
December 10, 2018
Private Health Information and Prescription Drug Monitoring Programs (PDMPs)

Prescription drug monitoring programs (PDMPs) maintain statewide electronic databases of prescriptions dispensed for controlled substances (i.e., prescription drugs of abuse that are subject to stricter government regulation). Information collected by PDMPs may be used to support access to and legitimate medical use of controlled substances; to identify or prevent drug abuse and diversion; to facilitate the identification of prescription drug-addicted individuals and enable intervention and treatment; to outline drug use and abuse trends to inform public health initiatives; or to educate individuals about prescription drug use, abuse, and diversion, as well as about PDMPs. For more information about PDMPs, see CRS Report R42593, Prescription Drug Monitoring Programs.

PDMPs have elicited numerous concerns about patient privacy, including issues around the scope and breadth of authorized access—and specifically, by law enforcement agencies—as well as the potential for unauthorized access or breaches. While PDMPs are seen as a valuable source of information in the effort to address improper prescribing of controlled substances, concerns exist about the potential deterrent effect on timely access to needed medication due to fear that sensitive health information will be shared with PDMPs, and may be subsequently legally disclosed or illegally accessed through a breach.

PDMPs have varying requirements with respect to the security and authorized use and disclosure of their stored information. These are governed by state law. PDMPs receive protected health information (PHI) from pharmacists and other health care providers (HIPAA [Health Insurance Portability and Accountability Act] Privacy Rule-covered entities) who are subject to the federal HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E). In addition, individually identifiable health information that is generated pursuant to treatment at substance abuse facilities is subject to stricter privacy requirements established by the “Part 2” rule (PHSA Section 543 [42 U.S.C. §290dd-2]; 45 C.F.R. Part 2).

The HIPAA Privacy Rule and PDMPs

The HIPAA Privacy Rule governs covered entities’ (health care plans, providers, and clearinghouses) and their business associates’ use and disclosure of PHI. Protected health information is defined as individually identifiable health information created or received by a covered entity that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium (45 C.F.R. §160.103).

The rule describes multiple situations in which covered entities may use or disclose PHI without authorization, while all uses and disclosures of PHI that are not expressly permitted under the rule require an individual’s prior written authorization. Generally, covered entities may share PHI between and among themselves for the purposes of treatment, payment, or health care operations, with few restrictions (and specifically, without the individual’s authorization) (45 C.F.R. §164.506). Health care operations include a number of activities as they relate to covered functions; for example, conducting quality assessment or improvement activities, reviewing the competence of health care professionals, and business planning and development. Express authorization is required for the use and disclosure of psychotherapy notes and for marketing or sale purposes (45 C.F.R. §164.508).

Certain other uses and disclosures (e.g., sharing PHI with family members and friends) are permitted, but they require the covered entity to give the individual the opportunity to object or agree to the PHI’s use or disclosure (45 C.F.R. §164.510). In two cases, covered entities are required to disclose PHI. They must disclose PHI to the individual who is the subject of the information in certain circumstances and they must disclose PHI to the Secretary of the Department of Health and Human Services (HHS) for purposes of determining compliance with the rule (45 C.F.R. §164.502(a)(2)).

Covered Entity Reporting of PHI to PDMPs Under the Rule

The Privacy Rule also recognizes that PHI may be useful in other circumstances aside from health care treatment and payment for a given individual. For this reason, the rule lists a number of “national priority purposes” for which covered entities may disclose PHI without an individual’s authorization or opportunity to agree or object (45 C.F.R. §164.512). PDMPs may receive PHI from covered entities under authority of one or more of these exceptions. Relevant exceptions identified in the rule may include disclosures required by law—in this case, state PDMP laws, disclosures to a public health authority for public health activities, or disclosures to health oversight agencies for oversight activities, among others.

Generally, the rule requires disclosures of PHI to be limited to only the minimum amount necessary to meet the purpose of the disclosure. With respect to disclosures to public officials to meet the national priority purposes (e.g., for public health activities), the covered entity may assume the requested information is the minimum necessary if the requesting official represents that it is (45 C.F.R. §164.514).

https://crsreports.congress.gov

Some states expressly note that they rely on these exceptions to receive PHI from HIPAA-covered entities to populate the PDMP. Specifically, Virginia’s Department of Health Professions notes that the rule allows for disclosure of PHI by covered entities without authorization for specified public health activities and purposes and to health oversight agencies for oversight activities in law, and that these two exceptions allow for covered entities’ disclosure of PHI to their PDMP.

In addition, the Department of Veterans Affairs (VA) published an interim final rule in 2013 implementing provisions of the Consolidated Appropriations Act, 2012 (P.L. 112-74), that together authorized the VA to report protected information to PDMPs. The rule notes that despite these authorizations in law, the authority is subject in addition to the HIPAA Privacy Rule, stating that “VA’s authority to disclose the information to PDMPs under the HIPAA Privacy Rule is contained in 45 C.F.R. 164.512(b), which allows disclosures to an agency or authority responsible for public health matters as part of its official mandate” (78 Federal Register 9589, February 11, 2013).

Security, Use, and Disclosure of PHI Held by PDMPs

A PDMP is not a HIPAA-covered entity, nor is it a business associate as defined by HIPAA, and therefore the requirements and standards for maintaining the security of the PHI—or for its redisclosure—that apply to HIPAA covered entities do not apply to PDMPs. A business associate under the rule must be providing services to or for a covered entity or an organized health care arrangement in which the covered entity participates, or must be creating, receiving, maintaining, or transmitting PHI on behalf of a covered entity (45 C.F.R. §160.103).

HHS’s National Committee on Vital and Health Statistics noted in a February 2018 report on health information privacy that “[w]hile PDMPs are not typically thought of as a big data resource, the databases collectively contain large amounts of personally identifiable health information not regulated by HIPAA because no covered entity maintains the data.” The requirements relating to securing stored information in PDMPs and for its subsequent use and disclosure are addressed in the individual state laws governing PDMPs.

42 C.F.R. Part 2 and PDMPs

Stricter federal privacy requirements—commonly known as the “Part 2” rule—apply to individually identifiable patient information received or acquired by federally assisted substance abuse programs. Specifically, the Part 2 rule applies to any information that would identify a patient as having or having had a substance use disorder, and that is obtained or maintained by a federally assisted substance abuse program for the purpose of treating a substance use disorder, making a diagnosis for that treatment, or making a referral for that treatment (42 C.F.R. §2.12(a)).

Part 2 applies to any individual or entity (other than a general medical facility) that is federally assisted and provides—and holds itself out as providing—diagnosis, treatment, or referral for treatment of substance use disorders (42 C.F.R. §2.12(b)). Most of the nation’s alcohol and drug treatment programs are covered by the Part 2 rule, comprising more than 12,000 hospitals, outpatient treatment centers, and residential treatment facilities. While Part 2 does not apply to general medical facilities or practices, it does cover specialized substance use disorder treatment units (and staff) within such facilities, and specifically those who hold themselves out as providing, and provide, substance use disorder diagnosis, treatment, or referral for treatment. “Federally assisted programs” include any program that is carried out in whole or in part by the federal government or supported by federal funds. One exception to this is that the Part 2 rule does not apply to information maintained in connection with care provided by the VA; those records are governed by 38 U.S.C. §7332.

The Part 2 rule strictly regulates the disclosure and redisclosure of patient identifying information held by Part 2 entities. The Part 2 rule allows Part 2 programs to disclose this information only either (1) with patient consent or (2) pursuant to exceptions in regulation (e.g., for a medical emergency, in connection with a crime on a Part 2 premise, for research). A general authorization for the release of medical information does not satisfy the rule’s requirement for written consent. Further, it strictly prohibits the subsequent redisclosure of information received from a Part 2 program without consent from the patient, and a notification clearly prohibiting this redisclosure by the receiving entity travels with any disclosed Part 2 information.

The requirement for patient consent for essentially all disclosures may be a logistical deterrent to the submission of patient identifying information held by Part 2 programs to PDMPs. In addition, since PDMPs are designed to share information with registered and authorized users, the Part 2 rule’s prohibition on redisclosure without patient consent discourages federally assisted substance abuse programs from contributing to PDMPs’ information about controlled substances dispensed for the treatment of opioid addiction (i.e., methadone or buprenorphine) due to concerns that authorized redisclosures of the data could not be prevented.

Although submitting Part 2 information to a PDMP, with appropriate written consent and the required accompanying notice prohibiting redisclosure, would not violate the rule, SAMHSA in a 2011 guidance letter discouraged Opioid Treatment Programs (OTPs) from submitting information to PDMPs, stating that it would not be “feasible” to ensure that the information will not be subsequently redisclosed. Stakeholders note that this omission results in providers who access PDMPs not receiving all relevant information about a patient. Given the role OTPs play in dispensing controlled substances, many observers say the lack of this information in PDMPs affects the overall effectiveness of the programs. Privacy advocates note, on the other hand, that this is a necessary step to ensure patient privacy.

Amanda K. Sarata, Specialist in Health Policy

IF11042

Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF11042 · VERSION 3 · NEW