Notice (individuals’ voluntary burden to call toll-free number for information)	2,265e	1	2,265	0.125f	283
2.16 (164.406)	Media Notice	5g	1	5	1.25	7
2.16 (164.408)	Notice to Secretary (notice for breaches affecting 500 or more individuals)	5	1	5	1.25	7
2.16 (164.408)	Notice to Secretary (notice for breaches affecting fewer than 500 individuals)	1,164h	1	1,164	1	1,164
2.16 (164.414)	500 or More Affected Individuals (investigating and documenting breach)	5i	1	5.34	50	267
2.16 (164.414)	Less than 500 Affected Individuals (investigating and documenting breach) -- affecting 10-499	50j	1	49.58	8	397
2.16 (164.414)	Less than 500 Affected Individuals (investigating and documenting breach) -- affecting <10	1,115k	1	1,114.72	4	4,459
2.22	Right to Discuss Patient Notice	18,644l	1	18,644	0.12	2,175
2.25	Accounting for Disclosures of Part 2 Records	100m	1	100	0.05	5
2.26	Right to Request Restrictions	1,200n	1	1,200	0.1	120
2.32	Attach consent form with each disclosure (paper records)	186,437 o	3	559,310	0.08	46,609
2.32	Attach consent form with each disclosure (electronic records)	1,677,930p	3	5,033,791	0.01	42,948
2.68	Reports to the Secretary	506q	1	506	1.5	759
TOTAL				7,892,746		118,086

a-1. The estimates for breach reports of Part 2 records are derived from the estimates of breach reports of protected health information under HIPAA, representing the number of Part 2 programs as a percentage of all covered entities (774,331 covered entities / 16,066 Part 2 programs = .02)

a-2. Total number of breach reports submitted to OCR in 2015 (58,482) multiplied by .02 to represent Part 2 breaches.

b. Average number of individuals affected per breach incident reported in 2015 (113,513,562) multiplied by .02.

c. All 267 large breaches and all 2,479 breaches affecting 10-499 individuals (2,746) multiplied by 02.

d. This assumes that 10% of the sum of (a) all individuals affected by large breaches in 2015 (113,250,136) and (b) 5% of individuals affected by small breaches (0.05 x 285,413 = 14,271) will require substitute notification. Thus, the Department calculates 0.10 x (113,250,136 + 14,271) = 11,326,441 affected individuals requiring substitute notification for an average of 4,125 affected individuals per such breach. The Department assumes that 1% of the affected individuals per breach requiring substitute notice annually will follow up with a telephone call, resulting in 41.25 individuals per breach calling the toll-free number. The Department assumes that call center staff will spend 5 minutes per call, with an average of 41 affected individuals per breach requiring substitute notice, resulting in 3.42 hours per breach spent answering calls from affected individuals.

e. As noted in the previous footnote, this number equals 1% of the affected individuals who require substitute notification (0.01 x 11,326,441 = 113,264) multiplied by .02 to represent Part 2 program breaches.

f. This number includes 7.5 minutes for each individual who calls with an average of 2.5 minutes to wait on the line/decide to call back and 5 minutes for the call itself.

g. The total number of breaches affecting 500 or more individuals in 2015, multiplied by .02 to represent the number of Part 2 breaches.

h. The total number of HIPAA breaches affecting fewer than 500 individuals in 2015, multiplied by .02 to represent the number of Part 2 breaches.

i. 267 multiplied by .02.

j. 2,479 multiplied by .02.

k. 55,736 multiplied by .02.

l. The Department estimates that 1 percent of all patients annually would request a discussion of the Patient Notice for an average of 7 minutes per discussion, calculated as .01 x 1,864,367 at the hourly wage of a SUD counselor.

m. The Department estimates that covered entities annually fulfill 5,000 requests from individuals for an accounting of disclosures of their protected health information multiplied by .03 to represent the number of requests from patients for an accounting from Part 2 patients.

n. The Department doubled the estimated number of requests for confidential communications or restrictions on disclosures of PHI per year (to 40,000) due to the effect of the new TPO redisclosure permission and multiplied it by .02 to represent requests from Part 2 patients (800). We then increased this estimate by 50% (400) due to the effects of the new TPO redisclosure permission in this final rule.

o. Calculated as the number of patient admissions multiplied by the number of paper consent forms that need to be attached (10% of total patient admissions and 3 copies of consent forms each).

p. Calculated as the number of patient admissions multiplied by the number of electronic consent forms (or an explanation of consent) that need to be attached (90% of total patient admissions and 3 copies of consent forms each).

q. Estimated number of investigations of programs, used as a proxy for the instances an investigative agency would be in receipt of a record prior to obtaining the required court order.

In Table 3 above, the Department shows an annualized new hourly burden of approximately 94,781 hours due to final rule requirements for receiving complaints, breach notification, accounting of disclosures of records, responding to patient’s requests for restrictions on disclosures, discussing the Patient Notice, attaching a copy or explanation of the consent form with each disclosure made with consent, and required reporting by investigative agencies. These burdens would be recurring. The estimates represent 2 percent of the total estimated by the Department for compliance with the parallel HIPAA requirements for covered entities. This percentage was calculated by dividing the total number of covered entities by the number of Part 2 programs (16,066/774,331 = .02). The Department recognizes that this is an overestimate because an unknown proportion of Part 2 programs are also covered entities. As a result of these calculations, the estimated number of respondents and responses is a not a whole number. The totals were based on calculations that included decimals not shown in the table, resulting in different totals than computed in ROCIS for some line items.

For § 2.32, the Department estimates a new burden for attaching a consent or a clear explanation of the scope of the consent to each disclosure. The Department estimates that each Part 2 program will make three (3) annual disclosures per patient for 1,864,367 patients yearly. The Department also estimates that consent forms or explanations will need to be attached to paper disclosures as well as electronic disclosures and assumes ninety percent (90%) of disclosures are received electronically (totaling 5,033,791 consents or explanations of consent attached to electronic disclosures), while the remaining ten percent (10%) would be received in paper format (totaling 559,310 attached paper disclosures). The Department assumes a receptionist or information clerk will take 5 minutes to attach a consent form or explanation for each paper disclosure and 30 second to attach a consent form or explanation for each electronic disclosure. This will result in a total recurring burden of 46,609 hours for paper disclosures and 41,948 hours for electronic disclosures.

The total number of responses for the accounting of disclosures has been corrected in the table to show 100, whereas the proposed rule erroneously displayed an estimated total of 800. The total in Table 3 also includes the Department’s estimates for a recurring annual burden on investigative agencies of 759 hours, which is an increase from the NPRM, and relies on previous estimates for the burden of reporting breaches of PHI to the Secretary at 1.5 hours per report.

Table 4. Annualized Estimates for Nonrecurring New Burdens

This table shows hourly burdens for new information collections that will be incurred one time only, in the first year of compliance with the final rule.

Part 2 Provision	Type of Respondent	Number of Respondents	Number of Responses per Respondent	Total Responses	Average burden hours per Response	Total Burden Hours
2.4	Complaint Procedures & Nonretaliation- Training (manager)	16,066a	1	16,066	0.75	12,050
2.13	Training Program Development	16,066	1	16,066	5	80,330
2.16	Breach Notice - Training (manager)	16,066	1	16,066	1	16,066
2.22	Patient Notice and Right to Discuss - Training (counselors)	224,231	1	224,231	0.25	56,058
2.22	Patient Notice - Updating(lawyer)	16,066	1	16,066	1	16,066
2.25	Accounting of Disclosures - Training (med. records specialist)	16,066	1	16,066	0.5	8,033
2.26	Requests for Restrictions - Training (receptionist, medical records, & billing)	16,066	3	48,198	0.25	12,050
2.31	Updating Consent Form (lawyer)	16,066	1	16,066	0.67	10,711
2.31	Obtaining Consent - Training (receptionist)	16,066	2	32,132	0.5	16,066
2.32	Notice to Accompany Disclosure - Updating (manager)	16,066	1	16,066	0.333	5,355
TOTAL				417,023		232,784

1. Estimated total number of Part 2 programs.

As shown in Table 4 above, the Department estimates nonrecurring burden increases as a result of changes to § 2.16, § 2.22, § 2.31, and § 2.32 and due to new provisions § 2.25 and § 2.26. The nonrecurring burdens are for training staff on the provisions and for updating forms and notices. The Department estimates that each program will need 5 hours of a training specialist’s time to prepare and present the training for a total of 80,330 burden hours.

For § 2.16, the Department estimates that each program will need to train 1 manager on breach notification requirements for 1 hour, for a total of 16,066 burden hours. For § 2.22, the Department estimates that each program will need 1 hour of a lawyer’s time to update the content of the Patient Notice (for a total of 16,066 burden hours) and 15 minutes to train 224,231 behavioral health and SUD counselors on the new Patient Notice and right to discuss the Patient Notice requirements (for 56,058 total burden hours). This represents an increase of 5,540 from the number of counselors receiving training as estimated in the proposed rule, due to updated occupational data.

For § 2.25, the Department estimates that each program will need to train a medical records specialist on the requirements of accounting of disclosures requirements for 30 minutes, resulting in a total burden of approximately 8,033 hours. For § 2.26, the Department estimates that each program will need to train three staff (a front desk receptionist, a medical records technician, and a billing clerk (16,066 Part 2 programs x 3 staff)) for 15 minutes each on the right of a patient to request restrictions on disclosures for treatment, payment, or health care operations. The base wage rate is an average of the mean hourly rate for the three occupations being trained. This totals approximately 12,050 burden hours.

For § 2.31, each program will need 40 minutes of a lawyer’s time to update the consent to disclosure form (for a total of approximately 10,711 burden hours) and 30 minutes to train an average of 2 front desk receptionists on the changed requirements for consent (for a total of approximately 16,066 burden hours). For § 2.32, the Department estimates that each program will need 20 minutes of a health care manager’s time to update the content of the notice to accompany disclosure with the changed language provided in the final rule, for a total of approximately 5,355 burden hours. This is likely an over-estimate because an alternative, short form of the notice is also provided in regulation, and the language for that form is unchanged such that programs that are using the short form notice could continue using the same notice and avoid any burden increase. In addition, the final rule added a requirement to attach a copy or explanation of the consent form to each disclosure, so that a receptionist will spend, on average, five minutes per paper record, and half a minute attaching a copy of the consent or an explanation of the scope of the consent per electronic record.

Table 5. Total Burden Hours for the Information Collection Request

Burden Tables	Total Burden Hours
Table 1. Annualized Estimates of Current Burdens	321,794
Table 3. Annualized Estimates for New Recurring Burdens	118,086
Table 4. Annualized Estimates for New Nonrecurring Burdens	232,784
TOTAL FOR PART 2 RULE	672,663a

a. Total does not match due to rounding. ROCIS total shows 672,667.

12B. Estimated Annualized Burden Costs

Table 6. Estimated Costs of Currently Approved Burdens

Part 2 Provision	Type of Respondent	Total Burden Hours	Hourly Wage Rate w/ Benefits (Base*2)	Base Wage Rate	Total Respondent Costs
2.22	Patient Notice	38,841	$33.28	$16.64	$1,292,628
2.31	Obtaining Consent for TPO Disclosures	155,364	$33.28	$16.64	$5,170,511
2.36	PDMPb Reporting	94,268	$62.76	$31.38	$5,916,281
2.51	Emergency Treatment Disclosures	5,355	$62.76	$31.38	$336,101
2.52	Disclosures for Research - Elec.	10,487	$54.06	$27.03	$566,931
2.52	Disclosures for Research - Paper	3,496	$54.06	$27.03	$188,977
2.53	Disclosures for Audit & Eval. - Elec.	10,487	$54.06	$27.03	$566,931
2.53	Disclosures for Audit & Eval. - Paper	3,496	$54.06	$27.03	$188,977
TOTAL		321,794			$14,227,335

Table 7. Estimated Costs of New Recurring Burdens

Part 2 Provision	Type of Respondent	Total Burden Hours	Hourly Wage Rate w/ Benefits (Base*2)	Base Wage Rate	Total Respondent Costs
2.4	Covered Entities Receiving a Complaint	1,864	$123.06	$61.53	$38,238
2.16 (see 45 CFR 164.404)	Individual Notice—Written and E-mail Notice (drafting)	585	$93.04	$46.52	$54,412
2.16 (see 45 CFR 164.404)	Individual Notice—Written and E-mail Notice (preparing and documenting notification)	585	$43.80	$21.90	$25,615
2.16 (see 45 CFR 164.404)	Individual Notice—Written and E-mail Notice (processing and sending)	18,162	$43.80	$21.90	$795,503
2.16 (see 45 CFR 164.404)	Individual Notice—Substitute Notice (posting or publishing)	55	$97.82	$48.91	$5,372
2.16 (see 45 CFR 164.404)	Individual Notice—Substitute Notice (staffing toll-free number)	188	$43.80	$21.90	$8,227
2.16 (see 45 CFR 164.404)	Individual Notice—Substitute Notice (individuals’ voluntary burden to call toll-free number for information)	283	$59.52	$29.76	$16,854
2.16 (see 45 CFR 164.406)	Media Notice	7	$81.28	$40.64 Composite	$543
2.16 (see 45 CFR 164.408)	Notice to Secretary (notice for breaches affecting 500 or more individuals)	7	$81.28	$40.64 Composite	$543
2.16 (see 45 CFR 164.408)	Notice to Secretary (notice for breaches affecting fewer than 500 individuals)	1,164	$43.80	$21.90	$50,996
2.16 (see 45 CFR 164.414)	500 or More Affected Individuals (investigating and documenting breach)	267	$123.06	$61.53	$32,857
2.16 (see 45 CFR 164.414)	Less than 500 Affected Individuals (investigating and documenting breach) -- affecting 10-499	397	$123.06	$61.53	$48,811
2.16 (see 45 CFR 164.414)	Less than 500 Affected Individuals (investigating and documenting breach) -- affecting <10	4,459	$123.06	$61.53	$548,710
2.22	Right to Discuss Patient Notice	2,175	$54.06	$27.03	$117,586
2.25	Accounting for Disclosures of Part 2 Records	5	$49.12	$24.56	$246
2.26	Rights to Request Restrictions	120	$41.83	$20.91	$5,019
2.32	Attach consent form with each disclosure (paper record)	46,609	$33.28	$16.64	$1,551,153
2.32	Attach consent form with each disclosure (electronic record)	41,948	$33.28	$16.64	$1,396,038
2.68	Report to Secretary by IA	759	$81.28	$40.64 Composite	$61,726
TOTAL		118,086			$4,720,209

Table 8. Estimated Costs of New Nonrecurring Burdens

Part 2 Provision	Type of Respondent	Total Burden Hours	Hourly Wage Rate w/ Benefits (Base*2)	Base Wage Rate	Total Respondent Costs
2.4	Complaint Procedures & Nonretaliation- Training (manager)	12,050	$123.06	$61.53	$1,482,811
2.13	Training Program Development	80,330	$67.18	$33.59	$5,396,569
2.16	Breach Notice - Training (manager)	16,066	$123.06	$61.53	$1,977,082
2.22	Patient Notice and Right to Discuss - Training (counselor)	56,058	$54.06	$27.03	$3,030,475
2.22	Patient Notice - Updating (lawyer)	16,066	$157.48	$78.74	$2,530,074
2.25	2.25 Accounting of Disclosures - Training (med. records specialist)	8,033	$49.12	$24.56	$394,581
2.26	Requests for Restrictions - Training (receptionist, medical records, & billing)	12,050	$41.83	$20.91	$503,990
2.31	Consent Form – Updating (lawyer)	10,711	$157.48	$78.74	$1,686,716
2.31	Obtaining Consent - Training (receptionist)	16,066	$33.28	$16.64	$534,676
2.32	Notice to Accompany Disclosure - Updating (manager)	5,355	$123.06	$61.53	$659,027
TOTAL		232,784			$18,196,003

Table 9. Total Costs of the Information Collection Request, Excluding Capital Expenses

Cost Tables	Total Costs
Table 6. Total Estimated Costs of Currently Approved Burdens	$14,227,335
Table 7. Total Estimated Costs of New Recurring Burdens	$4,720,209
Table 8. Total Estimated Costs of New Nonrecurring Burdens	$18,196,003
TOTAL COSTS FOR PART 2, EXCLUDING CAPITAL EXPENSES	$37,143,547

13. Estimates of Other Total Annual Cost Burden to Respondents or Record Keepers/Capital Costs

Table 9. Capital Expenses*

Part 2 Section (Breach Rule Section)	Cost Elements	Number of Breaches	Average Cost per Breach	Total Breach Cost
2.16 (164.404)	Individual Notice—Postage, Paper, and Envelopes	1,170	$765.04	$894,822
2.16 (164.404)	Individual Notice—Substitute Notice Media Posting	55	$510.06	$28,012
2.16 (164.404)	Individual Notice—Substitute Notice—Toll-Free Number	55	$79.10	$4,344
Total Breach				$927,178
Part 2 Section	Activity	Number of Notices	Average Cost per Notice	Total Notice Cost
2.22	Printing Patient Notice	932,184	$0.11	$99,056
2.31	Printing Consent Form	932,184	$0.11	$99,056
2.32	Printing Notice to Accompany Disclosure	186,437	$0.11	$19,811
Total Part 2 Forms				$217,922
TOTAL CAPITAL COSTS				$1,145,100

* Not all decimal places are shown.

As shown above in Table 8, Part 2 programs will incur new capital costs for providing breach notification. The table also reflects existing burdens for printing the Patient Notice, the Notice to Accompany Disclosure, and Consents. The Department has estimated 50 percent of forms used will be printed on paper, taking into account the notable increase in the use of telehealth services for the delivery of SUD treatment and the expectation that the demand for telehealth will continue.⁹

14. Annualized Cost to Federal Government

The Department was not previously authorized to enforce 42 CFR part 2, so the current ICR estimated costs to the government for implementation of only $33,205, which includes a portion of the time for two staff to provide technical assistance and respond to inquiries. The Department will receive complaints, conduct compliance reviews, and impose civil money penalties for violations of the regulation, and thus will incur related compliance and enforcement staff and technology costs.

In addition to promulgating the current regulation, the Department is responsible for developing guidance and conducting outreach to educate the regulated community and the public. The Department also is required to investigate and resolve complaints and compliance reviews as part of its new responsibility for Part 2 compliance and enforcement. The Department estimates that implementing the final rule will require two full-time policy employees (or contractors) at the OPM General Schedule (GS) GS-14 or equivalent level who will develop guidance and national-level outreach. Additionally, the Department estimates needing eight full-time employees (or contractors) for enforcement at a GS-13 or equivalent level to investigate, train investigators, and provide local outreach to regulated entities.¹⁰ The Department also estimates costs for hiring a contractor to create a breach portal or a Part 2 module for the existing HIPAA breach portal. The initial posting of such breaches is automated, and the Department pays a contractor approximately $13,814 annually to maintain the database to receive reports of breaches from covered entities. The Department estimates approximately $13,814 to hire another contractor to maintain the database to receive reports of breaches from Part 2 programs. Additionally, the Department drafts and posts summaries of each large breach on the website at a labor cost of approximately $32,107 per year. To implement these policies, the Department estimates that initial Federal costs will be approximately $2,214,100 million. The Department estimates that based on the GS within grade step increases for each of the GS-13 and GS-14 employees the Federal costs will be approximately $11,808,508 million over 5 years.

1. Explanation for Program Changes or Adjustments

Although this information collection is newly created for the final rule, the Department analyzed the request in light of the currently approved ICR for 42 CFR part 2. Currently, there are 579,524 burden hours in the OMB inventory for 42 CFR part 2. The Department is requesting an addition of 388,410 hours to this baseline due to a previously underestimated burden for obtaining multiple consents to disclose records for purposes of treatment, payment, and health care operations (including consent for redisclosures by holders of records for such purposes) and adjustments to how existing burdens are estimated. This results in a new baseline of 967,934 burden hours.

All of the current burdens are recurring. Due to changes in the final rule, the Department is requesting 439,880 recurring hours for a decrease of 139,644 from the currently approved burden and a decrease of 528,054 hours from the adjusted baseline of 967,934 annual burden hours. The adjusted baseline hours are set off by an estimated decrease in the number of consents obtained by Part 2 programs as well as a decrease in the number of consents or authorizations obtained by covered entities or business associates that redisclose records received from Part 2 programs. The amount of decrease due to reduced consents is equal to the hours added to the baseline (388,410). The adjustment in requested hours also reflects new recurring burdens (118,086 hours) for receiving complaints, breach notification, attaching a copy of consent with disclosures, right to request restrictions on disclosures, right to discuss the patient notice, accounting of disclosures, and reporting to the Secretary. The changes to consent and the new breach notification requirements are statutory. Additionally, some requested changes are due to adopting estimates for provisions that parallel HIPAA requirements, which the Department based on data used by OCR in its 2021 HIPAA ICR.¹¹

The total burden hours (recurring and nonrecurring) requested is 672,663, which is an increase of 93,179 hours from the currently approved burden and a decrease of 293,271 hours from the adjusted baseline of 967,934.

15. Plans for Tabulation and Publication and Project Time Schedule

The information collections in this regulation are not used for statistical purposes nor are they published.

15. Reason(s) Display of OMB Expiration Date is Inappropriate

The OMB expiration date may be displayed.

15. Exceptions to Certification for Paperwork Reduction Act Submissions

There are no exceptions to the certification.

B. COLLECTION OF INFORMATION EMPLOYING STATISTICAL METHODS

Not applicable. This collection of information does not employ statistical methodology.

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Modified	0000-00-00
File Created	2025-12-30