(a) Notwithstanding other provisions of this part, including paragraph (b)(2) of this section, patient identifying information may be disclosed for the purposes of the recipient conducting scientific research if:

Ask a legal question, get an answer ASAP!
Click here to chat with a lawyer about your rights.

(1) The individual designated as director or managing director, or individual otherwise vested with authority to act as chief executive officer or their designee, of a part 2 program or other lawful holder of part 2 data, makes a determination that the recipient of the patient identifying information is:

(i) A HIPAA-covered entity or business associate that has obtained and documented authorization from the patient, or a waiver or alteration of authorization, consistent with the HIPAA Privacy Rule at 45 CFR 164.508 or 164.512(i), as applicable;

(ii) Subject to the HHS regulations regarding the protection of human subjects (45 CFR part 46), and provides documentation either that the researcher is in compliance with the requirements of 45 CFR part 46, including the requirements related to informed consent or a waiver of consent (45 CFR 46.111 and 46.116) or that the research qualifies for exemption under the HHS regulations (45 CFR 46.104) or any successor regulations;

(iii) Subject to the FDA regulations regarding the protection of human subjects (21 CFR parts 50 and 56) and provides documentation that the research is in compliance with the requirements of the FDA regulations, including the requirements related to informed consent or an exception to, or waiver of, consent (21 CFR part 50) and any successor regulations; or

(iv) Any combination of a HIPAA covered entity or business associate, and/or subject to the HHS regulations regarding the protection of human subjects, and/or subject to the FDA regulations regarding the protection of human subjects; and has met the requirements of paragraph (a)(1)(i), (ii) (iii), and/or (iv) of this section, as applicable.

(2) The part 2 program or other lawful holder of part 2 data is a HIPAA covered entity or business associate, and the disclosure is made in accordance with the HIPAA Privacy Rule requirements at 45 CFR 164.512(i).

(3) If neither paragraph (a)(1) or (2) of this section apply to the receiving or disclosing party, this section does not apply.

(b) Any individual or entity conducting scientific research using patient identifying information obtained under paragraph (a) of this section:

(1) Is fully bound by the regulations in this part and, if necessary, will resist in judicial proceedings any efforts to obtain access to patient records except as permitted by the regulations in this part.

(2) Must not re-disclose patient identifying information except back to the individual or entity from whom that patient identifying information was obtained or as permitted under paragraph (c) of this section.

(3) May include part 2 data in research reports only in aggregate form in which patient identifying information has been rendered non-identifiable such that the information cannot be re-identified and serve as an unauthorized means to identify a patient, directly or indirectly, as having or having had a substance use disorder.

(4) Must maintain and destroy patient identifying information in accordance with the security policies and procedures established under § 2.16.

(5) Must retain records in compliance with applicable federal, state, and local record retention laws.

(c) Data linkages—(1) Researchers. Any individual or entity conducting scientific research using patient identifying information obtained under paragraph (a) of this section that requests linkages to data sets from a data repository(-ies) holding patient identifying information must:

(i) Have the request reviewed and approved by an Institutional Review Board (IRB) registered with the Department of Health and Human Services, Office for Human Research Protections in accordance with 45 CFR part 46 to ensure that patient privacy is considered and the need for identifiable data is justified. Upon request, the researcher may be required to provide evidence of the IRB approval of the research project that contains the data linkage component.

(ii) Ensure that patient identifying information obtained under paragraph (a) of this section is not provided to law enforcement agencies or officials.

(2) Data repositories. For purposes of this section, a data repository is fully bound by the provisions of part 2 upon receipt of the patient identifying data and must:

(i) After providing the researcher with the linked data, destroy or delete the linked data from its records, including sanitizing any associated hard copy or electronic media, to render the patient identifying information non-retrievable in a manner consistent with the policies and procedures established under § 2.16 Security for records.

(ii) Ensure that patient identifying information obtained under paragraph (a) of this section is not provided to law enforcement agencies or officials.

(2) Except as provided in paragraph (c) of this section, a researcher may not redisclose patient identifying information for data linkages purposes.

[82 FR 6115, Jan. 18, 2017, as amended at 85 FR 43038, July 15, 2020]