ascertainable event. The time or occurrence upon which consent becomes revocable may be no later than the final disposition of the conditional release or other action in connection with which consent was given. (d) Restrictions on redisclosure and use. A person who receives patient information under this section may redisclose and use it only to carry out that person's official duties with regard to the patient's conditional release or other action in connection with which the consent was given. Subpart D-Disclosures Without Patient Consent §2.51 Medical emergencies. (a) General Rule. Under the procedures required by paragraph (c) of this section, patient identifying information may be disclosed to medical personnel who have a need for information about a patient for the purpose of treating a condition which poses an immediate threat to the health of any individual and which requires immediate medical intervention. (b) Special Rule. Patient identifying information may be disclosed to medical personnel of the Food and Drug Administration (FDA) who assert a reason to believe that the health of any individual may be threatened by an error in the manufacture, labeling, or sale of a product under FDA jurisdiction, and that the information will be used for the exclusive purpose of notifying patients or their physicians of potential dangers. (c) Procedures. Immediately following disclosure, the program shall document the disclosure in the patient's records, setting forth in writing: (1) The name of the medical personnel to whom disclosure was made and their affiliation with any health care facility; (2) The name of the individual making the disclosure; (3) The date and time of the disclosure; and (4) The nature of the emergency (or error, if the report was to FDA). (Approved by the Office of Management and Budget under control number 0930-0099) §2.52 Research activities. (a) Patient identifying information may be disclosed for the purpose of conducting scientific research if the program director makes a determination that the recipient of the patient identifying information: (1) Is qualified to conduct the research; (2) Has a research protocol under which the patient identifying information: (i) Will be maintained in accordance with the security requirements of §2.16 of these regulations (or more stringent requirements); and (ii) Will not be redisclosed except as permitted under paragraph (b) of this section; and (3) Has provided a satisfactory written statement that a group of three or more individuals who are independent of the research project has reviewed the protocol and determined that: (i) The rights and welfare of patients will be adequately protected; and (ii) The risks in disclosing patient identifying information are outweighed by the potential benefits of the research. (b) A person conducting research may disclose patient identifying information obtained under paragraph (a) of this section only back to the program from which that information was obtained and may not identify any individual patient in any report of that research or otherwise disclose patient identities. [52 FR 21809, June 9, 1987, as amended at 52 FR 41997, Nov. 2, 1987] §2.53 Audit and evaluation activities. (a) Records not copied or removed. If patient records are not copied or removed, patient identifying information may be disclosed in the course of a review of records on program premises to any person who agrees in writing to comply with the limitations on redisclosure and use in paragraph (d) of this section and who: (1) Performs the audit or evaluation activity on behalf of: (i) Any Federal, State, or local governmental agency which provides financial assistance to the program or is authorized by law to regulate its activities; or (ii) Any private person which provides financial assistance to the program, which is a third party payer covering patients in the program, or which is a peer review organization performing a utilization or quality control review; or (2) Is determined by the program director to be qualified to conduct the audit or evaluation activities. (b) Copying or removal of records. Records containing patient identifying information may be copied or removed from program premises by any person who: (1) Agrees in writing to: (i) Maintain the patient identifying information in accordance with the security requirements provided in §2.16 of these regulations (or more stringent requirements); (ii) Destroy all the patient identifying information upon completion of the audit or evaluation; and (iii) Comply with the limitations on disclosure and use in paragraph (d) of this section; and (2) Performs the audit or evaluation activity on behalf of: (i) Any Federal, State, or local governmental agency which provides financial assistance to the program or is authorized by law to regulate its activities; or (ii) Any private person which provides financial assistance to the program, which is a third part payer covering patients in the program, or which is a peer review organization performing a utilization or quality control review. (c) Medicare or Medicaid audit or evaluation. (1) For purposes of Medicare or Medicaid audit or evaluation under this section, audit or evaluation inIcludes a civil or administrative investigation of the program by any Federal, State, or local agency responsible for oversight of the Medicare or Medicaid program and includes administrative enforcement, against the program by the agency, of any remedy authorized by law to be imposed as a result of the findings of the investigation. (2) Consistent with the definition of program in §2.11, program includes an employee of, or provider of medical services under, the program when the employee or provider is the subject of a civil investigation or administrative remedy, as those terms are used in paragraph (c)(1) of this section. (3) If a disclosure to a person is authorized under this section for a Medicare or Medicaid audit or evaluation, including a civil investigation or administrative remedy, as those terms are used in paragraph (c)(1) of this section, then a peer review organization which obtains the information under paragraph (a) or (b) may disclose the information to that person but only for purposes of Medicare or Medicaid audit or evaluation. (4) The provisions of this paragraph do not authorize the agency, the program, or any other person to disclose or use patient identifying information obtained during the audit or evaluation for any purposes other than those necessary to complete the Medicare or Medicaid audit or evaluation activity as specified in this paragraph. (d) Limitations on disclosure and use. Except as provided in paragraph (c) of this section, patient identifying information disclosed under this section may be disclosed only back to the program from which it was obtained and used only to carry out an audit or evaluation purpose or to investigate or prosecute criminal or other activities, as authorized by a court order entered under §2.66 of these regulations. Subpart E-Court Orders §2.61 Legal effect of order. (a) Effect. An order of a court of competent jurisdiction entered under this subpart is a unique kind of court order. Its only purpose is to authorize a disclosure or use of patient information which would otherwise be prohibited by 42 U.S.C. 290ee-3, 42 U.S.C. 290dd-3 and these regulations. Such an order does not compel disclosure. A subpoena or a similar legal mandate must be issued in order to compel disclosure. This mandate may be entered at the same time as and accompany an authorizing court order entered under these regulations. (b) Examples. (1) A person holding records subject to these regulations receives a subpoena for those records: a response to the subpoena is not permitted under the regulations unless an authorizing court order is entered. The person may not disclose the records in response to the subpoena unless a court of competent jurisdiction enters an authorizing order under these regulations. (2) An authorizing court order is entered under these regulations, but the person authorized does not want to make the disclosure. If there is no subpoena or other compulsory process or a subpoena for the records has expired or been quashed, that person may refuse to make the disclosure. Upon the entry of a valid subpoena or other compulsory process the person authorized to disclose must disclose, unless there is a valid legal defense to the process other than the confidentiality restrictions of these regulations. [52 FR 21809, June 9, 1987; 52 FR 42061, Nov. 2, 1987] § 2.62 Order not applicable to records disclosed without consent to researchers, auditors and evaluators. A court order under these regulations may not authorize qualified personnel, who have received patient identifying information without consent for the purpose of conducting research, audit or evaluation, to disclose that information or use it to conduct any criminal investigation or prosecution of a patient. However, a court order under §2.66 may authorize disclosure and use of records to investigate or prosecute qualified personnel holding the records. §2.63 Confidential communications. (a) A court order under these regulations may authorize disclosure of confidential communications made by a patient to a program in the course of diagnosis, treatment, or referral for treatment only if: (1) The disclosure is necessary to protect against an existing threat to life or of serious bodily injury, including circumstances which constitute suspected child abuse and neglect and verbal threats against third parties; (2) The disclosure is necessary in connection with investigation or prosecu tion of an extremely serious crime, such as one which directly threatens loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, or child abuse and neglect; or (3) The disclosure is in connection with litigation or an administrative proceeding in which the patient offers testimony or other evidence pertaining to the content of the confidential communications. (b) [Reserved] §2.64 Procedures and criteria for orders authorizing disclosures for noncriminal purposes. (a) Application. An order authorizing the disclosure of patient records for purposes other than criminal investigation or prosecution may be applied for by any person having a legally recognized interest in the disclosure which is sought. The application may be filed separately or as part of a pending civil action in which it appears that the patient records are needed to provide evidence. An application must use a fictitious name, such as John Doe, to refer to any patient and may not contain or otherwise disclose any patient identifying information unless the patient is the applicant or has given a written consent (meeting the requirements of these regulations) to disclosure or the court has ordered the record of the proceeding sealed from public scrunity. (b) Notice. The patient and the person holding the records from whom disclosure is sought must be given: (1) Adequate notice in a manner which will not disclose patient identifying information to other persons; and (2) An opportunity to file a written response to the application, or to appear in person, for the limited purpose of providing evidence on the statutory and regulatory criteria for the issuance of the court order. (c) Review of evidence: Conduct of hearing. Any oral argument, review of evidence, or hearing on the application must be held in the judge's chambers or in some manner which ensures that patient identifying information is not disclosed to anyone other than a party to the proceeding, the patient, or the person holding the record, unless the patient requests an open hearing in a 190-164 D-00--2 §2.65 manner which meets the written consent requirements of these regulations. The proceeding may include an examination by the judge of the patient records referred to in the application. (d) Criteria for entry of order. An order under this section may be entered only if the court determines that good cause exists. To make this determination the court must find that: (1) Other ways of obtaining the information are not available or would not be effective; and (2) The public interest and need for the disclosure outweigh the potential injury to the patient, the physician-patient relationship and the treatment services. (e) Content of order. An order authorizing a disclosure must: (1) Limit disclosure to those parts of the patient's record which are essential to fulfill the objective of the order; (2) Limit disclosure to those persons whose need for information is the basis for the order; and (3) Include such other measures as are necessary to limit disclosure for the protection of the patient, the physician-patient relationship and the treatment services; for example, sealing from public scrutiny the record of any proceeding for which disclosure of a patient's record has been ordered. $2.65 Procedures and criteria for orders authorizing disclosure and use of records to criminally investigate or prosecute patients. (a) Application. An order authorizing the disclosure or use of patient records to criminally investigate or prosecute a patient may be applied for by the person holding the records or by any person conducting investigative or prosecutorial activities with respect to the enforcement of criminal laws. The application may be filed separately, as part of an application for a subpoena or other compulsory process, or in a pending criminal action. An application must use a fictitious name such as John Doe, to refer to any patient and may not contain or otherwise disclose patient identifying information unless the court has ordered the record of the proceeding sealed from public scrutiny. (b) Notice and hearing. Unless an order under §2.66 is sought with an 24 42 CFR Ch. I (10-1-00 Edition) order under this section, the person holding the records must be given: (1) Adequate notice (in a manner which will not disclose patient identifying information to third parties) of an application by a person performing a law enforcement function; (2) An opportunity to appear and be heard for the limited purpose of providing evidence on the statutory and regulatory criteria for the issuance of the court order; and (3) An opportunity to be represented by counsel independent of counsel for an applicant who is a person performing a law enforcement function. (c) Review of evidence: Conduct of hearings. Any oral argument, review of evidence, or hearing on the application shall be held in the judge's chambers or in some other manner which ensures that patient identifying information is not disclosed to anyone other than a party to the proceedings, the patient. or the person holding the records. The proceeding may include an examination by the judge of the patient records referred to in the application. (d) Criteria. A court may authorize the disclosure and use of patient records for the purpose of conducting a criminal investigation or prosecution of a patient only if the court finds that all of the following criteria are met: (1) The crime involved is extremely serious, such as one which causes or directly threatens loss of life or serious bodily injury including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, and child abuse and neglect. (2) There is a reasonable likelihood that the records will disclose information of substantial value in the investigation or prosecution. (3) Other ways of obtaining the information are not available or would not be effective. (4) The potential injury to the patient, to the physician-patient relationship and to the ability of the program to provide services to other patients is outweighed by the public interest and the need for the disclosure. (5) If the applicant is a person performing a law enforcement function that: (i) The person holding the records has been afforded the opportunity to be represented by independent counsel; and (ii) Any person holding the records which is an entity within Federal, State, or local government has in fact been represented by counsel independent of the applicant. (e) Content of order. Any order authorizing a disclosure or use of patient records under this section must: (1) Limit disclosure and use to those parts of the patient's record which are essential to fulfill the objective of the order; (2) Limit disclosure to those law enforcement and prosecutorial officials who are responsible for, or are conducting, the investigation or prosecution, and limit their use of the records to investigation and prosecution of extremely serious crime or suspected crime specified in the application; and (3) Include such other measures as are necessary to limit disclosure and use to the fulfillment of only that public interest and need found by the court. [52 FR 21809, June 9, 1987; 52 FR 42061, Nov. 2, 1987] §2.66 Procedures and criteria for or ders authorizing disclosure and use of records to investigate or prosecute a program or the person holding the records. (a) Application. (1) An order authorizing the disclosure or use of patient records to criminally or administratively investigate or prosecute a program or the person holding the records (or employees or agents of that program or person) may be applied for by any administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agency having jurisdiction over the program's or person's activities. (2) The application may be filed separately or as part of a pending civil or criminal action against a program or the person holding the records (or agents or employees of the program or person) in which it appears that the patient records are needed to provide material evidence. The application must use a fictitious name, such as John Doe, to refer to any patient and may not contain or otherwise disclose any patient identifying information unless the court has ordered the record of the proceeding sealed from public scrutiny or the patient has given a written consent (meeting the requirements of §2.31 of these regulations) to that disclosure. (b) Notice not required. An application under this section may, in the discretion of the court, be granted without notice. Although no express notice is required to the program, to the person holding the records, or to any patient whose records are to be disclosed, upon implementation of an order so granted any of the above persons must be afforded an opportunity to seek revocation or amendment of that order, limited to the presentation of evidence on the statutory and regulatory criteria for the issuance of the court order. (c) Requirements for order. An order under this section must be entered in accordance with, and comply with the requirements of, paragraphs (d) and (e) of §2.64 of these regulations. (d) Limitations on disclosure and use of patient identifying information: (1) An order entered under this section must require the deletion of patient identifying information from any documents made available to the public. (2) No information obtained under this section may be used to conduct any investigation or prosecution of a patient, or be used as the basis for an application for an order under §2.65 of these regulations. §2.67 Orders authorizing the use of undercover agents and informants to criminally investigate employees or agents of a program. (a) Application. A court order authorizing the placement of an undercover agent or informant in a program as an employee or patient may be applied for by any law enforcement or prosecutorial agency which has reason to believe that employees or agents of the program are engaged in criminal misconduct. (b) Notice. The program director must be given adequate notice of the application and an opportunity to appear and be heard (for the limited purpose of providing evidence on the statutory and regulatory criteria for the issuance of the court order), unless the application asserts a belief that: |