Relationship between Programs and Qualified Service Organizations
Programs may disclose information to a qualified service organization (QSO) without the patient’s consent. The QSO concept is similar to the business associate framework under HIPAA. A QSO is a person or agency that provides services—such as data processing, dosage preparation, laboratory analyses, vocational counseling, or legal, medical, accounting, or other professional services—to a program that the program does not provide for itself. The QSO must enter a written agreement with the program in which it acknowledges that it is bound by the Part 2 Rules, promises not to redisclose patient-identifying information to which it gains access, and promises to resist unauthorized efforts to gain access to any patient-identifying information that may come into its possession.26
Any person who violates the Part 2 Rules may be subject to a criminal fine of up to $500 for the first offense and up to $5,000 for each subsequent offense.27 Criminal penalties may be imposed only if there is criminal intent. There is no private civil right of action.