Private Health Information and Prescription Drug Monitoring Programs (PDMPs)




Updated April 30, 2021

Prescription drug monitoring programs (PDMPs) maintain
statewide electronic databases of prescriptions dispensed
for controlled substances (i.e., prescription drugs of abuse
that are subject to stricter government regulation).
Information collected by PDMPs may be used to support
access to legitimate medical use of controlled substances; to
identify or prevent drug abuse and diversion; to facilitate
the identification of prescription drug-addicted individuals
and enable intervention and treatment; to outline drug use
and abuse trends to inform public health initiatives; or to
educate individuals about prescription drug use, abuse, and
diversion (see CRS Report R42593, Prescription Drug
Monitoring Programs). PDMPs have raised concerns about
patient privacy, including issues around the scope and
breadth of authorized access—specifically, by law
enforcement agencies—as well as the potential for
unauthorized access or breaches. While PDMPs are seen as
valuable in the effort to address improper prescribing of
controlled substances, concern persists about both legal
disclosure of and illegal access to health information in
PDMPs.

PDMPs have varying requirements with respect to the
security and authorized use and disclosure of their stored
information. These are governed by state law. PDMPs
receive protected health information (PHI) from
pharmacists and other health care providers (HIPAA
[Health Insurance Portability and Accountability Act]
covered entities) who are subject to the federal HIPAA
Privacy Rule (45 C.F.R. Part 164, Subpart E). Challenges
have arisen with reporting individually identifiable health
information related to treatment at certain substance use
disorder (SUD) facilities to PDMPs, as this information is
subject to stricter privacy requirements under the “Part 2”
rule (42 C.F.R. Part 2, implementing Public Health Service
Act [PHSA] Section 543 [42 U.S.C. §290dd-2]). A July
2020 final rule amending the Part 2 rule made changes that
facilitate this reporting (85 Federal Register, 42986).

The HIPAA Privacy Rule and PDMPs

The HIPAA Privacy Rule (the Rule) governs covered
entities’ (health care plans, providers, and clearinghouses)
and their business associates’ use and disclosure of PHI. To
meet the definition of “covered entity” under the Rule, a
health care provider must electronically transmit health
information in connection with certain standard
transactions. PHI is defined as individually identifiable
health information created or received by a covered entity
that is transmitted by electronic media, maintained in
electronic media, or transmitted or maintained in any other
form or medium (45 C.F.R. §160.103).

The Rule describes multiple situations in which covered
entities may use or disclose PHI without authorization,
while all uses and disclosures of PHI that are not expressly
permitted under the rule require an individual’s prior
written authorization. Generally, covered entities may share
PHI between and among themselves for the purposes of
treatment, payment, or health care operations, with few
restrictions (and specifically, without the individual’s
authorization) (45 C.F.R. §164.506). Health care operations
include a number of activities as they relate to covered
functions; for example, conducting quality assessment or
improvement activities, reviewing the competence of health
care professionals, and business planning and development.
Express authorization is required for use and disclosure of
psychotherapy notes and for marketing or sale purposes.

Certain other uses and disclosures (e.g., sharing PHI with
family members and friends) are permitted, but they require
a covered entity to give the individual the opportunity to
object or agree to the PHI’s use or disclosure (45 C.F.R.
§164.510). In two cases, covered entities are required to
disclose PHI: to the individual who is the subject of the
information in certain circumstances and to the Secretary of
the Department of Health and Human Services (HHS) for
purposes of determining compliance with the rule (45
C.F.R. §164.502(a)(2)).

Covered Entity Reporting of PHI to PDMPs

The Privacy Rule recognizes that PHI may be useful in
other circumstances aside from health care treatment and
payment for a given individual. For this reason, the Rule
lists a number of “national priority purposes” for which
covered entities may disclose PHI without an individual’s
authorization or opportunity to agree or object (45 C.F.R.
§164.512). PDMPs may receive PHI from covered entities
under authority of one or more of these exceptions.
Relevant exceptions identified in the Rule may include
disclosures required by law (e.g., state PDMP laws) or
those to a public health authority for public health activities.
Generally, the Rule requires disclosures of PHI to be
limited to the minimum amount necessary to meet the
purpose of the disclosure. With respect to disclosures to
public officials to meet the national priority purposes (e.g.,
for public health activities), the covered entity may assume
the requested information is the minimum necessary if the
requesting official represents that it is (45 C.F.R.
§164.514).

Some states expressly note that they rely on these
exceptions to receive PHI from HIPAA-covered entities to
populate their PDMP. For example, Virginia’s Department
of Health Professions notes that the Rule allows for
disclosure of PHI by covered entities without authorization
for specified public health activities and purposes and to
health oversight agencies for oversight activities in law, and
that these two exceptions allow for covered entities’
disclosure of PHI to its PDMP.

In addition, the Department of Veterans Affairs (VA)
published an interim final rule in 2013 implementing
provisions of the Consolidated Appropriations Act, 2012
(P.L. 112-74), that together authorized the VA to report
protected information to PDMPs. The interim final rule
notes that these disclosures are permissible under the
HIPAA Privacy Rule, stating that “VA’s authority to
disclose the information to PDMPs under the HIPAA
Privacy Rule is contained in 45 C.F.R. §164.512(b), which
allows disclosures to an agency or authority responsible for
public health matters as part of its official mandate” (78
Federal Register 9589, February 11, 2013).

Security, Use, and Disclosure of PHI Held by PDMPs

A PDMP is not a HIPAA-covered entity, nor is it a business
associate as defined by HIPAA, and therefore the
requirements and standards for maintaining the security of
the PHI—or for its redisclosure—that apply to HIPAA
covered entities do not apply to PDMPs. A business
associate under the Rule must be providing services to or
for a covered entity or an organized health care
arrangement in which the covered entity participates, or
must be creating, receiving, maintaining, or transmitting
PHI on behalf of a covered entity (45 C.F.R. §160.103).
HHS’s National Committee on Vital and Health Statistics
noted in a February 2018 report on health information
privacy that “[w]hile PDMPs are not typically thought of as
a big data resource, the databases collectively contain large
amounts of personally identifiable health information not
regulated by HIPAA because no covered entity maintains
the data.” State law includes requirements relating to
securing data in PDMPs and the data’s use and disclosure.

42 C.F.R. Part 2 and PDMPs

Stricter federal privacy requirements—commonly known as
the “Part 2” rule—apply to individually identifiable patient
information received or acquired by federally assisted
substance abuse programs. Specifically, the Part 2 rule
applies to any information that would identify a patient as
having or having had a SUD, and that is obtained or
maintained by a federally assisted substance abuse program
for the purpose of treating a SUD, making a diagnosis for
that treatment, or making a referral for that treatment (42
C.F.R. §2.12(a)). Part 2 applies to any individual or entity
(other than a general medical facility) that is (1) federally
assisted, and (2) provides, and holds itself out as providing,
diagnosis, treatment, or referral for treatment of SUDs (42
C.F.R. §2.12(b)). Most of the nation’s alcohol and drug
treatment programs are covered by the Part 2 rule. While
Part 2 does not apply to general medical facilities or
practices, it does cover specialized SUD treatment units
(and staff) within such facilities, and specifically those who
hold themselves out as providing, and provide, SUD
diagnosis, treatment, or referral for treatment. “Federally
assisted programs” include any program that is carried out
in whole or in part by the federal government or supported
by federal funds. One exception to this is that the Part 2 rule
does not apply to information maintained in connection
with care provided by the VA; those records are instead
governed by 38 U.S.C. §7332.

The Part 2 rule strictly regulates the disclosure and
redisclosure of Part 2 records. It allows Part 2 programs to
disclose this information only either (1) with patient
consent or (2) pursuant to exceptions in law (e.g., for a
medical emergency). A general authorization for the release
of medical information does not satisfy the rule’s
requirement for written consent. Lawful holders—recipients
of Part 2 records—must protect Part 2 records according to
Part 2 requirements. The rule prohibits lawful holders from
redisclosing Part 2 records without written consent from the
patient. A written notice prohibiting subsequent
redisclosure by the receiving entity must accompany
disclosed Part 2 records.

The Substance Abuse and Mental Health Services
Administration (SAMHSA) in a 2011 guidance letter
discouraged Opioid Treatment Programs (OTPs) from
submitting Part 2 records to PDMPs. This letter stated that
it would not be “feasible” to ensure that the information
would not be subsequently redisclosed, even though such a
disclosure would violate the Part 2 rule, because PDMPs
are designed to share information with registered and
authorized users. Stakeholders say this omission resulted in
incomplete information in PDMPs, and specifically, given
the role of OTPs in dispensing controlled substances,
observers argue the lack of completeness affects the
effectiveness of the programs. Privacy advocates assert, on
the other hand, that this is a necessary step to ensure patient
privacy.

Recent Activity

Both Congress and SAMHSA have taken steps recently to
address barriers to information sharing with PDMPs. The
Coronavirus Aid, Relief, and Economic Security Act
(CARES, P.L. 116-136, §3221) made changes to PHSA
Section 543 to allow Part 2 programs, covered entities, and
business associates to use or disclose Part 2 records for
purposes of treatment, payment, and health care operations
with an initial patient consent, consistent with related
HIPAA Privacy Rule requirements. The Secretary must
revise the Part 2 regulations so the changes apply with
respect to uses and disclosures of covered records after
March 27, 2021. However, SAMHSA recently noted that
regulations will likely be published later this year, and that
the current Part 2 requirements remain in effect in the
interim. The new regulation could help clarify if and how
these changes may affect HIPAA covered entity sharing of
Part 2 records with PDMPs. Additionally, a SAMHSA July
2020 final rule amended the Part 2 rule to expressly permit
a Part 2 program to report relevant information to a PDMP,
if (1) required by applicable state law, and (2) patient
consent is obtained (42 C.F.R. §2.36). The consent
requirement may continue to create a deterrent to
submission of Part 2 records to PDMPs; clarifying that this
disclosure is specifically permitted may facilitate reporting.

Amanda K. Sarata, Specialist in Health Policy

IF11042
https://crsreports.congress.gov



Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF11042 · VERSION 4 · UPDATED