Private Health Information and Prescription Drug Monitoring Programs (PDMPs)
Updated April 30, 2021 (IF11042)

Prescription drug monitoring programs (PDMPs) maintain statewide electronic databases of prescriptions dispensed for controlled substances (i.e., prescription drugs of abuse that are subject to stricter government regulation). Information collected by PDMPs may be used to support access to legitimate medical use of controlled substances; to identify or prevent drug abuse and diversion; to facilitate the identification of prescription drug-addicted individuals and enable intervention and treatment; to outline drug use and abuse trends to inform public health initiatives; or to educate individuals about prescription drug use, abuse, and diversion (see CRS Report R42593, Prescription Drug Monitoring Programs). PDMPs have raised concerns about patient privacy, including issues around the scope and breadth of authorized access—specifically, by law enforcement agencies—as well as the potential for unauthorized access or breaches. While PDMPs are seen as valuable in the effort to address improper prescribing of controlled substances, concern persists about both legal disclosure of and illegal access to health information in PDMPs.

PDMPs have varying requirements with respect to the security and authorized use and disclosure of their stored information. These are governed by state law. PDMPs receive protected health information (PHI) from pharmacists and other health care providers (HIPAA [Health Insurance Portability and Accountability Act] covered entities) who are subject to the federal HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E). Challenges have arisen with reporting individually identifiable health information related to treatment at certain substance use disorder (SUD) facilities to PDMPs, as this information is subject to stricter privacy requirements under the "Part 2" rule (42 C.F.R. Part 2, implementing Public Health Service Act [PHSA] Section 543 [42 U.S.C. §290dd-2]). A July 2020 final rule amending the Part 2 rule made changes that facilitate this reporting (85 Federal Register, 42986).

The HIPAA Privacy Rule and PDMPs

The HIPAA Privacy Rule (the Rule) governs covered entities' (health care plans, providers, and clearinghouses) and their business associates' use and disclosure of PHI. To meet the definition of "covered entity" under the Rule, a health care provider must electronically transmit health information in connection with certain standard transactions. PHI is defined as individually identifiable health information created or received by a covered entity that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium (45 C.F.R. §160.103).

The Rule describes multiple situations in which covered entities may use or disclose PHI without authorization; all uses and disclosures of PHI that are not expressly permitted under the Rule require an individual's prior written authorization. Generally, covered entities may share PHI between and among themselves for the purposes of treatment, payment, or health care operations, with few restrictions (and specifically, without the individual's authorization) (45 C.F.R. §164.506). Health care operations include a number of activities as they relate to covered functions; for example, conducting quality assessment or improvement activities, reviewing the competence of health care professionals, and business planning and development. Express authorization is required for use and disclosure of psychotherapy notes and for marketing or sale purposes.

Certain other uses and disclosures (e.g., sharing PHI with family members and friends) are permitted, but they require a covered entity to give the individual the opportunity to object or agree to the PHI's use or disclosure (45 C.F.R. §164.510). In two cases, covered entities are required to disclose PHI: to the individual who is the subject of the information in certain circumstances and to the Secretary of the Department of Health and Human Services (HHS) for purposes of determining compliance with the Rule (45 C.F.R. §164.502(a)(2)).

Covered Entity Reporting of PHI to PDMPs

The Privacy Rule recognizes that PHI may be useful in other circumstances aside from health care treatment and payment for a given individual. For this reason, the Rule lists a number of "national priority purposes" for which covered entities may disclose PHI without an individual's authorization or opportunity to agree or object (45 C.F.R. §164.512). PDMPs may receive PHI from covered entities under authority of one or more of these exceptions. Relevant exceptions identified in the Rule may include disclosures required by law (e.g., state PDMP laws) or those to a public health authority for public health activities. Generally, the Rule requires disclosures of PHI to be limited to the minimum amount necessary to meet the purpose of the disclosure. With respect to disclosures to public officials to meet the national priority purposes (e.g., for public health activities), the covered entity may assume the requested information is the minimum necessary if the requesting official represents that it is (45 C.F.R. §164.514).

Some states expressly note that they rely on these exceptions to receive PHI from HIPAA-covered entities to populate their PDMP. For example, Virginia's Department of Health Professions notes that the Rule allows for disclosure of PHI by covered entities without authorization for specified public health activities and purposes and to health oversight agencies for oversight activities in law, and that these two exceptions allow for covered entities' disclosure of PHI to its PDMP.

In addition, the Department of Veterans Affairs (VA) published an interim final rule in 2013 implementing provisions of the Consolidated Appropriations Act, 2012 (P.L. 112-74), that together authorized the VA to report protected information to PDMPs. The interim final rule notes that these disclosures are permissible under the HIPAA Privacy Rule, stating that "VA's authority to disclose the information to PDMPs under the HIPAA Privacy Rule is contained in 45 C.F.R. §164.512(b), which allows disclosures to an agency or authority responsible for public health matters as part of its official mandate" (78 Federal Register 9589, February 11, 2013).

Security, Use, and Disclosure of PHI Held by PDMPs

A PDMP is not a HIPAA-covered entity, nor is it a business associate as defined by HIPAA, and therefore the requirements and standards for maintaining the security of the PHI—or for its redisclosure—that apply to HIPAA-covered entities do not apply to PDMPs. A business associate under the Rule must be providing services to or for a covered entity or an organized health care arrangement in which the covered entity participates, or must be creating, receiving, maintaining, or transmitting PHI on behalf of a covered entity (45 C.F.R. §160.103). HHS's National Committee on Vital and Health Statistics noted in a February 2018 report on health information privacy that "[w]hile PDMPs are not typically thought of as a big data resource, the databases collectively contain large amounts of personally identifiable health information not regulated by HIPAA because no covered entity maintains the data." State law includes requirements relating to securing data in PDMPs and the data's use and disclosure.

42 C.F.R. Part 2 and PDMPs

Stricter federal privacy requirements—commonly known as the "Part 2" rule—apply to individually identifiable patient information received or acquired by federally assisted substance abuse programs. Specifically, the Part 2 rule applies to any information that would identify a patient as having or having had a SUD, and that is obtained or maintained by a federally assisted substance abuse program for the purpose of treating a SUD, making a diagnosis for that treatment, or making a referral for that treatment (42 C.F.R. §2.12(a)). Part 2 applies to any individual or entity (other than a general medical facility) that is (1) federally assisted, and (2) provides, and holds itself out as providing, diagnosis, treatment, or referral for treatment of SUDs (42 C.F.R. §2.12(b)). Most of the nation's alcohol and drug treatment programs are covered by the Part 2 rule. While Part 2 does not apply to general medical facilities or practices, it does cover specialized SUD treatment units (and staff) within such facilities, and specifically those who hold themselves out as providing, and provide, SUD diagnosis, treatment, or referral for treatment. "Federally assisted programs" include any program that is carried out in whole or in part by the federal government or supported by federal funds. One exception to this is that the Part 2 rule does not apply to information maintained in connection with care provided by the VA; those records are instead governed by 38 U.S.C. §7332.

The Part 2 rule strictly regulates the disclosure and redisclosure of Part 2 records. It allows Part 2 programs to disclose this information only either (1) with patient consent or (2) pursuant to exceptions in law (e.g., for a medical emergency). A general authorization for the release of medical information does not satisfy the rule's requirement for written consent. Lawful holders—recipients of Part 2 records—must protect Part 2 records according to Part 2 requirements. The rule prohibits lawful holders from redisclosing Part 2 records without written consent from the patient. A written notice prohibiting subsequent redisclosure by the receiving entity must accompany disclosed Part 2 records.

The Substance Abuse and Mental Health Services Administration (SAMHSA) in a 2011 guidance letter discouraged Opioid Treatment Programs (OTPs) from submitting Part 2 records to PDMPs. This letter stated that it would not be "feasible" to ensure that the information would not be subsequently redisclosed, even though such a disclosure would violate the Part 2 rule, because PDMPs are designed to share information with registered and authorized users. Stakeholders say this omission resulted in incomplete information in PDMPs; in particular, given the role of OTPs in dispensing controlled substances, observers argue that the lack of completeness reduces the effectiveness of the programs. Privacy advocates, on the other hand, assert that keeping these records out of PDMPs is a necessary step to ensure patient privacy.

Recent Activity

Both Congress and SAMHSA have taken steps recently to address barriers to information sharing with PDMPs. The Coronavirus Aid, Relief, and Economic Security Act (CARES, P.L. 116-136, §3221) made changes to PHSA Section 543 to allow Part 2 programs, covered entities, and business associates to use or disclose Part 2 records for purposes of treatment, payment, and health care operations with an initial patient consent, consistent with related HIPAA Privacy Rule requirements. The Secretary must revise the Part 2 regulations so the changes apply with respect to uses and disclosures of covered records after March 27, 2021. However, SAMHSA recently noted that regulations will likely be published later this year, and that the current Part 2 requirements remain in effect in the interim. The new regulation could help clarify if and how these changes may affect HIPAA covered entity sharing of Part 2 records with PDMPs. Additionally, a SAMHSA July 2020 final rule amended the Part 2 rule to expressly permit a Part 2 program to report relevant information to a PDMP, if (1) required by applicable state law, and (2) patient consent is obtained (42 C.F.R. §2.36). The consent requirement may continue to create a deterrent to submission of Part 2 records to PDMPs; clarifying that this disclosure is specifically permitted may facilitate reporting.