HIPAA Privacy Rule To Support Reproductive Health Care Privacy, 23506-23553 [2023-07517]
Download as PDF
<![CDATA[
23506
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
RIN 0945–AA20
HIPAA Privacy Rule To Support
Reproductive Health Care Privacy
Office for Civil Rights (OCR),
Office of the Secretary, Department of
Health and Human Services.
ACTION: Notice of proposed rulemaking;
notice of Tribal consultation.
AGENCY:
The Department of Health and
Human Services (HHS or ‘‘Department’’)
is issuing this notice of proposed
rulemaking (NPRM) to solicit comment
on its proposal to modify the Standards
for Privacy of Individually Identifiable
Health Information (‘‘Privacy Rule’’)
under the Health Insurance Portability
and Accountability Act of 1996 (HIPAA)
and the Health Information Technology
for Economic and Clinical Health Act of
2009 (HITECH Act). The proposal
would modify existing standards
permitting uses and disclosures of
protected health information (PHI) by
limiting uses and disclosures of PHI for
certain purposes where the use or
disclosure of information is about
reproductive health care that is lawful
under the circumstances in which such
health care is provided. The proposal
would modify existing standards by
prohibiting uses and disclosures of PHI
for criminal, civil, or administrative
investigations or proceedings against
individuals, covered entities or their
business associates (collectively,
‘‘regulated entities’’), or other persons
for seeking, obtaining, providing, or
facilitating reproductive health care that
is lawful under the circumstances in
which it is provided.
DATES:
Comments: Submit comments on or
before June 16, 2023.
Meeting: Pursuant to Executive Order
13175, Consultation and Coordination
with Indian Tribal Governments, the
Department of Health and Human
Services’ Tribal Consultation Policy,
and the Department’s Plan for
Implementing Executive Order 13175,
the Office for Civil Rights solicits input
from Tribal officials as the Department
develops the modifications to the
HIPAA Privacy Rule at 45 CFR parts 160
and 164, subparts A and E. The Tribal
consultation meeting will be held on
May 17, 2023, at 2 p.m. to 3:30 p.m.
EDT.
ADDRESSES: You may submit comments,
identified by RIN Number 0945–AA20,
lotter on DSK11XQN23PROD with PROPOSALS2
SUMMARY:
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
by any of the following methods. Please
do not submit duplicate comments.
To participate in the Tribal
consultation meeting, you must register
in advance at https://
www.zoomgov.com/meeting/register/
vJItf-2hqD8jHfdtmYaUoWidy9
odBZMYQ4Q.
• Federal eRulemaking Portal: You
may submit electronic comments at
https://www.regulations.gov by searching
for the Docket ID number HHS–OCR–
0945–AA20. Follow the instructions at
https://www.regulations.gov for
submitting electronic comments.
Attachments should be in Microsoft
Word or Portable Document Format
(PDF).
• Regular, Express, or Overnight Mail:
You may mail written comments to the
following address only: U.S. Department
of Health and Human Services, Office
for Civil Rights, Attention: HIPAA and
Reproductive Health Care Privacy
NPRM, Hubert H. Humphrey Building,
Room 509F, 200 Independence Avenue
SW, Washington, DC 20201. Please
allow sufficient time for mailed
comments to be timely received in the
event of delivery or security delays.
Please note that comments submitted
by fax or email and those submitted
after the comment period will not be
accepted.
Inspection of Public Comments: All
comments received by the accepted
methods and due date specified above
may be posted without change to
content to https://www.regulations.gov,
which may include personal
information provided about the
commenter, and such posting may occur
after the closing of the comment period.
However, the Department may redact
certain non-substantive content from
comments or attachments to comments
before posting, including: threats, hate
speech, profanity, sensitive health
information, graphic images,
promotional materials, copyrighted
materials, or individually identifiable
information about a third-party
individual other than the commenter. In
addition, comments or material
designated as confidential or not to be
disclosed to the public will not be
accepted. Comments may be redacted or
rejected as described above without
notice to the commenter, and the
Department will not consider in
rulemaking any redacted or rejected
content that would not be made
available to the public as part of the
administrative record.
Docket: For complete access to
background documents or posted
comments, go to https://
www.regulations.gov and search for
PO 00000
Frm 00002
Fmt 4701
Sfmt 4702
Docket ID number HHS–OCR–0945–
AA20.
FOR FURTHER INFORMATION CONTACT:
Lester Coffer at (202) 240–3110 or (800)
537–7697 (TDD).
SUPPLEMENTARY INFORMATION: The
discussion below includes an Executive
Summary, a description of relevant
statutory and regulatory authority and
history, the justification for this
proposed regulation, a section-bysection description of the proposed
modifications, and a regulatory impact
analysis and other required regulatory
analyses. The Department solicits public
comment on all aspects of the proposed
rule. The Department requests that
persons commenting on the provisions
of the proposed rule label their
discussion of any particular provision or
topic with a citation to the section of the
proposed rule being addressed and
identify the particular request for
comment being addressed, if applicable.
I. Executive Summary
A. Overview
B. Applicability
C. Table of Abbreviations/Commonly Used
Acronyms in This Document
II. Statutory Authority and Regulatory
History
A. Statutory Authority and History
1. Health Insurance Portability and
Accountability Act of 1996 (HIPAA)
2. The Health Information Technology for
Economic and Clinical Health (HITECH)
Act
B. Rulemaking Authority and Regulatory
History
1. The Department’s Rulemaking Authority
Under HIPAA
2. Regulatory History
III. Justification for This Proposed
Rulemaking
A. HIPAA Encourages Trust by Carefully
Balancing Individuals’ Privacy Interests
With Others’ Interests in Using or
Disclosing PHI
B. Developments in the Legal Environment
are Eroding Individuals’ Trust in the
Health Care System
C. To Protect the Trust Between
Individuals and Health Care Providers,
the Department Proposes To Restrict
Certain Uses and Disclosures of PHI for
Non-Health Care Purposes
IV. Section-by-Section Description of
Proposed Amendments to the Privacy
Rule
A. Section 160.103—Definitions
1. Clarifying the Definition of ‘‘Person’’
2. Interpreting Terms Used in Section
1178(b) of the Social Security Act
3. Adding a Definition of ‘‘Reproductive
Health Care’’
4. Request for Comment
B. Section 164.502—Uses and Disclosures
of Protected Health Information: General
Rules
1. Clarifying When PHI May Be Used or
Disclosed by Regulated Entities
2. Adding a New Category of Prohibited
Uses and Disclosures
E:\FR\FM\17APP2.SGM
17APP2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
3. Clarifying Personal Representative
Status in the Context of Reproductive
Health Care
4. Request for Comment
C. Section 164.509—Uses and Disclosures
for Which an Attestation Is Required
(Proposed Heading)
1. Current Provision and Issues To Address
2. Proposal
3. Request for Comment
D. Section 164.512—Uses and Disclosures
for Which an Authorization or
Opportunity To Agree or Object Is Not
Required
1. Applying the Proposed Prohibition and
Attestation Requirement to Certain
Permitted Uses and Disclosures
2. Making a Technical Correction to the
Heading of 45 CFR 164.512(c) and
Clarifying That Providing or Facilitating
Reproductive Health Care Is Not Abuse,
Neglect, or Domestic Violence
3. Clarifying the Permission for Disclosures
Based on Administrative Processes
4. Request for Comment
E. Section 164.520—Notice of Privacy
Practices for Protected Health
Information
1. Current Provision and Issues To Address
2. Proposal
3. Request for Comment
V. Executive Order 12866 and Related
Executive Orders on Regulatory Review
A. Regulatory Impact Analysis
1. Summary of Costs and Benefits
2. Baseline Conditions
3. Costs of the Proposed Rule
4. Request for Comment
B. Regulatory Alternatives to the Proposed
Rule
C. Regulatory Flexibility Act—Small Entity
Analysis
D. Executive Order 13132—Federalism
E. Assessment of Federal Regulation and
Policies on Families
F. Paperwork Reduction Act of 1995
1. Explanation of Estimated Annualized
Burden Hours
VI. Request for Comment
VII. Public Participation
I. Executive Summary
lotter on DSK11XQN23PROD with PROPOSALS2
A. Overview
In this notice of proposed rulemaking
(NPRM), the Department of Health and
Human Services (HHS or ‘‘Department’’)
proposes modifications to the Standards
for Privacy of Individually Identifiable
Health Information (‘‘Privacy Rule’’),
issued pursuant to section 264 of the
Administrative Simplification
provisions of title II, subtitle F, of the
Health Insurance Portability and
Accountability Act of 1996 (HIPAA).1
1 Subtitle F of title II of HIPAA (Pub. L. 104–191,
110 Stat. 1936 (Aug. 21, 1996)) added a new part
C to title XI of the Social Security Act (SSA), Public
Law 74–271, 49 Stat. 620 (Aug. 14, 1935), (see
sections 1171–1179 of the SSA (codified at 42
U.S.C. 1320d–1320d–8)), as well as promulgating
section 264 of HIPAA (codified at 42 U.S.C. 1320d–
2 note), which authorizes the Secretary to
promulgate regulations with respect to the privacy
of individually identifiable health information. The
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
The Privacy Rule 2 is one of several
rules, collectively known as the HIPAA
Rules,3 that protect the privacy and
security of individuals’ protected health
information 4 (PHI), which is
individually identifiable health
information 5 (IIHI) transmitted by or
maintained in electronic media or any
other form or medium, with certain
exceptions.6
Under its statutory authority to
administer and enforce the HIPAA
Rules, the Department modifies the
HIPAA Rules as needed, but not more
than once every 12 months.7 The
Department makes the determination
that such modifications may be needed
using information it receives on an
ongoing basis—from the public,
regulated entities, media reports, and its
own analysis of the state of privacy for
IIHI. Based on information the
Department has received in recent
months, we believe it may be necessary
to modify the Privacy Rule to avoid the
circumstance where an existing
provision of the Privacy Rule is used to
request the use or disclosure of an
individual’s PHI as a pretext for
obtaining PHI related to reproductive
health care for a non-health care
purpose where such use or disclosure
would be detrimental to any person.
The proposals in this NPRM would
amend provisions of the Privacy Rule to
strengthen privacy protections for
individuals’ PHI related to reproductive
health care.
The Supreme Court’s decision in
Dobbs v. Jackson Women’s Health
Privacy Rule has subsequently been amended
pursuant to the Genetic Information
Nondiscrimination Act of 2008 (GINA), title I,
section 105, Public Law 110–233, 122 Stat. 881
(May 21, 2008) (codified at 42 U.S.C. 2000ff), and
the Health Information Technology for Economic
and Clinical Health (HITECH) Act of 2009, Public
Law 111–5, 123 Stat. 226 (Feb. 17, 2009) (codified
at 42 U.S.C. 139w–4(0)(2)).
2 45 CFR parts 160 and 164, subparts A and E. For
a history of the Privacy Rule, see Section II.B.2.,
‘‘Regulatory History,’’ below.
3 See also the HIPAA Security Rule, 45 CFR parts
160 and 164, subparts A and C; the HIPAA Breach
Notification Rule, 45 CFR part 164, subpart D; and
the HIPAA Enforcement Rule, 45 CFR part 160,
subparts C, D, and E.
4 45 CFR 160.103 (definition of ‘‘Protected health
information’’).
5 42 U.S.C. 1320d. See also 45 CFR 160.103
(definition of ‘‘Individually identifiable health
information’’).
6 At times throughout this NPRM, the Department
uses the terms ‘‘health information’’ or
‘‘individuals’ health information’’ to refer
generically to health information pertaining to an
individual or individuals. In contrast, the
Department’s use of the term ‘‘IIHI’’ refers to a
category of health information defined in HIPAA,
and ‘‘PHI’’ is used to refer specifically to a category
of IIHI that is defined by and subject to the privacy
and security standards promulgated in the HIPAA
Rules.
7 45 CFR 160.104.
PO 00000
Frm 00003
Fmt 4701
Sfmt 4702
23507
Organization 8 (Dobbs) makes it more
likely than before that individuals’ PHI
may be disclosed in ways that cause
harm to the interests that HIPAA seeks
to protect but that are not adequately
addressed in this context,9 such as
criminal, civil, or administrative
investigations or proceedings that chill
access to lawful health care and full
communication between individuals
and health care providers. These
developments in the legal environment
increase the potential for uses or
disclosures about an individual’s
reproductive health to undermine
access to and the quality of health care
generally. Some states have already
imposed criminal, civil, or
administrative liability for, or created
private rights of action against,
individuals who obtain certain
reproductive health care, including
pregnancy termination; the health care
providers who furnish such
reproductive health care; or other
persons who facilitate the furnishing or
receipt of certain reproductive health
care.10 Other states may follow suit in
the future. And in yet other states, law
enforcement agencies may attempt to
use general criminal laws to prosecute
individuals for seeking or obtaining
such reproductive health care.11
After Dobbs, the Department has
heard concerns that civil, criminal, or
administrative investigations or
proceedings have been instituted or
threatened on the basis of reproductive
health care that is lawful under the
circumstances in which it is provided.
The threat that PHI will be obtained and
used in such an investigation or
proceeding is likely to chill individuals’
willingness to seek lawful treatment or
to provide full information to their
8 597 U.S. __, 142 S. Ct. 2228 (2022) (No. 19–
1392) (June 24, 2022).
9 See National Committee on Vital and Health
Statistics (NCVHS or ‘‘Committee’’) discussion
below, section II.A.1., expressing concern for harm
caused by disclosing identifiable health information
for non-health care purposes.
10 See, e.g., S.C. Code Ann. sec. 44–41–80(b), NRS
200.220, Tex. Health & Safety Code Ann. sec.
171.208 (2021); 63 OK Stat sec. 1–745.34–35 (2022).
See also Abortion Policy Tracker, Kaiser Family
Foundation (Jan. 20, 2023), https://www.kff.org/
other/state-indicator/abortion-policy-tracker/
?currentTimeframe=0&
sortModel=%7B%22colId%22:%22Location
%22,%22sort%22:%22asc%22%7D.
11 See Laura Huss, Farah Diaz-Tello, Goleen
Samari, ‘‘Self-Care, Criminalized: August 2022
Preliminary Findings,*’’ If/When/How: Lawyering
for Reproductive Justice (2022), https://
www.ifwhenhow.org/resources/self-carecriminalized-preliminary-findings/; Caroline
Kitchener and Ellen Francis, ‘‘Talk of prosecuting
women for abortion pills roils antiabortion
movement,’’ The Washington Post (Jan. 11. 2023),
https://www.washingtonpost.com/nation/2023/01/
11/alabama-abortion-pills-prosecution/.
E:\FR\FM\17APP2.SGM
17APP2
23508
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
lotter on DSK11XQN23PROD with PROPOSALS2
health care providers when obtaining
that treatment.
A positive, trusting relationship
between individuals and their health
care providers is essential to an
individual’s health and well-being.12
The prospect of releasing highly
sensitive PHI can result in medical
mistrust and the deterioration of the
confidential, safe environment that is
necessary to quality health care, a
functional health care system, and the
public’s health generally.13 That is even
more true in the context of reproductive
health care, given the potential for
stigmatization and other adverse
consequences to individuals resulting
from disclosures they do not want or
expect.14
Experience shows that medical
mistrust—especially in vulnerable
communities that have been negatively
affected by historical and current health
care disparities 15—can create damaging
and chilling effects on individuals’
willingness to seek appropriate and
lawful care for medical conditions that
can worsen without treatment.16 If
12 See Fallon E. Chipidza, Rachel S. Wallwork,
Theodore A. Stern, ‘‘Impact of the Doctor-Patient
Relationship,’’ The Primary Care Companion for
CNS Disorders (Oct. 2015), https://
www.psychiatrist.com/pcc/delivery/patientphysician-communication/impact-doctor-patientrelationship/.
13 See, e.g., Kim Bellware, ‘‘Doctor says she
shouldn’t have to turn over patients’ abortion
records,’’ The Washington Post (Nov. 19, 2022),
https://www.washingtonpost.com/politics/2022/11/
19/caitlin-bernard-rokita-lawsuit/ (citing the
testimony of pediatric bioethics expert Kyle
Brothers about the potential negative effects
requests for this type of sensitive medical record
could have on individuals: ‘‘This kind of
disclosure, especially for a minor, is just
heartbreaking.’’). See also Eric Boodman, ‘‘In a
doctor’s suspicion after a miscarriage, a glimpse of
expanding medical mistrust,’’ STAT News (June 29,
2022), https://www.statnews.com/2022/06/29/
doctor-suspicion-after-miscarriage-glimpse-ofexpanding-medical-mistrust/ (Sarah Prager,
professor of obstetrics and gynecology at the
University of Washington said that it’s a bad
precedent if clinical spaces become unsafe for
patients because, ‘‘[a health care provider’s] ability
to take care of patients relies on trust, and that will
be impossible moving forward.’’).
14 See Letter from NCVHS Chair Simon P. Cohn
to HHS Secretary Michael O. Leavitt (Feb. 20, 2008)
(listing categories of health information that are
commonly considered to contain sensitive
information), p. 5, https://ncvhs.hhs.gov/wpcontent/uploads/2014/05/080220lt.pdf.
15 See Lisa P. Oakley, Marie Harvey, Daniel F.
Lopez-Cevallos, ‘‘Racial and Ethnic Discrimination,
Medical Mistrust, and Satisfaction with Birth
Control Services among Young Adult Latinas,’’
Women’s Health Issues (July–August 2018), p. 313,
https://www.sciencedirect.com/science/article/abs/
pii/S1049386717305443; and Cynthia Prather,
Taleria R. Fuller, Khiya J. Marshall, et al., ‘‘The
Impact of Racism on the Sexual and Reproductive
Health of African American Women,’’ Journal of
Women’s Health (July 2016), p. 664, https://
www.liebertpub.com/doi/abs/10.1089/jwh.2015.
5637.
16 See Texas Maternal Mortality and Morbidity
Review Committee and Department of State Health
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
individuals believe that their PHI may
be disclosed without their knowledge or
consent to initiate criminal, civil, or
administrative investigations or
proceedings against them or others
based primarily upon their receipt of
lawful reproductive health care, they are
likely to be less open, honest, or
forthcoming about their symptoms and
medical history. As a result, individuals
may refrain from sharing critical
information with their health care
providers, regardless of whether they
are seeking reproductive health care that
is lawful under the circumstances in
which it is provided. For instance, an
individual who has obtained a lawful
abortion in one state may fear receiving
emergency care in a state where
abortion is unlawful because providing
information to a health care provider in
such a state could place them into legal
jeopardy, even if that information is
relevant to the immediate health
emergency. If an individual believes
they cannot be honest about their health
history, the health care provider cannot
conduct an appropriate health
assessment to reach a sound diagnosis
and recommend the best course of
action for that individual. Heightened
confidentiality and privacy protections
enable an individual to develop a trustbased relationship with their health care
provider and to be open and honest
with their health care provider. That
health care provider is then more likely
to provide a correct diagnosis and aid
the individual in making informed
treatment decisions.
Similarly, if a health care provider
believes that an individual’s highly
sensitive PHI is likely to be disclosed
without the individual’s or the health
care provider’s knowledge or consent in
connection with a criminal, civil, or
administrative investigation or
proceeding against the individual, their
health care provider, or others primarily
because of the type of health care the
individual received or sought, the
health care provider is more likely to
omit information about an individual’s
medical history or condition, leave gaps,
or include inaccuracies when preparing
the individual’s medical records. And if
an individual’s medical records lack
complete information about the
individual’s health history, a
subsequent health care provider may
not be able to conduct an appropriate
health assessment to reach a sound
diagnosis and recommend the best
Services Joint Biennial Report 2022, Texas
Department of State Health Services (Dec. 2022), p.
41, https://www.dshs.texas.gov/sites/default/files/
legislative/2022-Reports/Joint-Biennial-MMMRCReport-2022.pdf.
PO 00000
Frm 00004
Fmt 4701
Sfmt 4702
course of action for the individual.
Alternatively, a health care provider
may even withhold from an individual
full and complete information about
their treatment options because of
liability fears stemming from concerns
about the level of privacy afforded to
PHI.17 Heightened confidentiality and
privacy protections enable a health care
provider to feel confident maintaining
full and complete medical records. With
complete medical records, an individual
is more likely to receive appropriate
ongoing or future health care, including
correct diagnoses, and obtain
appropriate guidance, empowering the
individual in making informed
treatment decisions. This further
enables the individual to access lawful
health care—and health care providers
to practice medicine—in an
environment that promotes social,
environmental, mental, and physical
wellness.
Furthermore, an individual’s lack of
trust in their health care provider to
maintain the confidentiality of the
individual’s most sensitive medical
information and a lack of trust in the
medical system more generally may
have significant repercussions for the
public’s health more generally.
Individuals who are not candid with
their health care providers about their
reproductive health care may also
withhold information about other
matters that have public health
implications, such as sexually
transmitted infections or vaccinations.18
When proposing the initial Privacy
Rule, the Department described its
policy choices as being motivated to
develop and maintain a relationship of
trust between individuals and health
care providers. ‘‘A fundamental
assumption of this regulation is that the
greatest benefits of improved privacy
protection will be realized in the future
as patients gain increasing trust in
health care practitioner’s ability to
17 See Brief for Zurawski at p. 10, Zurawski v.
State of Texas (No. D–1–GN–23–000968) (W.D. Tex.
2023) (stating that ‘‘[i]n every interaction with their
medical team in Texas, Lauren M. and her husband
felt confused and frustrated and could not get direct
answers,’’ and that ‘‘[i]t was apparent that their
doctors, nurses, and counselors were all fearful of
speaking directly and openly about abortion for fear
of liability under Texas’s abortion bans.’’).
18 See Letter from NCVHS Chair Simon P. Cohn
to HHS Secretary Michael O. Leavitt (June 22,
2006), p. 2 (with forwarded NCVHS
recommendations, ‘‘Individual trust in the privacy
and confidentiality of their personal health
information also promotes public health, because
individuals with potentially contagious or
communicable diseases are not inhibited from
seeking treatment.’’), https://ncvhs.hhs.gov/rrp/
june-22-2006-letter-to-the-secretaryrecommendations-regarding-privacy-andconfidentiality-in-the-nationwide-healthinformation-network/.
E:\FR\FM\17APP2.SGM
17APP2
lotter on DSK11XQN23PROD with PROPOSALS2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
maintain the confidentiality of their
health information.’’ 19 The Department
also described the benefits of increasing
individuals’ access to their own health
care information in the development
and maintenance of that trust. Providing
individuals with ‘‘[o]pen access to
[their] health information can benefit
both the individuals and the covered
entities. [ . . . ] It can increase
communication, thereby enhancing
individuals’ trust in their health care
providers and increasing compliance
with the providers’ instructions.’’ 20 The
Department reiterated this need for trust
between individuals and health care
providers in the 2000 Privacy Rule,
noting that ‘‘[t]he provision of highquality health care requires the
exchange of personal, often-sensitive
information between an individual and
a skilled practitioner. Vital to that
interaction is the patient’s ability to
trust that the information shared will be
protected and kept confidential.’’ 21 As
the Department also stated, ‘‘[h]ealth
care professionals who lose the trust of
their patients cannot deliver highquality care.’’ 22
However, the Department also noted
that the policy choices it made when
issuing the 2000 Privacy Rule were a
result of balancing the interests of the
individual in the privacy of their PHI
with the interests of society in
disclosures of PHI for non-health care
purposes. Thus, the 2000 Privacy Rule
included permissions for regulated
entities to disclose PHI under certain
conditions for judicial and
administrative proceedings and law
enforcement purposes. As the
Department explained at that time,
‘‘Individuals’ right to privacy in
information about themselves is not
absolute. It does not, for instance,
prevent reporting of public health
information on communicable diseases
or stop law enforcement from getting
information when due process has been
observed.’’ 23
The proposed modifications to the
Privacy Rule in this NPRM directly
advance the purposes of HIPAA. From
their inception, the Department’s
regulations implementing the statute
have sought to ensure that individuals
do not forgo lawful health care when
needed—or withhold important
information from their health care
providers that may affect the quality of
health care they receive—out of a fear
that their sensitive information would
19 See
64 FR 59918, 60006 (Nov. 3, 1999).
64 FR 59980.
21 See 65 FR 82462, 82463 (Dec. 28, 2000).
22 See 65 FR 82468.
23 65 FR 82464.
20 See
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
23509
be revealed outside of their
relationships with their health care
providers. In the past, the Department
generally has applied the same privacy
standards to nearly all PHI, regardless of
the type of health care at issue. But the
Department has also recognized that
some forms of PHI may be particularly
sensitive and thus may warrant
heightened protections. For example,
the Department has accorded ‘‘special
protections’’ to psychotherapy notes
under the Privacy Rule, owing in part to
the ‘‘particularly sensitive information’’
those notes contain.24
Many individuals regard information
about their reproductive health as
highly private and personal. That
information is likely to come up in a
wide variety of encounters between
individuals and their health care
providers, including routine physicals,
gynecological examinations, and a range
of other encounters that do not involve
an individual’s effort to obtain health
care, such as an abortion, that is illegal
under some post-Dobbs state laws.
However, if individuals do not trust that
their health care providers will keep
their sensitive information private, they
may withhold important health
information from their health care
providers, leading to incomplete and
inaccurate medical records and
potentially substandard health care.
Some individuals may refrain from or
defer obtaining necessary health care,
which could lead to worse health
outcomes and exacerbate health
disparities.25 Others may withhold
aspects of their medical history from
their health care providers, which could
impede the ability of health care
professionals to make fully informed
medical judgments and provide full and
complete information about treatment
options. Similarly, health care providers
may omit information about an
individual’s medical history or
condition, or leave gaps or include
inaccuracies, when preparing medical
records, out of fear that the individual’s
PHI is likely to be disclosed without the
individual’s or the health care
provider’s knowledge or consent for use
in criminal or civil proceedings against
the individual, their health care
provider, or others. In so doing, they
increase the risk that the individual will
receive substandard ongoing or future
health care. Regardless of how it occurs,
the result is substandard health care and
worse health outcomes.
Such deferrals or avoidance of lawful
health care are not only problematic for
individuals’ health, but they are also
problematic for public health. As
discussed in greater detail below, the
objective of public health is to protect
and improve the health of people and
their communities. Barriers that
undermine the willingness of
individuals to seek lawful health care in
a timely manner or to provide complete
and accurate health information to their
health care providers undermine the
overall objective of public health. Thus,
based on the longstanding purposes of
HIPAA, there is a compelling need to
provide additional protections to this
especially sensitive category of
information.
Following the Dobbs decision in 2022,
laws enacted or effective in a number of
states 26 raised the prospect that highly
sensitive PHI would be disclosed under
circumstances that did not exist before
the Supreme Court’s decision,
generating significant confusion for
individuals, health care providers,
family, friends, and caregivers regarding
their ability to privately seek, obtain,
provide, or facilitate health care. The
Department has received questions from
regulated entities, Members of Congress,
and others about the state of privacy
protections, particularly for information
about an individual’s reproductive
health or about reproductive health care
an individual may have received. While
the Department has already taken steps
to address some of the confusion,27 we
have received additional inquiries and
reports that indicate further clarification
is needed to resolve this confusion and
strengthen privacy protections. In light
of this confusion, the Department
believes that there is a need to reaffirm
and clarify that maintaining the privacy
of an individual’s PHI is important to
providing high-quality health care. To
do so, the Department believes it is
24 The special protections for psychotherapy
notes and the Department’s rationale for them are
discussed at greater length in section III of this
preamble.
25 See Jessica Winter, ‘‘The Dobbs Decision Has
Unleashed Legal Chaos for Doctors and Patients,’’
The New Yorker (July 2, 2022) (Chloe Akers, a
criminal defense attorney in Tennessee, discussing
agencies authorized to investigate offenses related
to abortion ‘‘[t]hat leads to a serious concern about
privacy at ob-gyn offices and for other health-care
providers.’’), https://www.newyorker.com/news/
news-desk/the-dobbs-decision-has-unleashed-legalchaos-for-doctors-and-patients.
26 See ‘‘After Roe Fell: Abortion Laws by State,’’
Center for Reproductive Rights (updated in real
time) (describing actions taken by states, including
that ‘‘some states and territories never repealed
their pre-Roe abortion bans’’ that have now gone
into effect.), https://reproductiverights.org/maps/
abortion-laws-by-state/.
27 See Press Release, ‘‘HHS Issues Guidance to
Protect Patient Privacy in Wake of Supreme Court
Decision on Roe,’’ U.S. Dep’t of Health and Human
Servs. (June 29, 2022), https://www.hhs.gov/about/
news/2022/06/29/hhs-issues-guidance-to-protectpatient-privacy-in-wake-of-supreme-court-decisionon-roe.html.
PO 00000
Frm 00005
Fmt 4701
Sfmt 4702
E:\FR\FM\17APP2.SGM
17APP2
23510
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
lotter on DSK11XQN23PROD with PROPOSALS2
necessary to provide heightened
protections for another especially
sensitive category of health
information—PHI sought for the
purposes of conducting a criminal, civil,
or administrative investigation into or
proceeding against any person in
connection with seeking, obtaining,
providing, or facilitating reproductive
health care that is lawful under the
circumstances in which it is provided.
These proposed modifications would
provide heightened protections for
individuals’ health information privacy
under the defined circumstances; foster
an open and honest exchange of
information between the individual and
health care provider, who—with that
information—could employ evidencebased clinical practice guidelines; and
increase access to high-quality, lawful
health care.
The Department has determined, in
accordance with other Federal agencies,
that information about reproductive
health care is particularly sensitive and
requires heighted protections. For
example, the Federal Trade Commission
(FTC) has recognized that information
related to personal reproductive matters
is ‘‘particularly sensitive.’’ 28 In business
guidance, FTC staff explained that
‘‘[t]he exposure of health information
and medical conditions, especially data
related to sexual activity or reproductive
health, may subject people to
discrimination, stigma, mental anguish,
or other serious harms.’’ 29 As a result,
the FTC has committed to using the full
scope of its authorities to protect
consumers’ privacy, including the
privacy of their health information and
other sensitive data.30
The Department of Defense (DOD) has
also recognized such privacy concerns.
In a memorandum to DOD leaders, the
Secretary of Defense directed the DOD
to ‘‘[e]stablish additional privacy
protections for reproductive health care
information’’ for service members and
‘‘[d]isseminate guidance that directs
Department of Defense health care
providers that they may not notify or
disclose reproductive health
information to commanders unless this
presumption is overcome by specific
exceptions set forth in policy.’’ 31 The
28 Kristin Cohen, ‘‘Location, health, and other
sensitive information: FTC committed to fully
enforcing the law against illegal use and sharing of
highly sensitive data,’’ Federal Trade Commission
Business Blog (July 11, 2022), https://www.ftc.gov/
business-guidance/blog/2022/07/location-healthand-other-sensitive-information-ftc-committedfully-enforcing-law-against-illegal (last accessed
Nov. 15, 2022).
29 Id.
30 Id.
31 Memorandum Re: Ensuring Access to
Reproductive Health Care, Dep’t of Defense (Oct.
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
guidance repeatedly emphasizes not
only the importance of privacy for such
highly sensitive information but also the
importance of privacy in making highly
sensitive reproductive health care
decisions.32
The Department recognizes that the
need for heightened protections for
highly sensitive PHI is now more acute
than it was before, given the actions
taken by states to regulate, and even
criminalize, reproductive health care.33
Before the Supreme Court’s decision,
the range of circumstances in which
persons attempted to seek or use highly
sensitive PHI in criminal, civil, and
administrative investigations or
proceedings in connection with the
provision of reproductive health care
was much narrower. The general HIPAA
privacy protections provided the
necessary trust to promote access to and
receipt of high-quality and lawful health
care in that environment. As states take
steps to more broadly regulate
reproductive health care, some
individuals and their health care
providers are at greater risk and have
increased fear that especially sensitive
PHI detailing the individual’s need for,
or receipt of, lawful reproductive health
care will be used or disclosed without
their knowledge or consent.34
The Department carefully analyzed
state prohibitions or restrictions on an
individual’s ability to obtain health care
and the effects on health information
privacy, access to high-quality health
care, and the relationships between
individuals and their health care
providers after Dobbs; and conducted a
thorough review of the history and text
of HIPAA and the Privacy Rule. The
Department has also engaged in
extensive discussions with HHS
agencies and other Federal departments,
including the Department of Justice;
examined media reports on state activity
affecting privacy protections for
reproductive health information; held
listening sessions with and reviewed
correspondence from stakeholders,
including covered entities, requesting
technical assistance from the
Department and urging the Department
to clarify and strengthen privacy
protections for PHI; and reviewed
correspondence to HHS from Members
of Congress who have urged the same.
The proposals contained within this
NPRM are the result of this work.
20, 2022), p. 1, (emphasis in original), https://
media.defense.gov/2022/Oct/20/2003099747/-1/-1/
1/MEMORANDUM-ENSURING-ACCESS-TOREPRODUCTIVE-HEALTH-CARE.PDF.
32 Id.
33 See ‘‘Talk of prosecuting women for abortion
pills roils antiabortion movement,’’ supra note 11.
34 Id.
PO 00000
Frm 00006
Fmt 4701
Sfmt 4702
B. Applicability
The effective date of a final rule
would be 60 days after publication.35
Regulated entities would have until the
‘‘compliance date’’ to establish and
implement policies and practices to
achieve compliance with any new or
modified standards. Except as otherwise
provided, 45 CFR 160.105 provides that
regulated entities must comply with the
applicable new or modified standards or
implementation specifications no later
than 180 days from the effective date of
any such change. The Department has
previously noted that the 180-day
general compliance period for new or
modified standards would not apply
where a different compliance period is
provided in the regulation for one or
more provisions.36 However, the
compliance period cannot be less than
the statutory minimum of 180 days.37
The Department does not believe that
the proposed rule would pose unique
implementation challenges that would
justify an extended compliance period
(i.e., a period longer than the standard
180 days provided in 45 CFR 160.105).
Further, the Department believes that
adherence to the standard compliance
period is necessary to timely address the
circumstances described in this NPRM.
Thus, the Department proposes to apply
the standard compliance date of 180
days after the effective date of a final
rule.38 The Department seeks comment
on this time frame for compliance.
If any provision in this rulemaking is
held to be invalid or unenforceable
facially, or as applied to any person,
plaintiff, or circumstance, the provision
shall be severable from the remainder of
this rulemaking, and shall not affect the
remainder thereof, and the invalidation
of any specific application of a
provision shall not affect the application
of the provision to other persons or
circumstances.
C. Table of Abbreviations/Commonly
Used Acronyms in This Document
As used in this preamble, the
following terms and abbreviations have
the meanings noted below.
35 See Office of the Federal Register, A Guide to
the Rulemaking Process (2011), p. 8, https://
www.federalregister.gov/uploads/2011/01/the_
rulemaking_process.pdf.
36 See 78 FR 5566, 5569 (Jan. 25, 2013).
37 See 42 U.S.C. 1320d–4(b)(2).
38 See 45 CFR 160.104(c)(1), which requires the
Secretary to provide at least a 180-day period for
covered entities to comply with modifications to
standards and implementation specifications in the
HIPAA Rules.
E:\FR\FM\17APP2.SGM
17APP2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
Term
Meaning
AMA ...............
American Medical Association.
Bureau of Labor Statistics.
Centers for Disease Control
and Prevention.
Department of Defense.
U.S. Department of Health
and Human Services.
Electronic Health Record.
Executive Order.
Federal Trade Commission.
Genetic Information Nondiscrimination Act of 2008.
Health Information Technology.
Health Information Technology for Economic and
Clinical Health Act of
2009.
Health Insurance Portability
and Accountability Act of
1996.
Information Collection Request.
Individually Identifiable
Health Information.
National Committee on Vital
and Health Statistics.
Notice of Privacy Practices.
Notice of Proposed Rulemaking.
Office for Civil Rights.
Office of Management and
Budget.
Portable Document Format.
Protected Health Information.
Paperwork Reduction Act of
1995.
Pharmacy Services Administration Organization.
Regulatory Flexibility Act.
Regulatory Impact Analysis.
Small Business Administration.
Social Security Act of 1935.
Unfunded Mandates Reform
Act of 1995.
Department of Veterans Affairs.
BLS ................
CDC ...............
DOD ...............
HHS or Department.
EHR ...............
E.O .................
FTC ................
GINA ..............
Health IT ........
HITECH Act ...
HIPAA ............
ICR .................
IIHI .................
NCVHS or
Committee.
NPP ................
NPRM ............
OCR ...............
OMB ...............
PDF ................
PHI .................
PRA ................
PSAO .............
RFA ................
RIA .................
SBA ................
SSA ................
UMRA ............
VA ..................
II. Statutory Authority and Regulatory
History
lotter on DSK11XQN23PROD with PROPOSALS2
A. Statutory Authority and History
1. Health Insurance Portability and
Accountability Act of 1996 (HIPAA)
In 1996, Congress enacted HIPAA 39
to reform the health care delivery
system. In so doing, Congress intended
to make health insurance more portable
and accessible for consumers, to
improve its quality, and to simplify its
administration.40 As noted by a leading
39 See
HIPAA, supra note 1.
H. Rept. 104–736, 104th Cong. (1996) at
177. See also 142 Cong. Rec. H3038 (daily ed. Mar.
28, 1996), (statement of Rep. McDermott) (speaking
about how privacy protection is essential to
improving health care quality, one of the purposes
of the H.R. 3103, Health Coverage Availability and
40 See
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
proponent of the bill during final debate
leading up to passage of the law, ‘‘[o]ur
objective, then, is to initiate
fundamental reforms in access to health
care without doing irreversible harm to
quality, research and technology.’’ 41
At the time, the health care system
was moving from paper-based to
electronic medical records. Congress
recognized the need to reduce the
burden of the transition on health care
providers, encourage health care
provider adoption of technology by
addressing concerns for potential
liability for use of new systems, and
ensure patient confidentiality of
electronic data to foster trust in health
care providers and support patient
access to health care.42 Congressional
statements leading up to HIPAA’s
enactment demonstrate Congress’ desire
that the law enhance individuals’ trust
in health care providers: ‘‘The bill
would also establish strict security
standards for health information
because Americans clearly want to make
sure that their health care records can
only be used by the medical
professionals that treat them. Often we
assume that because doctors take an
oath of confidentiality that in fact all
who touch their records operate by the
same standards. Clearly they do not.’’ 43
To address these needs, Congress
enacted HIPAA’s Administrative
Simplification provisions 44 in subtitle
F, sections 261 through 264, which
contained requirements for standards to
support the electronic exchange of
health information. Section 261 states,
in part, that ‘‘[i]t is the purpose of this
subtitle to improve [ . . . ] the efficiency
and effectiveness of the health care
system, by encouraging the
development of a health information
system through the establishment of
standards and requirements for the
electronic transmission of certain health
information [ . . . ].’’ 45
HIPAA protects individuals’ health
information in various ways. Congress
prohibited, among other things, the
disclosure of ‘‘individually identifiable
Affordability Act of 1996, the precursor to HIPAA);
142 Cong. Rec. H9568 (daily ed. Aug. 1, 1996)
(statement of Rep. Ganske).
41 See 142 Cong. Rec. S9505 (daily ed. Aug. 2,
1996) (statement of Sen. Roth).
42 See H.Rept. 104–736 at 177 and 264, supra note
40. See also 142 Cong. Rec. H9780 (daily ed., No.
116 Part II, Aug. 1, 1996) (statement of Rep.
Sawyer); 142 Cong. Rec. H9792 (daily ed. Aug. 1,
1996) (statement of Rep. McDermott); and 142 Cong.
Rec. S9515–16 (daily ed. Aug. 2, 1996) (statement
of Sen. Simon).
43 142 Cong. Rec. H9780 (statement of Rep.
Sawyer), supra note 42.
44 See HIPAA, supra note 1.
45 42 U.S.C. 1320d note (Statutory Notes and
Related Subsidiaries: Purpose). Subtitle F also
amended related provisions of the SSA.
PO 00000
Frm 00007
Fmt 4701
Sfmt 4702
23511
health information to another person’’ 46
and provided for severe penalties for
violations, including prison sentences of
up to 10 years and monetary fines of up
to $250,000.47 Congress also put in
place numerous protections for the
privacy of individuals’ health
information and directed HHS to
promulgate rules, recognizing the
importance of standards for security and
privacy in the developing electronic
environment, when Congress did not
enact detailed privacy requirements
within a specified period.48
HIPAA’s preemption provisions
reflect Congress’ intent to protect
individuals’ health care privacy. The
statute provides a ‘‘[g]eneral rule’’ that,
with certain exceptions, HIPAA’s
provisions ‘‘supersede any contrary
provision of State law.’’ 49 One
exception to HIPAA’s preemption
provisions is for ‘‘state privacy laws that
are contrary to and more stringent than
the corresponding federal standard,
requirement, or implementation
specification.’’ 50 ‘‘The effect of these
provisions is to let the law that is most
protective of privacy control.’’ 51 Thus,
HIPAA created privacy standards that
safeguard the health information of all
Americans, while respecting the ability
46 42
U.S.C. 1320d–6(a).
U.S.C. 1320d–6(b).
48 See, e.g., 42 U.S.C. 1320a–7c(a)(3)(B)(ii)
(creating a fraud and abuse control program with
measures to protect, among other things, the
confidentiality of the information and the privacy
of individuals receiving health care services and
items.); H.Rept. 104–736 at 242, supra note 40
(explaining that such program ‘‘would ensure the
confidentiality of information [ . . . ] as well as the
privacy of individuals receiving health care
services’’); 42 U.S.C. 1320a–7e(b)(3) (creating a
health care fraud and abuse data collection program
with procedures to assure the protection of the
privacy of individuals receiving health care
services.); H.Rept. 104–736 at 252, supra note 40
(explaining that such program would ‘‘protect the
privacy of individuals receiving health care
services’’); section 264(a) of Public Law 104–191,
(codified at 42 U.S.C. 1320d–2 note) (requiring the
Secretary of HHS to submit recommendations on
privacy standards for individually identifiable
health information); section 264(c) of Public Law
104–191, (codified at 42 U.S.C. 1320d–2 note)
(requiring the Secretary to issue regulations
containing such privacy standards if Congress does
not); H.Rept. 104–736 at 265, supra note 40
(recognizing that ‘‘certain uses of individually
identifiable information are appropriate, and do not
compromise the privacy of an individual[,]’’ such
as ‘‘the transfer of information when making
referrals from primary care to specialty care’’).
49 42 U.S.C. 1320d–7(a)(1) (providing the general
rule that, with limited exceptions, a provision or
requirement under HIPAA supersedes any contrary
provision of state law.) See also section 264(c)(2) of
Public Law 104–191 (codified at 42 U.S.C. 1320d–
2 note).
50 65 FR 82580 (the exception applies under
section 1178(a)(2)(B) of the SSA and section
264(c)(2) of HIPAA).
51 Id.
47 42
E:\FR\FM\17APP2.SGM
17APP2
23512
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
lotter on DSK11XQN23PROD with PROPOSALS2
of states to provide individuals with
additional privacy protection.
The Conference Report resolving
differences in House and Senate bill
language provides further evidence that
Congress gave great weight to the need
for privacy standards that adequately
protect individual health information
privacy at a Federal level but allow for
greater health information privacy
protection by states. Congressional
references to ‘‘rapidly’’ progressing
technological innovation 52 and the
need to balance the privacy interests of
individuals and the benefits of sharing
data in certain circumstances (e.g.,
sharing IIHI for treatment or aggregated
data for research 53) demonstrate that
Congress considered that health care
reform would require a carefully
calibrated and appropriate method for
exchanging data. Similarly,
congressional deliberations demonstrate
that Congress viewed individual
privacy, confidentiality, and data
security as critical for orderly
administrative simplification.54 As
noted by one Member of Congress,
privacy standards would add an
additional layer of protection beyond
the oath pledged by health care
providers to keep information secure
and, as described by another Member,
would further protect information from
being used in a ‘‘malicious or
discriminatory manner.’’ 55
Congress applied the Administrative
Simplification provisions directly to
three types of entities known as
‘‘covered entities’’—health plans, health
care clearinghouses, and health care
providers who transmit information
electronically in connection with a
transaction for which HHS has adopted
a standard.56 Congress also required the
Secretary, no later than 12 months from
the date of enactment, to identify
‘‘detailed’’ recommendations for Federal
52 See H.Rept. 104–736 at 270, supra note 40. See
also South Carolina Med. Ass’n v. Thompson, 327
F.3d 346, 354 (4th Cir. 2003) (‘‘Recognizing the
importance of protecting the privacy of health
information in the midst of the rapid evolution of
health information systems, Congress passed
HIPAA in August 1996.’’), cert. denied, 540 U.S.
981 (2003).
53 See H.Rept. 104–736 at 265, supra note 40.
54 On a resolution waiving points of order against
the Conference Report to H.R. 3103, members
debated an ‘‘erosion of privacy’’ balanced against
the administrative simplification provisions. See
142 Cong. Rec. H9777 and H9780, supra note 42.
55 See comment from Rep. Sawyer, supra note 42.
See also statement of Sen. Simon, supra note 42.
56 See section 262 of Public Law 104–191, adding
section 1172 to the SSA (codified at 42 U.S.C.
1320d–1). See also section 13404 of the American
Recovery and Reinvestment Act of 2009, Public
Law 111–5, 123 Stat. 115 (Feb. 17, 2009) (codified
at 42 U.S.C. 17934) (applying privacy provisions
and penalties to business associates of covered
entities).
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
standards to protect the privacy and
security of IIHI nationwide addressing,
at least, (1) the rights that an individual
who is a subject of IIHI should have; (2)
the procedures that should be
established for the exercise of such
rights; and (3) the uses and disclosures
of such information that should be
authorized or required. Congress further
directed the Secretary to promulgate
standards to govern the privacy of
information no later than 42 months
after HIPAA’s enactment if Congress
itself had not done so via additional
legislation.57
HIPAA section 264(d) required the
Secretary to consult with the
Department’s National Committee on
Vital and Health Statistics (NCVHS) 58
in carrying out the requirements of
section 264.59 Like Congress, NCVHS
considered the appropriateness of
permitting identifiable health
information to be used for certain
purposes and not others and requiring
‘‘substantive and procedural barriers’’
for still others. For example, NCVHS
recommended that ‘‘strong substantive
and procedural protections’’ be imposed
if health information were to be
disclosed to law enforcement, and,
where identifiable health information
57 See section 264 of Public Law 104–191
(codified at 42 U.S.C. 1320d–2 note). Although the
original regulations were enacted in 2001, more
than 42 months from HIPAA’s enactment, ‘‘HHS’s
delay in promulgating the final Privacy Rule did not
deprive the agency of the power to act.’’ Ass’n of
Am. Physicians & Surgeons, Inc. v. HHS, 224 F.
Supp. 2d 1115, 1127 (S.D. Tex. 2002), aff’d, 67 F.
App’x 253 (5th Cir. 2003) (noting that HHS’s delay,
‘‘particularly in the face of huge administrative
burdens . . . do[es] not result in the invalidation
of HHS’s authority to promulgate the Privacy Rule’’)
(citing Regions Hospital v. Shalala, 522 U.S. 448,
459 n.2 (1998); Brock v. Pierce Cnty., 476 U.S. 253,
260 (1986)).
58 See section 264(a) and (d) of Public Law 104–
191 (codified at 42 U.S.C. 1320d–2 note). The law
also required the Secretary to consult with the U.S.
Attorney General.
59 42 U.S.C. 242k(k) established the NCVHS as an
18-member committee within the Office of the
Secretary. The statute requires the committee to
include persons with expertise in the following
fields: health statistics, electronic interchange of
health care information, privacy and security of
electronic information, population-based public
health, purchasing or financing health care services,
integrated computerized health information
systems, health services research, consumer
interests in health information, health data
standards, epidemiology, and the provision of
health services. NCVHS committee members are
appointed to serve four-year terms. NCVHS serves
as the statutory public advisory body to the
Secretary ‘‘for health data, statistics, privacy, and
national health information policy and the Health
Insurance Portability and Accountability Act.’’ In
addition, the Committee advises the Secretary,
‘‘reports regularly to Congress on HIPAA
implementation, and serves as a forum for
interaction between HHS and interested private
sector groups on a range of health data issues.’’
National Comm. on Vital and Health Statistics,
About NCVHS, https://ncvhs.hhs.gov/.
PO 00000
Frm 00008
Fmt 4701
Sfmt 4702
would be made available for non-health
purposes, individuals should be
afforded assurances that their data
would not be used against them.60
Ultimately, NCVHS ‘‘unanimously’’
believed, ‘‘[ . . . ] the Secretary and the
Administration [should] assign the
highest priority to the development of a
strong position on health privacy that
provides the highest possible level of
protection for the privacy rights of
patients.’’ 61 NCVHS further noted that
failure to do so would ‘‘undermine
public confidence in the health care
system, expose patients to continuing
invasions of privacy, subject record
keepers to potentially significant legal
liability, and interfere with the ability of
health care providers and others to
operate the health care delivery and
payment system in an effective and
efficient manner,’’ which would
undermine what Congress intended
when it enacted HIPAA.62
The NCVHS explicitly stated that:
The Committee strongly supports limiting
use and disclosure of identifiable information
to the minimum amount necessary to
accomplish the purpose. The Committee also
strongly believes that when identifiable
health information is made available for nonhealth uses, patients deserve a strong
assurance that the data will not be used to
harm them.63
NCVHS acknowledged that secondary
uses of individuals’ health information
could provide benefits to society but
recognized that these uses posed the
potential for harm to individuals in
certain circumstances. As NCVHS
described it, ‘‘[a] restriction prohibiting
secondary use against the record subject
is an essential part of the ‘bargain’ that
allows use of the data for socially
beneficial purposes while protecting
individual patients.’’ 64 Thus, NCVHS
strongly recommended restrictions of
the ability of third parties to use
information against the individual for
purposes unrelated to health,
particularly for law enforcement and
other governmental purposes.
In its recommendations, NCVHS
acknowledged that there might be
difficulty in distinguishing between
categories of users, but it also
recognized the importance of doing so.65
NCVHS recommended that ‘‘any rules
60 Letter from NCVHS Chair Don E. Detmer to
HHS Secretary Donna E. Shalala (June 27, 1997)
(forwarding NCVHS recommendations), https://
ncvhs.hhs.gov/rrp/june-27-1997-letter-to-thesecretary-with-recommendations-on-health-privacyand-confidentiality/.
61 Id. at Principal Findings and
Recommendations.
62 Id.
63 Id. at Executive Summary.
64 Id. at E.
65 Id. at F.
E:\FR\FM\17APP2.SGM
17APP2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
regulating disclosures of identifiable
health information be as clear and as
narrow as possible. Each group of users
must be required to justify their need for
health information and must accept
reasonable substantive and procedural
limitations on access.’’ 66 This would
allow for the disclosures that society
deemed necessary and appropriate
while providing individuals with clear
expectations regarding their health
information privacy.
2. The Health Information Technology
for Economic and Clinical Health
(HITECH) Act
On February 17, 2009, Congress
enacted the Health Information
Technology for Economic and Clinical
Health Act of 2009 (HITECH Act) 67 to
promote the widespread adoption and
standardization of health information
technology (health IT). In passing the
law, Congress instructed that any new
health IT standards take into account
the privacy and security requirements of
the HIPAA Rules.68
Within the HITECH Act, Congress
enacted new HIPAA privacy and
security requirements for covered
entities and business associates and
expanded certain rights of individuals
with respect to their PHI. The HITECH
Act affirmed that ‘‘[t]he standards
governing the privacy and security of
individually identifiable health
information promulgated by the
Secretary under sections 262(a) and
264’’ of HIPAA ‘‘shall remain in effect
to the extent that they are consistent
with this subtitle’’ and directed the
Secretary to ‘‘amend such Federal
regulations as required to make such
regulations consistent with this
subtitle.’’ 69 The HITECH Act further
provided that ‘‘[t]his title may not be
construed as having any effect on the
authorities of the Secretary under
HIPAA privacy and security law,’’
defined to include ‘‘section 264 of the
[HIPAA]’’ and ‘‘regulations under [that]
provision[ ].’’ 70
Congress understood the relationship
between a connected health IT
lotter on DSK11XQN23PROD with PROPOSALS2
66 Id.
67 Title XIII of Division A and Title IV of Division
B of the American Recovery and Reinvestment Act
of 2009, Public Law 111–5, 123 Stat. 115 (Feb. 17,
2009) (codified at 42 U.S.C. 201 note).
68 Section 3009(a)(1)(B) of the HITECH Act
(codified at 42 U.S.C. 300jj–19(a)(1)) requires that
the health IT standards and implementation
specifications adopted under section 3004 take into
account the requirements of HIPAA privacy and
security law.
69 Section 13421(b) of the HITECH Act (codified
at 42 U.S.C. 17951).
70 Section 3009(a) of the HITECH Act (codified at
42 U.S.C. 300jj–19(a)), which, as stated above,
preserves the Secretary’s authority to modify the
privacy regulations under 45 CFR 160.104(a).
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
landscape, a necessary and vital
component of health care reform,71 and
privacy and security standards when it
enacted the HITECH Act. The Purpose
statement of an accompanying House of
Representatives report 72 on the Energy
and Commerce Recovery and
Reinvestment Act 73 recognizes that
‘‘[i]n addition to costs, concerns about
the security and privacy of health
information have also been regarded as
an obstacle to the adoption of [health
IT].’’ The Senate Report for S. 336 74
similarly acknowledges that
‘‘[i]nformation technology systems
linked securely and with strong privacy
protections can improve the quality and
efficiency of health care while
producing significant cost savings.’’ 75
As the Department explained in the
2013 regulation referred to as the
‘‘Omnibus Rule’’ 76 and discussed in
greater detail below, the HITECH Act’s
new HIPAA privacy and security
requirements 77 supported Congress’
goal to promote widespread adoption
and interoperability of health IT by
‘‘strengthen[ing] the privacy and
security protections for health
information established by HIPAA.’’ 78
B. Rulemaking Authority and
Regulatory History
1. The Department’s Rulemaking
Authority Under HIPAA
In passing HIPAA, Congress
recognized the importance of privacy for
IIHI by requiring the Secretary to issue
regulations on privacy in the event that
Congress itself did not enact specific
privacy legislation.79 That statutory
directive complemented the Secretary’s
71 C. Stephen Redhead, ‘‘The Health Information
Technology for Economic and Clinical Health
(HITECH) Act,’’ Congressional Research Service
(updated Apr. 27, 2009), https://crsreports.
congress.gov/product/pdf/R/R40161/9 (‘‘[Health
IT], which generally refers to the use of computer
applications in medical practice, is widely viewed
as a necessary and vital component of health care
reform.’’).
72 H.Rept. 111–7, accompanying H.R. 629, 111th
Cong., at 74 (2009).
73 H.R. 629, Energy and Commerce Recovery and
Reinvestment Act of 2009, introduced in the House
on January 22, 2009, contained nearly identical
provisions to subtitle D of the HITECH Act.
74 Congress enacted the American Recovery and
Reinvestment Act of 2009, which included the
HITECH Act, on February 17, 2009. While it was
the House version of the bill, H.R. 1, that was
enacted, the Senate version, S. 336, contained
nearly identical provisions to subtitle D of the
HITECH Act.
75 S.Rept. 111–3, 111th Cong. accompanying S.
336, 111th Cong., at 59 (2009).
76 78 FR 5566.
77 Subtitle D of title XIII of the HITECH Act
(codified at 42 U.S.C. 17921, 42 U.S.C. 17931–
17941, and 42 U.S.C. 17951–17953).
78 78 FR 5568.
79 See Section 264(c)(1) of Public Law 104–191
(codified at 42 U.S.C. 1320d–2 note).
PO 00000
Frm 00009
Fmt 4701
Sfmt 4702
23513
general rulemaking authority to ‘‘make
and publish such rules and regulations,
not inconsistent with this chapter, as
may be necessary to the efficient
administration of the functions with
which each is charged under this
chapter.’’ 80
Congress further contemplated that
related rulemaking authorities would
not be static. Indeed, in a closely
analogous section of the HIPAA
Administrative Simplification
provisions—related to enabling the
electronic exchange of health
information—Congress built in a
mechanism to adapt such regulations as
technology and health care evolve,
directing that the Secretary review and
modify the Administrative
Simplification standards as determined
appropriate, but not more frequently
than once every 12 months.81 The
Department recognized how intertwined
these particular Administrative
Simplification standards would be with
the standards for the privacy of
individually identifiable health
information, and thus promulgated a
regulatory standard that limits
modifications to all of the rules
promulgated under the Administrative
Simplification provisions to no more
frequently than once every 12 months.82
The Secretary exercised each of these
rulemaking authorities in 2000 to adopt
45 CFR 160.104(a), which reserves the
Secretary’s power to modify any
‘‘standard or implementation
specification adopted under this
subchapter’’ of these regulations,
including the Administrative
Simplification provisions. The Secretary
invoked this modification authority to
amend the Privacy Rule in 2002.83
Subsequently, as discussed above,
Congress affirmed that the HIPAA
Rules—including 45 CFR 160.104(a)—
are to remain in effect to the extent that
they are consistent with the HITECH
Act and directed the Secretary to revise
the HIPAA Rules as necessary for
consistency with the HITECH Act.84 At
the same time, Congress also confirmed
that the new law was not intended to
have any effect on authorities already
granted under HIPAA to the
Department, including section 264 of
that statute and the regulations issued
under that provision. Congress’
affirmation of the Secretary’s
rulemaking power, including the
80 Section 1102 of the SSA (codified at 42 U.S.C.
1302).
81 See Section 1174(b)(1) of Public Law 104–191
(codified at 42 U.S.C. 1320d–3).
82 45 CFR 160.104.
83 See 67 FR 53182 (Aug. 14, 2002).
84 Section 13421(b) of the HITECH Act (codified
at 42 U.S.C. 17951).
E:\FR\FM\17APP2.SGM
17APP2
23514
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
authority to modify the Secretary’s own
regulations, thus confirms that the
Secretary retains the authority to modify
the Privacy Rule as often as every 12
months when appropriate, including to
strengthen privacy and security
protections for IIHI. In fact, after the
enactment of the HITECH Act, the
Secretary exercised this authority to
modify the Privacy Rule again in 2013.85
To properly execute the HIPAA
statutory mandate, and in accordance
with the regulatory authority granted to
it by Congress, the Department regularly
evaluates the interaction of the Privacy
Rule and state statutes and regulations
governing the privacy of health
information. In keeping with the
Department’s practice, this NPRM
attempts to accommodate state
autonomy to the extent consistent with
the need to maintain rules for health
information privacy that serve HIPAA’s
objectives. The proposed regulation, if
finalized, would thus preempt state law
only to the extent necessary to achieve
the national objectives of HIPAA.
The Secretary has delegated authority
to administer the HIPAA Rules and to
make decisions regarding their
implementation, interpretation, and
enforcement to the HHS Office for Civil
Rights (OCR).86
2. Regulatory History
The 2000 Privacy Rule
As directed by HIPAA, the
Department provided a series of
recommendations to Congress for a
potential new law that would address
the confidentiality of individually
identifiable health information.87
Congress did not act within its threeyear self-imposed deadline. As a result,
the Department published a proposed
rule setting forth the required standards
on November 3, 1999,88 and issued the
first final rule establishing ‘‘Standards
for Privacy of Individually Identifiable
Health Information’’ (‘‘2000 Privacy
Rule’’) on December 28, 2000.89
The final rule announced ‘‘standards
to protect the privacy of individually
85 See
78 FR 5566.
U.S. Dep’t of Health and Human Servs.,
Office of the Secretary, Office for Civil Rights;
Statement of Delegation of Authority, 65 FR 82381
(Dec. 28, 2000); U.S. Dep’t of Health and Human
Servs., Office of the Secretary, Office for Civil
Rights; Delegation of Authority, 74 FR 38630 (Aug.
4, 2009); U.S. Dep’t of Health and Human Servs.,
Office of the Secretary, Statement of Organization,
Functions and Delegations of Authority, 81 FR
95622 (Dec. 28, 2016).
87 See Confidentiality of Individually Identifiable
Health Information, U.S. Dep’t of Health and
Human Servs., Section I.A. (Sept. 1997), https://
aspe.hhs.gov/reports/confidentiality-individuallyidentifiable-health-information.
88 64 FR 59918.
89 65 FR 82462.
lotter on DSK11XQN23PROD with PROPOSALS2
86 See
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
identifiable health information’’ to
‘‘begin to address growing public
concerns that advances in electronic
technology and evolution in the health
care industry are resulting, or may
result, in a substantial erosion of the
privacy surrounding’’ health
information.90 On the eve of that rule’s
issuance, the President issued an
Executive order recognizing the
importance of protecting patient
privacy, explaining that ‘‘[p]rotecting
the privacy of patients’ protected health
information promotes trust in the health
care system. It improves the quality of
health care by fostering an environment
in which patients can feel more
comfortable in providing health care
professionals with accurate and detailed
information about their personal
health.’’ 91 Thus, the primary goal of the
Privacy Rule was to provide greater
protections to individuals’ privacy and
to engender a trusting relationship
between individuals and health care
providers.92
The final rule announced ‘‘standards
to protect the privacy of individually
identifiable health information’’ to
‘‘begin to address growing public
concerns that advances in electronic
technology and evolution in the health
care industry are resulting, or may
result, in a substantial erosion of the
privacy surrounding’’ health
information.93
Since promulgation, the Privacy Rule
has protected PHI 94 by limiting the
circumstances under which covered
entities and their business associates
(collectively, ‘‘regulated entities’’) are
permitted or required to use or disclose
PHI and by requiring covered entities to
have safeguards in place to protect the
privacy of PHI. In adopting these
regulations, the Department
acknowledged the need to balance
several competing factors, including
existing legal expectations, individuals’
privacy expectations, and societal
expectations.95 The Department noted
‘‘the large number of comments from
individuals and groups representing
individuals demonstrate the deep public
concern about the need to protect the
privacy of individually identifiable
health information’’ and ‘‘evidence
about the importance of protecting
90 65
FR 82462.
Order 13181 (Dec. 20, 2000), 65 FR
91 Executive
81321.
92 Id.
93 65 FR 82462.
94 PHI includes individuals’ IIHI transmitted by or
maintained in electronic media or any other form
or medium, with certain exceptions. See 45 CFR
160.103 (definition of ‘‘Protected health
information’’).
95 See 65 FR 82471.
PO 00000
Frm 00010
Fmt 4701
Sfmt 4702
privacy and the potential adverse
consequences to individuals and their
health if such protections are not
extended.’’ 96 The Department struck a
balance between the ‘‘competing
interests—the necessity of protecting
privacy and the public interest in using
identifiable health information for vital
public and private purposes—in a way
that is also workable for the varied
stakeholders[.]’’ 97
The Department established ‘‘general
rules’’ for uses and disclosures of PHI,
codified at 45 CFR 164.502, in the 2000
Privacy Rule.98 The 2000 Privacy Rule
also specified the circumstances in
which a covered entity was required to
obtain an individual’s consent,99
authorization,100 or the opportunity for
the individual to agree or object.101
Additionally, it established rules for
when a covered entity is permitted to
use or disclose PHI without an
individual’s consent, authorization, or
opportunity to agree or object.102 In
particular, the Privacy Rule permits
certain uses and disclosures of PHI,
without the individual’s authorization,
for identified activities that benefit the
community, such as public health
activities, law enforcement purposes,
judicial and administrative proceedings,
and research.
The Privacy Rule also established the
rights of individuals with respect to
their PHI, including the right to receive
adequate notice of a covered entity’s
privacy practices, the right to request
restrictions of uses and disclosures, the
right to access (i.e., to inspect and obtain
a copy of) their PHI, the right to request
an amendment of their PHI, and the
right to receive an accounting of
disclosures.103
As part of the final rule, the
Department provided that covered
entities were to comply with the 2000
Privacy Rule no later than 24 months
following its effective date.104
The 2002 Privacy Rule
After publication of the 2000 Privacy
Rule, the Department received many
96 65
FR 82472.
97 Id.
98 65
FR 82462.
CFR 164.506 was originally titled ‘‘Consent
for uses or disclosures to carry out treatment,
payment, or health care operations.’’
100 45 CFR 164.508.
101 45 CFR 164.510.
102 45 CFR 164.512.
103 See 45 CFR 164.520, 164.522, 164.524,
164.526, and 164.528.
104 The effective date of the Privacy Rule was
updated to April 14, 2001. A covered entity meeting
the definition of a small health plan was given 36
months to comply with the Privacy Rule. The
compliance date for most covered entities was April
14, 2003. See 66 FR 12434 (Feb. 26, 2001).
99 45
E:\FR\FM\17APP2.SGM
17APP2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
inquiries and unsolicited comments
about the Rule’s impact and operation.
As a result, the Department opened the
2000 Privacy Rule for further comment
in March 2001, less than one month
before the effective date and 25 months
before the compliance date, for most
covered entities and issued clarifying
guidance on the Rule’s
implementation.105 NCVHS’
Subcommittee on Privacy,
Confidentiality and Security held public
hearings about the 2000 Privacy Rule.
From those hearings, the Department
learned more about concerns related to
key provisions and their potential
unintended consequences on health
care quality and access.106 In March
2002, the Department proposed
modifications to the 2000 Privacy Rule
to clarify the requirements and correct
potential problems that could threaten
access to, or quality of, health care.107
In response to the comments on the
proposed rule, the Department finalized
modifications on August 14, 2002
(‘‘2002 Privacy Rule’’).108 This final rule
clarified HIPAA’s requirements while
‘‘maintain[ing] strong protections for the
privacy of individually identifiable
health information.’’ 109 These
modifications addressed certain
workability issues, including but not
limited to clarifying distinctions
between health care operations and
marketing; modifying the minimum
necessary standard to exclude
disclosures authorized by individuals
and clarify its operation; clarifying that
consent is not required for treatment,
payment, or health care operations, and
to otherwise clarify the role of consent
in the Privacy Rule; and making other
modifications and conforming
amendments consistent with the
proposed rule. The Department also
included modifications to the
provisions permitting the use or
disclosure of PHI for public health
activities and for research activities
without consent, authorization, or an
opportunity to agree or object.
2013 Omnibus Final Rule
Following the enactment of the
HITECH Act, the Department issued an
NPRM, entitled ‘‘Modifications to the
HIPAA Privacy, Security, and
lotter on DSK11XQN23PROD with PROPOSALS2
105 66
FR 12738 (Feb. 28, 2001).
FR 53183.
107 67 FR 14775 (Mar. 27, 2002).
108 67 FR 53182. See the final rule for changes in
the entirety. The 2002 Privacy Rule was issued
before the compliance date for the 2000 Privacy
Rule. Thus, covered entities never implemented the
2000 Privacy Rule. Instead, they implemented the
2000 Privacy Rule as modified by the 2002 Privacy
Rule.
109 67 FR 53182.
106 67
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
Enforcement Rules Under the Health
Information Technology for Economic
and Clinical Health [HITECH] Act’’
(‘‘2010 NPRM’’),110 to propose
implementation of certain HITECH Act
requirements. In 2013, the Department
issued the Modifications to the HIPAA
Privacy, Security, Enforcement, and
Breach Notification Rules Under the
Health Information Technology for
Economic and Clinical Health [HITECH]
Act and the Genetic Information
Nondiscrimination Act, and Other
Modifications to the HIPAA Rules—
Final Rule (‘‘2013 Omnibus Rule’’),111
which implemented many of the new
HITECH Act requirements, including
strengthening individuals’ privacy
rights as related to their PHI.
The Department also finalized
regulatory provisions not required by
the HITECH Act, but necessary to
address the ‘‘workability and
effectiveness’’ of the HIPAA Rules and
‘‘to increase flexibility for and decrease
burden on regulated entities.’’ 112 In the
2010 NPRM, the Department noted that
it had not amended the HIPAA Privacy
and Security Rules since 2002 and 2003,
respectively, other than to amend the
Enforcement Rule through a 2009
interim final rule.113 It further explained
that information gleaned from contact
with the public since that time,
enforcement experience, and technical
corrections required to eliminate
ambiguity provided the impetus for the
Department’s actions to make certain
regulatory changes.114
For example, the Department
modified its prior interpretation of the
Privacy Rule requirement at 45 CFR
164.508(c)(1)(iv) that a description of a
research purpose must be ‘‘study
specific.’’ The Department explained
that, under its new interpretation, the
research purposes need only be
described adequately so that it would be
‘‘reasonable for the individual to expect
that his or her protected health
FR 40867 (July 14, 2010).
FR 5565. In addition to finalizing
requirements of the HITECH Act that were
proposed in the NPRM, the Department adopted
modifications to the Enforcement Rule not
previously adopted in an earlier interim final rule,
74 FR 56123 (Oct. 30, 2009), and to the Breach
Notification Rule not previously adopted in an
interim final rule, 74 FR 42739 (Aug. 24, 2009). The
Department also finalized previously proposed
Privacy Rule modifications as required by GINA, 74
FR 51698 (Oct. 7, 2009).
112 78 FR 5566. The Department’s general
rulemaking authority is codified in HIPAA section
264(c), and OCR conducts rulemaking under HIPAA
based on authority granted by the Secretary.
113 See 75 FR 40871. See also 74 FR 56123. The
Department issued an interim final rule on October
30, 2009, to implement HITECH Act statutory
changes to the HIPAA Enforcement Rule.
114 75 FR 40871.
23515
information could be used or disclosed
for such future research.’’ 115 The
Department attributed its changed
interpretation to the expressed concerns
from covered entities, researchers, and
other commenters to the 2010 NPRM
that the former requirement did not
represent current research practices.
The Department expressed a similar
rationale for the Privacy Rule
modifications permitting certain
disclosures of student immunization
records to schools without an
authorization,116 and another provision
redefining the definition of PHI to
exclude information regarding an
individual who has been deceased for
more than 50 years.117 For the latter, the
Department noted that it was balancing
the privacy interests of decedents’ living
relatives and other affected individuals
against the legitimate needs of public
archivists to obtain records.
None of the above-described changes
were expressly required by the HITECH
Act. Rather, the Department determined
them to be necessary pursuant to its
ongoing general rulemaking
authority.118
III. Justification for This Proposed
Rulemaking
HIPAA and the HIPAA Rules promote
access to health care by establishing
standards for the privacy of PHI in order
to protect the confidentiality of
individuals’ health information. These
protections promote the development
and maintenance of confidence and
trust between individuals and their
health care providers and health plans,
and help improve the completeness and
accuracy of patient records.119 The
Privacy Rule, as it has been amended
over time, carefully balances the
interests of individuals and society in
identifiable health information by
establishing conditions for when and
how such information may be used and
110 75
111 78
PO 00000
Frm 00011
Fmt 4701
Sfmt 4702
115 78
FR 5612.
at 5616–17. See also 45 CFR 164.512(b)(1).
117 78 FR 5614. See also 45 CFR 164.502(f) and
the definition of ‘‘Protected health information’’ at
45 CFR 160.103, excluding IIHI regarding a person
who has been deceased for more than 50 years.
118 In addition to the rulemakings discussed here,
the Department has modified the HIPAA Privacy
Rule for workability purposes and in response to
changes in circumstances on two other occasions,
and it issued another notice of proposed rulemaking
in 2021 for the same reasons. See 79 FR 7289 (Feb.
6, 2014), 81 FR 382 (Jan. 6, 2016), and 86 FR 6446
(Jan. 21, 2021).
119 See 65 FR 82463. See also H. Rept. 104–736
at 177 and 264, supra note 40. See also 142 Cong.
Rec. H9780 (statement of Rep. Sawyer), supra note
42; 142 Cong. Rec. H9792 (statement of Rep.
McDermott), supra note 42; and 142 Cong. Rec.
S9515–16 (statement of Sen. Simon), supra note 42.
116 Id.
E:\FR\FM\17APP2.SGM
17APP2
lotter on DSK11XQN23PROD with PROPOSALS2
23516
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
disclosed—with and without the
individual’s permission.
The Privacy Rule is balanced to
protect an individual’s privacy while
allowing the use or disclosure of PHI for
certain non-health care purposes,
including in certain criminal, civil, and
administrative investigations and
proceedings. The Privacy Rule permits,
but does not require, covered entities to
disclose PHI to law enforcement
officials, without the individual’s
written authorization, under specific
circumstances.120 For example, a
covered entity is permitted to disclose
PHI to law enforcement in compliance
with, and as limited by, the relevant
requirements of a court order. A covered
entity is also permitted to disclose
certain limited types of PHI in response
to a law enforcement official’s request
for such information for the limited
purpose of identifying or locating a
suspect, fugitive, material witness, or
missing person. Such disclosures are
also currently permitted, under certain
circumstances, for health oversight
purposes,121 judicial and administrative
proceedings,122 or to coroners and
medical examiners.123 Except when
required by law, the disclosures
summarized above are subject to a
minimum necessary determination by
the covered entity.124 When reasonable
to do so, the covered entity may rely
upon the representations of the public
health authority, law enforcement
official, or other public official as to
what information is the minimum
necessary for their lawful purpose.125
Moreover, if the law enforcement
official making the request for
information is not known to the covered
entity, the covered entity must verify
the identity and authority of such
person prior to disclosing the
information.126
However, the Department believes
that developments in the legal
environment have disrupted the
balance. On one hand, there is the
individual’s interest in the privacy of
their health information and that of
society in fostering trust between
individuals and health care providers to
promote public health. On the other
hand, there is the interest of others in
using or disclosing that information to
achieve certain public policy goals, in
this case, for purposes of criminal, civil,
and administrative investigations or
120 See
45 CFR 164.152(f).
CFR 164.512(d).
122 45 CFR 164.512(e).
123 45 CFR 164.512(g)(1).
124 45 CFR 164.502(b) and 164.514(d).
125 45 CFR 164.514(d)(3)(iii)(A).
126 45 CFR 164.514(h).
121 45
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
proceedings. Those developments have
made information related to
reproductive health care, which has
long been considered highly
sensitive,127 more likely to be of interest
for punitive non-health care purposes,
and thus more likely to be disclosed if
sought for a purpose permitted under
the Privacy Rule today. The interest in
this sensitive health information is
likely to remain high, even where the
reproductive health care has been
provided under circumstances in which
it was lawful to do so. The Department
believes PHI will be increasingly
targeted by those seeking evidence for
criminal, civil, or administrative
investigations into or proceedings
against persons in connection with
seeking, obtaining, providing, or
facilitating reproductive health care—or
identifying persons for such purposes,
thereby jeopardizing the relationships
between individuals and their health
care providers, even when such health
care is lawfully obtained.
To address these developments, the
Department is proposing to protect this
sensitive PHI and preserve that balance
by establishing a new purpose for which
disclosures are prohibited in certain
circumstances—that is, the use or
disclosure of PHI for the criminal, civil,
or administrative investigation of or
proceeding against an individual,
regulated entity, or other person for
seeking, obtaining, providing, or
facilitating reproductive health care, as
well as the identification of any person
for the purpose of initiating such an
investigation or proceeding. Such
disclosures of PHI would be prohibited
when the reproductive health care: (1) is
provided outside of the state where the
investigation or proceeding is
authorized and where such health care
is lawfully provided; (2) is protected,
required, or authorized by Federal law,
regardless of the state in which such
health care is provided; or (3) is
provided in the state in which the
investigation or proceeding is
authorized and that is permitted by the
law of that state. In these circumstances,
the state lacks any substantial interest in
seeking the disclosure. Protecting
against disclosures of PHI in these
circumstances thus directly advances
the long-understood purpose of the
HIPAA privacy protections without
unduly interfering with legitimate state
prerogatives.
To assist in effectuating this
prohibition, the Department proposes to
require covered entities in certain
circumstances to obtain an attestation
from the person requesting the use or
127 See
PO 00000
Letter from NCVHS, supra note 14.
Frm 00012
Fmt 4701
Sfmt 4702
disclosure that the use or disclosure is
not for a prohibited purpose.
Additionally, the Department proposes
to clarify the definition of ‘‘person’’ and
certain other terms that distinguish
between state laws that are contrary to
the Privacy Rule and are therefore
preempted by it and those that are
excepted from preemption. The
Department also discusses its view of
‘‘child abuse’’ for the purposes of the
Privacy Rule and which persons a
covered entity may decline to recognize
as an individual’s personal
representative under particular
circumstances. This NPRM contains
proposals for minor technical
corrections that reflect the Department’s
long-standing interpretation of the
Privacy Rule. Lastly, the Department
proposes to require modifications to the
Notice of Privacy Practices (NPP) to
ensure that individuals are aware of and
understand the proposed prohibition.
A. HIPAA Encourages Trust by Carefully
Balancing Individuals’ Privacy Interests
With Others’ Interests in Using or
Disclosing PHI
It is well established that a
functioning health care system depends
in part on patients trusting their health
care providers and health care
systems.128 According to the American
Medical Association (AMA), a key
element of patient trust is privacy
protection, ‘‘a crucial element for honest
health discussions.’’ 129 Privacy is the
core foundation of the relationship
between individuals and their health
care providers.130 The original
Hippocratic Oath required physicians to
pledge to maintain the confidentiality of
information they learn about their
patients.131 Individuals’ health privacy
concerns affect their trust in health care
providers, and thus, their willingness to
provide complete and accurate
information to health care providers.132
128 See Jennifer Richmond, Marcella H. Boynton,
Sachiko Ozawa, et al., ‘‘Development and
Validation of the Trust in My Doctor, Trust in
Doctors in General, and Trust in the Health Care
Team Scales,’’ Social Science & Medicine (Apr.
2022), https://www.sciencedirect.com/science/
article/abs/pii/S0277953622001332?via%3Dihub.
129 See ‘‘Patient Perspectives Around Data
Privacy,’’ American Medical Association (2022),
https://www.ama-assn.org/system/files/amapatient-data-privacy-survey-results.pdf.
130 Id.
131 Warren T. Reich, editor. Vol. 5. Macmillan;
New York, NY: 1995. Oath of Hippocrates; p. 2632.
(Encyclopedia of Bioethics).
132 See ‘‘Development and Validation of the Trust
in My Doctor, Trust in Doctors in General, and
Trust in the Health Care Team Scales,’’ supra note
128; Bradley E. Iott, Celeste Campos-Castillo,
Denise L. Anthony, ‘‘Trust and Privacy: How
Patient Trust in Providers is Related to Privacy
Behaviors and Attitudes,’’ AMIA Annual
Symposium Proceedings (Mar. 2020), https://
E:\FR\FM\17APP2.SGM
17APP2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
lotter on DSK11XQN23PROD with PROPOSALS2
Individuals must disclose sensitive
information to their health care
providers to obtain appropriate health
care.133 If individuals do not trust that
the sensitive information they disclose
to their health care providers will be
kept private, they may be deterred from
seeking or obtaining needed health care
or withhold information from their
health care providers, compromising the
quality of the health care they
receive.134 Similarly, if a health care
provider does not trust that the
information they include in an
individual’s medical records will not be
kept private, the health care provider
might leave gaps or include inaccuracies
when preparing medical records,
creating a risk that ongoing or future
health care would be compromised.
Thus, the Privacy Rule promotes access
to higher quality health care by
protecting the privacy of individuals’
health information in order to engender
trust between individuals and health
care providers and to help improve the
completeness and accuracy of
individuals’ medical records. The
Federal Government has a strong
interest in ensuring that individuals
have access to high-quality health
care,135 and from its inception, the
Privacy Rule has recognized the
www.ncbi.nlm.nih.gov/pmc/articles/PMC7153104/;
Pamela Sankar, Susan Mora, Jon F. Merz, et al.,
‘‘Patient perspectives of medical confidentiality: a
review of the literature,’’ Journal of General Internal
Medicine (Aug. 2003), p. 659–69, https://
pubmed.ncbi.nlm.nih.gov/12911650/.
133 See ‘‘Recommendations on Privacy and
Confidentiality, 2006–2008,’’ Nat’l Comm. on Vital
and Health Stats. (May 2009), p. 4, https://
ncvhs.hhs.gov/wp-content/uploads/2014/05/
privacyreport0608.pdf; See also Letter from NCVHS
(forwarding NCVHS recommendations) (‘‘As a
practical matter, it is often essential for individuals
to disclose sensitive, even potentially embarrassing,
information to a health care provider to obtain
appropriate care’’), supra note 18.
134 See 64 FR 60019 (In the 1999 Privacy Rule
NPRM, the Department discussed confidentiality as
an important component of trust between
individuals and health care providers and cited a
1994 consumer privacy survey that indicated that
a lack of privacy may deter patients from obtaining
preventive care and treatment.); ‘‘Trust and Privacy:
How Patient Trust in Providers is Related to Privacy
Behaviors and Attitudes,’’ supra note 132.
135 See Testimony (transcribed) of Peter R. Orszag,
Director, Congressional Budget Office, Hearing on
Comparative Clinical Effectiveness before House of
Representatives Committee on Ways and Means,
Subcommittee on Health, 2007 WL 1686358 (June
12, 2007) (‘‘because federal health insurance
programs play a large role in financing medical care
and represent a significant expenditure, the federal
government itself has an interest in evaluations of
the effectiveness of different health care
approaches’’); Statement of Sen. Durenberger
introducing S.1836, American Health Quality Act of
1991 and reading bill text, 137 Cong. Rec. S26720
(Oct. 17, 1991) (‘‘[T]he Federal Government has a
demonstrated interest in assessing the quality of
care, access to care, and the costs of care through
the evaluative activities of several Federal
agencies.’’).
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
importance of trust to health care
quality.
Of course, health information—and
PHI in particular—can be useful for
purposes other than an individual’s own
health care. Indeed, society also benefits
when individuals trust their health care
providers to keep highly sensitive
information private for the same reasons
that individuals benefit. After all, it is
to society’s benefit that individuals seek
out necessary medical care, and that
when they do, they receive high-quality
health care based on information that is
more likely to be complete and accurate
when individuals trust their health care
providers. Individuals’ lack of trust in
health care providers and the health
care system can have serious
consequences for society.136
There is also significant interest in
using PHI to address non-health care
concerns, such as for research, law
enforcement purposes, judicial and
administrative proceedings, health
oversight activities, and others. As the
Department explained in the 1999
Privacy Rule NPRM, ‘‘The information
may be sought well before a trial or
hearing, to permit the party to discover
the existence or nature of testimony or
physical evidence, or in conjunction
with the trial or hearing, in order to
obtain the presentation of testimony or
other evidence. These uses of health
information are clearly necessary to
allow the smooth functioning of the
legal system.’’ 137 For example, in the
absence of a permission to use or
disclose PHI for judicial and
administrative proceedings, a regulated
entity would be dependent upon an
individual’s authorization to use or
disclose PHI to defend itself against a
medical malpractice claim brought by
the individual, rendering the regulated
entity dependent upon the very person
bringing the claim against them. The
Department believes that there is
societal benefit to permitting such uses
and disclosures where such uses and
disclosures do not undermine the public
policy goals set by Congress when it
passed HIPAA—that is, where they do
not undermine the trust of individuals
in the health care system and the ability
of individuals to receive high-quality
health care.138 The Department has long
permitted uses and disclosures of PHI
Letter from NCVHS, supra note 18.
FR 59959.
138 See Letter from NCVHS, at Executive
Summary, supra note 60 (with forwarded NCVHS
recommendations, ‘‘The importance of trust in the
provider-patient relationship must be preserved.
Health records are used to improve the quality of
health care [ . . . ] protect the public health, and
assure public accountability of the health care
system.’’).
23517
for non-health care purposes in such
circumstances, subject to certain
limitations because of the potential
harm they could cause to individuals.
As discussed in section II of this
preamble, the Privacy Rule represents
the Department’s careful balancing of
individuals’ interests and the interests
of others in a way that engenders
individuals’ trust and enables highquality health care, while also allowing
others to use individuals’ PHI for certain
public policy purposes. The Department
recognized the need for trust between
patients and health care providers in the
2000 Privacy Rule, noting that ‘‘[t]he
provision of high-quality health care
requires the exchange of personal, oftensensitive information between an
individual and a skilled practitioner.
Vital to that interaction is the patient’s
ability to trust that the information
shared will be protected and kept
confidential.’’ 139 Further, if individuals
do not trust that the sensitive
information they give their health care
providers will be kept private, they may
be deterred from seeking needed health
care.140 And when individuals do seek
health care, they may be reluctant to be
completely forthcoming with their
health care providers, thus
compromising the quality of the health
care they receive. As the Department
also stated, ‘‘[h]ealth care professionals
who lose the trust of their patients
cannot deliver high-quality care.’’ 141
And when the trust of individuals is
lost, the public’s health as a whole is
jeopardized.
Throughout the preamble to the 2000
Privacy Rule and the preambles to the
rules revising the Privacy Rule, the
Department described and explained its
efforts to balance those interests. In the
2002 Privacy Rule, the Department
discussed its re-evaluation of the
balance established by the 2000 Privacy
Rule and revised certain provisions
because of concerns that arose as
regulated entities prepared to
implement its requirements. The
Department made certain revisions to
protect the privacy interests of
individuals by strengthening the
requirements for covered entities to
inform individuals of their privacy
practices through an NPP. These
revisions afforded individuals the
opportunity to engage in discussions
136 See
137 64
PO 00000
Frm 00013
Fmt 4701
Sfmt 4702
139 65
FR 82463.
64 FR 60019 (In the 1999 Privacy Rule
NPRM, the Department discussed confidentiality as
an important component of trust between
individuals and health care providers and cited a
1994 consumer privacy survey that indicated that
a lack of privacy may deter patients from obtaining
preventive care and treatment.).
141 65 FR 82468.
140 See
E:\FR\FM\17APP2.SGM
17APP2
lotter on DSK11XQN23PROD with PROPOSALS2
23518
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
regarding the use and disclosure of their
PHI, while protecting the interests of
covered entities by allowing activities
that are essential to the provision of
high-quality health care to occur
unimpeded, reducing the burden on
such entities.142 The Department made
other revisions to ‘‘balance an
individual’s privacy expectations with a
covered entity’s need for information for
reimbursement and quality
purposes.’’ 143 In that same rulemaking,
in addressing comments on still other
revisions, the Department clearly stated,
‘‘Patient privacy must be balanced
against other public goods, such as
research and the risk of compromising
such research projects if researchers
could not continue to use such data.’’ 144
In more recent rulemakings, the
Department has continued its efforts to
build and maintain individuals’ trust in
the health care system by balancing the
interests of individuals with those of
others as it further revised the Privacy
Rule. For example, in explaining
revisions made as part of the 2013
Omnibus Rule, the Department stated,
‘‘The Privacy Rule, at § 164.512(b),
recognizes that covered entities must
balance protecting the privacy of health
information with sharing health
information with those responsible for
ensuring public health and safety.’’ 145
As another example from that same rule,
the Department revised the
requirements for the distribution of the
NPP because ‘‘[w]e believe these
distribution requirements best balance
the right of individuals to be informed
of their privacy rights with the burden
on health plans to provide the revised
[Notice of Privacy Practices].’’ 146 In the
2014 CLIA Program and HIPAA Privacy
Rule; Patients’ Access to Test Reports
Final Rule, the Department further
balanced the interests of individuals
and those of others by providing
individuals (or their personal
representatives) with the right to access
test reports directly from laboratories
subject to HIPAA.147 This rulemaking
afforded the Department with the
opportunity to demonstrate the
supremacy of the individual’s right of
access over the potential burden
imposed on others, in this case, the
laboratory. And still more recently, the
primary focus of the 2016 HIPAA
Privacy Rule and the National Instant
Criminal Background Check System
(NICS) Final Rule was to issue a
FR 53209.
FR 53216.
144 67 FR 53226.
145 78 FR 5616.
146 78 FR 5625.
147 79 FR 7290 (Feb. 6, 2014).
143 67
17:22 Apr 14, 2023
148 81
FR 382, 386 (Jan. 6, 2016).
45 CFR 164.501 (definition of
‘‘Psychotherapy notes’’) (explicitly providing that
psychotherapy notes are separated from the
individual’s medical record).
150 64 FR 59941.
151 Id.
152 45 CFR 164.508(a)(2).
149 See
142 67
VerDate Sep<11>2014
narrowly tailored rule that appropriately
balanced public safety goals with
individuals’ privacy interests to ensure
that individuals are not discouraged
from seeking voluntary treatment for
mental health needs.148
As part of balancing individuals’
interests with those of society, the
Department has recognized that it may
be necessary to provide certain types of
health information with special
protection because they are particularly
sensitive. For example, while the
Department usually applies the same
privacy standards to all PHI regardless
of the type of health care at issue, it
affords ‘‘special protections’’ to
psychotherapy notes. These protections
are afforded in part because of the
‘‘particularly sensitive information’’
those notes contain and in part because
of the unique function of these records,
which are by definition maintained
separately from an individual’s medical
record.149 As the Department explained
when it proposed these protections,
‘‘[p]sychotherapy notes are of primary
value to the specific provider and the
promise of strict confidentiality helps to
ensure that the patient will feel
comfortable freely and completely
disclosing very personal information
essential to successful treatment.’’ 150
The Department elaborated that,
‘‘[b]ecause of the sensitive nature of the
problems for which individuals consult
psychotherapists,’’ and the
‘‘embarrassment or disgrace’’
engendered by ‘‘disclosure of
confidential communications made
during counseling sessions,’’ even ‘‘the
mere possibility of disclosure may
impede development of the confidential
relationship necessary for successful
treatment.’’ 151 To support the
development and maintenance of an
individual’s trust and protect the
relationship between an individual and
their therapist, psychotherapy notes
may be disclosed without an
individual’s authorization only in
limited circumstances, such as to avert
a serious and imminent threat to health
or safety. Those limited circumstances
do not include judicial and
administrative proceedings or law
enforcement purposes unless the
disclosure is ‘‘necessary to prevent or
lessen a serious and imminent threat to
the health or safety of a person or the
public.’’ 152
Jkt 259001
PO 00000
Frm 00014
Fmt 4701
Sfmt 4702
Information related to an individual’s
reproductive health and associated
health care is also especially sensitive
and has long been recognized as such.
As stated in the AMA’s Principles of
Medical Ethics, the ‘‘decision to
terminate a pregnancy should be made
privately within the relationship of trust
between patient and physician in
keeping with the patient’s unique values
and needs and the physician’s best
professional judgment.153 NCVHS first
noted it as an example of a category of
health information commonly
considered to contain sensitive
information in 2008.154 From 2005–
2010, NCVHS held nine hearings that
addressed questions about sensitive
information in medical records and
identified additional categories of
sensitive information beyond those
addressed in Federal and state law,
including ‘‘sexuality and reproductive
health information,’’ which NCVHS
elaborated on in a 2010 letter to the
Secretary:
Some reproductive issues may expose
people to political controversy [ . . . ], and
public knowledge of an individual’s
reproductive history may place [them] at risk
of stigmatization. Additionally, individuals
may wish to have their reproductive history
segmented so that it is not viewed by family
members who otherwise have access to their
records. Parents may wish to delay telling
their offspring about adoption, gamete
donation, or the use of other forms of assisted
reproduction technology in their conception,
and, thus, it may be important to have the
capacity to segment these records.155
At that time, the general privacy
standards promulgated under HIPAA
adequately protected information
related to reproductive health care.
Based on settled Federal constitutional
law in 2000, the Department did not see
a need to treat uses or disclosures of PHI
related to reproductive health care, such
as information about a pregnancy
termination, differently from other uses
or disclosures of PHI related to other
categories of health care when
establishing the Federal standards for
privacy as mandated by HIPAA.156 HHS
knew that individuals generally could
legally access reproductive health care
nationwide. And because such health
care generally was legal and
constitutionally protected, HHS was
confident that law enforcement or other
153 Amendment to Opinion 4.2.7, Abortion H–
140.823, American Medical Association (2022),
https://policysearch.amaassn.org/policyfinder/
detail/%224.2.7%20Abortion%22?uri=
%2FAMADoc%2FHOD.xml-H-140.823.xml.
154 See Letter from NCVHS, supra note 14.
155 See Letter from NCVHS Chair Justine M. Carr
to HHS Secretary Kathleen Sebelius (Nov. 10, 2010)
(forwarding NCVHS recommendations).
156 See 65 FR 82464–70.
E:\FR\FM\17APP2.SGM
17APP2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
third parties typically would not seek
individuals’ health information for
purposes of investigating violations of
criminal or civil laws related to highly
sensitive types of health care, such as
the provision of or access to
reproductive health care, except in
certain limited circumstances aimed at
ensuring the quality and safety of such
health care. Therefore, until states’
recent efforts to regulate and criminalize
the provision of or access to
reproductive health care, effectuating
the purposes of HIPAA did not require
regulatory provisions that restricted
uses and disclosures of PHI related to
those activities.
B. Developments in the Legal
Environment Are Eroding Individuals’
Trust in the Health Care System
The Supreme Court’s decision in
Dobbs on June 24, 2022, created new
concerns about the privacy of PHI
related to reproductive health care. In
that decision, the Court overruled Roe v.
Wade 157 and Planned Parenthood of
Southeastern Pennsylvania v. Casey 158
and held that constitutional challenges
to state abortion regulations are subject
to rational-basis review.159 But the
Court’s decision did not disturb other
longstanding constitutional principles,
such as those protecting the right of
interstate travel or the right to use
contraception.160 Nor did it displace
Federal statutes, such as Emergency
Medical Treatment and Active Labor
Act 161 (EMTALA), that protect access to
reproductive health care in particular
circumstances.
Following the Supreme Court’s
decision, states have taken actions,
some tacitly and some explicitly, that
could interfere with individuals’
longstanding expectations created by
HIPAA and the Privacy Rule with
respect to the privacy of their PHI.162
The Department is aware of reports that
persons or authorities have reached or
intend to reach beyond their own states’
157 410
U.S. 113 (1973).
U.S. 833 (1992).
159 Dobbs, 142 S. Ct. at 2283–2284.
160 See id. at 2309 (Kavanaugh, J., concurring).
161 Public Law 99–272, 100 Stat. 164 (Apr. 7,
1986) (codified at 42 U.S.C. 1395dd). For further
discussion of a health care provider’s obligations
under the EMTALA statute, see https://
www.hhs.gov/sites/default/files/emergencymedical-care-letter-to-health-care-providers.pdf.
162 See, e.g., Kayte Spector-Bagdady, Michelle M.
Mello, ‘‘Protecting the Privacy of Reproductive
Health Information After the Fall of Roe v Wade,’’
JAMA Network (June 30, 2022), https://
jamanetwork.com/journals/jama-health-forum/
fullarticle/2794032; Lisa G. Gill, ‘‘What does the
overturn of Roe v. Wade mean for you?,’’ Consumer
Reports (June 24, 2022), https://www.consumer
reports.org/health-privacy/what-does-the-overturnof-roe-v-wade-mean-for-you-a1957506408/.
lotter on DSK11XQN23PROD with PROPOSALS2
158 505
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
borders to investigate reproductive
health care that has been performed in
other states where that health care is
legal.163 These actions present new
concerns nationwide for the protection
of health information privacy mandated
by HIPAA. Because the Privacy Rule
currently permits uses and disclosures
of PHI for certain purposes,164 including
when another law requires a regulated
entity to make the use or disclosure,165
regulated entities after Dobbs might be
compelled to use or disclose PHI to law
enforcement or other persons who may
use that health information against an
individual, a regulated entity, or another
person who has sought, obtained,
provided, or facilitated reproductive
health care, even when such health care
is lawful in the circumstances in which
the health care is obtained.166
One significant consequence of the
developments in Federal and state law
is the erosion of individuals’ trust in
health care providers to protect their
health information privacy, creating
barriers or disincentives for individuals
to obtain health care, including legal
reproductive health care, and increasing
the potential for health care providers to
possess incomplete or inaccurate
medical records. A 2023 qualitative
study of individuals who obtained
abortions after the passage of a law
significantly restricting abortion access
in Texas highlighted the concerns of
such individuals with respect to the
163 See, e.g., Giulia Carbonaro, ‘‘Texas bill
targeting internet abortion access ‘attacks individual
liberty’,’’ Newsweek (Mar. 3, 2023), https://
www.newsweek.com/texas-bill-targeting-internetabortion-access-attacks-individual-liberty-1785254;
Alice Miranda Ollstein and Megan Messerly,
‘‘Missouri wants to stop out-of-state abortions.
Other states could follow,’’ Politico (Mar. 19, 2022),
https://www.politico.com/news/2022/03/19/travelabortion-law-missouri-00018539. For pending bills
that would impose limitations on the ability of
individuals to travel to obtain reproductive health
care, see, e.g., H.B. 2012, Missouri 101st General
Assembly (2022) (would have permitted a private
citizen to sue a person who provides or facilitates
an abortion for a Missouri resident, including an
out-of-state physician or person who transports an
individual across state lines to a health care
provider); H.B. No. 787, Texas State Legislature
(2023) (prohibiting the receipt of tax incentives by
a business entity that assists an employee in
obtaining an abortion, including through funding
out-of-state travel for the procedure); and H.B. 90
and S.B. 600, Tennessee General Assembly (2023)
(prohibiting local governments from spending
money to assist ‘‘a person in obtaining an abortion,’’
including through funding out-of-state travel for the
procedure).
164 45 CFR 164.502(a)(1).
165 45 CFR 164.512(a).
166 See Eleanor Klibanoff, ‘‘Lawyers preparing for
abortion prosecutions warn about health care, data
privacy,’’ The Texas Tribune (July 25, 2022),
https://www.texastribune.org/2022/07/25/abortionprosecution-data-health-care/(discussing the fact
that the most common way PHI is obtained by law
enforcement is through health care provider
disclosures).
PO 00000
Frm 00015
Fmt 4701
Sfmt 4702
23519
privacy of PHI related to reproductive
health care they received.167 In fact, a
recently filed complaint details the
decision made by the plaintiff’s out-ofstate health care provider to describe the
plaintiff’s condition as something other
than an abortion, even though the
abortion was lawful in the state in
which it was provided because the
health care provider was concerned
about the ramifications of documenting
the health care provided as an
abortion.168 Another significant
consequence is the risk that individual
medical records will not be maintained
with completeness and accuracy,
including as they relate to legal
reproductive health care. The
developments discussed above have
increased uncertainty nationwide for
individuals, regulated entities, and
other persons about the privacy of an
individual’s PHI. Recent state actions
now place individuals and health care
providers in potential civil or criminal
jeopardy when PHI related to an
individual’s reproductive health is used
and disclosed, regardless of whether the
health care services are obtained or
performed legally.
In the past, some law enforcement
officials exercised their authority under
general criminal statutes to obtain PHI
for use against pregnant individuals on
the basis of their pregnancy status or
pregnancy outcomes.169 But more recent
developments in law have created an
environment in which law enforcement
and others are increasingly likely to
request PHI from regulated entities for
use against individuals,170 health care
167 Courtney C. Baker, Emma Smith, Mitchell D.
Creinin, et al., ‘‘Texas Senate Bill 8 and Abortion
Experiences in Patients with Fetal Diagnoses: A
Qualitative Analysis,’’ Obstetrics & Gynecology
(Mar. 2023), https://pubmed.ncbi.nlm.nih.gov/
36735418 (citing a representative statement made
by a study participant, ‘‘ ‘I would joke around and
say, well don’t sue me, but halfway mean it.’ ’’).
168 See Brief for Zurawski at p. 2 (One plaintiff
had to travel out of state for an abortion to save the
life of one of her twins, and afterwards, fearful of
documenting her abortion, her health care provider
instead described her condition as ‘‘vanishing twin
syndrome.’’).
169 See ‘‘Self-Care, Criminalized: August 2022
Preliminary Findings,*’’ supra note 11;
‘‘Confronting Pregnancy Criminalization: A
Practical Guide for Healthcare Providers, Lawyers,
Medical Examiners, Child Welfare Workers, and
Policymakers,’’ Pregnancy Justice (June 2022),
https://www.pregnancyjusticeus.org/confrontingpregnancy-criminalization/.
170 See, e.g., S.C. Code Ann. sec. 44–41–80(b) and
NRS 200.220. See also ‘‘Self-Care, Criminalized:
August 2022 Preliminary Findings,*’’ supra note
11, p. 2–3 (From 2000 to 2020, out of 54 cases, 74%
of the adult cases involved the criminalization of
the person for self-managing their own abortion,
and 39% of the cases reported to law enforcement
were by health care providers.); ‘‘Talk of
prosecuting women for abortion pills roils
antiabortion movement,’’ supra note 11.
E:\FR\FM\17APP2.SGM
17APP2
23520
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
lotter on DSK11XQN23PROD with PROPOSALS2
providers, and others, solely because
such persons sought, obtained,
provided, or facilitated lawful
reproductive health care.171 This
environment of increased demand for
PHI for these purposes is not limited to
states in which those legal
developments have occurred. Rather,
these legal developments have
nationwide implications because of the
overall effects on the relationship
between health care providers and
individuals and the flow of health
information across state lines. Examples
of such cross-state health information
flows include disclosures from health
care providers to health plans with a
multi-state presence or between health
care providers in different states to treat
individuals as they travel across the
country.
This reality is in tension with many
individuals’ expectation that they have
or should have the right to health
information privacy, including the right
to determine who has access to that
information. In fact, in its most recent
annual survey on patient privacy, the
AMA found that, of 1,000 patients
surveyed: (1) nearly 75% are concerned
about protecting the privacy of their
own health information; and (2) 59% of
patients worry about health data being
used by companies to discriminate
against them or their loved ones.172 In
its report on the survey, the AMA
opines that a lack of health information
privacy raises many questions about
circumstances that could put patients
and physicians in legal peril, and that
the ‘‘primary purpose of increasing
[health information] privacy is to build
public trust, not inhibit data
exchange.’’ 173 The mismatch between
privacy expectations and current legal
protections for health information
privacy undermines trust between
individuals and health care providers
nationwide, thereby decreasing access
171 The Department believes that those
investigating or bringing proceedings against
individuals, health care providers, or other persons
for seeking, obtaining, providing, or facilitating
reproductive health care will increasingly seek to
access PHI as part of their investigation or
proceeding. See, e.g., Karen Brooks Harper, ‘‘Texas
abortion foes use legal threats and propose more
laws to increase pressure on providers and their
allies,’’ The Texas Tribune (July 18, 2022), https://
www.texastribune.org/2022/07/18/texas-abortionlaws-pressure-campaign/; Timothy Bella, ‘‘Doctor
in 10-year-old rape victim’s abortion faces AG
inquiry, threats,’’ The Washington Post (July 27,
2022), https://www.washingtonpost.com/politics/
2022/07/27/abortion-doctor-girl-rape-caitlinbernard-investigation/; ‘‘Doctor says she shouldn’t
have to turn over patients’ abortion records,’’ supra
note 13.
172 See ‘‘Patient Perspectives Around Data
Privacy,’’ supra note 129.
173 Id. at 2.
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
to, and effectiveness of, health care for
individuals.
The present situation also has
resulted in ambiguity and confusion for
individuals and health care providers,
many of whom are uncertain about
when health information is protected
under the HIPAA Rules given recent
legal developments.174 This confusion
undermines access to health care and
individual privacy—including for
individuals seeking or obtaining health
care that is lawful nationwide. For
example, the Department is aware that
some health care providers, both
clinicians and pharmacies, are hesitant
to prescribe or fill prescriptions for
medications that can result in
pregnancy loss, even when those
prescriptions are intended to treat
individuals for other health matters,
because of fear of law enforcement
action.175 As a result, these health care
providers are either denying access to
prescriptions that affect an individual’s
quality of life or requiring additional
PHI to justify an individual’s need for
such prescriptions for purposes that are
permissible under state law.176
Although most health care providers,
including pharmacies, are subject to the
HIPAA Rules, and thus, limited in the
purposes for which they are permitted
174 See Press Release, American Medical
Association, American Pharmacists Association,
American Society of Health-System Pharmacists,
and National Community Pharmacists Association,
‘‘Statement on state laws impacting patient access
to necessary medicine’’ (Sept. 8, 2022), https://
www.ama-assn.org/press-center/press-releases/
statement-state-laws-impacting-patient-accessnecessary-medicine. See also Abigail Higgins,
‘‘Abortion rights advocates fear access to birth
control could be curtailed,’’ The Washington Post
(June 24, 2022), https://www.washingtonpost.com/
nation/2022/06/24/birth-control-access-supremecourt-abortion-ruling/.
175 See Interview with Donald Miller, PharmD,
‘‘Methotrexate access becomes challenging for some
patients following Supreme Court decision on
abortion,’’ Pharmacy Times (July 20, 2022), https://
www.pharmacytimes.com/view/methotrexateaccess-becomes-challenging-for-patients-followingsupreme-court-decision-on-abortion; Jamie
Ducharme, ‘‘Abortion restrictions may be making it
harder for patients to get a cancer and arthritis
drug,’’ Time (July 6, 2022), https://time.com/
6194179/abortion-restrictions-methotrexate-cancerarthritis/; Katie Shepherd and Frances Stead
Sellers, ‘‘Abortion bans complicate access to drugs
for cancer, arthritis, even ulcers,’’ The Washington
Post (Aug. 8, 2022), https://www.washingtonpost.
com/health/2022/08/08/abortion-bansmethotrexate-mifepristone-rheumatoid-arthritis/.
176 See, e.g., Jen Christensen, ‘‘Women with
chronic conditions struggle to find medications
after abortion laws limit access,’’ CNN Health (July
22, 2022), https://www.cnn.com/2022/07/22/health/
abortion-law-medications-methotrexate/;
Brittni Frederiksen, Matthew Rae, Tatyana Roberts,
et al., ‘‘Abortion Bans May Limit Essential
Medications for Women with Chronic Conditions,’’
Kaiser Family Foundation (Nov. 17, 2022), https://
www.kff.org/womens-health-policy/issue-brief/
abortion-bans-may-limit-essential-medications-forwomen-with-chronic-conditions/.
PO 00000
Frm 00016
Fmt 4701
Sfmt 4702
to use or disclose such PHI, an
individual’s privacy is necessarily
reduced as an increasing number of
persons have access to an increasing
amount of their PHI. Additionally,
individuals face an increasing risk to the
security of their PHI as the number of
information technology systems in
which the PHI is stored increases. As
the number of persons and information
technology systems with access to this
PHI increases, this expands the number
and types of regulated entities from
which law enforcement and others may
try to seek disclosure of this highly
sensitive information. Individual trust
in regulated entities is eroded when
individuals’ access to health care is
questioned and their PHI is subject to
disclosures that previously were
unnecessary.
Impingements on health information
privacy related to reproductive health
care are likely to have a
disproportionately greater effect on
women, individuals of reproductive age,
and individuals from communities that
have been historically underserved,
marginalized, or subject to
discrimination or systemic disadvantage
by virtue of their race, disability, social
or economic status, geographic location,
or environment.177 Historically
underserved and marginalized
individuals are also more likely to be
the subjects of investigations and
proceedings about any suspected
interest in, or obtaining of, reproductive
health care, even where such health care
is lawful under the circumstances in
which it is provided.178 They are also
less likely to have adequate access to
legal counsel to defend themselves from
177 See Christine Dehlendorf, Lisa H. Harris,
Tracy A. Weitz, ‘‘Disparities in Abortion Rates: A
Public Health Approach,’’ American Journal of
Public Health. (Oct. 2013), https://
www.ncbi.nlm.nih.gov/pmc/articles/PMC3780732/.
See also Kiara Alfonseca, ‘‘Why Abortion
Restrictions Disproportionately Impact People of
Color, ABC News (June 24, 2022), https://
abcnews.go.com/Health/abortion-restrictionsdisproportionately-impact-people-color/
story?id=84467809; Susan A. Cohen, ‘‘Abortion and
Women of Color: The Bigger Picture,’’ Guttmacher
Institute (Aug. 6, 2008), https://
www.guttmacher.org/gpr/2008/08/abortion-andwomen-color-bigger-picture; ‘‘The Disproportionate
Harm of Abortion Bans: Spotlight on Dobbs v.
Jackson Women’s Health,’’ Center for Reproductive
Rights (Nov. 29, 2021), https://reproductiverights.
org/supreme-court-case-mississippi-abortion-bandisproportionate-harm/.
178 See Brief of Amici Curiae for Organizations
Dedicated to the Fight for Reproductive Justice—
Mississippi in Action, et al. at *59–60, Dobbs, 142
S. Ct. (discussing the likelihood that those who
terminate their pregnancies and anyone who assists
them may face criminal investigation or arrest,
exacerbating the mass incarceration of marginalized
people in Mississippi and Louisiana, particularly in
light of the states’ disproportionate rates of
incarceration for people of color).
E:\FR\FM\17APP2.SGM
17APP2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
lotter on DSK11XQN23PROD with PROPOSALS2
such actions.179 Such individuals are
thus especially likely to be concerned
that information they give to their
health care providers regarding their
reproductive health care will not remain
private. This is particularly true in light
of the historic lack of trust that members
of marginalized communities have for
the health care system; 180 such
individuals are more likely to be
deterred from seeking or obtaining
health care—or from giving their health
care providers full information when
they do obtain it.
The recent legal landscape that
increases the potential for disclosures of
PHI to impose liability for seeking,
obtaining, providing, or facilitating
reproductive health care risks eroding
health information privacy and trust in
health care providers that has long been
supported and advanced by the Privacy
Rule. The Department issued guidance
in 2022 to clarify its longstanding
179 See ‘‘Equal access to justice: ensuring
meaningful access to counsel in civil cases,
including immigration proceedings,’’ Columbia Law
School Human Rights Institute and Northeastern
University School of Law Program on Human
Rights and the Global Economy (July 2014), https://
hri.law.columbia.edu/sites/default/files/
publications/equal_access_to_justice_-_cerd_
shadow_report.pdf. See also ‘‘Report: State
Abortion Bans Will Harm Women and Families’
Economic Security Across the U.S.’’ (Aug. 25,
2022), https://www.americanprogress.org/article/
state-abortion-bans-will-harm-women-and-familieseconomic-security-across-the-us/.
180 See Leslie Read, Heather Nelson, Leslie
Korenda, The Deloitte Ctr. for Health Solutions,
‘‘Rebuilding Trust in Health Care: What Do
Consumers Want—and Need—Organizations to
Do?’’ (Aug. 5, 2021), p. 3 (With focus groups of 525
individuals in the United States who identify as
Black, Hispanic, Asian, or Native American, ‘‘Fiftyfive percent reported a negative experience where
they lost trust in a health care provider.’’), https://
www2.deloitte.com/us/en/insights/industry/healthcare/trust-in-health-care-system.html; Liz Hamel,
Lunna Lopes, Cailey Mun˜ana, et al., Kaiser Family
Foundation, The Undefeated Survey on Race and
Health (Oct. 2020), p. 23, (Percent who say they can
trust the health care system to do what is right for
them or their community almost all of the time or
most of the time: Black adults: 44%; Hispanic
adults: 50%; White adults: 55%), https://
files.kff.org/attachment/Report-Race-Health-andCOVID-19-The-Views-and-Experiences-of-BlackAmericans.pdf; ‘‘Issue Brief: Health Insurance
Coverage and Access to Care for LGBTQ+
Individuals: Current Trends and Key Challenges,’’
U.S. Dep’t of Health and Human Servs., Assistant
Sec’y for Policy & Evaluation, Office of Health
Policy (June 2021), p. 9 (‘‘According to a recent
survey, 18 percent of LGBTQ+ individuals reported
avoiding going to a doctor or seeking healthcare out
of concern that they would face discrimination or
be treated poorly because of their sexual orientation
or gender identity.’’), https://aspe.hhs.gov/sites/
default/files/2021-07/lgbt-health-ib.pdf; Abigail A.
Sewell, ‘‘Disaggregating Ethnoracial Disparities in
Physician Trust,’’ Social Science Research. (Nov.
2015), https://pubmed.ncbi.nlm.nih.gov/26463531/;
Irena Stepanikova, Stefanie Mollborn, Karen S.
Cook, et al., ‘‘Patients’ Race, Ethnicity, Language,
and Trust in a Physician,’’ Journal of Health and
Social Behavior (Dec. 2006), https://pubmed.ncbi.
nlm.nih.gov/17240927/.
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
interpretation of the Privacy Rule’s law
enforcement provisions.181 In the
guidance, the Department explained
that disclosures for non-health care
purposes, such as disclosures to law
enforcement officials, are permitted
only in narrow circumstances tailored to
protect the individual’s privacy and
support their access to health care,
including abortion care. The guidance
specifically reminded regulated entities
that they can use and disclose PHI,
without an individual’s signed
authorization, only as expressly
permitted or required by the Privacy
Rule. Additionally, the guidance
explained the Privacy Rule’s restrictions
on disclosures of PHI when required by
law, for law enforcement purposes, and
to avert a serious threat to health or
safety. For example, where state law
does not expressly require reporting of
suspicions of self-managed reproductive
health care, the Privacy Rule would not
permit a disclosure by a hospital
workforce member of such suspicions to
law enforcement under the ‘‘required by
law’’ permission.
However, many questions remain
with respect to the potential for this
sensitive PHI to be disclosed and the
effects of such disclosure on the
individual. Thus, it is incumbent upon
the Department to consider whether it
should revise the Privacy Rule to ensure
the privacy of health information related
to an individual’s use of lawful
reproductive health care, consistent
with Congress’ intent to create standards
for the privacy of IIHI that promote trust
and support access to high-quality
health care.182
C. To Protect the Trust Between
Individuals and Health Care Providers,
the Department Proposes To Restrict
Certain Uses and Disclosures of PHI for
Non-Health Care Purposes
The Federal Government seeks to
ensure that individuals have access to
high-quality health care.183 This
proposed rule would further that goal by
restricting the use and disclosure of
181 See
‘‘HIPAA Privacy Rule and Disclosures of
Information Relating to Reproductive Health Care,’’
U.S. Dep’t of Health and Human Servs. (June 29,
2022), https://www.hhs.gov/hipaa/forprofessionals/privacy/guidance/phi-reproductivehealth/.
182 See FCC v. Fox Television Stations, Inc., 556
U.S. 502, 515 (2009) (holding ‘‘[ . . . ] the agency
must show that there are good reasons for the new
policy. [ . . . ][I]t suffices that the new policy is
permissible under the statute, that there are good
reasons for it, and that the agency believes it to be
better, which the conscious change of course
adequately indicates.’’ (emphasis in original)).
183 See Testimony (transcribed) of Peter R. Orszag
and statement of Sen. Durenberger, supra note 135.
PO 00000
Frm 00017
Fmt 4701
Sfmt 4702
23521
certain PHI for non-health care
purposes.
The Department acknowledges that
the Privacy Rule has not previously
conditioned uses and disclosures for
certain purposes on the specific type of
health care about which the disclosure
relates, as it does herein with
reproductive health care. However, the
primary reasons behind this rulemaking
are the risks to privacy, patient trust,
and health care quality that occur when
it is the very act of obtaining health care
that subjects an individual to an
investigation or proceeding, potentially
disincentivizing the individual from
obtaining medically necessary health
care.
As discussed above, the Department
has long provided special protections
for psychotherapy notes when they are
not included as part of the medical
record because of the sensitivity around
this information. Given the particularly
sensitive nature of information related
to an individual’s reproductive health,
the Department is proposing to create
new, special safeguards for this
information. However, unlike
psychotherapy notes, which by their
very nature are easily defined and
segregated, reproductive health
information is not easily defined or
segregated. This is in part because many
types of PHI may not initially appear to
be related to an individual’s
reproductive health but may in fact
reveal information about an individual’s
reproductive health or reproductive
health care an individual has received.
For example, in a pregnant individual,
a high blood pressure reading may be a
sign of preeclampsia, and glucose found
in a urine test may indicate gestational
diabetes. Additionally, it is the
Department’s understanding that today’s
clinical documentation and health IT do
not provide regulated entities with the
ability to segment certain PHI such that
regulated entities could afford specific
categories of PHI special protections, or
at least do so in a manner that is not
overly burdensome and cost
prohibitive.184 Instead, as is consistent
184 See, e.g., 87 FR 74216, 74221 (Dec. 2, 2022)
(noting that 42 CFR part 2 previously resulted in the
separation of substance use disorder (SUD)
treatment records previous from other health
records, which led to the creation of data ‘‘silos’’
that hampered the integration of SUD treatment
records into covered entities’ electronic record
systems and billing processes. When considering
amendments to the relevant statute, some
lawmakers argued that the silos perpetuated
negative stereotypes about persons with SUD and
inhibited coordination of care during the opioid
epidemic. See also ‘‘Health Information Technology
Advisory Committee (HITAC) Annual Report for
Fiscal Year 2019,’’ Health Information Technology
Advisory Committee (Feb. 19, 2020), p. 37, https://
E:\FR\FM\17APP2.SGM
Continued
17APP2
lotter on DSK11XQN23PROD with PROPOSALS2
23522
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
with the Privacy Rule’s overall
approach,185 the Department proposes a
purpose-based prohibition on certain
uses and disclosures to protect
individuals’ privacy interests in their
PHI. The Department believes that this
proposed purpose-based prohibition, in
concert with the proposed attestation,
will restrict the use and disclosure of
PHI that could harm HIPAA’s overall
goals of increasing trust in the health
care system, improving health care
quality, and protecting individual
privacy, while continuing to allow PHI
uses and disclosures that either provide
support for those goals or do not
interfere with their achievement.
Also, consistent with the Privacy
Rule’s approach, the Department
proposes a Rule of Applicability for the
purpose-based prohibition that
recognizes the interests of the Federal
Government and states in protecting the
privacy of persons who seek, obtain,
provide, or facilitate lawful
reproductive health care. This Rule of
Applicability would limit the new
prohibition to certain categories of
instances in which the state lacks any
substantial interest in seeking the
disclosure. The Department believes
that the proposals described in greater
detail later in this NPRM could benefit
health care providers and individuals.
Although many benefits are not
quantifiable, the Department believes
the proposals would increase the
likelihood that individuals would seek
lawful health care by improving their
confidence in the confidentiality of their
PHI; improve access to high quality and
continuous health care by increasing the
accuracy and completeness of
individuals’ medical records; improve
population health by encouraging
individuals to receive disease
screenings; safeguard the mental health
of pregnant individuals; prevent
increases in maternal mortality and
morbidity; enhance support for victims
of rape, incest, and sex trafficking; and
maintain family economic stability.
Similarly, the proposals are expected to
increase certainty for, and therefore
reduce the burden on, regulated entities
implementing the Privacy Rule.
The Department’s proposed
modifications are consistent with its
existing authority to modify the Privacy
Rule. As discussed above, Congress
expressly authorized the Department to
www.healthit.gov/sites/default/files/page/2020-03/
HITAC%20Annual%20Report%20for%20FY19_
508.pdf (‘‘The new certification criteria that support
the sharing of data via third-party apps will help
advance the use of data segmentation, but adoption
of this capability by the industry is not yet
widespread.’’).
185 See 64 FR 59924, 59939, and 59955.
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
develop standards for the privacy of
IIHI. The Department has consistently
exercised its rulemaking authority to
establish, implement, and modify the
HIPAA Rules pursuant to this statutory
authority, including when necessary to
maintain their effectiveness, address
workability issues for regulated entities
including clarifying amendments, and
respond to changed circumstances.186
The proposed changes would effectuate
HIPAA’s goals of setting standards with
respect to the privacy of IIHI, thereby
increasing the quality of and access to
health care by fostering trust in the
health care system and buttressing
continuity of health care.187 Moreover,
Congress expressly provided in HIPAA
that the Department’s regulations in this
area ‘‘shall supersede any contrary
provision of State law,’’ absent an
explicit exception.188 As discussed
below, various state laws that might
conflict with the rules proposed herein,
such as those that require disclosure of
PHI for purposes of criminal, civil, or
administrative investigations or
proceedings based on seeking,
obtaining, providing, or facilitating
lawful reproductive health care, are not
excepted from this general rule of
preemption.
In accordance with section 264(d) of
HIPAA, the Department has consulted
with the Attorney General in the
formulation of this proposed rule and
intends to continue to engage in these
consultations before finalizing the rule.
The Department invites NCVHS to
review this proposed rule and to
provide comments to the Department.
IV. Section-by-Section Description of
Proposed Amendments to the Privacy
Rule
The Department proposes to modify
the Privacy Rule to strengthen privacy
protections for individuals’ PHI by
adding a new category of prohibited
uses and disclosures. This modification
would prohibit a regulated entity from
using or disclosing an individual’s PHI
for the purpose of conducting a
186 See, e.g., 67 FR 53182 (modifying the 2000
Privacy Rule in response to stakeholder
implementation concerns and to clarify key
provisions), 78 FR 5566 (modifying the HIPAA
Rules to address HITECH requirements and
improve workability and flexibility for covered
entities), 79 FR 7289 (modifying the Privacy Rule
to address requirements in the Clinical Laboratory
Improvement Amendments of 1988 and to improve
patient access), and 81 FR 382 (modifying the
Privacy Rule to permit certain disclosures to the
National Instant Criminal Background Check
System).
187 See section III of this rulemaking for a full
discussion of HIPAA and congressional intent.
188 42 U.S.C. 1320d–7 and section 264(c)(2) of
Public Law 104–191 (codified at 42 U.S.C. 1320d–
2 note).
PO 00000
Frm 00018
Fmt 4701
Sfmt 4702
criminal, civil, or administrative
investigation into or proceeding against
the individual, a health care provider, or
other person in connection with
seeking, obtaining, providing, or
facilitating reproductive health care
that: (1) is provided outside of the state
where the investigation or proceeding is
authorized and such health care is
lawful in the state in which it is
provided; (2) is protected, required, or
authorized by Federal law, regardless of
the state in which such health care is
provided; or (3) is provided in the state
in which the investigation or proceeding
is authorized and that is permitted by
the law of that state. In these three
circumstances, the state lacks any
substantial interest in seeking the
disclosure. To operationalize this
proposed modification, the Department
also proposes to revise or clarify certain
definitions and terms that apply to the
Privacy Rule, as well as other HIPAA
Rules. The NPRM would also prohibit a
regulated entity from using or disclosing
an individual’s PHI for the purpose of
identifying 189 an individual, health care
provider, or other person for the
purpose of initiating such an
investigation or proceeding against the
individual, a health care provider, or
other person in connection with
seeking, obtaining, providing, or
facilitating reproductive health care that
is lawful under the circumstances in
which it is provided.
To effectuate these proposals, the
Department proposes conforming and
clarifying changes to the HIPAA Rules.
These proposed changes include, but
are not limited to, clarifying the
definition of ‘‘person’’ to reflect longstanding statutory language defining the
term; adopting new definitions of
‘‘public health’’ surveillance,
investigation, or intervention, and
‘‘reproductive health care’’; clarifying
that a regulated entity may not decline
to recognize a person as a personal
representative for the purposes of the
Privacy Rule solely because they
provide or facilitate reproductive health
care for an individual; a new
requirement that, in certain
189 Section 164.514(h) of 45 CFR requires a
covered entity, in most cases, to take reasonable
steps to verify the identify and authority of a person
requesting PHI before disclosing the PHI, including
in the case of public officials. The proposed
restriction against using or disclosing PHI in
connection with the proposals in this NPRM would
not modify 45 CFR 164.514(h) but would address
only those circumstances in which a regulated
entity would use or disclose PHI to identify an
individual for a purpose that would be restricted
herein. Further, the Department believes the
attestation requirement proposed in this NPRM
would provide a regulated entity the assurance it
needs to make disclosures for identity purposes that
are consistent with the Privacy Rule.
E:\FR\FM\17APP2.SGM
17APP2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
circumstances, regulated entities must
first obtain an attestation that a
requested use or disclosure is not for a
prohibited purpose; and modifications
to the NPP for PHI to inform individuals
that their PHI may not be used or
disclosed for a prohibited purpose.
The Department’s proposals are
discussed in greater detail below.
A. Section 160.103—Definitions
1. Clarifying the Definition of ‘‘Person’’
Current Provision and Issues To
Address
HIPAA does not define the term
‘‘person.’’ 190 By regulation, the
Department has long defined ‘‘person’’
for purposes of the HIPAA Rules to
mean ‘‘a natural person, trust or estate,
partnership, corporation, professional
association or corporation, or other
entity, public or private.’’ 191 This
definition was based on the meaning of
‘‘person’’ that Congress adopted in the
original Social Security Act of 1935
(SSA), defined as an ‘‘individual, a trust
or estate, a partnership, or a
corporation.’’ 192
In 2002, Congress enacted 1 U.S.C. 8,
which defines ‘‘person,’’ ‘‘human
being,’’ ‘‘child,’’ and ‘‘individual.’’ 193
The statute specifies that this definition
shall apply when ‘‘determining the
meaning of any Act of Congress, or of
any ruling, regulation, or interpretation
of the various administrative bureaus
and agencies of the United States.’’ 194
The Department understands 1 U.S.C. 8
to provide a definition of ‘‘person’’ and
‘‘child’’ that is consistent with the
Department’s understanding of that
term, as it is used in the SSA, HIPAA,
and the HIPAA Rules and does not
include a fertilized egg, embryo, or
fetus.
Proposal
Thus, the Department proposes to
clarify the definition of ‘‘natural
person’’ in a manner consistent with 1
U.S.C. 8. In so doing, the Department
would make clear that all terms
subsumed within the definition of
‘‘natural person,’’ such as
‘‘individual,’’ 195 which refers to a
‘‘person’’ who is the subject of PHI
under the HIPAA Rules, is limited to the
190 See
42 U.S.C. 1320d–1320d–8.
CFR 160.103.
192 See section 1101(3) of Public Law 74–271, 49
Stat. 620 (Aug. 14, 1935) (codified at 42 U.S.C.
1301(3)).
193 1 U.S.C. 8(a). The Department is not opining
on whether any state law confers a particular legal
status upon a fetus. The Department instead cites
to this statute to define the scope of the right of
privacy that attaches pursuant to HIPAA.
194 Id.
195 45 CFR 160.103 (definition of ‘‘Individual’’).
lotter on DSK11XQN23PROD with PROPOSALS2
191 45
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
confines of the term ‘‘person.’’ 196 The
Department would also make clear that
‘‘natural person,’’ as used in the
definition of ‘‘person’’ under the HIPAA
Rules, is limited to the definition at 1
U.S.C. 8.
The Department believes it would be
beneficial to clarify the definition of
‘‘person’’ to ensure that there is an
understanding among stakeholders as to
its meaning for Privacy Rule purposes.
As such, the Department believes the
proposed clarification of the definition
of person better explains to regulated
entities and other stakeholders the
parameters of who is an ‘‘individual’’
whose PHI is protected by the HIPAA
Rules.
2. Interpreting Terms Used in Section
1178(b) of the Social Security Act 197
HIPAA includes a rule of construction
for certain laws generally concerning
‘‘[p]ublic health.’’ 198 Specifically,
section 1178(b) of the SSA provides that
nothing in HIPAA ‘‘shall be construed
to invalidate or limit’’ laws ‘‘providing
for the reporting of disease or injury,
child abuse, birth, or death, public
health surveillance, or public health
investigation or intervention.’’ 199
Accordingly, the Privacy Rule permits a
regulated entity to use and disclose PHI
for certain public health purposes,
treating the uses and disclosures
covered by section 1178(b) as permitted
uses and disclosures to public health
authorities or other appropriate
government authorities for the listed
activities.200
A regulated entity may use or disclose
PHI to public health authorities for the
full range of activities described above,
including reporting of diseases and
injuries, reporting of birth and death to
vital statistics agencies, and activities
covered by the terms public health
surveillance, public health
investigation, and public health
intervention. A ‘‘public health
authority’’ means an agency or authority
of the United States, a State, a territory,
196 See The Prenatal Record and the Initial
Prenatal Visit, The Global Library of Women’s
Medicine (last updated Jan. 2008) (PHI about the
fetus is included in the mother’s PHI), https://
www.glowm.com/section-view/heading/
The%20Prenatal%20Record%20and%20the
%20Initial%20Prenatal%20Visit/item/107#.
Y7WRKofMKUl.
197 42 U.S.C. 1320d–7(b).
198 Id.
199 Id. The Department incorporated this
limitation on Federal preemption of state laws in
the HIPAA Rules at 45 CFR 160.203(c).
200 45 CFR 164.512(b). The Privacy Rule
addresses its interactions with laws governing
excepted public health activities in two sections: 45
CFR 164.512(a), Standard: Uses and disclosures
required by law, and 45 CFR 164.512(b), Standard:
Uses and disclosures for public health activities.
PO 00000
Frm 00019
Fmt 4701
Sfmt 4702
23523
a political subdivision of a State or
territory, or an Indian tribe, or a person
or entity acting under a grant of
authority from, or contract with, such
public agency, including the employees
or agents of such public agency or its
contractors or persons or entities to
whom it has granted authority, that is
responsible for public health matters as
part of its official mandate.201
HIPAA does not define the terms in
section 1178(b) that govern the scope of
the ‘‘public health’’ exceptions to
preemption and the Department
declines to do so here. The Department
believes it necessary to define only
‘‘public health’’ surveillance,
investigation, or intervention and to
make clear the Department’s
interpretation of key terms used in
section 1178(b) to clarify when HIPAA
preempts contrary state laws. The
Department believes that state laws that
require the use or disclosure of highly
sensitive PHI for non-public health
purposes, such as criminal, civil, or
administrative investigations or
proceedings based on whether a person
sought, obtained, provided, or
facilitated reproductive health care, are
not exempt from HIPAA’s general rule
of preemption.
Reporting of Disease or Injury, Birth, or
Death
The Privacy Rule permits regulated
entities to use or disclose PHI without
authorization for the public health
purposes of reporting ‘‘disease or
injury,’’ ‘‘birth,’’ or ‘‘death.’’ 202
Similarly, section 1178(b) exempts state
laws requiring such reporting from
HIPAA’s general preemption provision.
The Department recognizes that such
public health reporting activities are an
important means of identifying threats
to the health and safety of the public.
The Department does not propose to
define ‘‘disease or injury,’’ ‘‘birth,’’ or
‘‘death,’’ because the Department
believes that these terms, when read
with the definition of ‘‘person’’ as
discussed above and in the broader
context of HIPAA as discussed in
greater detail below, exclude
information about abortion or other
reproductive health care. But the
Department invites comment on
whether it would be beneficial to clarify
that these terms exclude information
about reproductive health care.
201 See 45 CFR 164.501 (definition of ‘‘Public
health authority’’).
202 See U.S. Dep’t of Health and Human Servs.,
Office for Civil Rights, Public Health (Dec. 18,
2020), https://www.hhs.gov/hipaa/forprofessionals/special-topics/public-health/
index.html.
E:\FR\FM\17APP2.SGM
17APP2
23524
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
lotter on DSK11XQN23PROD with PROPOSALS2
At the time of HIPAA’s enactment,
state laws provided for the reporting of
disease or injury, birth, or death by
covered health care providers and other
persons.203 These state public health
reporting systems were well established
and involved close collaboration
between the state, local, or territorial
jurisdiction and the Federal
Government.204 Reports generally were
made to public health authorities or, in
some specific cases, law enforcement
(e.g., reporting of gunshot wounds).205
Similar public health reporting systems
continue to exist today.
Reporting of ‘‘disease or injury’’
commonly refers to diagnosable health
conditions reported for limited purposes
such as workers’ compensation, tort
claims, or health tracking efforts. All
states, territories, and Tribal
governments require covered health care
providers (e.g., physicians and
laboratories) and others to report cases
of certain diseases or conditions that
affect public health, such as coronavirus
disease 2019 (COVID–19), malaria, and
foodborne illnesses.206 Such reporting
enables public health practitioners to
study and explain diseases and their
spread, along with determining
appropriate actions to prevent and
respond to outbreaks.207 States also
require health care providers to report
incidents of certain types of injuries,
such as those caused by gunshots,
knives, or burns.208 Various Federal
statutes use the phrase ‘‘disease or
injury’’ similarly to refer to events such
as workplace injuries for purposes of
compensation.209
203 The 1996–98 Report of the NCVHS to the
Secretary describes various types of activities
considered to be public health during the era in
which HIPAA was enacted, such as the collection
of public health surveillance data on health status
and health outcomes and vital statistics
information. See Report of ‘‘The National
Committee on Vital and Health Statistics, 1996–98,’’
Nat’l Comm. on Vital and Health Stats. (Dec. 1999),
https://ncvhs.hhs.gov/wp-content/uploads/2018/03/
90727nv-508.pdf.
204 Id.
205 Id.
206 See ‘‘Reportable diseases,’’ in National
Institutes of Health, National Library of Medicine,
MedlinePlus, https://medlineplus.gov/ency/article/
001929.htm (accessed Oct. 19, 2022). See also
‘‘What is Case Surveillance?’’ Centers for Disease
Control and Prevention, National Notifiable
Diseases Surveillance Sys. (July 20, 2022), https://
www.cdc.gov/nndss/about/.
207 See ‘‘Reportable diseases,’’ supra note 206.
Such reporting is a type of public health
surveillance activity.
208 See Victims Rights Law Center, ‘‘Mandatory
Reporting of Non-Accidental Injuries: A State-byState Guide’’ (May 2014), https://4e5ae7d17e.
nxcli.net/wp-content/uploads/2021/01/MandatoryReporting-of-Non-Accidental-Injury-Statutes-byState.pdf.
209 See, e.g., 38 U.S.C. 1110 (referring to an
‘‘injury suffered or disease contracted’’); 10 U.S.C.
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
The limited meaning given to the
terms ‘‘disease’’ and ‘‘injury’’ is clear
from HIPAA’s broader context. For
instance, interpreting ‘‘injury’’ to
include reporting of any criminal abuse
would render the specific exception for
‘‘child abuse’’ superfluous. And
interpreting ‘‘disease’’ to include
reporting of any disease for any purpose
would eviscerate HIPAA’s general
provisions protecting PHI. ‘‘[D]isease
management activities’’ constitute
‘‘health care’’ under the Privacy Rule,
and a broad interpretation of ‘‘disease or
injury’’ would make even information
about cancer treatment disclosable.210
Consequently, the Department has long
understood ‘‘disease or injury’’ to
narrowly refer to diagnosable health
conditions reported for limited purposes
such as workers’ compensation, tort
claims, or health tracking efforts.211
With respect to reporting of ‘‘births’’
and ‘‘deaths,’’ such vital statistics are
reported by covered health care
providers to the vital registration
systems operated in various
jurisdictions 212 legally responsible for
the registration of vital events.213 State
972 (discussing time lost as a result of ‘‘disease or
injury’’); 38 U.S.C. 3500 (providing education for
certain children whose parent suffered ‘‘a disease
or injury’’ incurred or aggravated in the Armed
Forces); see also 5 U.S.C. 8707 (insurance provision
discussing compensation as a result of ‘‘disease or
injury’’); 33 U.S.C. 765 (discussing retirement for
disability as a result of ‘‘disease or injury’’); 15
U.S.C. 2607(c) (requiring chemical manufacturers to
maintain records of ‘‘occupational disease or
injury’’).
210 See 65 FR 82571 (recognizing that ‘‘disease
management activities’’ often constitute ‘‘health
care’’ under HIPAA); 65 FR 82777 (discussing the
importance of privacy for information about cancer,
a ‘‘disease’’ that causes an ‘‘indisputable’’ ‘‘societal
burden’’); 65 FR 82778 (discussing the importance
of privacy for information about sexually
transmitted diseases, including Human
Immunodeficiency Virus/Acquired
Immunodeficiency Syndrome (HIV/AIDS)); 65 FR
82463–64 (noting that numerous states adopted
laws protecting health information relating to
certain health conditions such as communicable
diseases, cancer, HIV/AIDS, and other stigmatized
conditions.); 65 FR 82731 (finding that there are no
persuasive reasons to provide information
contained within disease registries with special
treatment as compared with other information that
may be used to make decisions about an
individual).
211 See, e.g., 65 FR 82517 (discussing tort
litigation as information that could implicate IIHI);
65 FR 82542 (discussing workers’ compensation);
65 FR 82527 (separately addressing disclosures
about ‘‘abuse, neglect or domestic violence’’ and
limiting such disclosures to only two
circumstances, even if expressly authorized by state
statute or regulation).
212 See ‘‘Health Department Governance,’’ Centers
for Disease Control and Prevention, Public Health
Professionals Gateway (Nov. 25, 2022), https://
www.cdc.gov/publichealthgateway/sites
governance/.
213 See the list of events included in vital events
‘‘vital events—births, deaths, marriages, divorces,
and fetal deaths,’’ National Center for Health
Statistics, Centers for Disease Control and
PO 00000
Frm 00020
Fmt 4701
Sfmt 4702
laws require birth certificates to be
completed for all births, and Federal
law mandates the national collection
and publication of births and other vital
statistics data.214 Tracking and reporting
death is a complex and decentralized
process with a variety of systems used
by more than 6,000 local vital
registrars.215 When HIPAA was enacted,
the Model State Vital Statistics Act and
Regulations, which is followed by most
states,216 included distinct categories for
‘‘live births,’’ ‘‘fetal deaths,’’ and
‘‘induced terminations of pregnancy,’’
with instructions that abortions ‘‘shall
not be reported as fetal deaths.’’ 217 In
light of that common understanding at
the time of HIPAA’s enactment, it is
clear that the reporting of abortions is
not included in the category of reporting
of deaths for the purposes of HIPAA and
does not fall within the scope of state
activities Congress specifically
designated as excepted from preemption
by HIPAA.
More generally, while Congress
exempted certain ‘‘[p]ublic health’’ laws
from preemption,218 Congress chose not
to create a general exception for
criminal laws or other laws that address
the disclosure of information about
similar types of activities outside of the
public health context. Thus, the Privacy
Rule’s exceptions for reporting of
disease or injury, birth, or death do not
allow the use or disclosure of PHI for
investigating or punishing a person for
seeking, obtaining, providing, or
facilitating reproductive health care.
Similarly, state laws requiring
disclosure for such purposes are not
exempt under section 1178(b) from
HIPAA’s general preemption provision.
Prevention, About the National Vital Statistics
System (Jan. 4, 2016), https://www.cdc.gov/nchs/
nvss/about_nvss.htm.
214 See ‘‘Birth Data,’’ National Center for Health
Statistics, Centers for Disease Control and
Prevention, National Vital Statistics (Dec. 6, 2022),
https://www.cdc.gov/nchs/nvss/births.htm.
215 See ‘‘How Tracking Deaths Protects Health,’’
Centers for Disease Control and Prevention, Public
Health and Surveillance Data (July 2018), https://
www.cdc.gov/surveillance/pdfs/Tracking-Deathsprotects-healthh.pdf.
216 See ‘‘State Definitions and Reporting
Requirements: For Live Births, Fetal Deaths, and
Induced Terminations of Pregnancy,’’ Centers for
Disease Control and Prevention, National Center for
Health Statistics (1997), p. 5, https://www.cdc.gov/
nchs/data/misc/itop97.pdf.
217 ‘‘Model State Vital Statistics Act and
Regulations,’’ Centers for Disease Control and
Prevention, National Center for Health Statistics
(1992), p. 8, https://www.cdc.gov/nchs/data/misc/
mvsact92b.pdf.
218 42 U.S.C. 1178(b) (codified in HIPAA at 42
U.S.C. 1320d–7).
E:\FR\FM\17APP2.SGM
17APP2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
for the sick.’’ 223 Stedman’s Medical
Dictionary defines ‘‘public health’’ as
‘‘the art and science of community
The Privacy Rule also permits a
health, concerned with statistics,
regulated entity to use or disclose PHI
epidemiology, hygiene, and the
to conduct ‘‘public health’’ surveillance, prevention and eradication of epidemic
219
investigation, or intervention.
Section diseases; an effort organized by society
1178(b) similarly exempts state laws
to promote, protect, and restore the
providing for ‘‘public health’’
people’s health; public health is a social
surveillance, investigation, or
institution, a service, and a practice.’’ 224
intervention from HIPAA’s general
The Centers for Disease Control and
preemption rule. Neither HIPAA nor the Prevention’s (CDC) Agency for Toxic
Privacy Rule currently defines these
Substances and Disease Registry
terms. To clarify their meaning, the
commonly defines ‘‘public health
Department proposes to define public
surveillance’’ as ‘‘the ongoing
health 220 surveillance, investigation, or systematic collection, analysis and
intervention to mean population-based
interpretation of outcome-specific data
activities to prevent disease and
for use in the planning, implementation,
221
promote health of populations.
The
and evaluation of public health
Department also proposes to clarify that practice.’’ 225 And many states similarly
such public health activities do not
define ‘‘public health’’ to mean
include uses and disclosures for the
population-level activities.226 The
criminal, civil, or administrative
Department likewise has used public
investigation into or proceeding against
health in this way since it first adopted
any person in connection with seeking,
the Privacy Rule.227
obtaining, providing, or facilitating
There is also a widely recognized
reproductive health care, or to identify
distinction between public health
any person for the purpose of initiating
activities, which primarily focus on
such an investigation or proceeding.222
improving the health of populations,
Since the time of HIPAA’s enactment, and criminal investigations, which
public health activities related to
surveillance, investigation, or
223 ‘‘Health,’’ ‘‘public health,’’ Black’s Law
Dictionary (11th ed. 2019).
intervention have been widely
224 ‘‘Public health,’’ Stedman’s Medical
understood to refer to activities aimed at
Dictionary 394520.
improving the health of a population.
225 Jonathan Weinstein, ‘‘In Re Miguel M.,’’ 55
For example, legal dictionaries define
N.Y.L. Sch. L. Rev. 389, 390 (2010) (citing Stephen
‘‘public health’’ as ‘‘[t]he health of the
B. Thacker, ‘‘Historical Development,’’ in Principles
community at large,’’ or ‘‘[t]he healthful and Practice of Public Health Surveillance 1 (Steven
or sanitary condition of the general body M. Teutsch & R. Elliott Churchill eds., 2d ed.,
2000)), https://digitalcommons.nyls.edu/cgi/
of people or the community en masse;
viewcontent.cgi?article=1599&context=nyls_law_
esp., the methods of maintaining the
review.
226 See, e.g., Richard A. Goodman, Judith W.
health of the community, as by
Munson, Kim Dammers, et al., ‘‘Forensic
preventive medicine or organized care
Public Health Surveillance,
Investigation, or Intervention
lotter on DSK11XQN23PROD with PROPOSALS2
219 See
45 CFR 164.512(b)(1)(i); U.S. Dep’t of
Health and Human Servs., Office for Civil Rights,
Disclosures for Public Health Activities, (accessed
Oct. 19, 2022), https://www.hhs.gov/hipaa/forprofessionals/privacy/guidance/disclosures-publichealth-activities/.
220 See ‘‘Ten Essential Public Health Services,’’
Centers for Disease Control and Prevention, Public
Health Professionals Gateway (Dec. 1, 2022),
https://www.cdc.gov/publichealthgateway/
publichealthservices/essentialhealthservices.html
and ‘‘What is Public Health?’’ in CDC Foundation,
Public Health in Action (2023), https://
www.cdcfoundation.org/what-publichealth?gclid=Cj0KCQjw_
viWBhD8ARIsAH1mCd7ME0r94gapt8Q
h48LjdQO3Sto101snekpI94auuah
Rs7LizEkh7OwaAiKxEALw_wcB. See also ‘‘HIPAA
Privacy Rule and Public Health,’’ Centers for
Disease Control and Prevention, MMWR (Apr. 11,
2003), https://www.cdc.gov/mmwr/preview/
mmwrhtml/m2e411a1.htm.
221 See Report of ‘‘The National Committee on
Vital and Health Statistics, 1996–98,’’ supra note
203. These activities are consistent with the
definition proposed herein.
222 See Report of ‘‘The National Committee on
Vital and Health Statistics, 1996–98,’’ supra note
203, for descriptions of public health activities in
1996–98.
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
Epidemiology: Law at the Intersection of Public
Health and Criminal Investigations,’’ 31 The Journal
of Law, Medicine & Ethics 684, 689–90 (2003); La.
Rev. Stat. Ann. sec. 40:3.1 (2011) (defining threats
to public health as nuisances ‘‘including but not
limited to communicable, contagious, and
infectious diseases, as well as illnesses, diseases,
and genetic disorders or abnormalities’’); N.C. Gen.
Stat. sec. 130A–141.1(a) (2010) (defining public
health investigations as the ‘‘surveillance of an
illness, condition, or symptoms that may indicate
the existence of a communicable disease or
condition’’).
227 See, e.g., 65 FR 82464 (noting that reporting
of public health information on communicable
diseases is not prevented by individuals’ right to
information privacy); id. at 82467 (discussing the
importance of accurate medical records in
recognizing troubling public health trends and in
assessing the effectiveness of public health efforts);
id. at 82473 (discussing disclosure to ‘‘a department
of public health’’); id. at 82525 (recognizing that it
may be necessary to disclose PHI about
communicable diseases when conducting a public
health intervention or investigation); id. at 82526
(recognizing that an entity acts as a ‘‘public health
authority’’ when, in its role as a component of the
public health department, it conducts infectious
disease surveillance); ‘‘HIPAA Privacy Rule and
Public Health,’’ supra note 220 (describing what
traditionally are considered to be ‘‘public health
activities’’ that require PHI).
PO 00000
Frm 00021
Fmt 4701
Sfmt 4702
23525
primarily focus on identifying and
imposing liability on persons who have
violated the law. States and other local
governing authorities maintain criminal
codes that are distinct and separate from
public health reporting laws,228
although some jurisdictions enforce
required reporting through criminal
statutes. Different governmental bodies
are responsible for enforcing these
separate codes, and public health
officials do not typically investigate
criminal activity.229 When states intend
for public health information to be
shared with law enforcement for
criminal investigation purposes, they
typically pass specific laws to permit
that sharing.230 Other Federal laws also
treat public health investigations as
distinct from criminal investigations.231
Maintaining a clear distinction between
public health investigations and
criminal investigations serves HIPAA’s
broader purposes, as well, by
safeguarding privacy to ensure quality
health care.232
228 For example, traditional public health
reporting laws grew from colonial requirements that
physicians report disease. These requirements
transitioned to state regulatory requirements
imposed by public health departments on authority
granted to them by states. See Public Health Law
101, Disease Reporting and Public Health
Surveillance, Centers for Disease Control and
Prevention, p. 12 and 14, https://www.cdc.gov/
phlp/docs/phl101/PHL101-Unit-5-16Jan09Secure.pdf. See also, e.g., Code of Georgia 31–12–
2 (2021), authority to require disease reporting.
229 See ‘‘Public Health,’’ supra note 223 (‘‘Many
cities have a ‘public health department’ or other
agency responsible for maintaining the public
health; Federal laws dealing with health are
administered by the Department of Health and
Human Services.’’); See also ‘‘Forensic
Epidemiology: Law at the Intersection of Public
Health and Criminal Investigations,’’ supra note
226, at 689.
230 See ‘‘Forensic Epidemiology: Law at the
Intersection of Public Health and Criminal
Investigations,’’ supra note 226, at 687 (discussing
South Dakota Statutes sec. 22–18–31, a law
allowing HIV test results to be released to a
prosecutor for criminal investigation purposes); id.
at 693 (discussing North Carolina General Statute
(N.C.G.S.) sec. 130A–476, a law allowing
confidential medical information to be shared with
law enforcement in certain circumstances related to
communicable diseases or terrorism).
231 See Camara v. Municipal Ct. of City & Cty. of
S.F., 387 U.S. 523, 535–37 (1967) (discussing
administrative inspections under the Fourth
Amendment, such as those aimed at addressing
‘‘conditions which are hazardous to public health
and safety,’’ and not ‘‘aimed at the discovery of
evidence of crime’’); 42 U.S.C. 241(d)(D)
(prohibiting disclosure of private information from
research subjects in ‘‘criminal’’ and other
proceedings); 42 U.S.C. 290dd–2(c) (prohibiting
substance abuse records from being used in
criminal proceedings).
232 See ‘‘Forensic Epidemiology: Law at the
Intersection of Public Health and Criminal
Investigations,’’ supra note 226, at 687 (discussing
reasons why ‘‘an association of public health with
law enforcement’’ may be ‘‘to the detriment of
routine public health practice’’). See also 45 CFR
E:\FR\FM\17APP2.SGM
Continued
17APP2
23526
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
lotter on DSK11XQN23PROD with PROPOSALS2
The Department concludes that the
Privacy Rule’s permissions to use and
disclose PHI for the ‘‘public health’’
activities of surveillance, investigation,
or intervention do not include criminal,
civil, or administrative investigations
into, or proceedings against, any person
in connection with seeking, obtaining,
providing, or facilitating reproductive
health care, nor do they include
identifying any person for the purpose
of initiating such investigations or
proceedings. Such actions are not public
health activities. Public health
surveillance, investigations, or
interventions ensure the health of the
community as a whole by addressing
population-level issues such as the
spread of communicable diseases, even
where they involve individual-level
interventions. Such surveillance
systems provide data necessary to
examine and potentially develop
interventions to improve the public’s
health, such as providing education or
resources to support individuals’ access
to health care and improve health
outcomes.233 U.S. states, territories, and
Tribal governments participate in
bilateral agreements with the Federal
Government to share data on conditions
that affect public health.234 The CDC’s
Division of Reproductive Health
presently collects reproductive health
data in support of national and statebased population surveillance systems
to assess maternal complications,
mortality and pregnancy-related
disparities, and the numbers and
characteristics of individuals who
obtain legal induced abortions.235
Importantly, disclosures to public
health authorities permitted by the
Privacy Rule are limited to the
‘‘minimum necessary’’ to accomplish
the public health purpose.236 In many
cases, regulated entities need disclose
only de-identified data 237 to meet the
public health purpose. By contrast,
164.512(b)(1)(i) (including ‘‘public health
investigations’’ as an activity carried out by a public
health authority that is authorized by law to carry
out public health activities).
233 See ‘‘Improving the Role of Health
Departments in Activities Related to Abortion,’’
American Public Health Association (Oct. 26, 2021),
https://www.apha.org/Policies-and-Advocacy/
Public-Health-Policy-Statements/Policy-Database/
2022/01/07/Improving-Health-Department-Role-inActivities-Related-to-Abortion.
234 See ‘‘Reportable diseases,’’ supra note 206. See
also ‘‘What is Case Surveillance?’’ supra note 206.
235 See ‘‘Reproductive Health,’’ Centers for
Disease Control and Prevention (Apr. 20, 2022),
https://www.cdc.gov/reproductivehealth/drh/aboutus/index.htm; and ‘‘Reproductive Health—CDCs
Abortion Surveillance System FAQs,’’ Centers for
Disease Control and Prevention, Reproductive
Health (Nov. 17, 2022), https://www.cdc.gov/
reproductivehealth/data_stats/abortion.htm.
236 See 45 CFR 164.502(b).
237 See 45 CFR 164.514(a).
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
criminal, civil, and administrative
investigations and proceedings
generally target specific persons; they
are not designed to address populationlevel health concerns and are not
limited to information authorized to be
collected by a public health or similar
government authority for a public health
activity. Thus, the exceptions in section
1178(b) for ‘‘public health’’
investigations, interventions, or
surveillance do not limit the
Department’s ability to prohibit uses or
disclosures of PHI for other purposes,
such as judicial and administrative
proceedings or law enforcement
purposes. While the Department has
chosen as a policy matter to permit uses
or disclosures of PHI for law
enforcement and other purposes in
other contexts, it believes, as discussed
above, that a different balance is
appropriate in the context of highly
sensitive information related to
reproductive health care.
In light of the proposed definition of
‘‘public health’’ in this context, the
Department does not propose to
additionally define the terms
‘‘investigation,’’ ‘‘intervention,’’ or
‘‘surveillance,’’ because it believes these
terms are commonly understood.
Specifically, the Department believes
public health investigation or
intervention includes monitoring realtime health status and identifying
patterns to develop strategies to address
chronic diseases and injuries, as well as
using real-time data to identify and
respond to acute outbreaks,
emergencies, and other health
hazards.238 The Department also
believes public health surveillance
refers to the ongoing, systematic
collection, analysis, and interpretation
of health-related data essential to
planning, implementation, and
evaluation of public health practice.239
Nevertheless, the Department invites
comment on whether it would be
beneficial to specifically define these
terms.
240 See
Child Abuse Reporting
In accordance with section 1178(b) of
HIPAA, the Privacy Rule permits a
regulated entity to use or disclose PHI
to report known or suspected child
abuse or neglect if the report is made to
a public health authority or other
appropriate government authority that is
authorized by law to receive such
238 See ‘‘Ten Essential Public Health Services,’’
supra note 220.
239 See ‘‘Introduction to Public Health
Surveillance,’’ Centers for Disease Control and
Prevention (Nov. 15, 2018), https://www.cdc.gov/
training/publichealth101/surveillance.html.
PO 00000
Frm 00022
Fmt 4701
Sfmt 4702
reports,240 which primarily are state or
local child protective services
agencies.241 This Privacy Rule provision
does not include permission for the
covered entity to disclose PHI in
response to a request for PHI for a
criminal, civil, or administrative
investigation into or proceeding against
a person based on suspected child
abuse. Rather, the Privacy Rule only
permits the disclosure of information for
the purpose of making a report. We also
note that the permission limits such
disclosures to the minimum necessary
to make the report.242 Any disclosure of
PHI in response to a request from an
investigator, whether in follow up to the
report made by the covered entity (other
than to clarify the PHI provided on the
report) or as part of an investigation
initiated based on an allegation or report
made by a person other than the covered
entity, would be required to meet the
conditions of disclosures to law
enforcement or for other investigations
or legal proceedings.243
As discussed above, the Department
understands the term ‘‘person’’ as it is
used in the SSA, HIPAA, and the
HIPAA Rules to be consistent with 1
U.S.C. 8. Congress also defined the term
‘‘child’’ in 1 U.S.C. 8, and the
Department similarly understands the
term ‘‘child’’ in the Privacy Rule to be
consistent with that definition. Further,
at the time HIPAA was enacted, ‘‘most,
if not all, states had laws that mandated
reporting of child abuse or neglect to the
appropriate authorities.’’ 244 As such,
the Department believes that to the
extent its proposal would prohibit a
regulated entity from disclosing PHI in
order to report ‘‘child abuse’’ where the
alleged victim does not meet the
definition of ‘‘person,’’ the proposal is
consistent with both 1 U.S.C. 8 and
1178(b).
At the time HIPAA was enacted,
‘‘most, if not all, states had laws that
mandated reporting of child abuse or
neglect to the appropriate
45 CFR 164.512(b)(1)(ii).
laws require certain persons, such as
health care providers, to report known or suspected
child abuse or neglect; such persons are often called
‘‘mandatory reporters.’’ See ‘‘Mandatory Reporters
of Child Abuse and Neglect,’’ U.S. Dep’t of Health
and Human Servs., Administration for Children and
Families, Children’s Bureau, Child Welfare
Information Gateway (Apr. 2019), https://
www.childwelfare.gov/pubPDFs/manda.pdf. See
also ‘‘Factsheet: How the Child Welfare System
Works,’’ U.S. Dep’t of Health and Human Servs.,
Administration for Children and Families,
Children’s Bureau, Child Welfare Information
Gateway (Oct. 2020), https://www.childwelfare.gov/
pubPDFs/cpswork.pdf.
242 See 45 CFR 164.502(b) and 164.514(d).
243 See 45 CFR 164.512(e) and (f).
244 65 FR 82527.
241 State
E:\FR\FM\17APP2.SGM
17APP2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
authorities.’’ 245 Additionally, when
Congress enacted HIPAA, it had already
addressed child abuse reporting in other
laws, such as the Victims of Child
Abuse Act of 1990 246 and the Child
Abuse Prevention and Treatment Act.247
For example, 34 U.S.C. 20341(a)(1), a
provision of the original Victims of
Child Abuse Act of 1990 still in place
today, requires certain professionals to
report suspected abuse when working
on Federal land or in a federally
operated (or contracted) facility.248 As
used in these statutes, the term ‘‘child
abuse’’ does not include activities
related to reproductive health care, such
as abortion.
For the reasons just stated, the
Department believes that ‘‘child abuse’’
as used in the Privacy Rule and section
1178(b) is best interpreted to exclude
conduct based solely on seeking,
obtaining, providing, or facilitating
reproductive health care. This
interpretation is consistent with the
public health aims of improving access
to health care, including reproductive
health care, for individuals and with
congressional intent when HIPAA was
enacted. Additionally, as the
Department has stated in previous
rulemakings, we do not intend to
disrupt longstanding state or Federal
child abuse reporting requirements that
apply to regulated entities.249 Thus, the
Department believes this interpretation
of ‘‘child abuse’’ supports the protection
of children while also serving HIPAA’s
objectives of protecting the privacy of
PHI to promote individuals’ trust in the
health care system and preserving the
relationship between individuals and
their health care providers. The
Department requests comment on its
interpretation of ‘‘child abuse’’ as that
term is used in the Privacy Rule.
3. Adding a Definition of ‘‘Reproductive
Health Care’’
The HIPAA Rules define ‘‘health
care’’ as ‘‘care, services, or supplies
related to the health of an
individual.’’ 250 The definition clarifies
that the term specifically ‘‘includes but
is not limited’’ to certain types of care,
services, or supplies related to the
lotter on DSK11XQN23PROD with PROPOSALS2
245 Id.
246 Public Law 101–647, 104 Stat. 4789 (codified
at 18 U.S.C. 3509).
247 Public Law 93–247, 88 Stat. (codified at 42
U.S.C. 5101 note).
248 See 34 U.S.C. 20341(a)(1), originally enacted
as part of the Victims of Child Abuse Act of 1990
and codified at 42 U.S.C. 13031, which was
editorially reclassified as 34 U.S.C. 20341, Crime
Control and Law Enforcement. For the purposes of
such mandated reporting, see 34 U.S.C. 20341(c)(1)
for definition of ‘‘child abuse.’’
249 65 FR 82527.
250 45 CFR 160.103 (definition of ‘‘Health care’’).
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
health of the individual. These
groupings are ‘‘[p]reventive, diagnostic,
therapeutic, rehabilitative, maintenance,
or palliative care, and counseling,
service, assessment, or procedure with
respect to the physical or mental
condition, or functional status, of an
individual or that affects the structure or
function of the body’’ 251 and ‘‘[the s]ale
or dispensing of a drug, device,
equipment, or other item in accordance
with a prescription.’’ 252 As indicated by
‘‘includes, but is not limited to,’’ this is
not an exclusive list of the types of
services or supplies that constitute
health care for the purposes of the
HIPAA Rules. Indeed, ‘‘health care’’ also
includes supplies purchased over the
counter or furnished to the individual
by a person that does not meet the
definition of a health care provider
under the HIPAA Rules.253
The Department proposes to add and
define a new term, ‘‘reproductive health
care,’’ that is a subcategory of the
existing term ‘‘health care.’’
Specifically, the Department proposes to
define ‘‘reproductive health care’’ as
‘‘care, services, or supplies related to the
reproductive health of the individual.’’
As with ‘‘health care,’’ ‘‘reproductive
health care’’ applies broadly and
includes not only reproductive health
care and services furnished by a health
care provider and supplies furnished in
accordance with a prescription, but also
care, services, or supplies furnished by
other persons and non-prescription
supplies purchased in connection with
an individual’s reproductive health. The
Department proposes defining
reproductive health care based on the
underlying activities, consistent with its
approach to defining ‘‘health care’’ in
the 2000 Privacy Rule.254 Under this
proposal, such care, services, or
supplies would be considered
‘‘reproductive health care’’ to the extent
that they meet this functional definition.
Elsewhere, Congress and the
Department have defined similar terms
like ‘‘reproductive health services’’ and
‘‘reproductive health care services’’ to
mean ‘‘reproductive health services
provided in a hospital, clinic,
physician’s office, or other facility, and
includes medical, surgical, counselling
or referral services relating to the human
reproductive system, including services
relating to pregnancy or the termination
of a pregnancy.’’ 255 The Department
251 Id.
252 Id.
253 45 CFR 164.103 (definition of ‘‘Health care
provider’’).
254 65 FR 82571.
255 18 U.S.C. 248(e)(5) uses the term
‘‘reproductive health services,’’ while E.O. 14076,
87 FR 42053 (July 8, 2022), and 14079, 87 FR 49505
PO 00000
Frm 00023
Fmt 4701
Sfmt 4702
23527
proposes to use the term ‘‘reproductive
health care’’ rather than ‘‘reproductive
health services’’ to ensure that the term
is interpreted broadly to capture all
health care that could be furnished to
address reproductive health, including
the provision of supplies such as
medications and devices, whether
prescription or over-the-counter. The
Department also proposes to define
‘‘reproductive health care’’ to include
all specified services regardless of
where they are provided, rather than
only when provided in particular
locations, and all types of reproductive
health care services, rather than only
certain types of services listed within
the definition. The Department believes
that services meeting the definition of
these similar terms would generally be
included within the proposed definition
of ‘‘reproductive health care.’’
Additionally, the Department believes
that basing the proposed term and
definition of ‘‘reproductive health care’’
on the existing HIPAA term and
definition of ‘‘health care’’ would be
easier and less burdensome for
regulated entities and other stakeholders
to understand and implement.
In keeping with the Department’s
intention for ‘‘reproductive health care’’
to be interpreted broadly and inclusive
of all types of health care related to an
individual’s reproductive system, the
Department would interpret
‘‘reproductive health care’’ to include,
but not be limited to: contraception,
including emergency contraception;
pregnancy-related health care; fertility
or infertility-related health care; and
other types of care, services, or supplies
used for the diagnosis and treatment of
conditions related to the reproductive
system. Pregnancy-related health care
includes, but is not limited to,
miscarriage management, molar or
ectopic pregnancy treatment, pregnancy
termination, pregnancy screening,
products related to pregnancy, prenatal
care, and similar or related care. Other
types of care, services, or supplies used
for the diagnosis and treatment of
conditions related to the reproductive
system includes health care related to
reproductive organs, regardless of
whether the health care is related to an
individual’s pregnancy or whether the
individual is of reproductive age. The
Department would interpret fertility or
infertility-related health care to include
services such as assisted reproductive
(Aug. 3, 2022), use the term ‘‘reproductive
healthcare services.’’ The definitions are essentially
the same, with the only difference being ‘‘health’’
as opposed to ‘‘healthcare.’’
E:\FR\FM\17APP2.SGM
17APP2
23528
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
technology and its components,256 as
well as other care, services, or supplies
used for the diagnosis and treatment of
infertility.
The Department is not proposing a
specific definition of ‘‘reproductive
health’’ at this time. Various definitions
of the term have been included in
literature. The Department recognizes
that it may be helpful to stakeholders if
‘‘reproductive health’’ were to be
defined in the final rule and invites
comment on whether including a
particular definition of ‘‘reproductive
health’’ would be beneficial.
4. Request for Comment
The Department requests comment on
the forgoing definitions and proposals,
including any benefits, drawbacks, or
unintended consequences. The
Department also requests comment on
the following considerations in
particular:
a. Whether the definitions the
Department proposes to adopt are
appropriate. If not, please provide an
alternative definition(s) and support for
the definition(s).
b. Whether it is necessary for the
Department to define ‘‘reproductive
health.’’ If so, please provide a
definition and support for the
definition.
c. Whether the Department should
provide examples of ‘‘reproductive
health care’’ in regulatory text, or it is
sufficient to provide extensive
discussion of the examples in preamble?
d. Whether it would be helpful for the
Department to define any additional
terms. If so, please propose a definition
and support for the definition and
rationale.
lotter on DSK11XQN23PROD with PROPOSALS2
B. Section 164.502—Uses and
Disclosures of Protected Health
Information: General Rules
1. Clarifying When PHI May Be Used or
Disclosed by Regulated Entities
Section 164.502 of the Privacy Rule
contains the general rules governing
uses and disclosures of PHI, including
that a covered entity or business
associate may use or disclose PHI only
as permitted or required by the Privacy
Rule.257 Section 164.502(a)(1) lists
permitted uses and disclosures.
In this NPRM, the Department
proposes several modifications to the
Privacy Rule to prohibit regulated
entities from using or disclosing an
256 See ‘‘What is Assisted Reproductive
Technology?’’ Centers for Disease Control and
Prevention (Oct. 8, 2019), https://www.cdc.gov/art/
whatis.html#:∼:text=According%20to%20this%20
definition%2C%20ART,
donating%20them%20to%20another%20woman.
257 45 CFR 164.502(a)(1).
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
individual’s PHI for use against any
individual, regulated entity, or other
person for the purpose of a criminal,
civil, or administrative investigation
into or proceeding against such person
in connection with seeking, obtaining,
providing, or facilitating reproductive
health care that is lawful under the
circumstances in which it is provided.
The Department also proposes to
prohibit regulated entities from using or
disclosing PHI for identifying an
individual, a regulated entity, or other
person for the purpose of initiating such
an investigation or proceeding. These
changes are proposed to continue
safeguarding the privacy of PHI to
ensure trust in the health care system
and to enable individuals’ access to
high-quality health care. The proposed
prohibition in 45 CFR 164.502 is threefold: paragraph (a)(5)(iii) outlines the
activity the Department proposes to
prohibit; paragraph (a)(1)(iv) specifies
that an authorization cannot be used to
bypass the proposed prohibition in
paragraph (a)(5)(iii); and paragraph
(a)(1)(vi) clarifies that the permissions at
45 CFR 164.512 cannot be used to
circumvent the proposed prohibition.
The Department proposes to modify
the general rules in 45 CFR 164.502 by
adding a clause to paragraph (a)(1)(iv)
and adding a new requirement in
paragraph (a)(1)(vi). Existing paragraph
(a)(1)(iv) permits disclosures based on a
valid authorization and, in a prefatory
clause, provides an exception to that
general permission such that a health
plan cannot use or disclose PHI that is
genetic information for underwriting
purposes, even with an individual’s
authorization. Thus, an authorization
that purports to allow a use or
disclosure of PHI for that prohibited
purpose is not valid under the Privacy
Rule. Similarly, the Department
proposes to add the new prohibition
proposed in 45 CFR 164.502(a)(5)(iii) to
the types of uses and disclosures that
would not be permitted even with an
authorization. By adding an exception
to paragraph (a)(1)(iv) for uses and
disclosures prohibited by paragraph
(a)(5)(iii), the Department seeks to fully
protect individuals’ privacy by
precluding any possibility that a third
party, such as a law enforcement
official, could obtain an individual’s
PHI for a prohibited purpose by
coercing the individual to sign an
authorization.
In addition, the new proposed
requirement in paragraph (a)(5)(iii)
would expressly permit certain uses and
disclosures made under 45 CFR 164.512
only when an applicable attestation has
been obtained pursuant to proposed 45
CFR 164.509, discussed below in
PO 00000
Frm 00024
Fmt 4701
Sfmt 4702
section IV.D. For clarity, this proposal
would also revise paragraph (a)(5)(vi) to
replace the sentence containing the
conditions for certain permitted uses
and disclosures with a lettered list.
2. Adding a New Category of Prohibited
Uses and Disclosures
Issues To Address
Generally, the Privacy Rule prohibits
uses or disclosures of PHI except as
permitted or required by the Rule. The
Privacy Rule explicitly prohibits uses
and disclosures of PHI in two
circumstances: (1) a health plan
generally is prohibited from using or
disclosing PHI that is genetic health
information for underwriting
purposes; 258 and (2) a regulated entity
is prohibited from selling PHI except
when they have obtained a valid
authorization from the individual who
is the subject of the PHI.259
As discussed in section III of this
preamble, the Department issued its
prior iterations of the Privacy Rule at a
time when individuals, as a practical
matter, generally would not have
expected their highly sensitive health
care information to be used or disclosed
for criminal, civil, or administrative
investigations into or proceedings about
that health care. The current regulatory
and legal environment is in tension with
that expectation and threatens to erode
the trust that is essential to access to
and quality of health care. The
Department has received letters from the
public, indicating confusion and
concern as to the ability of regulated
entities to use or disclose PHI for the
purposes described above. These
sentiments have been echoed by
stakeholders in listening sessions and in
media reports. Letters sent to the
Department by Members of Congress
further reinforce that confusion and
concern exist about the privacy of
individuals’ PHI, in addition to
supporting the Department’s position
that it has the ongoing authority under
HIPAA and the HITECH Act to modify
the Privacy Rule to ensure the privacy
of PHI.260 These developments and
communications bolster the
258 45
CFR 164.502(a)(5)(i).
CFR 164.502(a)(5)(ii).
260 See, e.g., Letter from United States Congress
Senators Tammy Baldwin, Elizabeth Warren, and
Ron Wyden, et al., to HHS Secretary Xavier Becerra
(March 7, 2023); Letter from United States Congress
Senators Patty Murray, Kirsten Gillibrand, and
Martin Heinrich, et al., to HHS Secretary Xavier
Becerra (Sept. 13, 2022); Letter from United States
Congress House Representatives Earl Blumenauer,
Diana DeGette, Barbara Lee, et al., to HHS Secretary
Xavier Becerra (Aug. 30, 2022); and Letter from
United States Congress Senators Michael F. Bennet
and Catherine Cortez Masto to HHS Secretary
Xavier Becerra (July 1, 2022).
259 45
E:\FR\FM\17APP2.SGM
17APP2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
lotter on DSK11XQN23PROD with PROPOSALS2
Department’s decision to propose
certain regulatory changes and technical
corrections that are necessary to
eliminate ambiguity and promote trust
in the health care system. Therefore, the
Department proposes to modify 45 CFR
164.502 by adding a new paragraph
(a)(5)(iii) that will protect the privacy of
individuals who obtain reproductive
health care that is lawful under the
circumstances in which it is provided,
as well as their health care providers,
and others who assist them in obtaining
such health care.
Proposed Prohibition
In keeping with the Privacy Rule’s
purpose-based approach to specifying
uses or disclosures that are required,
permitted, or prohibited, proposed 45
CFR 164.502(a)(5)(iii) would prohibit a
regulated entity from using or disclosing
PHI where the PHI would be used for a
criminal, civil, or administrative
investigation into or proceeding against
any person in connection with seeking,
obtaining, providing, or facilitating
lawful reproductive health care, or
identifying any person for the purpose
of initiating such an investigation or
proceeding, subject to the Rule of
Applicability and Rule of Construction
set forth in 45 CFR 164.502(a)(5)(iii)(C)
and (D). Furthermore, the Department
proposes that ‘‘seeking, obtaining,
providing, or facilitating’’ would
include, but not be limited to,
expressing interest in, inducing, using,
performing, furnishing, paying for,
disseminating information about,
arranging, insuring, assisting, or
otherwise taking action to engage in
reproductive health care, as well as
attempting to engage in any of the same.
This proposed prohibition addresses
efforts to investigate or bring
proceedings against any person in
connection with seeking, obtaining,
providing, or facilitating reproductive
health care that is lawful under the
circumstances in which it is provided,
or to identify any person for the purpose
of initiating such investigation or
proceeding. As discussed above, it
would be contrary to the Congressional
intent of protecting the privacy of an
individual’s PHI and access to health
care if the Privacy Rule were to permit
a regulated entity to use or disclose PHI
to investigate and bring proceedings
against persons for seeking, obtaining,
providing or facilitating reproductive
health care, or to identify any person for
such purposes, where such health care
is lawful under state or Federal law.
Permitting such uses and disclosures
would also be inconsistent with
longstanding individual privacy
expectations and could especially chill
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
access to lawful health care, including
by high-risk individuals who may have
already experienced a miscarriage,
ectopic pregnancy, stillbirth, or
infertility. If such uses and disclosures
are permitted, individuals may delay
obtaining lawful health care or withhold
information about their condition or
medical history because they may not
trust their health care providers to use
the information only to provide
appropriate health care, rather than
report them to law enforcement
authorities or others.261 Delaying health
care may negatively affect an
individual’s health, including
increasing the risk of death. In fact, a
recent report from the Texas Maternal
Mortality and Morbidity Review
Committee and Department of State
Health Services found that the most
common contributing factors to a
woman’s pregnancy-related death in
Texas were delay or failure to seek care,
lack of knowledge regarding importance
of treatment or follow-up, and lack of
access and financial resources.262
Similarly, if such uses and disclosures
are permitted, a health care provider
might leave gaps in or include
inaccuracies in the individual’s medical
records, creating a risk that ongoing or
future health care would be
compromised, because they may not
trust that the information would not be
obtained by law enforcement authorities
or others.263
Further, even where investigations
cannot lawfully result in proceedings
against a person, investigations
themselves can reduce the health
information privacy of the individual
whose PHI is sought for the
investigation, thereby harming that
individual. For example, permitting a
261 See ‘‘In a doctor’s suspicion after a
miscarriage, a glimpse of expanding medical
mistrust,’’ supra note 13. ‘‘[A health care provider’s]
ability to take care of patients relies on trust, and
that will be impossible moving forward [. . .]
[abortion restrictions] are really going to put a
damper on people seeking care, even in very
normal, very legal situations.’’; See also Lucy OgbuNwobodo, Ruth S. Shim, Sarah Y. Vinson, et al.,
‘‘Mental Health Implications of Abortion
Restrictions for Historically Marginalized
Populations,’’ The New England Journal of
Medicine (Oct. 27, 2022), https://www.nejm.org/
doi/full/10.1056/NEJMms2211124 (‘‘With the
elimination of the right to privacy guaranteed by
Roe v. Wade and the criminalization of abortion in
many states, the risk of punitive involvement by the
criminal legal system as a consequence of
reproductive decisions, and potentially even in
cases of miscarriage, is likely to be especially high
for members of historically marginalized groups
with mental illness—a population that is already
overrepresented in the criminal legal system.’’).
262 See Texas Maternal Mortality and Morbidity
Review Committee and Department of State Health
Services Joint Biennial Report 2022, supra note 16,
p. 41.
263 See, e.g., Brief for Zurawski.
PO 00000
Frm 00025
Fmt 4701
Sfmt 4702
23529
covered entity to disclose a sexual
assault survivor’s PHI to law
enforcement or others to enable them to
investigate that individual for obtaining
lawful reproductive health care as a
result of the assault compounds the
harm experienced by the individual by
violating their privacy. Additionally,
allowing the disclosure makes that
individual and others in similar
circumstances less likely to obtain
lawful reproductive health care if they
believe their privacy will be violated in
this manner. Thus, the Department
proposes to prohibit the use or
disclosure of PHI where the purpose of
the use or disclosure is for a criminal,
civil, or administrative investigation
into or proceeding against any person in
connection with seeking, obtaining,
providing, or facilitating reproductive
health care that is lawful under the
circumstances in which it is provided,
or identifying any person for the
purpose of initiating such an
investigation or proceeding.
Importantly, and as further discussed
below, this proposal is narrowly tailored
to address only uses and disclosures for
specified prohibited purposes. It does
not otherwise alter a regulated entity’s
responsibility to comply with the
conditions imposed on the use or
disclosure of PHI for other criminal,
civil, or administrative investigations or
proceedings. For example, the proposed
rule would not broadly preempt state or
other laws that would require the
disclosure of information about an
individual’s reproductive health to
support claims for criminal or civil
liability unrelated to the prohibited
purposes, assuming such laws meet the
requirements of other provisions of the
Privacy Rule, e.g., the permission to use
or disclose PHI where required by
law.264
Purpose-Based Prohibition
As discussed above and consistent
with the general approach and structure
of the Privacy Rule, the proposed
prohibition focuses on the purpose of
the use or disclosure, rather than the
type of PHI requested or the type of
regulated entity that receives the use or
disclosure request. The Department
acknowledges that in most cases,
information about an individual’s
reproductive health care includes the
kind of highly sensitive information that
could chill patients from obtaining
lawful health care if they knew it could
be disclosed. However, the Department
is not proposing a rule that would
provide a blanket protection for this
category of information. Enforcing such
264 45
E:\FR\FM\17APP2.SGM
CFR 164.512(a).
17APP2
23530
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
lotter on DSK11XQN23PROD with PROPOSALS2
a blanket protection would require
regulated entities to restrict the flow of
this category of information, possibly
disrupting existing health care delivery
models. For example, implementing
differing rules for a newly designated
category of PHI would require costly
updates to electronic record systems to
allow for segmenting of certain data
elements for extra protection and create
barriers for care coordination. Providing
routine treatments for conditions such
as hormonal imbalances, miscarriage,
pregnancy complications, or
gynecological emergencies would be
problematic for health care providers
attempting to navigate a blanket
prohibition against disclosure of the
category of information related to
reproductive health care. Thus, this
proposal does not limit the prohibition
to the use or disclosure of certain types
of PHI or to PHI that is held or
maintained by certain types of covered
health care providers, such as a
gynecologist or endocrinologist.
A purpose-based prohibition as
proposed by the Department would also
permit health plans and many other
different types of health care providers
to continue to disclose PHI for treatment
or payment for reproductive health care
or other health care conditions that are
affected by or affect an individual’s
reproductive health. For example,
pregnancy can place a significant strain
on the heart of an individual with
certain cardiovascular conditions. It is
essential that the individual’s
cardiologist be informed of and able to
monitor the individual’s pregnancy for
potential complications without barriers
to access that information. As another
example, pregnancy tests are routinely
administered before a surgical
procedure to ensure that surgeons,
anesthesiologists, and individuals are
aware of a pregnancy and have the
opportunity to discuss the benefits and
risks of proceeding or to identify
alternative treatment options.265 And an
earlier example related to hormonal
imbalances illustrates why
endocrinologists may require access to
reproductive health information. For
similar reasons, it is important that a
health care provider maintain complete
and accurate patient medical records to
ensure subsequent health care providers
265 See Trisha Pasricha, ‘‘Pregnancy tests are
routine before many surgical procedures. But Dobbs
has raised the stakes of a positive result,’’ STAT
News (Aug. 16, 2022), https://www.statnews.com/
2022/08/16/pregnancy-tests-are-routine-beforemany-surgical-procedures-but-dobbs-has-raisedthe-stakes-of-a-positive-result/#:∼:text=
The%20Supreme
%20Court’s%20h9568%20decision,
making%20testing%20anything
%20but%20routine.
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
are adequately informed in making
diagnoses or recommending courses of
treatment.
Thus, to avoid the potential for
disruption to health care and ensure the
provision of appropriate health care, the
Department proposes to limit the
prohibition’s application to uses and
disclosures of PHI where the purpose is
to use the information against any
person for seeking, obtaining, providing,
or facilitating reproductive health care
that is lawful under the circumstances
in which it is provided, or to identify
any person for doing so. The
Department believes the narrowly
crafted prohibition, as proposed, would
avoid deterring individuals from
obtaining lawful health care or
providing full information to their
health care providers out of fear that
highly sensitive health information
could be disclosed in connection with a
criminal, civil, or administrative
investigation or proceeding. At the same
time, the proposal would facilitate the
ability of health care providers to
navigate the new medical-legal
landscape in cooperation with their
patients. The proposed prohibition also
would serve as a disincentive to health
care providers considering leaving gaps
or including inaccuracies in medical
records or taking other action to protect
individuals or avoid liability under laws
prosecuting provision of reproductive
health care. Such disincentives, rooted
in the ability to keep PHI private when
sought for certain purposes, are properly
within the Department’s authority to
regulate under HIPAA.
Preemption of State Laws
The Privacy Rule generally preempts
contrary provisions of state laws.266
Thus, if this NPRM were to be finalized,
provisions of state law that are contrary
to these proposals would be preempted.
The Department recognizes that the
proposal to prohibit uses and
disclosures of PHI for a criminal, civil,
or administrative investigation into or
proceeding against any person, or to
identify any person for the purpose of
initiating such an investigation or
proceeding, may create a conflict
between the Privacy Rule and some
state laws—though we have carefully
crafted the proposed prohibition to
apply only in circumstances in which
the state lacks any substantial interest in
seeking the disclosure. In such cases,
regulated entities would be required to
comply with the Privacy Rule, if
266 42 U.S.C. 1320d–7(a)(1) (providing the general
rule that, with limited exceptions, a provision or
requirement under HIPAA supersedes any contrary
provision of state law).
PO 00000
Frm 00026
Fmt 4701
Sfmt 4702
modified as proposed. For example, the
Privacy Rule, if modified as proposed,
would prohibit the disclosure of PHI to
law enforcement in furtherance of a law
enforcement investigation of an
individual for obtaining reproductive
health care that is lawful under the
circumstances in which it is provided.
It would also prohibit the disclosure of
PHI for a law enforcement investigation
of a health clinic for providing
reproductive health care that is lawful
under the circumstances in which it is
provided, even in response to a court
order, such as a search warrant.267 Such
disclosure, despite the court order,
would be a violation of the Privacy Rule
and would subject the regulated entity
to a potential OCR investigation and
civil money penalty. Additionally, if a
regulated entity chose to comply with
the court order in the example above,
there would be a presumption that a
breach of unsecured PHI had occurred
because there was a disclosure of PHI in
a manner not permitted under the
Privacy Rule which compromises the
privacy of the PHI. Thus, breach
notification would be required unless
the entity could demonstrate that there
was a low probability that the PHI had
been compromised.268 Where an entity
determines that a breach has occurred,
the entity would need to provide
notification to the affected individual(s),
the Secretary, and, when applicable, the
media.269
Application of Proposed Prohibition
The Department proposes a Rule of
Applicability to apply the prohibition
where the relevant criminal, civil, or
administrative investigation or
proceeding is in connection with any
person seeking, obtaining, providing, or
facilitating reproductive health care
that: (1) is provided outside of the state
where the investigation or proceeding is
authorized and that is lawful in the state
in which such health care is provided;
(2) is protected, required, or authorized
by Federal law, regardless of the state in
which such health care is provided; or
(3) is provided in the state in which the
investigation or proceeding is
authorized and that is permitted by the
law of that state. This proposed Rule of
Applicability would limit the
application of the prohibition to
267 In contrast, the current Privacy Rule would
permit such a disclosure based on a court order
requiring the disclosure. See 45 CFR 164.512(a); see
also 45 CFR 164.103 (definition of ‘‘Required by
law’’).
268 45 CFR 164.402 (definition of ‘‘Breach’’).
269 See 45 CFR 164.400 through 164.414. The
HIPAA Breach Notification Rule requires covered
entities and their business associates to provide
certain notifications following a breach of
unsecured PHI.
E:\FR\FM\17APP2.SGM
17APP2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
circumstances in which the care is
lawful under the circumstances in
which such health care is provided.
As described above, all three prongs
of the proposed Rule of Applicability
require the reproductive health care at
issue to be provided under
circumstances in which the provision of
such health care is lawful. Thus, in
order to determine whether the
proposed rule would permit the use or
disclosure of PHI, the regulated entity
would need to determine whether the
reproductive health care was provided
under circumstances in which it was
lawful to do so. Where the regulated
entity determines that the reproductive
health care was provided under
circumstances where it was unlawful,
the proposed prohibition would not
apply, and the regulated entity would be
permitted to use or disclose the PHI for
a criminal, civil, or administrative
investigation into or proceeding against
a person in connection with seeking,
obtaining, providing, or facilitating
reproductive health care. For example,
where the regulated entity determines
that reproductive health care was
provided in a state where it was
unlawful to do so and under
circumstances in which Federal law
does not protect the provision of such
health care, a regulated entity would be
permitted to use or disclose PHI for a
criminal, civil, or administrative
investigation against a health care
provider that provided the unlawful
reproductive health care. However, the
regulated entity would be prohibited
from disclosing PHI for the same
purpose where it determined that the
reproductive health care was provided
in a state where it was lawful to do so,
subject to the proposed Rule of
Construction, discussed below.
Under the Constitution, an individual
cannot be barred from traveling from
one state to another to obtain
reproductive health care.270
Accordingly, the Department proposes
to prohibit uses and disclosures of PHI
where it is sought for use in an
investigation into or proceeding against
a person for seeking, obtaining,
providing or facilitating reproductive
health care outside of the state in which
investigation or proceeding is
authorized and where such health care
lotter on DSK11XQN23PROD with PROPOSALS2
270 Dobbs,
142 S. Ct. at 2309 (Kavanaugh, J.,
concurring) (addressing whether a state can ‘‘bar a
resident of that State from traveling to another State
to obtain an abortion? [ . . . ] [T]he answer is not
based on the constitutional right to interstate
travel.’’); see also ‘‘Application of the Comstock Act
to the Mailing of Prescription Drugs That Can Be
Used for Abortions,’’ Department of Justice, 46 Op.
O.L.C. __, at *19 (Dec. 23, 2022), https://
www.justice.gov/olc/opinion/file/1560596/
download.
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
is lawful under the circumstances in
which it was provided. The proposal is
not limited to circumstances in which
the health care has not yet been
obtained, provided, or facilitated. It also
includes situations where the health
care is ongoing or has been completed.
For example, under this proposal, a
covered entity that provides lawful
reproductive health care to an out-ofstate resident generally would not be
permitted to use or disclose PHI to law
enforcement from the individual’s home
state for use in an investigation or
proceeding in connection with the
individual’s receipt of or the covered
entity’s provision of that reproductive
health care. In addition, a covered
health care provider in the state of the
individual’s residence that may receive
PHI concerning such reproductive
health care provided out of state (e.g., a
hospital in the home state that receives
records from an out-of-state clinic)
would be subject to the same restriction.
In these circumstances under the
Constitution, administrative, civil, or
criminal liability may not be imposed
for the receipt or provision of the outof-state care. The Department also notes
that generally, states do not have the
ability to permit or limit actors in
another state from engaging in certain
activities. For example, states determine
the requirements for licensure of health
care providers that furnish health care
within their borders; they do not have
the ability to set such requirements for
health care providers that furnish health
care elsewhere. Thus, it would be
inconsistent to permit states to impose
liability on health care providers who
furnish health care in another state in
accordance with the laws of that state.
The proposed prohibition would also
apply where the use or disclosure of PHI
is sought for use in an investigation into
or proceeding against a person where
the reproductive health care is
protected, required, or authorized by
Federal law, regardless of the state in
which such care is provided. For
example, the proposed prohibition
would prohibit the use or disclosure of
PHI for use in an investigation into or
proceeding against a covered entity that
provided reproductive health care in a
situation where EMTALA requires
offering such health care. Additionally,
the Department’s proposal would
prohibit the use or disclosure of PHI for
use in an investigation into or
proceeding against employees of the
Department of Veterans Affairs (VA)
who provide or facilitate reproductive
health care in a manner authorized by
Federal law, including VA
PO 00000
Frm 00027
Fmt 4701
Sfmt 4702
23531
regulations.271 And it would apply
where the investigation or proceeding is
against any person in connection with
seeking, obtaining, providing, or
facilitating reproductive health care—
such as contraception—that remains
protected by the Constitution after
Dobbs.272 In these circumstances,
Federal law bars the imposition of
administrative, civil, or criminal
liability on such care.
Finally, the prohibition would apply
when the relevant criminal, civil, or
administrative investigation or
proceeding is in connection with any
person seeking, obtaining, providing, or
facilitating reproductive health care that
is provided in the state in which the
investigation or proceeding is
authorized and that is permitted by the
law of that state. Under this proposal, a
regulated entity would not be permitted
to use or disclose PHI in response to an
investigation or proceeding occurring in
a state where the reproductive health
care is lawful. The proposal would also
prohibit the use or disclosure of PHI
where the health care meets the
requirements of an exception to a law
limiting the provision of reproductive
health care (e.g., for pregnancy
termination when the pregnancy is the
result of rape or incest or because the
life of the pregnant individual is
endangered). It would also prohibit the
use or disclosure of PHI where the
health care occurred at a point in
pregnancy at which such health care is
permitted by state law. If a state has not
made the relevant reproductive health
care unlawful, it lacks a legitimate
interest in conducting a criminal, civil,
or administrative investigation or
proceeding into such health care where
the investigation is centered on the mere
fact that reproductive health care was or
is being provided.
Scope of Proposed Prohibition
The proposed prohibition would
apply to any request for PHI to facilitate
a criminal, civil, or administrative
investigation or proceeding against any
person, or to identify any person in
order to initiate an investigation or
proceeding, where the basis for the
investigation, proceeding, or
identification is that the person sought,
271 See ‘‘Intergovernmental Immunity for the
Department of Veterans Affairs and Its Employees
When Providing Certain Abortion Services,’’
Department of Justice, 46 Op. O.L.C. __ (Sept. 21,
2022), https://www.justice.gov/d9/2022-11/2022-0921-va_immunity_for_abortion_services.pdf.
272 See Griswold v. Connecticut, 381 U.S. 479
(1965); Eisenstadt v. Baird, 405 U.S. 438 (1972);
Dobbs, 142 S. Ct. at 2309 (Kavanaugh, J.,
concurring) (Dobbs ‘‘does not threaten or cast doubt
on’’ the precedents providing constitutional
protection for contraception).
E:\FR\FM\17APP2.SGM
17APP2
23532
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
lotter on DSK11XQN23PROD with PROPOSALS2
obtained, provided, or facilitated
reproductive health care that is lawful
under the circumstances in which such
health care is provided. As discussed
above, the proposal would preempt state
or other law requiring a regulated entity
to use or disclose PHI in response to a
court order or other type of legal process
for a purpose prohibited by this
proposed rule where the prohibition
applies. It would not preempt laws that
require use or disclosure of PHI for
other purposes, including public health
purposes.273 The proposal also would
not prohibit a regulated entity from
disclosing an individual’s PHI to law
enforcement where the purpose of the
disclosure is to investigate a sexual
assault committed against the
individual, provided the attestation
described later in this preamble is
obtained, or where such health care is
not lawfully obtained in the state in
which it is provided.
The Department intends ‘‘criminal,
civil, or administrative investigation
into or proceeding against’’ to
encompass any type of legal or
administrative investigation or
proceeding. This includes, but is not
limited to, law enforcement
investigations, third party investigations
in furtherance of civil proceedings, state
licensure proceedings, criminal
prosecutions, and family law
proceedings. Examples of criminal,
civil, or administrative investigations or
proceedings for which regulated entities
would be prohibited from using or
disclosing PHI would also include a
civil suit brought by a person exercising
a private right of action provided for
under state law against an individual or
health care provider who obtained,
provided, or facilitated a lawful
abortion, or a law enforcement
investigation into a health care provider
for lawfully providing or facilitating the
disposal of an embryo at the direction
of the individual.
The proposal would prohibit a
regulated entity from using or disclosing
PHI for a criminal, civil, or
administrative investigation into or
proceeding against ‘‘any person’’ in
connection with seeking, obtaining,
providing, or facilitating reproductive
health care that is lawful under the
circumstances in which it is provided,
273 While this proposal does not affect reporting
to a public health authority or other appropriate
government authority authorized by law to receive
reports of child abuse or neglect as permitted under
45 CFR 164.512(b)(1)(ii), the proposed definitions of
‘‘person’’ and ‘‘child abuse’’ would make clear that
seeking, obtaining, providing, or facilitating the
provision of an abortion, products related to
pregnancy, or fertilized egg or embryo disposal
would not constitute child abuse as addressed
therein.
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
or for identifying ‘‘any person’’ for the
purpose of initiating such an
investigation or proceeding. ‘‘Against
any person’’ means, based on the
HIPAA Rules’ definition of ‘‘person,’’ 274
that the proposed prohibition would not
be limited to use or disclosure of PHI for
use against the individual; rather, the
prohibition would apply to the use or
disclosure of PHI against a regulated
entity, or any other person, including an
individual or entity, who may have
obtained, provided, or facilitated lawful
reproductive health care.275
Rule of Construction
The Department does not intend for
this proposed prohibition to prevent a
regulated entity from using or disclosing
PHI for other permissible purposes
under the Privacy Rule where the
request is not made primarily for the
purpose of investigating or imposing
liability on any person for the mere act
of seeking, obtaining, providing, or
facilitating reproductive health care that
is lawful under the circumstances in
which it is provided, and proposes to
clarify that through a Rule of
Construction. In so doing, the
Department clarifies that it does not
intend for the prohibition to prevent
certain uses or disclosures of PHI where
they are permitted by other provisions
of the Privacy Rule as discussed below.
For example, just as an individual
would be able to obtain their own PHI
to initiate a claim against a covered
health care provider for professional
misconduct or negligence under the
Privacy Rule’s right of access,276 the
proposed Rule of Construction would
make clear that the proposed
prohibition does not inhibit the ability
of a covered health care provider to use
or disclose that same PHI to defend
themselves in an investigation or
proceeding related to professional
misconduct or negligence where the
alleged professional misconduct or
negligence involved reproductive health
care. In such instance, there would be
due process concerns that could
ultimately prevent the covered health
care provider from being held liable for
the professional misconduct or
negligence. Thus, the Department
proposes to limit the Rule of
Construction to applying only in
circumstances in which the health care
provider would not be using or
disclosing such PHI for the purpose of
‘‘investigating or conducting a legal
274 45
CFR 160.103 (definition of ‘‘Person’’).
that in section IV.A.1., the Department
proposes to modify the definition of ‘‘person,’’
although that proposed modification would not
have an effect here.
276 45 CFR 164.524.
275 Note
PO 00000
Frm 00028
Fmt 4701
Sfmt 4702
proceeding against a person,’’ but rather
for the purpose of defending itself
against such an investigation or a
proceeding. In addition, such an
investigation or proceeding would not
be based on the mere act of seeking,
obtaining, providing, or facilitating
reproductive health care. Instead, the
investigation or proceeding would be
based on allegations of professional
misconduct or negligence in providing
reproductive health care. The use or
disclosure of PHI would be permitted
under such circumstances. The Federal
government could similarly use PHI
(obtained with an attestation) to defend
itself against claims brought by
individuals where professional
misconduct based on a health care
provider’s failure to meet an applicable
standard of care, as described herein,
may not be the primary focus of the
claim, but where the provision of such
care is central to the claim.
As discussed above, under the Rule of
Applicability, the proposed prohibition
on the use or disclosure of PHI for the
purposes of a criminal, civil, or
administrative investigation or
proceeding against any person in
connection with seeking, obtaining,
providing, or facilitating reproductive
health care, or the identification of any
person for such investigations or
proceedings, would apply only when
such reproductive health care is
provided under circumstances in which
it is lawful to do so. When read in
isolation, this would seemingly prevent
regulated entities from using or
disclosing PHI for the purpose of
defending themselves or others against
allegations that they sought, obtained,
provided, or facilitated unlawful care.
To address this potential misreading,
the proposed Rule of Construction
limits the proposed prohibition to
circumstances in which the PHI is
sought for the purpose of investigating
or imposing liability on any person for
the mere act of seeking, obtaining,
providing, or facilitating reproductive
health care. Thus, under the proposal, a
regulated entity could not use or
disclose PHI as part of an investigation
into any person for allegedly seeking,
obtaining, providing, or facilitating
reproductive health care; in contrast, the
regulated entity could use or disclose
PHI to defend any person in a criminal,
civil, or administrative proceeding
where liability could be imposed on that
person for providing such health care.
Additionally, the proposed Rule of
Construction would clarify that the
proposed prohibition does not prohibit
uses or disclosures to a health oversight
agency for health oversight activities,
such as for the purpose of investigating
E:\FR\FM\17APP2.SGM
17APP2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
lotter on DSK11XQN23PROD with PROPOSALS2
whether reproductive health care was
actually provided or appropriately
billed in connection with a claim for
such services.277 For example, the
proposed Rule of Construction would
not prohibit the use or disclosure of PHI
where the PHI is sought to investigate or
pursue proceedings against a person for
knowingly submitting a claim for
reproductive health care for payment to
the government where the reproductive
health care was not provided or
improperly billed. In this case, the
request would not be made primarily for
the purpose of investigating or imposing
liability on any person for the mere act
of seeking, obtaining, providing, or
facilitating reproductive health care;
instead, the request would be primarily
for the purpose of investigating or
imposing liability on a person for, in
this particular scenario, an alleged
violation of the Federal False Claims
Act or a state equivalent.278 As another
example, the proposed Rule of
Construction also would not prohibit
the use or disclosure of PHI to an
Inspector General where the PHI is
sought to conduct an audit aimed at
protecting the integrity of the Medicare
or Medicaid program. The proposed
Rule of Construction also would make
clear that the proposed prohibition does
not prevent uses or disclosures for the
purpose of investigating alleged
violations of Federal nondiscrimination
laws or abusive conduct, such as sexual
assault, that occur in connection with
reproductive health care.
The proposed Rule of Construction
would also clarify that the proposed
prohibition would not prohibit a
regulated entity from responding to a
request for relevant records in a
criminal or civil investigation or
proceeding pursuant to 18 U.S.C. 248
regarding freedom of access to clinic
entrances. Investigations under this
provision are conducted for the purpose
of determining whether a person
physically obstructed, intimidated, or
interfered with persons providing
‘‘reproductive health services,’’ 279 or
attempted to do so. They therefore do
not involve investigations or
proceedings against a person in
connection with the mere act of
‘‘seeking, obtaining, providing, or
facilitating of reproductive health care’’
277 See 45 CFR 164.512(d)(1)(i) through (iv) for
health oversight activities for which the Privacy
Rule permits uses and disclosures of PHI. The
proposal would permit these uses and disclosures
of PHI to effectuate Federal agencies’ health
oversight activities.
278 31 U.S.C. 3729–3733.
279 18 U.S.C. 248(e)(5) (definition of
‘‘Reproductive health services’’).
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
under circumstances in which it was
lawful to do so.
Disclosures Required by the Privacy
Rule
Regulated entities are expected to
continue to comply with and disclose
PHI in response to an individual’s
request for access to their own PHI,280
or a request from the Secretary to
disclose PHI as part of an investigation
into a regulated entity’s compliance
with the HIPAA Rules. These
requirements to disclose PHI at 45 CFR
164.502(a)(2) and (4) are unlikely to
come into conflict with the proposed
prohibition because neither an
individual’s request for their own PHI
nor a HIPAA compliance investigation
are disclosures sought primarily because
a person sought, obtained, provided, or
facilitated reproductive health care.
The Department also reaffirms that an
individual’s right of access to their own
PHI cannot be denied based on their
intended use of the PHI.281 Thus, an
individual would retain their current
ability to obtain a copy of their own PHI
in a designated record set from a
covered entity, as well as to direct a
covered entity to transmit to another
person (which could be a law
enforcement official if the individual so
chooses) an electronic copy of their PHI
in an electronic health record (EHR).
The Department is concerned that a law
enforcement official or other person
could potentially coerce an individual
into exercising their right of access for
the purpose of circumventing the
prohibition. However, the Department
also views the right of access as
paramount to an individual’s ability to
make decisions regarding their own
health care and does not intend to
impede an individual’s ability to
exercise this right. Therefore, the
Department does not propose to modify
the right of access to address this
specific concern.
280 Under 45 CFR 164.502(a)(2)(i), covered
entities are primarily responsible for compliance
with the Privacy Rule’s individual right of access
provisions. The Privacy Rule imposes narrow direct
liability on business associates for compliance with
the individual right of access at 45 CFR
164.502(a)(4)(ii). However, it is the Department’s
understanding that many covered entities engage
business associates, such as release-of-information
vendors, to accept and respond to such requests.
For additional information on business associates
and their obligations under the HIPAA Rules, visit
https://www.hhs.gov/hipaa/for-professionals/
privacy/guidance/business-associates/factsheet/
index.html.
281 As explained in the preamble to the 2000
Privacy Rule, covered entities may only deny access
for the reasons specifically provided in the rule. 65
FR 82556.
PO 00000
Frm 00029
Fmt 4701
Sfmt 4702
23533
3. Clarifying Personal Representative
Status in the Context of Reproductive
Health Care
Current Provision and Issues To
Address
Section 164.502(g) of the Privacy Rule
contains the standard for personal
representatives and generally requires a
regulated entity to treat an individual’s
personal representative as the
individual when consistent with state
law.282 For example, the Privacy Rule
would treat a legal guardian of an
individual who has been declared
incompetent by a court as the personal
representative of that individual, if
consistent with applicable law (e.g.,
state law).283 In this and certain other
provisions, the Department seeks to
maintain the balance between the
interest of a state or others to regulate
health and safety and protect vulnerable
individuals 284 with the goal of
maintaining the privacy protections
established in the Privacy Rule.285
The Department is concerned that
some regulated entities may interpret
the Privacy Rule as providing them with
the ability to refuse to recognize as an
individual’s personal representative a
person who makes reproductive health
care decisions, on behalf of the
individual, with which the regulated
entity disagrees. Under these
circumstances, current section 502(g)(5)
of the Privacy Rule could be interpreted
to permit a regulated entity to assert
that, by virtue of the personal
representative’s involvement in the
reproductive health care of the
individual, the regulated entity believes
that the personal representative is
subjecting the individual to abuse.
Further, in the absence of clarification
as proposed in this NPRM, this
regulated entity could exercise
professional judgment to decide that it
is in the best interest of the individual
not to recognize the personal
representative’s authority to make
medical decisions for that individual.
Proposal
To protect the balance of interests
struck by the Privacy Rule, the
Department proposes to modify 45 CFR
164.502 by adding a new paragraph
(g)(5)(iii). Proposed 45 CFR
164.502(g)(5)(iii) would ensure that a
282 See
45 CFR 164.502(g)(1).
45 CFR 164.502(g)(3)(i). See also
‘‘Personal Representatives,’’ U.S. Dep’t of Health
and Human Servs., Office for Civil Rights, https://
www.hhs.gov/hipaa/for-individuals/personalrepresentatives/.
284 See, e.g., 45 CFR 164.510(b)(3) and
164.512(j)(1)(i)(A).
285 See 65 FR 82471.
283 See
E:\FR\FM\17APP2.SGM
17APP2
23534
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
lotter on DSK11XQN23PROD with PROPOSALS2
regulated entity could not deny personal
representative status to a person, where
such status would otherwise be
consistent with state and other
applicable law, primarily because that
person facilitates or facilitated or
provided reproductive health care for an
individual. The Department believes
this proposal is narrowly tailored and
respects the interests of states and the
Department by not unduly interfering
with the ability of states to define the
nature of the relationship between an
individual and another person,
including between a minor and a parent,
upon whom the state deems it
appropriate to bestow personal
representative status. This proposal
would, however, maintain the existing
HIPAA standard by ensuring personal
representative status, when otherwise
consistent with state law, is not affected
by the type of underlying health care
sought.
4. Request for Comment
The Department requests comment on
the foregoing proposals, including any
benefits, drawbacks, or unintended
consequences. The Department also
requests comment on the following
considerations in particular:
e. Whether the proposed prohibition
in section IV.B.2. is sufficiently narrow
so as to limit harmful uses or
disclosures (such as for investigating
individuals who have obtained, or
health care providers who have
provided, lawful health care primarily
because they obtained or provided the
lawful health care) and to permit
beneficial uses or disclosures (such as
for conducting investigations into health
care fraud or audits examining general
compliance with claims billing
requirements). If not, please explain and
provide examples.
f. The effects of individuals’ concerns
about the potential disclosure of their
PHI to law enforcement or others on
their willingness to confide in their
health care providers.
g. The effects of individuals’
withholding information about their
health from their health care providers.
h. The effects of health care providers’
concerns about potential criminal, civil,
or administrative investigations into or
proceedings against them or their
patients in connection with the
provision of lawful reproductive health
care on the completeness and accuracy
of medical records and continuity of
care.
i. Whether it would be beneficial to
further clarify or provide additional
examples of instances in which the use
or disclosure of PHI would be permitted
under the proposal, such as examples of
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
type of investigations or proceedings
that are focused on health care fraud
and for which PHI is necessary.
j. Whether the Department should
permit the use and disclosure of an
individual’s PHI for the purpose
described in section IV.B.2. with a valid
authorization from the individual.
i. If so, please provide
recommendations for how the
Department could ensure that
individuals are adequately protected
from coercive tactics to provide such
authorization. For example, should the
Department permit such use or
disclosure based on an authorization
only if a regulated entity also obtains
some form of attestation or assurance
from the recipient of the PHI?
ii. Whether third parties might
circumvent the prohibition by coercing
individuals to exercise their right to
direct a covered entity to transmit to a
third party an electronic copy of their
PHI in an EHR. If so, please suggest
ways the Department could address this
problem without curtailing an
individual’s right of access or increasing
the burden on regulated entities.
k. Whether the Department should
apply the proposed prohibition broadly
to any health care, rather than limiting
it to reproductive health care. Please
explain.
l. Whether the Department should
prohibit or limit uses or disclosures of
‘‘highly sensitive PHI’’ for certain
purposes. If so:
i. How should the Department define
‘‘highly sensitive PHI’’? Please explain
and provide reference materials to
support any suggested definition.
ii. What additional protections should
‘‘highly sensitive PHI’’ be accorded?
iii. Do regulated entities have the
technical ability to differentiate between
types of PHI in their electronic record
systems and apply special protections to
a new category of ‘‘highly sensitive
PHI’’?
iv. What would be the estimated
burden on regulated entities of
providing additional protections for
‘‘highly sensitive PHI’’?
m. Whether in addition to, or instead
of, the proposed prohibition, the
Department should:
i. Require a regulated entity to obtain
an individual’s authorization for certain
uses and disclosures of PHI that
currently are permitted without an
authorization.
ii. Require a regulated entity to obtain
an individual’s authorization for any
uses and disclosures of a defined
category of PHI (e.g., ‘‘highly sensitive
PHI’’).
iii. Require a regulated entity to
accept and comply with an individual’s
PO 00000
Frm 00030
Fmt 4701
Sfmt 4702
request for restrictions of uses and
disclosures of ‘‘highly sensitive PHI.’’
iv. Eliminate or narrow any existing
permissions to use or disclose ‘‘highly
sensitive PHI’’ (e.g., permissions to
report crime on the premises or report
crime in emergencies).
n. What are the practices and
procedures that a regulated entity
currently uses to determine what
actions they will take when faced with
a conflict of state and Federal laws
regarding uses and disclosures of PHI?
o. Whether the scope of the proposed
rule of applicability will be sufficiently
clear to individuals and covered
entities, and whether the provision
should be made more specific or
otherwise modified to ensure
individuals and covered entities know
when disclosures of PHI will be
permitted.
p. Whether the proposed Rule of
Construction is sufficient, or whether
the Rule of Construction should be
expanded, narrowed, or otherwise
modified. Please explain and provide
support for this response.
q. Whether the proposed clarification
to personal representative status in the
context of reproductive health care is
sufficient to clarify that personal
representatives who provide or facilitate
reproductive health care have not
committed an act of ‘‘child abuse.’’
Please explain and provide support for
this response.
C. Section 164.509—Uses and
Disclosures for Which an Attestation Is
Required (Proposed Heading)
1. Current Provision and Issues To
Address
The Privacy Rule currently separates
uses and disclosures into three
categories: required, permitted, and
prohibited. Permitted uses and
disclosures are further subdivided into
those to carry out treatment, payment,
or health care operations; 286 those for
which an individual’s authorization is
required; 287 those requiring an
opportunity for the individual to agree
or object; 288 and those for which an
authorization or opportunity to agree or
object is not required.289 For an
individual’s authorization to be valid,
the Privacy Rule requires that it contain
certain specific information to ensure
that an individual authorizing a
regulated entity to use or disclose their
PHI to another person knows and
286 45
CFR 164.506.
CFR 164.508.
288 45 CFR 164.510.
289 45 CFR 164.512.
287 45
E:\FR\FM\17APP2.SGM
17APP2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
lotter on DSK11XQN23PROD with PROPOSALS2
understands to what it is they are
agreeing.290
Pursuant to proposals in this NPRM,
a regulated entity presented with a
request for PHI that is potentially
related to reproductive health care
would need to discern whether using or
disclosing PHI in response to the
request would be prohibited by the
proposed 45 CFR 164.502(a)(5)(iii).
Without a mechanism for assisting
regulated entities in determining the
purpose of a use or disclosure request
from certain persons, the Department
believes it would be difficult for
regulated entities to distinguish between
use and disclosure requests for
permitted and prohibited purposes,
potentially leading regulated entities to
deny use or disclosure requests for
permitted purposes. Additionally,
absent an enforcement mechanism, the
Department believes requesters of PHI
could seek to use existing Privacy Rule
permissions for purposes that would be
prohibited under 45 CFR
164.502(a)(5)(iii).
2. Proposal
To facilitate compliance with the
proposed prohibition while also
providing a pathway to disclose PHI for
permitted purposes for which
authorization is not required and an
opportunity to agree or object is not
required, the Department proposes to
add a requirement to obtain an
attestation from the person requesting
the use and disclosure as a condition for
certain permitted uses and disclosures.
Specifically, the Department proposes
to add a new section 45 CFR 164.509:
‘‘Uses and disclosures for which an
attestation is required.’’ This proposed
condition would require a regulated
entity to obtain assurances from the
person requesting the PHI, in the form
of a signed and dated written statement
attesting that the use or disclosure
would not be for a purpose prohibited
under 45 CFR 164.502(a)(5)(iii), where
the person is making the request under
the Privacy Rule permissions at 45 CFR
164.512(d) (disclosures for health
oversight activities), (e) (disclosures for
judicial and administrative
proceedings), (f) (disclosures for law
enforcement purposes), or (g)(1)
(disclosures about decedents to coroners
and medical examiners). This proposed
condition would apply when the
request is for PHI that is potentially
related to reproductive health care, as
defined in proposed 45 CFR 160.103.
Thus, an attestation would not be
required when the person making the
request does not seek PHI potentially
290 45
CFR 164.508(b).
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
related to reproductive health care. If,
however, the request would require a
regulated entity to disclose PHI
potentially related to reproductive
health care, a regulated entity would
have to first obtain an attestation from
the person making the request to ensure
that the PHI would not be used or
disclosed for a prohibited purpose.
Additionally, where one of these
permissions applies, the attestation
must include a statement that the use or
disclosure is not prohibited as described
at 45 CFR 164.502(a)(5)(iii). Thus, the
Department proposes to limit the
attestation requirement to the Privacy
Rule provisions that have the greatest
potential to result in use or disclosure
of an individual’s PHI for a criminal,
civil, or administrative investigation
into or proceeding against, any person
for seeking, obtaining, providing, or
facilitating reproductive health care or
to identify any person for the purpose
of initiating such an investigation or
proceeding.
The attestation proposal is intended
both to ensure that the existing Privacy
Rule permissions could not be used to
circumvent the new proposed
prohibition at 45 CFR 164.502(a)(5)(iii)
and to continue permitting essential
disclosures. The proposed attestation
requirement also would limit the
additional burden on the regulated
entity receiving requests for such uses
and disclosures by providing a standard
mechanism by which the regulated
entity would ascertain whether a
requested use or disclosure would be
prohibited under the proposal.
The Department’s attestation proposal
is modeled after the authorization
requirement at 45 CFR 164.508.291
Modeling the proposed attestation
provision after the authorization
provision would ensure that a person
requesting the PHI provides a regulated
entity with the information needed to
ascertain whether the request is for a
prohibited purpose because the
proposed attestation requirement would
require the person requesting the
disclosure to confirm the types of PHI
that they are requesting; to clearly
identify the name of the individual
whose PHI is being requested, if
practicable, or if not practicable, the
class of individuals whose PHI is being
requested, and to confirm, in writing,
that the use or disclosure is not for a
purpose prohibited under 45 CFR
164.502(a)(5)(iii). For purposes of the
291 Section 164.508 of title 45 CFR details the
general rules for authorizations, such as the rules
specific to types of PHI or purposes for disclosure,
compound authorizations, the elements required for
a valid authorization, and how authorizations may
be revoked.
PO 00000
Frm 00031
Fmt 4701
Sfmt 4702
23535
‘‘class of individuals’’ described in 45
CFR 164.509(c)(1)(i)(B), the requesting
entity may describe such a class in
general terms—for example, as all
individuals who were treated by a
certain health care provider or for whom
a certain health care provider submitted
claims, all individuals who received a
certain procedure, or all individuals
with given health insurance coverage.
Similar to the authorization provision,
the proposed attestation provision
would also include the general
requirements for a valid attestation, and
defects of an invalid attestation. The
provision would also include the
attestation’s content requirements and
would apply to both uses and
disclosures for the specified
purposes.292 In addition, the attestation
must be written in plain language.293
The proposed attestation provision
would also include a prohibition on
compound attestations. Specifically, the
proposal would prohibit the attestation
from being ‘‘combined with’’ any other
document. The Department intends this
prohibition to mean that an attestation
must be clearly labeled and distinct
from any surrounding text. For example,
an attestation would not be
impermissibly ‘‘combined with’’ a
subpoena if it is attached to it, provided
that the attestation is clearly labeled as
such. As another example, an electronic
attestation would not to be
impermissibly ‘‘combined with’’
another document where the attestation
is on the same screen as the other
document, provided that the attestation
is clearly and distinctly labeled as such.
Further, the attestation proposal
would explicitly permit the attestation
document to be in electronic format, as
well as electronically signed by the
person requesting the disclosure.294 At
this time, the Department declines to
propose mandating a specific electronic
format for the attestation. The
attestation would be facially valid when
the document meets the required
elements of the attestation proposal and
includes an electronic signature that is
valid under applicable Federal and state
law.295
292 Pursuant to 45 CFR 164.530(j), regulated
entities would be required to maintain a written or
electronic copy of the attestation.
293 The Federal plain language guidelines under
the Plain Writing Act of 2010 only applies to
Federal agencies, but it serves as a helpful resource.
See .
294 Proposed 45 CFR 164.509(b)(1)(iv) and
(c)(1)(v).
295 While not explicitly stated in the Privacy Rule,
the Department previously issued guidance
clarifying that authorizations are permitted to be
submitted and signed electronically. See HIPAA
FAQ #475, and HIPAA FAQ #554, https://
E:\FR\FM\17APP2.SGM
Continued
17APP2
23536
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
lotter on DSK11XQN23PROD with PROPOSALS2
Unlike the authorization provision,
the proposed attestation would be
limited to the specific use or disclosure.
Generally, when a regulated entity
receives a valid authorization, they may
continue to use or disclose PHI to such
requestor pursuant to that authorization
after the initial disclosure, provided that
such subsequent uses and disclosures
are valid and related to that
authorization. Under the proposal, the
Department anticipates that each use or
disclosure request would require a new
attestation.
The Department is explicitly
declining to propose a new exception to
the minimum necessary standard for
uses and disclosures made pursuant to
an attestation under 45 CFR 164.509.296
Thus, a regulated entity would have to
limit a use or disclosure to the
minimum necessary when provided in
response to a request that would be
subject to the proposed attestation
requirement. Where the person
requesting the PHI is also a regulated
entity, that person would also need to
make reasonable efforts to limit their
request to the minimum necessary to
accomplish the intended purpose of the
use, disclosure, or request.297
The Department does not propose to
require a regulated entity to investigate
the validity of an attestation provided
by a person requesting a use or
disclosure of PHI; rather, a regulated
entity would be able to rely on the
attestation provided that it is objectively
reasonable under the circumstances for
the regulated entity to believe the
statement required by 45 CFR
164.509(c)(1)(iv) that the requested
disclosure of PHI is not for a purpose
prohibited by 45 CFR
164.502(a)(5)(iii).298 If such reliance is
not objectively reasonable, then the
regulated entity may not rely on the
attestation. Under the proposal, it would
not be objectively reasonable for a
regulated entity to rely on a requester’s
representation as to whether the
reproductive health care was provided
under circumstances in which it was
lawful to provide such care. This is
www.hhs.gov/hipaa/for-professionals/faq/554/howdo-hipaa-authorizations-apply-to-electronic-healthinformation/.
296 See 45 CFR 164.502(b). The minimum
necessary standard of the Privacy Rule applies to
all uses and disclosures where a request does not
meet one of the specified exceptions in paragraph
(b)(2).
297 45 CFR 164.502(b)(1).
298 This approach is consistent with 45 CFR
164.514(h)(2)(iii), which permits a covered entity to
rely on certain statements or requests to meet the
requirement to verify the legal authority of a public
official or a person acting on behalf of the public
official if such reliance is reasonable under the
circumstances.
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
because the regulated entity, and not the
requester, has the information about the
provision of such care that is necessary
to make this determination. Therefore,
this determination would need to be
made by the regulated entity prior to
using or disclosing PHI in response to
a request for a use or disclosure of PHI
that would require an attestation under
the proposal.
The proposed attestation also would
require a regulated entity to cease use or
disclosure of PHI if the regulated entity
developed reason to believe, during the
course of the use or disclosure, that the
representations contained within the
attestation were materially false, leading
to uses or disclosures for a prohibited
purpose.299 The Department notes that
pursuant to HIPAA, a person who
knowingly and in violation of the
Administrative Simplification
provisions obtains or discloses IIHI
relating to another individual or
discloses IIHI to another person would
be subject to criminal liability.300 Thus,
a requester who knowingly falsifies an
attestation (e.g., makes material
misrepresentations as to the intended
uses of the PHI requested) to obtain (or
cause to be disclosed) an individual’s
IIHI would be in violation of HIPAA and
could be subject to criminal penalties as
outlined in the statute.301 Additionally,
the Department notes that a disclosure
made based on an attestation that
contains material misrepresentations
after the regulated entity becomes aware
of such misrepresentations would
constitute an impermissible disclosure,
which may require notifications of a
breach to the individual, the Secretary,
and in some cases, the media.302
The proposed attestation does not
replace the requirements of the Privacy
Rule’s permissions for a regulated entity
to disclose PHI in response to a
subpoena, discovery request, or other
lawful process 303 or administrative
request; 304 instead, it is designed to
work with these permissions and their
requirements. Under this proposal, for
PHI to be disclosed pursuant to 45 CFR
164.512(e)(1)(ii) and (f)(1)(ii)(C), a
regulated entity would need to verify
that the requirements of each provision
are met and also satisfy the
requirements of the new attestation
provision under the proposed 45 CFR
299 Proposed
45 CFR 164.509(d).
42 U.S.C. 1320d–6(a).
301 See 42 U.S.C. 1320d–6(b).
302 45 CFR 164.400 et seq. The HIPAA Breach
Notification Rule, 45 CFR 164.400–414, requires
HIPAA covered entities and their business
associates to provide notification following a breach
of unsecured PHI.
303 45 CFR 165.512(e)(1)(ii).
304 45 CFR 164.512(f)(1)(ii)(C).
300 See
PO 00000
Frm 00032
Fmt 4701
Sfmt 4702
164.509. In addition, the requirements
of 45 CFR 164.528, the right to an
accounting of disclosures of PHI made
by a covered entity, would not be
affected by the proposed attestation.
Therefore, disclosures made pursuant to
a permission under 45 CFR 164.512(d),
(e), (f), or (g) must be included in the
accounting, including when they are
made pursuant to an attestation.305
To reduce the burden on regulated
entities implementing this proposed
attestation, the Department is
considering developing a model
attestation that a regulated entity may
use when developing its own attestation
templates. The Department does not
anticipate requiring regulated entities to
use the model attestation at this time,
thereby leaving a regulated entity free to
draft an attestation that meets the
specific needs of their organization.
However, we do note that under the
proposal, an attestation would be
defective if it contained anything
beyond the elements and statements
required by paragraphs (c)(1) of
§ 164.509.
3. Request for Comment
The Department requests comment on
the foregoing proposals, including any
benefits, drawbacks, or unintended
consequences. The Department also
requests comment on the following
considerations in particular:
r. Whether the proposed attestation
requirement in section IV.C. would
address all relevant types of permitted
uses and disclosures under the Privacy
Rule. That is, should the proposed
requirement apply as a condition of any
additional permitted uses and
disclosures that could be used to request
uses and disclosures of PHI for a
prohibited purpose?
i. Conversely, would the proposed
requirement be overinclusive, placing
unreasonable barriers to disclosures for
beneficial purposes such that the
Department should narrow the scope of
the proposed requirement?
ii. The Department requests comment
on specific examples of unreasonable
barriers and recommended alternatives.
s. Whether requesters of PHI should
be required to name the individuals
whose PHI they are requesting, or if
describing a class of individuals whose
PHI is requested is sufficient. Please
explain how the Department can further
protect the privacy of individuals from
requests for large amounts of PHI
ostensibly sought for a non-prohibited
305 See also 45 CFR 164.528(a)(2) regarding when
the covered entity must temporarily suspend an
individual’s right to receive an accounting of
disclosures to a health oversight agency or law
enforcement official.
E:\FR\FM\17APP2.SGM
17APP2
lotter on DSK11XQN23PROD with PROPOSALS2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
purpose if requesters of PHI are
permitted to describe a class of
individuals whose PHI is requested.
t. How the Department should
interpret the terms ‘‘practicable’’ and
‘‘class of individuals.’’
u. Whether a model attestation would
be useful for regulated entities.
i. If so, what other information should
be included within such model
attestation to improve regulated entities’
understanding of the proposed
attestation requirements, if adopted?
ii. What should be the format of a
model attestation?
v. Whether the Department should
require a particular attestation format,
rather than providing a model
attestation.
w. How the Department should
interpret ‘‘combined with’’ at proposed
45 CFR 164.509(b)(3) with respect to
both paper and electronic attestations to
minimize the burden on regulated
entities of understanding and
responding to requests that require an
attestation.
x. Whether the Department should
consider permitting the attestation to be
combined with other types of
documents.
i. If so, which types of documents
should regulated entities be permitted to
combine with the attestation?
ii. What potential negative impacts
could this have on the clarity of the
attestation?
y. Whether the Department should
require the attestation to include a
signed declaration made under penalty
of perjury that the requester is not
making the request for a purpose
prohibited by this proposal and any
ramifications, positive or negative, of
such a requirement.
z. Whether there are any other
elements that should be included within
the proposed attestation that are not
currently listed.
aa. Whether the Department should
consider it a material misrepresentation
if a person who signs an attestation does
not have an objectively reasonable basis
to suspect that the reproductive health
care was provided under circumstances
in which it was unlawful. If so, what
should the Department consider a
reasonable basis for suspicion?
bb. How the proposed attestation
requirement would affect a regulated
entity’s process for responding to
regular or routine requests from certain
requestors, such as government agencies
that request PHI for purposes of health
oversight activities. For such requests,
what information should such
requestors provide to reduce regulated
entities’ compliance burden associated
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
with the proposed attestation
requirements?
cc. Whether there is alternative
documentation that a requestor could
provide, instead of an attestation, to
assist a regulated entity in complying
with 45 CFR 164.502(a)(5)(iii). For
example, would a notice from a health
oversight agency that identifies the
objective of an audit, information
sought, and the requesting agency
provide sufficient information to assure
the regulated entity that the audit is not
subject to the prohibition at proposed 45
CFR 164.502(a)(5)(iii)? Please provide
examples of documentation that may be
helpful.
D. Section 164.512—Uses and
Disclosures for Which an Authorization
or Opportunity To Agree or Object Is
Not Required
1. Applying the Proposed Prohibition
and Attestation Requirement to Certain
Permitted Uses and Disclosures
Current Provision and Issues To
Address
Section 164.512 of the Privacy Rule
contains the standards for uses and
disclosures for which an authorization
or opportunity to agree or object is not
required. Many of the uses and
disclosures addressed by 45 CFR
164.512 relate to government or
administrative functions,306 or as
described in the 2000 Privacy Rule
preamble, ‘‘national priority
purposes.’’ 307 These permissions for
uses and disclosures were not required
by HIPAA but instead represented the
Secretary’s previous balancing of the
privacy interests and expectations of
individuals and the interests of
communities in making certain
information available for community
purposes, such as for certain public
health, health care oversight, and
research purposes.308 As discussed
previously, the regulations
implementing HIPAA have sought to
ensure that individuals do not forgo
306 See, e.g., 45 CFR 164.512(a), Uses and
disclosures required by law; 45 CFR 164.512(b),
Uses and disclosures for public health activities; 45
CFR 164.512(c), Disclosures about victims of abuse,
neglect or domestic violence; 45 CFR 164.512(d)
Uses and disclosures for health oversight activities;
45 CFR 164.512(e), Disclosures for judicial and
administrative proceedings; 45 CFR 164.512(f),
Disclosures for law enforcement purposes; 45 CFR
164.512(g) Uses and disclosures about decedents;
45 CFR 164.512(h), Uses and disclosures for
cadaveric organ, eye or tissue donation purposes; 45
CFR 164.512(i), Uses and disclosures for research
purposes; 45 CFR 164.512(j), Uses and disclosures
to avert a serious threat to health or safety; 45 CFR
164.512(k), Uses and disclosures for specialized
government functions; and 45 CFR 164.512(l),
Disclosures for workers’ compensation.
307 65 FR 82524.
308 See 65 FR 82471.
PO 00000
Frm 00033
Fmt 4701
Sfmt 4702
23537
health care when needed—or withhold
important information from their health
care providers that may affect the
quality of health care they receive—out
of a fear that their sensitive information
would be revealed outside of their
relationships with their health care
providers.
The changes proposed in this NPRM
attempt to address the need to ensure
that PHI continues to be used and
disclosed only in a manner consistent
with the standard established in the
Privacy Rule, given recent
developments in Federal and state law
that may undermine the privacy
protections for PHI.
As discussed above, the proposed 45
CFR 164.502(a)(5)(iii) may prohibit uses
and disclosures of PHI in some
circumstances that are currently
permitted. To clarify that this proposal
is inclusive of purposes currently
permitted under 45 CFR 164.512, the
Department believes it is necessary to
modify the general rule for such
permitted uses and disclosures. In
addition, the Department believes it is
necessary to modify the general rule to
reflect the new condition that would be
imposed upon certain uses and
disclosures permitted under 45 CFR
164.512 through the proposed
attestation requirement at 45 CFR
164.509.
Proposal
The Department proposes to modify
the introductory text of 45 CFR 164.512
by citing the proposed prohibition at the
beginning of the first sentence and
conditioning certain disclosures on the
receipt of the attestation proposed at 45
CFR 164.509. The proposed
modification would add the clause
‘‘Except as provided by 45 CFR
164.502(a)(5)(iii), [ . . . ]’’ and ‘‘and 45
CFR 164.509’’ to ‘‘subject to the
applicable requirements of this section.’’
As discussed above, the proposed
change would create a new requirement
to obtain an attestation from the person
requesting the use and disclosure of PHI
potentially related to reproductive
health care as a condition for certain
types of permitted uses and disclosures
of PHI. For example, the Privacy Rule
currently permits uses and disclosures
for health care oversight,309 judicial and
administrative proceedings,310 law
enforcement purposes,311 and coroners
and medical examiners,312 provided
specified conditions are met. If
paragraph (a)(5)(iii) of 45 CFR 164.502
309 45
CFR 164.512(d).
CFR 164.512(e).
311 45 CFR 164.512(f).
312 45 CFR 164.512(g)(1).
310 45
E:\FR\FM\17APP2.SGM
17APP2
lotter on DSK11XQN23PROD with PROPOSALS2
23538
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
is finalized, uses and disclosures of PHI
for these purposes would be subject to
an additional condition; that is, such
uses and disclosures would be
prohibited unless a regulated entity first
obtained an attestation from the person
requesting the use and disclosure under
proposed 45 CFR 164.509.
The Department assumes that there
would be instances in which a state or
other law requires a regulated entity to
use or disclose PHI for health care
oversight, judicial and administrative
proceedings, law enforcement purposes,
or coroners and medical examiners for
a purpose not related to one of the
prohibited purposes in proposed 45 CFR
164.502(a)(5)(iii). The Department
believes that a regulated entity would be
able to comply with such laws, as well
as the proposed attestation requirement
if the PHI is potentially related to
reproductive health care. For example, a
regulated entity may continue to
disclose PHI without an authorization to
a state medical board, a prosecutor, or
a coroner, in accordance with the
Privacy Rule, when the request is for
PHI that is not potentially related to
reproductive health care or
accompanied by the required
attestation. As a result, a regulated
entity may continue to assist the state in
carrying out its health care oversight,
judicial and administrative functions,
law enforcement, and coroner duties
with the use or disclosure of PHI that is
potentially related to reproductive
health care once a facially valid
attestation has been provided to the
regulated entity from whom PHI is
sought, except in matters involving
restrictions on seeking, obtaining,
providing, or facilitating reproductive
health care. In such cases, the state
would need to obtain information about
an individual’s reproductive health or
reproductive health care received by the
individual from an entity not regulated
under the Privacy Rule. As a reminder,
the Privacy Rule only applies to PHI,
which is IIHI that is maintained or
transmitted by, for, or on behalf of a
covered entity. Thus, it does not apply
to individuals’ health information when
it is in the possession of a person that
is not a covered entity or business
associate, such as a friend, family
member, or is stored on a personal
cellular telephone or tablet.313
Additionally, for clarity, the
Department proposes to change the
word ‘‘orally’’ at the end of the
313 See
Guidance on ‘‘Protecting the Privacy and
Security of Your Health Information When Using
Your Personal Cell Phone or Tablet,’’ U.S. Dep’t of
Health and Human Servs. (June 29, 2022), https://
www.hhs.gov/hipaa/for-professionals/privacy/
guidance/cell-phone-hipaa/.
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
introductory paragraph to ‘‘verbally.’’
No substantive change is intended.
2. Making a Technical Correction to the
Heading of 45 CFR 164.512(c) and
Clarifying That Providing or Facilitating
Reproductive Health Care Is Not Abuse,
Neglect, or Domestic Violence
Current Provisions and Issues to
Address
Paragraph (c) of 45 CFR 164.512
permits disclosures of PHI about victims
of abuse, neglect, or domestic violence
under specified conditions. While the
regulatory text includes the serial
comma, clearly indicating that the
provision addresses victims of three
different types of crimes, the standard
heading is less clear.
This section permits a regulated entity
to disclose an individual’s PHI under
certain conditions to an authorized
government agency where the regulated
entity reasonably believes the
individual to be a victim of abuse,
neglect, or domestic violence. The
Department is concerned that recent
state actions may lead regulated entities
to think that they are permitted to make
such disclosures of PHI when they
believe that persons who provide or
facilitate access to reproductive health
care are perpetrators of such crimes.
Thus, the Department believes it is
necessary to clarify that providing or
facilitating access to appropriate
reproductive health care is not abuse,
neglect, or domestic violence.
Proposals
For grammatical clarity, the
Department proposes to add the serial
comma after the word ‘‘neglect’’ in the
heading of the standard contained at 45
CFR 164.512(c), so it would read
‘‘Standard: Disclosures about victims of
abuse, neglect, or domestic violence.’’
The Department also proposes to add
a new paragraph (c)(3) to 45 CFR
164.512(c), with the heading ‘‘Rules of
construction,’’ that would read,
‘‘Nothing in this section shall be
construed to permit uses or disclosures
prohibited by § 164.502(a)(5)(iii).’’ This
new paragraph would clarify that the
permission to use or disclose PHI in
reports of abuse, neglect, or domestic
violence does not permit uses or
disclosures based primarily on the
provision or facilitation of reproductive
health care to the individual. The
proposed provision is intended to
safeguard the privacy of individuals’
PHI against claims that uses and
disclosures of that PHI are warranted
because the provision or facilitation of
reproductive health care, in and of
itself, may constitute abuse, neglect, or
PO 00000
Frm 00034
Fmt 4701
Sfmt 4702
domestic violence. Similar to the
discussion above in section IV.D.1, the
Department also does not intend for this
proposal to obstruct oversight related to
professional conduct or similar legal
proceedings for which PHI related to
reproductive health care is needed.
3. Clarifying the Permission for
Disclosures Based on Administrative
Processes
Current Provision and Issues To
Address
Under 45 CFR 164.512(f)(1), a
regulated entity may disclose PHI
pursuant to an administrative request,
provided that: (1) the information
sought is relevant and material to a
legitimate law enforcement inquiry; (2)
the request is specific and limited in
scope to the extent reasonably
practicable in light of the purpose for
which the information is sought; and (3)
de-identified information could not
reasonably be used.314 Examples of
administrative requests include
administrative subpoena or summons, a
civil or an authorized investigative
demand, or similar process authorized
under law.315 The examples of
administrative requests provided in the
existing regulatory text include only
those requests that are enforceable in a
court of law, and the catchall ‘‘or similar
process authorized by law’’ similarly is
intended to include only requests that,
by law, require a response. This
interpretation is consistent with the
Privacy Rule’s definition of ‘‘required by
law,’’ which enumerates these and other
examples of administrative requests that
constitute ‘‘a mandate contained in law
that compels an entity to make a use or
disclosure of protected health
information and that is enforceable in a
court of law.’’ 316 However, the
Department has become aware that
some regulated entities may be
interpreting this provision in a manner
that is inconsistent with the
Department’s intent. Therefore, the
Department is taking this opportunity to
clarify the types of administrative
processes that this provision was
intended to address.
Proposal
Specifically, the Department proposes
to insert language to clarify that the
administrative processes that give rise to
a permitted disclosure include only
those that, by law, require a regulated
314 45
CFR 164.512(f)(1)(ii)(C).
315 Id.
316 See 45 CFR 164.103. The Privacy Rule’s
definition of ‘‘Required by law’’ includes
administrative requests and lists the examples of
processes that are enumerated under 45 CFR
164.512(f)(1)(ii)(C).
E:\FR\FM\17APP2.SGM
17APP2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
lotter on DSK11XQN23PROD with PROPOSALS2
entity to respond. Accordingly, the
proposal would specify that PHI may be
disclosed pursuant to an administrative
request ‘‘for which a response is
required by law.’’ This is not intended
to be a substantive change, as the
proposal is consistent with preamble
discussion on this topic in the 2000
Privacy Rule.317
4. Request for Comment
The Department requests comment on
the forgoing proposals, including any
benefits, drawbacks, or unintended
consequences. The Department also
requests comment on the following
considerations in particular:
dd. The way in which regulated
entities currently receive and address
requests for PHI when requested
pursuant to the Privacy Rule
permissions at 45 CFR 164.512(d) (uses
and disclosures for health oversight
activities), (e) (disclosures for judicial
and administrative proceedings), (f)
(disclosures for law enforcement
purposes), or (g)(1) (uses and
disclosures about decedents to coroners
and medical examiners). Specifically:
i. How are such requests currently
submitted (e.g., hard copy letter,
electronically via email, an online
form)?
ii. For requests under 45 CFR
164.512(e)(1)(ii) and (f)(1)(ii)(C):
i. When using or disclosing
information after receiving the required
assurances,318 does the entity choose to
obtain assurances for every subsequent
related request, or does the entity
continue to disclose PHI to such entity
after receiving the initial assurance,
provided that subsequent requests are
related to the initial request in which
the initial assurance was received?
ii. How do regulated entities accept
assurances (e.g., hard copy letter,
electronically via email, uploading to an
online portal)?
ee. Examples, if any, of uses or
disclosures of PHI that are required by
law and are not for prohibited purposes
but may no longer be permitted under
this proposal.
ff. The effect expanding the scope of
the proposed prohibition to include any
health care would have on the proposed
attestation requirement and the ability
of regulated entities to implement it.
gg. Whether the phrase ‘‘based
primarily’’ is sufficient to clarify that
the proposed rule of construction is
only intended to address situations
where the purpose is to investigate or
impose liability because reproductive
health care was provided, rather than,
317 See
318 See
65 FR 82531.
45 CFR 164.512(e)(1)(iii) and (f)(1)(ii)(C).
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
for example, the quality of the health
care provided or whether claims
submitted for that health care were
appropriate.
hh. Whether there are disclosures
currently made under Federal agencies’
interpretations of the Privacy Act that
would not be permitted under the
proposal. If so, what would they be, and
should the Department permit them?
E. Section 164.520—Notice of Privacy
Practices for Protected Health
Information
1. Current Provision and Issues To
Address
The Privacy Rule generally requires
that a covered entity provide
individuals with an NPP to ensure that
they understand how a covered entity
may use and disclose their PHI, as well
as their rights and the covered entity’s
legal duties with respect to PHI.319
Section 164.520(b)(1)(ii) of the Privacy
Rule describes the required contents of
the NPP, including descriptions of the
types of permitted uses and disclosures
of their PHI. It does not, however,
currently require a covered entity to
provide information about prohibited
uses and disclosures of PHI. The
Department is concerned that the
current NPP requirements might not
provide individuals with adequate
assurances that a revised Privacy Rule
would prohibit the use or disclosure of
their PHI in certain circumstances.
Without such assurances, the
Department is concerned that
individuals may avoid accessing crucial
health care.
2. Proposal
The Department proposes to modify
45 CFR 164.520(b)(1)(ii) to require that
a covered entity add two types of uses
and disclosures to those already
described in the NPP, putting
individuals on notice about how their
PHI may or may not be used.
Specifically, the Department proposes at
45 CFR 164.520(b)(1)(ii)(F) to add to the
NPP’s list of required elements two that
address the proposed use and disclosure
prohibition at 45 CFR 164.502(a)(5)(iii).
Under this proposal, a covered entity
must separately describe each type of
use or disclosure prohibited by 45 CFR
164.502(a)(5)(iii) and must do so in
sufficient detail for an individual to
understand this prohibition and the
proposed attestation requirement.
By modifying the NPP, a covered
entity would continue to provide an
319 45 CFR 164.520. Unlike many provisions of
the Privacy Rule, 45 CFR 164.520 applies only to
covered entities, as opposed to both covered entities
and their business associates.
PO 00000
Frm 00035
Fmt 4701
Sfmt 4702
23539
individual with information the
individual needs to make decisions
about their health care, as well as
information about how the covered
entity will treat PHI the individual
chooses to disclose to the covered
entity, and about how to exercise their
rights of access 320 and to request
restrictions.321 The modification would
also enable the covered entity to provide
the individual with reassurance about
their privacy rights and their ability to
discuss their reproductive health and
related care with any health care
provider without fear of harm because it
would inform an individual that their
PHI may not be used or disclosed for the
purposes the Department proposes to
prohibit.
3. Request for Comment
The Department requests comment on
the foregoing proposals, including any
benefits, drawbacks, or unintended
consequences. The Department also
requests comment on the following
considerations in particular:
ii. Whether it would benefit
individuals for the Department to
require that covered entities include a
statement in the NPP explaining that
when PHI is disclosed for a permitted
purpose to an entity other than a
covered entity (e.g., disclosed to a noncovered health care provider for
treatment purposes), the recipient of the
PHI would not be bound by the
proposed prohibition because the
Privacy Rule would no longer apply.
V. Executive Order 12866 and Related
Executive Orders on Regulatory Review
A. Regulatory Impact Analysis
The Department of Health and Human
Services (HHS or Department) has
examined the effects of the proposed
rule under Executive Order (E.O.)
12866, Regulatory Planning and
Review,322 E.O. 13563, Improving
Regulation and Regulatory Review,323
320 With certain exceptions, an individual has a
right of access to inspect and obtain a copy of PHI
about the individual in a designated record set for
as long as the PHI is maintained in the designated
record set. See 45 CFR 164.524.
321 A covered entity must permit an individual to
request that the covered entity restrict uses or
disclosures of PHI for certain purposes. While the
covered entity is not required to agree to the
restriction, they may not use or disclose PHI if they
agree to do so, except in limited circumstances.
Additionally, a covered health care provider must
permit an individual to request and must
accommodate a reasonable request by an individual
to receive communications of PHI from the covered
entity by alternative means or at alternative
locations. A health plan must do the same in certain
circumstances. See 45 CFR 164.522.
322 58 FR 51735 (Oct. 4, 1993).
323 76 FR 3821 (Jan. 21, 2011).
E:\FR\FM\17APP2.SGM
17APP2
23540
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
the Regulatory Flexibility Act 324 (RFA),
and the Unfunded Mandates Reform Act
of 1995 325 (UMRA). E.O.s 12866 and
13563 direct the Department to assess
all costs and benefits of available
regulatory alternatives and, when
regulation is necessary, to select
regulatory approaches that maximize
net benefits (including potential
economic, environmental, public health
and safety, and other advantages;
distributive effects; and equity). This
proposed rule is significant under
section 3(f)(1) of E.O. 12866.
The RFA requires us to analyze
regulatory options that would minimize
any significant effect of a rule on small
entities. As discussed in greater detail
below, this analysis concludes, and the
Secretary proposes to certify, that the
proposed rule, if finalized, would not
result in a significant economic effect on
a substantial number of small entities.
The UMRA (section 202(a)) generally
requires us to prepare a written
statement, which includes an
assessment of anticipated costs and
benefits, before proposing ‘‘any rule that
includes any Federal mandate that may
result in the expenditure by State, local,
and tribal governments, in the aggregate,
or by the private sector, of $100,000,000
or more (adjusted annually for inflation)
in any one year.’’ The current threshold
after adjustment for inflation is $165
million, using the most current (2021)
Implicit Price Deflator for the Gross
Domestic Product. UMRA does not
address the total cost of a rule. Rather,
it focuses on certain categories of cost,
mainly Federal mandate costs resulting
from imposing enforceable duties on
state, local, or Tribal governments, or on
the private sector; or increasing the
stringency of conditions in, or
decreasing the funding of, state, local, or
Tribal governments under entitlement
programs. This proposed rule would
impose mandates that would result in
the expenditure by state, local, and
Tribal governments, in the aggregate, or
by the private sector, of more than $165
million in any one year. The impact
analysis in this proposed rule addresses
those impacts both qualitatively and
quantitatively. In general, each
regulated entity, including government
entities such as state Medicaid agencies
that meet the definition of covered
entity, would be required to ensure it
adopts new policies and procedures for
handling requests for PHI for which an
attestation is required and train its
workforce members on the new
requirements. Additionally, although
the Department has not quantified the
costs, state, local, and Tribal
investigative agencies would need to
analyze requests that they initiate for
PHI and provide regulated entities with
an attestation that the request is not for
a prohibited purpose where the request
is for PHI that is potentially related to
reproductive health care. One-time costs
for all regulated entities to make these
policy changes would result in costs
over the UMRA threshold in one year.
The Department has initially estimated
that ongoing expenses for the new
attestation requirement would not rise
significantly; however, it seeks
additional data to inform its estimates.
Although Medicaid has funds available
for states for certain administrative
costs, these are limited to costs specific
to operating the Medicaid program.
There are no Federal funds directed at
HIPAA compliance activities.
The Summary of Major Proposals and
Need for Rulemaking sections at the
beginning of this preamble contain a
summary of this proposed rule and
describe the reasons it is needed. The
Department presents a detailed analysis
below.
1. Summary of Costs and Benefits
The Department has identified six
general categories of quantifiable costs
arising from these proposals: (1) creating
an attestation form and handling
requests for disclosures for which an
attestation is required; (2) revising
business associate agreements; (3)
updating the Notice of Privacy Practices
(NPP) and posting it online; (4)
developing new or modified policies
and procedures; (5) revising training
programs for workforce members; and
(6) requesting an exception from
preemption of state law. The first five
categories apply primarily to covered
entities such as health care providers
and health plans, while the sixth
category applies to states and other
interested persons.
The Department estimates that the
first-year costs attributable to the
proposed rule would total
approximately $612 million. These costs
are associated with covered entities
creating an attestation form and
responding to requests for protected
health information (PHI) that may
require an attestation; revising business
associate agreements; revising policies
and procedures; updating, posting, and
mailing the NPP; and revising training
programs for workforce members, and
with states or other persons requesting
exceptions from preemption. These
costs also include increased estimates
for wages, postage, and the number of
NPPs distributed by health plans. For
years two through five, estimated
annual costs of approximately $68
million are attributable to ongoing costs
related to the proposed attestation
requirement. Table 1 reports the present
value and annualized estimates of the
costs of the proposed rule covering a 5year time horizon. Using a 7% discount
rate, the Department estimates the
proposed rule would result in
annualized costs of $192 million; and
using a 3% discount rate, these
annualized costs are $183 million.
TABLE 1—ACCOUNTING TABLE, COSTS OF THE PROPOSED RULE, $ MILLIONS
Primary
estimate
Costs
lotter on DSK11XQN23PROD with PROPOSALS2
Present Value .........................................................................
Present Value .........................................................................
Present Value .........................................................................
Annualized ..............................................................................
Annualized ..............................................................................
Year dollars
$883.4
786.8
839.1
191.9
183.2
2021
2021
2021
2021
2021
The proposed changes to the Privacy
Rule would likely result in important
benefits that the Department is unable to
fully quantify at this time. As explained
further below, unquantified benefits
include improved trust between
individuals and health care providers;
enhanced privacy and improved access
324 Public Law 96–354, 94 Stat. 1164 (codified at
5 U.S.C. 601–612).
325 Pubic Law 104–4, 109 Stat. 48 (codified at 2
U.S.C. 1501).
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
PO 00000
Frm 00036
Fmt 4701
Sfmt 4702
Discount rate
Undiscounted .........................
7% ..........................................
3% ..........................................
7% ..........................................
3% ..........................................
Period
covered
2023–2027
2023–2027
2023–2027
2023–2027
2023–2027
to reproductive health care and
information, which may prevent
increases in maternal mortality and
morbidity; increased accuracy and
E:\FR\FM\17APP2.SGM
17APP2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
completeness in patient medical
records, which may prevent poor health
outcomes; enhanced support for victims
of rape, incest, and sex trafficking; and
maintenance of family economic
stability. Additionally, the Department
believes that allowing regulated entities
to accept an attestation from a requester
of PHI that is potentially related to
reproductive health care will reduce
23541
potential liability for regulated entities
by providing some assurance that the
requested disclosure is not prohibited.
TABLE 2—POTENTIAL NON-QUANTIFIED BENEFITS FOR COVERED ENTITIES AND INDIVIDUALS
Benefits
lotter on DSK11XQN23PROD with PROPOSALS2
Improve access to complete information about lawful reproductive health care options for individuals who are pregnant or considering a pregnancy (i.e., health literacy).
Maintain or reduce levels of maternal mortality and morbidity by ensuring that individuals and their clinicians can freely communicate and have
access to complete information needed for quality health care, including coordination of care.
Decrease barriers to accessing prenatal health care by maintaining privacy for individuals who seek a complete range of reproductive health
care options.
Enhance mental health and emotional well-being of pregnant individuals by reducing fear of prosecution based on potential disclosures of their
PHI.
Improve or maintain trust between individuals and health care providers by reducing the potential for health care providers reporting PHI in a
manner that could harm the individuals’ interests.
Prevent or reduce re-victimization of pregnant individuals who have survived rape or incest by protecting their PHI from undue scrutiny.
Improve or maintain families’ economic well-being by not exposing individuals to costly criminal, civil, or administrative investigations or proceedings for engaging in lawful activities if their PHI or a family member’s PHI is disclosed.
Maintain the economic well-being of regulated entities by not exposing regulated entities or workforce members to costly civil litigation, investigation, or prosecution for engaging in lawful activities.
Ensure individuals’ ability to obtain full and complete information and make lawful decisions concerning fertility- or infertility-related health care
that may include selection or disposal of embryos without risk of criminal, civil, or administrative investigation or proceedings based on the
disclosure of their PHI.
2. Baseline Conditions
The Privacy Rule, in conjunction with
the Security and Breach Notification
Rules, protects the privacy and security
of individuals’ PHI, that is, individually
identifiable health information (IIHI)
transmitted by or maintained in
electronic media or any other form or
medium, with certain exceptions. It
limits the circumstances under which
regulated entities are permitted or
required to use or disclose PHI and
requires covered entities to have
safeguards in place to protect the
privacy of PHI. The Privacy Rule also
establishes certain rights for individuals
with respect to their PHI. The Rule
requires appropriate safeguards to
protect the privacy of PHI and sets
limits and conditions on the uses and
disclosures that may be made of such
information without an individual’s
authorization.
As explained in the preamble, the
Department has the authority under the
Health Insurance Portability and
Accountability Act of 1996 (HIPAA) to
modify the Privacy Rule to prohibit the
use or disclosure of PHI for a criminal,
civil, or administrative investigation
into or proceeding against any person in
connection with obtaining, providing, or
facilitating reproductive health care, as
well as to identify any person for the
purpose of initiating such an
investigation or proceeding. The Privacy
Rule has been modified several times
since it was first issued in 2000 to
address statutory requirements, changed
circumstances, and concerns and issues
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
raised by stakeholders regarding the
effects of the Privacy Rule on regulated
entities, individuals, and others.
Recently, as the preamble discusses,
changed circumstances resulting from
new inconsistencies in the regulation of
reproductive health care nationwide
and the negative effects on individuals’
expectations for privacy and their
relationships with their health care
providers, as well as the additional
burdens imposed on regulated entities,
necessitate consideration of additional
modifications.
For purposes of this Regulatory
Impact Analysis (RIA), the proposed
rule adopts the list of covered entities
and cost assumptions identified in the
Department’s 2019 Information
Collection Request (ICR).326 The
Department also relies on certain
estimates and assumptions from the
1999 Privacy Rule NPRM 327 that remain
relevant, and the 2013 Omnibus Rule,328
as referenced in the analysis that
follows.
The Department quantitatively
analyzes and monetizes the effect that
this proposed rule may have on
regulated entities’ actions to: revise
business associate agreements between
covered entities and their business
associates, including release-ofinformation contractors; create new
forms; respond to certain types of
requests for PHI that is potentially
related to reproductive health care;
326 84
FR 34905 (July 19, 2019).
FR 59918 (Nov. 3, 1999).
328 78 FR 5566 (Jan. 25, 2013).
327 64
PO 00000
Frm 00037
Fmt 4701
Sfmt 4702
update their NPP; adopt policies and
procedures to implement the legal
requirements of this proposed rule, and
train their employees on the updated
policies and procedures. The
Department analyzes the remaining
benefits and burdens qualitatively
because of the uncertainty inherent in
predicting other concrete actions that
such a diverse scope of regulated
entities might take in response to this
proposed rule.
Analytic Assumptions
The Department bases its assumptions
for calculating estimated costs and
benefits on a number of publicly
available datasets, including data from
the U.S. Census, the U.S. Department of
Labor, Bureau of Labor Statistics (BLS),
Centers for Medicare & Medicaid
Services, and the Agency for Healthcare
Research and Quality.
Implementing the proposed regulatory
changes likely would require covered
entities to engage workforce members or
consultants for certain activities. The
Department assumes that an attorney
would draft or review the new
attestation form, revisions to business
associate agreements, revisions to the
NPP, and required changes to HIPAA
policies and procedures. The
Department expects that a training
specialist would revise the necessary
HIPAA training and a web designer
would post the updated NPP. The
Department further anticipates that a
workforce member at the pay level of
general health care practitioner would
E:\FR\FM\17APP2.SGM
17APP2
23542
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
confirm receipt of required attestations.
To the extent that these assumptions
would affect the Department’s estimate
of costs, the Department welcomes
comment on its assumptions,
particularly those in which the
Department identifies the level of
workforce member (i.e., clerical staff,
professional) that would be engaged in
activities, and the amount of time that
particular types of workforce members
spend conducting activities related to
this NPRM as further described below.
Table 3 also lists pay rates for
occupations referenced in the
explanation of estimated information
collection burdens in section F of this
RIA and related tables.
For changes in time use for on-the-job
activities considered in this analysis,
the Department adopts an hourly value
of time based on the cost of labor,
including wages and benefits, and also
indirect costs, which ‘‘reflect resources
necessary for the administrative
oversight of employees and generally
include time spent on administrative
personnel issues (e.g., human resources
activities such as hiring, performance
reviews, personnel transfers, affirmative
action programs), writing administrative
guidance documents, office expenses
(e.g., space rental, utilities, equipment
costs), and outreach and general training
(e.g., employee development).’’ 329 For
each occupation performing activities as
a result of the proposed rule, the
Department identifies a pre-tax hourly
wage using a database maintained by
the BLS.330 For the purposes of this
analysis, the Department assumes that
benefits plus indirect costs equal
approximately 100 percent of pre-tax
wages, and adjusts the hourly wage rates
by multiplying by two, for a fully loaded
hourly wage rate. The Department
adopts this as the estimate of the hourly
value of time for changes in time use for
on-the-job activities.
TABLE 3—OCCUPATIONAL PAY RATES
Mean hourly
wage
Occupation code and title
00–0000 All Occupations .........................................................................................................................................
43–3021 Billing and Posting Clerks ........................................................................................................................
29–0000 Healthcare Practitioners and Technical Occupations ..............................................................................
29–9021 Health Information Technologists and Medical Registrars ......................................................................
29–9099 Healthcare Practitioners and Technical Workers, All Other ....................................................................
15–1212 Information Security Analysts ...................................................................................................................
23–1011 Lawyers ....................................................................................................................................................
13–1111 Management Analysts ..............................................................................................................................
11–9111 Medical and Health Services Manager ....................................................................................................
29–2072 Medical Records Specialist ......................................................................................................................
43–0000 Office and Administrative Support Occupations ......................................................................................
11–2030 Public Relations and Fundraising Managers ...........................................................................................
13–1151 Training and Development Specialist .......................................................................................................
43–4171 Receptionists and Information Clerks ......................................................................................................
15–1255 Web and Digital Interface Designers .......................................................................................................
Composite Wage for Breach Notice ........................................................................................................................
$56.02
41.10
87.60
59.06
62.38
108.92
142.34
96.66
115.22
46.46
41.76
127.70
65.02
31.64
91.80
76.66
This proposed rule would apply to
HIPAA covered entities, including
health care providers 332 that conduct
covered electronic transactions, health
plans, and in certain circumstances,
health care clearinghouses.333 The
Department estimates that there are
774,331 business establishments that
meet the definition of a covered entity
(see Table 4). By calculating costs for
establishments, rather than firms (which
may be an umbrella organization over
multiple establishments), there is a
tendency toward overestimating some
burdens, because certain costs would be
borne by a parent organization rather
than each separate facility. However, the
level of an organization that is
financially responsible for covering
costs to implement Privacy Rule
requirements may vary across the health
care industry. The Department requests
data on the extent to which certain
burdens of the proposed rule would be
borne by each facility versus an
umbrella organization. Unless otherwise
indicated, the Department relies on data
about the number of firms and
establishments from the U.S. Census.334
The Department expects that the
proposed rule will have varying effects
on different covered entities and would
have the most direct effect on covered
health care providers and health plans.
However, all affected covered entities
would at least need to adopt or change
some policies and procedures and retrain some employees. Affected covered
entities would include many Federal,
state, local, Tribal, and private sector
health care providers.
329 See ‘‘Valuing Time in U.S. Department of
Health and Human Services Regulatory Impact
Analyses: Conceptual Framework and Best
Practices,’’ U.S. Dep’t of Health and Human Servs.,
Office of the Assistant Secretary for Planning and
Evaluation (2017), p. v, https://aspe.hhs.gov/
reports/valuing-time-us-department-health-humanservices-regulatory-impact-analyses-conceptualframework.
330 See ‘‘Occupational Employment and Wages,’’
Bureau of Labor Statistics, U.S. Dep’t of Labor (May
2021), https://www.bls.gov/oes/current/oes_
nat.htm.
331 This includes 60 days from publication of a
final rule to the effective date and an additional 180
days until the compliance date.
332 The Department notes that pharmacies,
discussed later in the preamble, are a type of health
care provider under HIPAA. HIPAA defines the
term health care provider for the purposes of the
Administrative Simplification provisions at section
262: ‘‘The term ‘health care provider’ includes a
provider of services (as defined in section 1861(u)),
a provider of medical or other health services (as
defined in section 1861(s)), and any other person
furnishing health care services or supplies.’’
333 Only certain provisions of the Privacy Rule
apply to clearinghouses as covered entities. In
addition, certain provisions apply to clearinghouses
in their role as business associates of other covered
entities. See 45 CFR 164.500(b) and (c). Because the
provisions addressed in this proposed rule
generally do not apply directly to clearinghouses,
the Department does not anticipate that these
entities would experience costs associated with this
proposed rule.
334 See ‘‘2015 Statistics of U.S. Businesses (SUSB)
Annual Data Tables by Establishment Industry’’
(Jan. 2018), https://www.census.gov/data/tables/
2015/econ/susb/2015-susb-annual.html.
The Department assumes that the vast
majority of covered entities would be
able to incorporate changes to their
workforce training into existing HIPAA
training programs because the total time
frame for compliance from date of
finalization would be 240 days.331
Covered Entities Affected
lotter on DSK11XQN23PROD with PROPOSALS2
$28.01
20.55
43.80
29.53
31.19
54.46
71.17
48.33
57.61
23.23
20.88
63.85
32.51
15.82
45.90
38.33
Fully loaded
hourly wage
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
PO 00000
Frm 00038
Fmt 4701
Sfmt 4702
E:\FR\FM\17APP2.SGM
17APP2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
Census data for businesses in the
category of Third Party Administration
of Insurance and Pension Funds does
not separately enumerate those that
service health and medical insurance.
However, the Department is able to
extrapolate from data about insurance
carriers the percentage of businesses
that service health and medical
insurance. According to Census data,
there are 880 Direct Health and Medical
Insurance Carrier firms compared to
5,350 Insurance Carrier firms, such that
health and medical insurance firms
make up 16.4% of insurance firms.
Thus, the Department assumes for
purposes of this analysis that 16.4% of
Third Party Administration of Insurance
and Pension Funds firms and
establishments service health and
medical insurance. Applying this
percentage to the 2,773 firms and 4,772
establishments in the category Third
Party Administration of Insurance and
Pension Funds, the Department
estimates that 455 of these firms and
783 establishments are affected by this
proposed rule.335 See Table 4 below.
Covered pharmacies would also be
affected by the proposed rule. There
were 67,753 community pharmacies
(including 19,500 pharmacy and drug
store firms and 44,130 establishments
identified in U.S. Census data) operating
in the U.S. in 2015.336 Small pharmacies
largely use pharmacy services
administration organizations (PSAOs) to
provide administrative services, such as
negotiations, on their behalf.337 A 2013
study identified 22 PSAOs and notes
there may be more in operation.338
Based on information received from
industry, the Department adjusts this
number upward and estimates that the
proposed rule would affect 40 PSAOs.
The Department assumes that costs
affecting pharmacies are incurred at
each pharmacy and drug store
establishment and each PSAO.
The Department has not separately
calculated the effect of the proposed
rule on business associates because the
primary effect is on the covered entities
for which they provide services. To the
extent that covered entities engage
business associates to perform activities
under the proposed rule, the
Department assumes that any additional
costs will be borne by the covered
entities through their contractual
agreements with business associates.
The Department’s estimate that each
revised business associate agreement
would require no more than 1 hour of
a lawyer’s labor assumes that the hourly
burden could be split between the
23543
covered entity and the business
associate. Thus, the Department has
calculated estimated costs based on the
potential number of business associate
agreements that are revised rather than
the number of covered entities or
business associates with revised
agreements. The Department requests
data on the number of business
associates (which may include health
care clearinghouses acting in their role
as business associates of other covered
entities) that would be affected by the
proposed rule and the extent to which
they may experience costs or other
burdens not already accounted for in the
estimates of burdens for revising
business associate agreements. The
Department also requests comment on
the number of business associate
agreements that would need to be
revised, if any.
The Department requests public
comment on these estimates, including
those for third party administrators and
pharmacies where the Department has
provided additional explanation. The
Department additionally requests
detailed comment on any situations in
which covered entities other than those
identified here would be affected by this
rulemaking.
TABLE 4—ESTIMATED NUMBER AND TYPE OF COVERED ENTITIES
Covered Entities
NAICS code
Type of entity
524114 .......................................................
524292 .......................................................
622 .............................................................
44611 .........................................................
6211–6213 .................................................
6215 ...........................................................
6214 ...........................................................
6219 ...........................................................
623 .............................................................
6216 ...........................................................
532291 .......................................................
Health and Medical Insurance Carriers .....................................
Third Party Administrators .........................................................
Hospitals ....................................................................................
Pharmacies ................................................................................
Office of Drs. & Other Professionals .........................................
Medical Diagnostic & Imaging ...................................................
Outpatient Care .........................................................................
Other Ambulatory Care ..............................................................
Skilled Nursing & Residential Facilities .....................................
Home Health Agencies ..............................................................
Home Health Equipment Rental ................................................
880
456
3,293
19,540
433,267
7,863
16,896
6,623
38,455
21,829
611
5,379
783
7,012
a 67,753
505,863
17,265
39,387
10,059
86,653
30,980
3,197
Total ...................................................
....................................................................................................
549,713
774,331
a Number
Establishments
of pharmacy establishments is taken from industry statistics.
The Department believes that the
population of individuals potentially
affected by the proposed rule is
approximately 74 million overall,339
representing nearly one-fourth of the
U.S. population, including
approximately 6 million pregnant
women and girls annually and an
unknown number of individuals facing
a potential pregnancy or pregnancy risk
due to sexual activity, contraceptive
avoidance or failure, rape (including
statutory rape), and incest. According to
Federal data, 78 percent of sexually
active females received reproductive
health care in 2015–2017.340
× .164 = 454.7; 4,772 × .164 = 782.6].
Dima Mazen Qato, Shannon Zenk, Jocelyn
Wilder, et al., ‘‘The availability of pharmacies in the
United States: 2007–2015,’’ PLOS ONE (Aug. 2017),
https://doi.org/10.1371/journal.pone.0183172.
337 Discussing generally that small and
independent pharmacies often lack internal
resources to support these services. See
‘‘Prescription Drugs: The Number, Role, and
Ownership of Pharmacy Services Administrative
Organizations,’’ U.S. Government Accountability
Office, GAO–13–176 (Jan. 29, 2013), https://
www.gao.gov/products/GAO-13-176.
338 Id.
339 See females aged 10–44, American
Community Survey S0101 AGE AND SEX 2020:
ACS 5-Year Estimates Subject Tables, https://
data.census.gov/cedsci/table?q=United%20States
%20females&t=Populations%20and%20People&
g=0100000US&tid=ACSST5Y2020.S0101.
340 See Sexually active females who received
reproductive health services (FP–7.1),
Healthypeople.gov, https://wayback.archive-it.org/
5774/20220415172039/https:/www.healthy
people.gov/2020/leading-health-indicators/2020lhi-topics/Reproductive-and-Sexual-Health/data.
Individuals Affected
lotter on DSK11XQN23PROD with PROPOSALS2
Firms
335 [2,773
336 See
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
PO 00000
Frm 00039
Fmt 4701
Sfmt 4702
E:\FR\FM\17APP2.SGM
17APP2
23544
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
TABLE 5—ESTIMATED NUMBER OF INDIVIDUALS AFFECTED
Population
estimate
Females of potentially childbearing age
Females Aged 10—14 342 ..................................................................................................................................
Females 15—44 343 ...........................................................................................................................................
10,310,162
64,130,037
4,460
5,575,150
Total ............................................................................................................................................................
74,440,199
5,579,610
3. Costs of the Proposed Rule
Below, the Department provides the
basis for its estimated quantifiable costs
resulting from the proposed changes to
specific provisions of the Privacy Rule
and invites comments on the
Department’s assumptions, data, and
calculations, as well as any additional
considerations that the Department has
not identified here. Many of the
estimates are based on assumptions
formed through the Office for Civil
Rights’ (OCR’s) experience in its
compliance and enforcement program
and accounts from stakeholders
received at outreach events. The
Department has not quantified recurring
burdens for the proposed rule beyond
that of obtaining a required attestation
from the requester for health oversight,
legal proceedings, law enforcement, and
coroners or medical examiners.
The Department welcomes
information or data points from
commenters to further refine its
estimates and assumptions.
a. Costs Associated With Requests for
Exception From Preemption
The Department anticipates that states
that restrict access to reproductive
health care are likely to seek an
exception to the proposed requirements
of this rule that would preempt state
law. Given the fast-developing status of
state laws governing access to
reproductive health care, the
Department estimates a potential
increase of 26 states344 incurring costs
lotter on DSK11XQN23PROD with PROPOSALS2
Number of 2017
Pregnancies 341
341 See Isaac Maddow-Zimet and Kathryn Kost,
‘‘Pregnancies, Births and Abortions in the United
States, 1973–2017: National and State Trends by
Age Appendix Tables,’’ Guttmacher Institute,
https://www.guttmacher.org/sites/default/files/
report_downloads/pregnancies-births-abortions-us1973-2017-appendix-tables.pdf.
342 See American Community Survey S0101 AGE
AND SEX 2020: ACS 5-Year Estimates Subject
Tables, https://data.census.gov/cedsci/table?q=
United%20States%20females&t=
Populations%20and%20People&g=0100000
US&tid=ACSST5Y2020.S0101.
343 Id.
344 See Elizabeth Nash, Lauren Cross, ‘‘26 States
Are Certain or Likely to Ban Abortion Without Roe:
Here’s Which Ones and Why,’’ Guttmacher Institute
(published Oct. 28, 2021; updated Apr. 19, 2022; an
updated analysis was published on Jan. 10, 2023),
https://www.guttmacher.org/article/2021/10/26states-are-certain-or-likely-ban-abortion-withoutroe-heres-which-ones-and-why. The number of
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
to develop an exception request to
submit to the Secretary. Based on
existing burden estimates for this
activity,345 the Department estimates
that each exception request would
require approximately 16 hours of labor
at the rate of a general health care
practitioner and that approximately 26
states would make such requests. Thus,
the Department estimates that states will
spend a total of 416 hours requesting
exception from preemption and
monetize this as a one-time cost of
$36,442 [= 16 × 26 × $87.60].
b. Estimated Costs From Adding a
Requirement for an Attestation for
Disclosures for Certain Purposes
The Department analyzed the costs of
the proposed attestation requirement in
comparison to the estimated costs of
complying with the existing
authorization requirement because both
activities involve reviewing requests for
disclosures and required
documentation. The Department
estimates that the annual costs of
implementing a requirement to obtain
an attestation that certain types of
requests for PHI that is potentially
related to reproductive health care are
not for a prohibited purpose would be
similar to the costs associated with uses
and disclosures for which an
authorization is required because the
number of attestation-based requests
likely would be lower even if the
handling of such requests were more
burdensome. For purposes of this
analysis, the Department adopts the cost
estimates already approved for
documenting disclosures based on an
authorization because those estimates
provide an established baseline. The
Department draws this estimate from its
approved ICR for 45 CFR 164.508,
which allows for one burden hour per
covered entity based on the hourly wage
of a general health care practitioner.346
states identified dropped to 24 in 2023; however,
due to the pace of change in this area the
Department relies on the higher number as a basis
for its cost estimates.
345 Information Collection, Process for Requesting
Exception Determinations (states or persons),
https://www.reginfo.gov/public/do/PRAViewIC?ref_
nbr=201909-0945-001&icID=10428.
346 See Section F. of this RIA, Paperwork
Reduction Act of 1995.
PO 00000
Frm 00040
Fmt 4701
Sfmt 4702
For 774,331 covered entities, this would
amount to a total annual cost of
$67,831,396 [= 774,331 × 1 × $87.60].
The quantified burden is associated
with the requirement to keep records of
attestations received. The Department
anticipates an increase in time needed
by regulated entities to process each
request for PHI under 45 CFR
164.512(d), (e), (f), or (g)(1) that is not
accompanied by an attestation. The
Department believes that the regulated
entity would likely need to determine
whether the requested PHI includes PHI
potentially related to reproductive
health care. However, the Department
lacks sufficient information to estimate
the amount such a burden would vary
from the burden of processing requests
for PHI with an authorization.
Additionally, the Department believes
that regulated entities may need to
evaluate whether the reproductive
health care encompassed within the
scope of a request under 45 CFR
164.512(d) through (f) and (g)(1) was
lawful under the circumstances in
which it was provided, and solicits
comments on data about the associated
costs of such reviews.
In addition to the recurring costs of
responding to requests for PHI under the
proposed revisions, the Department
estimates that covered entities would
incur a one-time cost for creating a new
attestation form for a total of
$55,109,137 [= 774,331 × (30/60) ×
$142.34]. This would be based on 30
minutes of labor by a lawyer using the
Department’s sample form.
c. Costs Arising From Revised Business
Associate Agreements
The Department anticipates that a
certain percentage of business associate
agreements would likely need to be
updated to reflect a determination made
by covered entities and business
associates that, where the business
associate receives requests for
disclosures of PHI under proposed 45
CFR 164.512(d), (e), (f), or (g)(1), the
covered entity will bear the burden of
determining whether a requested
disclosure would include PHI that is
potentially related to reproductive
health care. Based on estimates in
previous HIPAA rulemaking, the
E:\FR\FM\17APP2.SGM
17APP2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
Department estimates that each new or
significantly modified contract between
a business associate and its
subcontractors would require, at most,
one hour of labor by a lawyer at the
wage reported in Table 3. We believe
that approximately 35 percent of 1
million business associates, or 350,000
entities, would decide to create or
significantly modify subcontracts,
resulting in total costs of $49,819,000 [=
350,000 × $142.34]. The Department
invites comments on these assumptions
and the number of business associate
agreements likely to be revised due to
the proposed regulatory changes.
d. Costs Arising From Changes to the
Notice of Privacy Practices
The Department proposes to modify
the NPP to notify individuals that
covered entities cannot use or disclose
PHI for certain purposes and that in
certain circumstances, covered entities
must obtain an attestation from the
person requesting the use or disclosure
affirming that the request is not for a
prohibited purpose, and where
applicable, that the use or disclosure is
primarily for a purpose described at 45
CFR 164.502(a)(5)(iii)(C).
The Department believes the burden
associated with revising the NPP
consists of costs related to developing
and drafting the revised NPP for covered
entities. The Department estimates that
the proposal to update and revise the
language in the NPP would require 30
minutes of professional legal services at
the wage reported in Table 3. Across all
covered entities, the Department
estimates a cost of $55,109,137 [=
774,331 × (30/60) × $142.34]. The
Department does not anticipate any new
costs for health care providers
associated with distribution of the
revised notice other than posting it on
the entity’s website (if it has one)
because health care providers have an
ongoing obligation to provide the notice
to first-time patients that is already
accounted for in cost estimates for the
HIPAA Rules. Health plans that post
their NPP online would incur minimal
costs by posting the updated notice, and
then, including the updated NPP in the
next annual mailing to subscribers.347
Health plans that do not provide an
annual mailing would potentially incur
an additional $12,743,700 in capital
expenses for mailing the revised NPP to
an estimated 10 percent of the
150,000,000 health plan subscribers
who receive a mailed, paper copy of the
notice, as well as the labor expense for
an administrative support staff member
at the rate shown in Table 3 to complete
the mailing, for approximately
$2,610,000 [= 62,500 hours × $41.76].
The Department further estimates the
cost of posting the revised NPP on the
covered entity’s website would be 15
minutes of a web designer’s time at the
wage reported in Table 3. Across all
covered entities, the Department
estimates a cost of online posting as
$17,770,896 [= 774,331 × (15/60) ×
$91.80].
e. Estimated Costs for Developing New
or Modified Policies and Procedures
The Department anticipates that
covered entities would need to develop
new or modified policies and
procedures related to new requirements
for attestations, prohibited uses and
disclosures, certain uses and disclosures
permitted under 45 CFR 164.512, and
23545
clarification of personal representative
qualifications. The Department
estimates that the costs associated with
developing policies and procedures
would be the labor of a lawyer for 2.5
hours and that this expense would
represent the largest area of cost for
compliance with the rule once finalized,
for a total of $275,545,686 [= 774,331 ×
2.5 × $142.34].
f. Costs Associated With Training
Workforce Members
The Department anticipates that
covered entities would be able to
incorporate new content into existing
HIPAA training requirements and that
the costs associated with doing so
would be attributed to the labor of a
training specialist for an estimated 90
minutes for a total of $75,543,732 [=
774,331 × (90/60) × $65.04].
The Department invites comments on
all aspects of its estimates and
assumptions, including the time spent
on the identified activities and the
occupations or professions of persons
designated to perform those tasks.
g. Total Quantifiable Costs
The Department summarizes in Table
6 the estimated nonrecurring costs that
covered entities and states would
experience in the first year of
implementing the proposed regulatory
changes. The Department anticipates
that these costs would be for requesting
exceptions from preemption of state
law, implementing the attestation
requirement, revising business associate
agreements, revising the NPP, mailing it,
and posting it online, revising policies
and procedures, and updating HIPAA
training programs.
lotter on DSK11XQN23PROD with PROPOSALS2
TABLE 6—NEW NONRECURRING COSTS OF COMPLIANCE WITH THE PROPOSED RULE
Total costs
(millions)
Nonrecurring costs
Burden hours/action × hourly wage
Respondents
Exception Requests .................................
Attestations, New Form ...........................
BAAs, Revising ........................................
NPP, Updating .........................................
NPP, Mailing ............................................
NPP, Posting Online ................................
Policies & Procedures .............................
Training ....................................................
Capital Expenses, Mailing NPPs—Health
Plans.
16 × $87.60 .............................................
30/60 × $142.34 ......................................
1 × $142.34 .............................................
30/60 × $142.34 ......................................
0.25/60 × $41.76 .....................................
15/60 × $91.80 ........................................
150/60 × $142.34 ....................................
90/60 × $65.04 ........................................
$.85/NPP .................................................
26 States .................................................
774,331 Covered entities ........................
350,000 BAAs .........................................
774,331 Covered entities ........................
15,000,000 Subscribers ..........................
774,331 Covered entities ........................
774,331 Covered entities ........................
774,331 Covered entities ........................
15,000,000 Subscribers ..........................
$0.04
55
50
55
3
18
276
76
13
Total Nonrecurring Burden ...............
..................................................................
..................................................................
a 544
a Totals
may not add up due to rounding.
Table 7 summarizes the recurring
costs that the Department anticipates
covered entities would incur annually
347 45
as a result of the proposed regulatory
changes. These new costs would be
based on responding to requests for
disclosures for which an attestation is
required.
CFR 164.520(c)(1)(v)(A).
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
PO 00000
Frm 00041
Fmt 4701
Sfmt 4702
E:\FR\FM\17APP2.SGM
17APP2
23546
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
TABLE 7—RECURRING ANNUAL COSTS OF COMPLIANCE WITH THE PROPOSED RULE a
Burden hours/CE × wage
Respondents
Disclosures for which an attestation is
required.
1 × $87.60 ...............................................
774,331 Covered entities ........................
$67,831,396
Total Recurring Annual Burden ........
..................................................................
..................................................................
67,831,396
a Totals
may not add up due to rounding.
Costs Borne by the Department
The covered entities that are operated
by the Department would be affected by
the proposed changes in a similar
manner to other covered entities, and
those costs have been factored into the
estimates above.
The Department expects that it would
incur costs related to drafting and
disseminating information about the
proposed regulatory changes to covered
entities, including health care providers
and health plans. In addition, the
Department anticipates that it may incur
a 26-fold increase in the number of
requests for exceptions from state law
preemption in the first year after a final
rule becomes effective, at an estimated
total cost of approximately $146,319 to
analyze and develop responses for an
average cost of $7,410 per request. This
increase is based on the number of
states that have or are likely to pass
more restrictive abortion laws 348 and
may seek to use or disclose individuals’
PHI to enforce those laws. This estimate
assumes that the Department receives
and reviews exception requests from
each of those 26 states, that half of those
require a more complex analysis, and
that all requests result in a written
response within one year of the final
rule’s publication.
Benefits of the Proposed Rule
The benefits of the proposed rule to
individuals and families are likely
substantial, and yet are not fully
quantifiable because the area of health
care the proposed rule addresses is
among the most sensitive and lifealtering if privacy is violated.
Additionally, the value of privacy,
which cannot be recovered once lost,
and trust that privacy will be protected
by others, is difficult to quantify fully.
Notably, matters of reproductive health
may include circumstances resulting in
lotter on DSK11XQN23PROD with PROPOSALS2
Total annual
cost
(millions)
Recurring costs
348 See Elizabeth Nash, Lauren Cross, ‘‘26 States
Are Certain or Likely to Ban Abortion Without Roe:
Here’s Which Ones and Why,’’ Guttmacher Institute
(published Oct. 28, 2021; updated Apr. 19, 2022
and Jan. 10, 2023), https://www.guttmacher.org/
article/2021/10/26-states-are-certain-or-likely-banabortion-without-roe-heres-which-ones-and-why. In
January 2023, the number of projected states
dropped to 24.
VerDate Sep<11>2014
17:59 Apr 14, 2023
Jkt 259001
a pregnancy, considerations concerning
maternal and fetal health, family genetic
conditions, information concerning
sexually transmitted infections, and the
relationship between prospective
parents (including victimization due to
rape, incest, or sex trafficking).
Involuntary or poorly-timed disclosures
can irreparably harm relationships and
reputations, and even result in job loss
or other negative consequences in the
workplace,349 as well as investigation,
civil litigation or proceedings, and
prosecution for lawful
activities.350Additionally, fear of
potential penalties or liability that may
result from disclosing information to a
health care provider related to accessing
abortion or other reproductive health
care may cast a long shadow, decreasing
trust between individuals and health
care providers, discouraging and
deterring access to other valuable and
necessary health care, or compromising
ongoing or subsequent care if patient
medical records are not accurate or
complete.351 The proposed rule would
prevent or reduce the harms discussed
here, resulting in non-quantifiable
benefits to individuals and their
families, friends, and health care
providers. In particular, the role of trust
in the health care system and its
importance to the provision of highquality health care is discussed
extensively in section III of this
preamble.
The Department believes the
proposed rule would increase health
349 See Danielle Keats Citron and Daniel J. Solove,
‘‘Privacy Harms,’’ GWU Legal Studies Research
Paper No. 2021–11, GWU Law School Public Law
Research Paper No. 2021–11, 102 Boston University
Law Review 793, 830—861 (Feb. 9, 2021), https://
papers.ssrn.com/sol3/papers.cfm?abstract_
id=3782222.
350 See ‘‘Lawyers preparing for abortion
prosecutions warn about health care, data privacy,’’
supra note 166.
351 See ‘‘Women with chronic conditions struggle
to find medications after abortion laws limit
access,’’ Centers for Disease Control and Prevention,
Division of Reproductive Health, National Center
for Chronic Disease Prevention and Health
Promotion (Jan. 4, 2023), https://www.cdc.gov/
teenpregnancy/health-care-providers/index.htm;
and ‘‘Abortion Bans May Limit Essential
Medications for Women with Chronic Conditions,’’
supra note 176.
PO 00000
Frm 00042
Fmt 4701
Sfmt 4702
literacy by improving access to
complete information about health care
options for individuals.352 For example,
the proposal to prohibit use and
disclosure of PHI for purposes of
prosecuting an individual, a person
assisting them, or their health care
provider would enable health care
providers to obtain and provide
complete and accurate medical
information about reproductive health
care without undue fear of serious and
costly repercussions.
The Department believes that the
proposed rule would also contribute to
increased access to prenatal health care
at the critical early stages of pregnancy
by affording individuals the assurance
that they may obtain reproductive
health care without fearing that records
related to that care would be subject to
disclosure. For example, if a sexually
active individual fears they or their
health care providers could be subject to
prosecution as a result of disclosure of
their PHI, the individual may avoid
informing health care providers about
symptoms or asking questions of
medical experts and may consequently
fail to receive the support and health
care they need to obtain a pregnancy
diagnosis and receive appropriate,
lawful health care.353 Similarly, the
proposed rule would likely contribute to
decreasing the rate of maternal mortality
and morbidity by improving access to
information about health services.354
The Department believes that the
proposed rule would contribute to
enhancing the mental health and
emotional well-being of individuals
seeking or obtaining reproductive health
care by reducing fear that their PHI
would be disclosed for an investigation
352 See Lynn M. Yee, Robert Silver, David M.
Haas, et al., ‘‘Association of Health Literacy Among
Nulliparous Individuals and Maternal and Neonatal
Outcomes,’’ JAMA Network Open (Sept. 1, 2021),
https://jamanetwork.com/journals/
jamanetworkopen/fullarticle/2783674.
353 See Texas Maternal Mortality and Morbidity
Review Committee and Department of State Health
Services Joint Biennial Report 2022, supra note 16.
354 See Helen Levy, Alex Janke, ‘‘Health Literacy
and Access to Care,’’ Journal of Health
Communication (2016), https://
www.ncbi.nlm.nih.gov/pmc/articles/PMC4924568/;
see also Brief for Zurawski.
E:\FR\FM\17APP2.SGM
17APP2
lotter on DSK11XQN23PROD with PROPOSALS2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
of or proceeding against, or prosecution
of the individual, their health care
provider, or any persons facilitating the
individual’s access to reproductive
health care. This is especially important
for individuals who need access to
reproductive health care because they
are survivors of rape, incest, or sex
trafficking. For at least some such
individuals, certain types of
reproductive health care, including
abortion, generally remain legal even if
the option to terminate a pregnancy is
no longer available to the broader
population under state laws. The
proposed rule is projected to prevent or
reduce re-victimization of pregnant
individuals who have been subject to
rape, incest, or sex trafficking by
protecting their PHI from disclosure.
Investigations and prosecutions that
rely on that information may be costly
to defend against and thus financially
draining for the target of the
investigation or prosecution and for
persons who are not the target of the
investigation or prosecution but whose
information may be used as evidence
against others. Witnesses or targets of an
investigation or prosecution may lose
time from work and incur steep legal
bills that create unmanageable debt or
otherwise harm the economic stability
of the individual, their family, and their
health care provider. In the absence of
the proposal, much of those costs may
be for defending against the disclosure
or use of PHI. Thus, the Department
expects that the proposed rule would
contribute to families’ economic wellbeing by reducing the risk of exposure
to costly investigation or prosecution for
lawful activities as a result of
disclosures of PHI.
The Department believes that the
proposed rule would also contribute to
improved continuity of care and
ongoing and subsequent health care for
individuals, thereby improving health
outcomes. If a health care provider
believes that the patient’s PHI is likely
to be disclosed without the patient’s or
the health care provider’s knowledge or
consent, possibly to initiate or be used
in criminal or civil proceedings against
the patient, their health care provider,
or others, the health care provider is
more likely to omit information about a
patient’s medical history or condition,
or leave gaps or include inaccuracies,
when preparing patient medical records.
And if an individual’s medical records
lack complete information about the
individual’s health history, a
subsequent health care provider may
not be able to conduct an appropriate
health assessment to reach a sound
diagnosis and recommend the best
course of action for the individual.
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
Alternatively, health care providers may
withhold from the individual full and
complete information about their
treatment options because of liability
concerns stemming from fears about the
privacy of an individual’s PHI.355
Heightened confidentiality and privacy
protections enable a health care
provider to feel confident maintaining
full and complete patient records.
Without complete patient records, an
individual is less likely to receive
appropriate ongoing or future health
care, including correct diagnoses, and
will be impeded in making informed
treatment decisions.
Comparison of Benefits and Costs
The Department expects the totality of
the benefits of the proposed rule to
outweigh the costs because the rule
would create a net benefit to society,
particularly for the significant number
of individuals who could become
pregnant (nearly one-fourth of the
population of the U.S.) and who need
access to lawful health care without the
risk of their PHI being used or disclosed
in furtherance of criminal, civil, or
administrative investigations or
proceedings. The Department expects
covered entities and individuals to
benefit from covered entities’ increased
flexibility and confidence to be able to
provide health care according to
professional standards.
The Department’s benefit-cost
analysis asserts that the proposed
regulatory changes would help support
individuals’ right to access health care
and information about their health care
options free of government intrusion,
enhance the relationship between health
care professionals and individuals,
strengthen maternal well-being and
family stability, and support victims of
rape, incest, and sex trafficking. The
regulatory proposals would also aid
health care providers in developing and
maintaining a high level of trust
between health care professionals and
individuals and maintaining complete
and accurate patient medical records to
aid ongoing and subsequent health care.
Greater levels of trust would further
enable individuals to develop and
maintain relationships with health care
professionals, which would enhance
continuity of health care for all
individuals receiving care from the
health care provider, not only those in
need of reproductive health care.
The financial costs of the proposed
rule would accrue primarily to covered
entities, particularly health care
providers and health plans in the first
year after implementation of a final rule,
355 See
PO 00000
Brief for Zurawski at p. 10.
Frm 00043
Fmt 4701
Sfmt 4702
23547
with recurring costs accruing annually
at a lower rate.
4. Request for Comment
jj. The Department requests comment
on all the estimates, assumptions, and
analyses within the cost-benefits
analysis, including the costs to
regulated entities and individuals.
kk. The Department also requests
comments on any relevant information
or data that would inform a quantitative
analysis of proposed reforms that the
Department qualitatively addresses in
this RIA. Specifically, the Department
requests comment on the following:
i. Whether this proposed rule would
affect other activities of regulated
entities, including their ability to
comply with other laws, and, if so, how.
ii. Whether the proposed prohibition
on the use or disclosure of PHI for a
criminal, civil, or administrative
investigation or proceeding against any
person in connection with seeking,
obtaining, providing, or facilitating
reproductive health care that is lawful
under the circumstances in which it is
provided would affect the disclosure of
PHI between health care providers or
between health care providers and
health plans for treatment purposes.
iii. Whether the proposed prohibition
on the use or disclosure of PHI for a
criminal, civil, or administrative
investigation or proceeding against any
person in connection with seeking
obtaining, providing, or facilitating
reproductive health care that is lawful
under the circumstances in which it is
provided would affect the provision of
access to individuals who request
copies of their own PHI.
iv. Data about the costs to regulated
entities of determining whether
reproductive health care revealed in PHI
that is the subject of a request under 45
CFR 164.512(d) through (f) and (g)(1)
was lawful under the circumstances in
which it was provided.
v. Data about the costs to regulated
entities of determining whether a
request for the use or disclosure of PHI
is for a prohibited purpose where an
attestation is not provided.
vi. Whether the ongoing cost
associated with the burden of
responding to requests for PHI with an
authorization is an appropriate
comparator for the ongoing cost
associated with the burden of
responding to requests for PHI that may
require an attestation.
vii. The number of requests regulated
entities receive annually for uses and
disclosures under 45 CFR 164.512(d)
through (f) and (g)(1), and the number
of individuals’ records encompassed by
those requests.
E:\FR\FM\17APP2.SGM
17APP2
23548
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
viii. Data about the costs and any
other burdens for regulated entities
associated with determining that a
request is for PHI that is potentially
related to reproductive health care.
ix. Whether the lack of an attestation
for some requests received under 45
CFR 164.512(d) through (f) and (g)(1)
would increase the time needed to
process each request.
ll. The Department also requests
comments on whether there may be
other indirect costs and benefits
resulting from the changes in the
proposed rule and welcomes additional
information that may help quantify
those costs and benefits.
B. Regulatory Alternatives to the
Proposed Rule
The Department welcomes public
comment on any benefits or drawbacks
of the following alternatives it
considered, but did not propose, while
developing this proposed rule. The
Department also requests comment on
whether the Department should
reconsider any of the alternatives
considered, and if so, why.
No Regulatory Changes
The Department carefully considered
several alternatives to issuing this
NPRM, including the option of not
pursuing any regulatory changes, but
rejected that approach for several
reasons. Recent developments in state
law that impose greater restrictions on
access to reproductive health care are
generating significant confusion for
individuals, health care providers, and
family, friends, and caregivers regarding
their ability to privately seek, obtain,
provide, or facilitate lawful
reproductive health care. In light of
these developments, there is significant
confusion about the extent to which
reproductive health care information is
protected by the Privacy Rule. Perhaps
most importantly, the current regulatory
environment is diminishing the ability
of individuals to receive medically
appropriate health care that remains
legal under the circumstances in which
it is provided—including in a wide
range of contexts beyond reproductive
care—thus putting their health at
increased risk.356 The Department
believes that the Privacy Rule should be
lotter on DSK11XQN23PROD with PROPOSALS2
356 See
‘‘Methotrexate access becomes challenging
for some patients following Supreme Court decision
on abortion,’’ ‘‘Abortion restrictions may be making
it harder for patients to get a cancer and arthritis
drug,’’ ‘‘Abortion bans complicate access to drugs
for cancer, arthritis, even ulcers,’’ supra note 175.
See also, e.g., ‘‘Women with chronic conditions
struggle to find medications after abortion laws
limit access,’’ ‘‘Abortion Bans May Limit Essential
Medications for Women with Chronic Conditions,’’
supra note 176.
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
modified to protect the privacy of PHI
to better support the provision of
appropriate, timely, and lawful
reproductive health care and other
health care for pregnant individuals in
the current environment. The proposed
regulatory changes would further
Congressional intent to protect the
privacy of IIHI and bolster patientprovider confidentiality. Revising the
Privacy Rule would clarify covered
entities’ obligations and flexibilities,
protect the privacy of individuals’ PHI,
and improve the quality of individuals’
health care.
Modify Privacy Rule Without
Preempting State Law
The Department also considered
whether to remove the Privacy Rule
permissions for a covered entity to
comply with certain other legal
requirements to use or disclose PHI,
such as the terms of a court order or
other judicial or administrative process
without preempting statutes or
regulations that specifically require
regulated entities to make uses and
disclosures of PHI about an individual’s
reproductive health. The Department
believes that this approach would not
protect an individual from having their
PHI disclosed and used against them
when another law requires the
disclosure. As discussed in the
preamble, the Department believes that
this result would undermine trust in the
health care system and thereby decrease
access to quality health care, as well as
interfere with continuity of care by
compromising the accuracy and
completeness of patient medical
records, contrary to Congress’ intent in
enacting HIPAA. The Department
believes that these harms outweigh the
states’ interests in this context. The
Department therefore proposes to
preempt state law that would require
use or disclosure of PHI about an
individual’s reproductive health for
prohibited purposes, as discussed
herein.
Modify the Privacy Rule To Align With
42 CFR Part 2 for Uses and Disclosures
of PHI for Certain Criminal and
Noncriminal Proceedings Against an
Individual
The Department also considered
proposing to apply requirements
equivalent to 42 CFR part 2 (referred to
as ‘‘part 2’’) for uses and disclosures of
PHI for certain criminal and
noncriminal proceedings against an
individual based on their alleged
decision to obtain, or attempt to obtain,
reproductive health care. However, the
Department believes this approach also
would not protect an individual from
PO 00000
Frm 00044
Fmt 4701
Sfmt 4702
having their PHI disclosed and
potentially used against them pursuant
to a court order, and thus it also would
not prevent regulated entities from
disclosing an individual’s PHI for
purposes of imposing criminal or civil
liability on an individual, health care
provider, or other person, for obtaining,
providing, or facilitating lawful
reproductive health care. Part 2 affords
some discretion to courts to order
disclosures of part 2 records in certain
circumstances; however, part 2 also
expressly prohibits further use or
disclosure of those records by any
recipient for a proceeding against a
patient. The Privacy Rule only regulates
uses and disclosures by regulated
entities; the Privacy Rule cannot limit
further uses or disclosures by other
persons who receive an individual’s
health information from a regulated
entity. Therefore, an approach similar to
part 2 would not sufficiently strengthen
privacy protections with respect to the
purposes for which this proposal would
prohibit the use or disclosure of PHI.
Require a Valid Authorization Before
Using or Disclosing PHI for Certain
Purposes
As an alternative to prohibiting
certain uses and disclosures as proposed
in this NPRM, the Department
considered proposing to permit
regulated entities to make such uses or
disclosures of PHI only after obtaining
a valid authorization. However, the
Department has concerns regarding the
potential for coercion or harassment of
individuals to pressure them into
providing authorization for access to
their PHI by persons requesting the
disclosure, such as law enforcement. In
such a scenario, covered entities would
be forced to choose between their
obligations under state law and their
Privacy Rule compliance
responsibilities in the event that an
individual declined to provide an
authorization, undermining health
information privacy protections for
individuals. As a result, the
Department’s current view is that an
authorization approach would not
adequately ensure trust in the
relationship between health care
professionals and individuals.
Require Covered Entities To Agree to
Requests for Restrictions on Disclosures
of PHI for Treatment, Payment, and
Health Care Operations
Concerns have arisen that some states
may attempt to criminalize or otherwise
penalize individuals for traveling out of
state to obtain reproductive health care,
or other persons for assisting
individuals who do, notwithstanding
E:\FR\FM\17APP2.SGM
17APP2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
relevant constitutional protections. The
Department thus considered including a
proposal that would have required
regulated entities to agree to requests
from individuals to restrict disclosures
of PHI related to reproductive health
care for treatment, payment, or health
care operations. This may lower the risk
of PHI being disclosed to covered
entities in states that may seek to obtain
it pursuant to a criminal, civil, or
administrative investigation or
proceeding related to the receipt or
facilitation of reproductive health care.
However, the Department has concerns
about the ability of regulated entities to
operationalize such a requirement.
Further, the requirement would likely
be overly restrictive for regulated
entities and may not improve the
quality of health care. Additionally, this
approach would be dependent on
individuals’ awareness of their right to
make a request for restrictions and
confidence that such requests would be
granted. The Privacy Rule permits
regulated entities to accept requests for
restrictions from individuals, although
they are only mandated to accept such
requests to prevent disclosures to an
individual’s health plan for health care
that has been paid in full by the
individual.
lotter on DSK11XQN23PROD with PROPOSALS2
Prohibit Uses and Disclosures of PHI
Related to Reproductive Health Care
The Department considered limiting
the prohibition to uses and disclosures
of PHI related to reproductive health
care for certain purposes. However, as
discussed in the preamble, this would
have required the Department to define
what constitutes ‘‘related to’’
reproductive health care. Given the
connection between reproductive health
care and other types of health care, the
Department believes that it would not
be possible to create such a definition at
this time without being both under- and
over-inclusive. The difficulty of
defining this category could make it
impossible for electronic health records
to reliably segregate the information.
In addition, requiring regulated
entities to take actions that necessitate
treating one category of PHI differently
than other PHI (e.g., imposing
conditions on uses and disclosures that
would require such entities to label or
segment certain PHI within medical
records) would hinder coordinated care
and potentially result in negative health
outcomes if treating clinicians are
unaware of an individual’s complete
medical history. As a result, the
Department believes that this approach
would not enhance access to quality
health care.
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
Under the current proposal, regulated
entities would be required to obtain an
attestation from persons requesting PHI
that is ‘‘potentially related to
reproductive health care’’ when the
request is made pursuant to the use and
disclosure permissions at 45 CFR
164.512(d) through (f) or (g)(1). While
the language itself is similar, the
Department believes using it in this
instance would not create the same
operational challenges described above.
For example, because the proposed
attestation requirement would apply
only to certain permissions that are not
used by covered health care providers to
disclose PHI to other health care
providers for treatment purposes, care
coordination would not be hindered.
Additionally, we do not believe that this
approach would implicate the
segmentation concerns described above
because ‘‘potentially related to
reproductive health care’’ is broader
than ‘‘related to reproductive health
care.’’ This would require regulated
entities to consider the full scope and
context of the PHI requested to
determine whether it could reveal
information about the individual’s
reproductive health.
Prohibit the Uses and Disclosures of PHI
Proposed in This Rule Without the Rule
of Applicability
The Department considered
prohibiting the use or disclosure of PHI
for the purpose of investigating or
conducting a proceeding against any
person for seeking, obtaining, providing,
or facilitating reproductive care,
regardless of whether the care was
lawful under state or Federal law.
However, the Department is concerned
that this uniform approach would have
placed significant burdens on states’
abilities to enforce their laws. The
Department has therefore proposed the
more tailored approach in this proposed
rule.
Require Attestations for Requests for
Any PHI Under 45 CFR 164.512(d)
Through (f) and (g)(1)
The Department considered requiring
that regulated entities obtain an
attestation before using or disclosing
any PHI under 45 CFR 164.512(d)
through (f) and (g)(1). However, this
could have placed an unnecessary
burden on regulated entities and
persons requesting PHI by requiring
attestations even under circumstances
in which the requested disclosure
would be unlikely to implicate the
prohibition. Thus, the Department has
taken a narrower approach to the
proposed attestation requirement.
PO 00000
Frm 00045
Fmt 4701
Sfmt 4702
23549
Require Attestations To Include Names
of Individuals Whose PHI Is Being
Sought for All Requests
The Department considered requiring
that an attestation include the name of
any individual whose PHI is being
requested, without providing an option
for the requestor to identify a class of
individuals if it is not practicable to
provide the individuals’ names.
However, this could have impeded
investigations of health care fraud, for
example, where health oversight
agencies and law enforcement
authorities know the name of a
suspected health care provider, but may
not know the names of individuals
before the request is made. Therefore,
where providing the names of
individuals is not practicable, the
Department has proposed an option for
identifying a class of individuals.
C. Regulatory Flexibility Act—Small
Entity Analysis
The Department has examined the
economic implications of this proposed
rule as required by the RFA. This
analysis, as well as other sections in this
RIA, serves as the Initial Regulatory
Flexibility Analysis, as required under
the RFA.
For purposes of the RFA, small
entities include small businesses,
nonprofit organizations, and small
governmental jurisdictions. The Act
defines ‘‘small entities’’ as (1) a
proprietary firm meeting the size
standards of the Small Business
Administration (SBA), (2) a nonprofit
organization that is not dominant in its
field, and (3) a small government
jurisdiction of less than 50,000
population. Because 90 percent or more
of all health care providers meet the
SBA size standard for a small business
or are a nonprofit organization, the
Department generally treats all health
care providers as small entities for
purposes of performing a regulatory
flexibility analysis. The SBA size
standard for health care providers
ranges between a maximum of $8
million and $41.5 million in annual
receipts, depending upon the type of
entity.357
With respect to health insurers, the
SBA size standard is a maximum of
$41.5 million in annual receipts, and for
third party administrators it is $40
million.358 While some insurers are
classified as nonprofit, it is possible
357 See ‘‘Table of Small Business Size Standards,’’
U.S. Small Business Administration (July 14, 2022),
https://www.sba.gov/sites/default/files/2022-07/
Table%20of%20Size%20Standards_
Effective%20July%2014%202022_Final-508.pdf.
358 Id.
E:\FR\FM\17APP2.SGM
17APP2
23550
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
lotter on DSK11XQN23PROD with PROPOSALS2
they are dominant in their market. For
example, a number of Blue Cross/Blue
Shield insurers are organized as
nonprofit entities; yet they dominate the
health insurance market in the states
where they are licensed.
For the reasons stated below, it is not
expected that the cost of compliance
would be significant for small entities.
Nor is it expected that the cost of
compliance would fall
disproportionately on small entities.
Although many of the covered entities
affected by the proposed rule are small
entities, they would not bear a
disproportionate cost burden compared
to the other entities subject to the
proposed rule.
The projected total costs are discussed
in detail in the RIA. The Department
does not view this as a burden because
the result of the changes would be
annualized costs per covered entity of
approximately $236 [= $183 million 359/
774,331 covered entities]. Thus, this
analysis concludes, and the Secretary
proposes to certify, that the proposed
rule, if finalized, would not result in a
significant economic effect on a
substantial number of small entities.
D. Executive Order 13132—Federalism
As required by E.O. 13132 on
Federalism, the Department has
examined the effects of provisions in the
proposed regulation on the relationship
between the Federal Government and
the states. In the Department’s view, this
proposed regulation would have
federalism implications because it
would have direct effects on the states,
the relationship between the National
Government and states, and on the
distribution of power and
responsibilities among various levels of
government relating to the disclosure of
PHI.
Any federalism implications of the
rule, however, flow from and are
consistent with the underlying statute—
and the proposed Rule of Applicability
would limit the proposed regulation to
those circumstances in which the state
lacks any substantial interest in seeking
the disclosure. The statute allows the
Department to preempt state or local
rules that provide less stringent privacy
protection requirements than Federal
law.360 Section 3(b) of E.O. 13132
recognizes that national action limiting
the policymaking discretion of states
will be imposed only where there is
constitutional and statutory authority
for the action and the national activity
is appropriate in light of the presence of
359 This figure represents annualized costs
discounted at a 3% rate.
360 42 U.S.C. 1320d–7(a)(1).
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
a problem of national significance. The
privacy of PHI is of national concern by
virtue of the scope of interstate health
commerce. As described in the
preamble, recent state actions on
reproductive health care have
undermined the longstanding
expectation among individuals in all
states that their highly sensitive
reproductive health information will
remain private. These state actions thus
directly threaten the trust that is
essential to ensuring access to, and
quality of, lawful health care. HIPAA’s
provisions reflect this position by
authorizing the Secretary to promulgate
regulations to implement the Privacy
Rule.
Section 4(a) of E.O. 13132 expressly
contemplates preemption when there is
a conflict between exercising state and
Federal authority under a Federal
statute. Section 4(b) of the E.O.
authorizes preemption of state law in
the Federal rulemaking context when
‘‘the exercise of State authority directly
conflicts with the exercise of Federal
authority under the Federal statute.’’
The approach in this regulation is
consistent with these standards in the
Executive order in superseding state
authority only when such authority is
inconsistent with standards established
pursuant to the grant of Federal
authority under the statute. State and
local laws that impose less stringent
requirements for the protection of
reproductive health information
undermine Congress’ intent to ensure
that all individuals who receive health
care are assured a minimum level of
privacy for their PHI. Both the personal
and public interest is served by
protecting PHI so as not to undermine
an individual’s access to and quality of
health care services and their trust in
the health care system.
Section 6(b) of E.O. 13132 includes
some qualitative discussion of
substantial direct compliance costs that
state and local governments would
incur as a result of a proposed
regulation. The Department anticipates
that the most significant direct costs on
state and local governments would be
the cost for state and local governmentoperated covered entities to revise
business associate agreements, revise
policies and procedures, create a new
form for attestations, update the NPP,
update training programs, and process
requests for disclosures for which an
attestation is required. In addition, the
Department anticipates that
approximately half of the states may
choose to file a request for an exception
to preemption. The longstanding
regulatory provisions that govern
preemption exception requests under
PO 00000
Frm 00046
Fmt 4701
Sfmt 4702
the HIPAA Rules would remain
undisturbed by this proposed rule.361
However, based on the legal
developments in some states that are
described elsewhere in this preamble,
the Department believes it is likely that,
in the first year of implementation of a
final rule, more states will submit
requests for exceptions from preemption
than have done so in the past. The RIA
above addresses these costs in detail.
The Department requests comment
from local and state governments on
provisions in the proposed rule that
would preempt state and local laws and
on whether state and local governments
are likely to incur additional costs, such
as those associated with the effects of
the prohibited disclosures on law
enforcement’s access to information.
E. Assessment of Federal Regulation
and Policies on Families
Section 654 of the Treasury and
General Government Appropriations
Act of 1999 362 requires Federal
departments and agencies to determine
whether a proposed policy or regulation
could affect family well-being. If the
determination is affirmative, then the
Department or agency must prepare an
impact assessment to address criteria
specified in the law.
The proposed rule would strengthen
the stability of the family and marital
commitment because it enables
individuals and families to have access
to the full range of reproductive health
care information and access to options
for consideration when making sensitive
decisions about family planning. The
proposed rule may be carried out only
by the Federal Government because it
would modify Federal health privacy
law, ensuring that American families
have access to reproductive health care
information and can freely discuss their
reproductive health, regardless of the
state where they are located when
health care is accessed. Access to
reproductive health care and
information about the full range of
reproductive health care is vital for
individuals who may become pregnant
or who are capable of becoming
pregnant.
F. Paperwork Reduction Act of 1995
Under the Paperwork Reduction Act
of 1995 363 (PRA), agencies are required
to submit to the Office of Management
and Budget (OMB) for review and
approval any reporting or recordkeeping requirements inherent in a
361 45
CFR 160.201 through 160.205.
Law 105–277, 112 Stat. 2681 (Oct. 21,
362 Public
1998).
363 Public Law 104–13, 109 Stat. 163 (May 22,
1995).
E:\FR\FM\17APP2.SGM
17APP2
lotter on DSK11XQN23PROD with PROPOSALS2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
proposed or final rule, and are required
to publish such proposed requirements
for public comment. The PRA requires
agencies to provide a 60-day notice in
the Federal Register and solicit public
comment on a proposed collection of
information before it is submitted to
OMB for review and approval. To fairly
evaluate whether an information
collection should be approved by the
OMB, section 3506(c)(2)(A) of the PRA
requires that the Department solicit
comment on the following issues:
1. Whether the information collection
is necessary and useful to carry out the
proper functions of the agency;
2. The accuracy of the agency’s
estimate of the information collection
burden;
3. The quality, utility, and clarity of
the information to be collected; and
4. Recommendations to minimize the
information collection burden on the
affected public, including automated
collection techniques.
The PRA requires consideration of the
time, effort, and financial resources
necessary to meet the information
collection requirements referenced in
this section. The Department explicitly
seeks, and will consider, public
comment on its assumptions as they
relate to the PRA requirements
summarized in this section. To
comment on the collection of
information or to obtain copies of the
supporting statements and any related
forms for the proposed paperwork
collections referenced in this section,
email your comment or request,
including your address and phone
number to Sherrette.Funn@hhs.gov, or
call the Reports Clearance Office at
(202) 690–6162. Written comments and
recommendations for the proposed
information collections must be directed
to the OS Paperwork Clearance Officer
at the above email address within 60
days.
In this NPRM, the Department is
revising certain information collection
requirements and, as such, is revising
the information collection last prepared
in 2019 and previously approved under
OMB control # 0945–0003. The revised
information collection describes all new
and adjusted information collection
requirements for covered entities
pursuant to the implementing regulation
for HIPAA at 45 CFR parts 160 and 164,
the HIPAA Privacy, Security, Breach
Notification, and Enforcement Rules.
The estimated annual labor burden
presented by the proposed regulatory
modifications in the first year of
implementation, including nonrecurring
and recurring burdens, is 5,189,569
burden hours at a cost of
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
$596,728,985 364 and $67,831,396 of
estimated annual labor costs in years
two through five. The overall total
burden for respondents to comply with
the information collection requirements
of all of the HIPAA Privacy, Security,
and Breach Notification Rules,
including nonrecurring and recurring
burdens presented by proposed program
changes, is 955,098,062 burden hours at
a cost of $101,685,085,101, plus
$188,873,438 in capital costs for a total
estimated annual burden of
$101,873,958,539 in the first year
following the effective date of the final
rule, assuming all changes are adopted
as proposed. Details describing the
burden analysis for the proposals
associated with this NPRM are
presented below.
1. Explanation of Estimated Annualized
Burden Hours
Below is a summary of the significant
program changes and adjustments made
since the 2019 information collection.
These program changes and adjustments
form the bases for the burden estimates
presented in information collection
request associated with this NPRM.
Adjusted Estimated Annual Burdens of
Compliance
(1) Increasing the number of covered
entities from 700,000 to 774,331 based
on program change;
(2) Increasing the number of
respondents requesting exceptions to
state law preemption from 1 to 27 based
on an expected reaction by states that
have enacted restrictions on
reproductive health care access;
(3) Increasing the burden hours by a
factor of two for responding to
individuals’ requests for restrictions on
disclosures of their PHI under 45 CFR
164.522 to represent a doubling of the
expected requests; and
(4) Increasing the total number of
NPPs distributed by health plans by
50% to total 300,000,000 due to the
increase in number of Americans with
health coverage.
New Burdens Resulting From Program
Changes
In addition to these changes, the
Department added new annual burdens
as a result of program changes:
(1) A nonrecurring burden of 30
minutes per covered entity to create a
new attestation form using the sample
provided by the Department;
(2) A recurring burden of 1 hour per
covered entity for uses and disclosures
364 This includes an increase of 416 burden hours
and $36,442 in costs added to the existing
information collection for requesting exemption
determinations under 45 CFR 160.204.
PO 00000
Frm 00047
Fmt 4701
Sfmt 4702
23551
for which an attestation must be
obtained from the person requesting the
use and disclosure;
(3) A nonrecurring burden of 1 hour
per business associate agreement that is
revised as a result of the proposed
changes to handling requests under 45
CFR 164.512(d), (e), (f), and (g)(1), to
allocate responsibilities between
covered entities and their release-ofinformation contractors;
(4) A nonrecurring burden of 30
minutes per covered entity to update the
required content of its NPP;
(5) A nonrecurring burden of 15
minutes per covered entity for posting
an updated NPP online;
(6) A nonrecurring burden of 2.5
hours for each covered entity to update
its policies and procedures; and
(7) A nonrecurring burden of 90
minutes for each covered entity to
update the content of its HIPAA training
program.
VI. Request for Comment
In addition to the questions posed
above, the Department also seeks
comment on the following questions:
mm. Whether individuals who are
members of historically underserved
and minority communities are more
likely to be subjects of investigations
into or proceedings against persons in
connection with obtaining, providing, or
facilitating lawful reproductive health
care. If so, please explain the
relationship to and effects on the health
information privacy of community
members, including data and citations
to relevant literature.
nn. Whether individuals who are
members of historically underserved
and minority communities are less
likely to have access to legal counsel
when facing investigations into or
proceedings against persons in
connection with obtaining, providing, or
facilitating lawful reproductive health
care. If so, please explain the
relationship to and effects on the health
information privacy of community
members, including data and citations
to relevant literature.
oo. With respect to an individual’s
right to restrict uses and disclosures of
their PHI under 45 CFR 164.522(a)(1):
i. Whether individuals are generally
aware of this right.
ii. Whether covered entities have
experienced an increase in requests
from individuals to exercise this right.
iii. Whether regulated entities have
been or are more likely to grant
individuals such requests considering
the recent developments in the legal
environment.
E:\FR\FM\17APP2.SGM
17APP2
23552
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
VII. Public Participation
The Department seeks comment on all
issues raised by the proposed
regulation, including any unintended
adverse consequences. Because of the
large number of public comments
normally received on Federal Register
documents, the Department is not able
to acknowledge or respond to them
individually. In developing the final
rule, the Department will consider the
public comments that are received by
the date and time specified in the DATES
section of the Preamble, in accordance
with the agency practices described in
the section labeled ADDRESSES.
List of Subjects
45 CFR Part 160
Administrative practice and
procedure, Computer technology,
Electronic information system,
Electronic transactions, Employer
benefit plan, Health, Health care, Health
facilities, Health insurance, Health
professions, Health records, Hospitals,
Investigations, Medicaid, Medical
research, Medicare, Penalties,
Preemption, Privacy, Public health,
Reporting and recordkeeping
requirements, Reproductive health care,
Security.
45 CFR Part 164
Administrative practice and
procedure, Computer technology, Drug
abuse, Electronic information system,
Electronic transactions, Employer
benefit plan, Health, Health care, Health
facilities, Health insurance, Health
professions, Health records, Hospitals,
Medicaid, Medical research, Privacy,
Public health, Reporting and
recordkeeping requirements,
Reproductive health care, Security.
§ 160.103
Definitions.
*
*
*
*
*
Person means a natural person
(meaning a human being who is born
alive), trust or estate, partnership,
corporation, professional association or
corporation, or other entity, public or
private.
*
*
*
*
*
Public health, as used in the terms
‘‘public health surveillance,’’ ‘‘public
health investigation,’’ and ‘‘public
health intervention,’’ means populationlevel activities to prevent disease and
promote health of populations. Such
activities do not include uses and
disclosures for the criminal, civil, or
administrative investigation into or
proceeding against a person in
connection with obtaining, providing, or
facilitating reproductive health care, or
for the identification of any person in
connection with a criminal, civil, or
administrative investigation into or
proceeding against a person in
connection with obtaining, providing, or
facilitating reproductive health care.
Reproductive health care means care,
services, or supplies related to the
reproductive health of the individual.
*
*
*
*
*
PART 164—SECURITY AND PRIVACY
3. The authority citation for part 164
continues to read as follows:
■
Authority: 42 U.S.C. 1302(a); 42 U.S.C.
1320d–1320d–9; sec. 264, Pub. L. 104–191,
110 Stat. 2033–2034 (42 U.S.C. 1320d–
2(note)); and secs. 13400–13424, Pub. L. 111–
5, 123 Stat. 258–279.
Proposed Rule
■
For the reasons stated in the
preamble, the Department of Health and
Human Services proposes to amend 45
CFR subtitle A, subchapter C, parts 160
and 164 as set forth below:
§ 164.502 Uses and disclosures of
protected health information: General rules.
PART 160—GENERAL
ADMINISTRATIVE REQUIREMENTS
1. The authority citation for part 160
continues to read as follows:
■
lotter on DSK11XQN23PROD with PROPOSALS2
b. Adding in alphabetical order the
definitions of ‘‘Public health’’ and
‘‘Reproductive health care’’.
The revision and additions read as
follows:
■
Authority: 42 U.S.C. 1302(a); 42 U.S.C.
1320d–1320d–9; sec. 264, Pub. L. 104–191,
110 Stat. 2033–2034 (42 U.S.C. 1320d–2
(note)); 5 U.S.C. 552; secs. 13400–13424, Pub.
L. 111–5, 123 Stat. 258–279; and sec. 1104 of
Pub. L. 111–148, 124 Stat. 146–154.
2. Amend § 160.103 by:
a. Revising the definition of ‘‘Person’’;
and
■
■
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
4. Amend § 164.502 by revising
paragraphs (a)(1)(iv) and (vi) and adding
paragraphs (a)(5)(iii) and (g)(5)(iii) to
read as follows:
(a) * * *
(1) * * *
(iv) Except for uses and disclosures
prohibited under paragraph (a)(5)(i) or
(iii) of this section, pursuant to and in
compliance with a valid authorization
under § 164.508;
*
*
*
*
*
(vi) As permitted by and in
compliance with any of the following:
(A) This section.
(B) Section 164.512 and, where
applicable, § 164.509.
(C) Section 164.514(e).
(D) Section 164.514(f).
PO 00000
Frm 00048
Fmt 4701
Sfmt 4702
(E) Section 164.514(g).
*
*
*
*
(5) * * *
(iii) Reproductive health care—(A)
Prohibition. Subject to paragraphs
(a)(5)(iii)(C) and (D) of this section, a
covered entity or business associate may
not use or disclose protected health
information for either of the following
purposes.
(1) Where the use or disclosure is for
a criminal, civil, or administrative
investigation into or proceeding against
any person in connection with seeking,
obtaining, providing, or facilitating
reproductive health care.
(2) To identify any person for the
purpose of initiating an activity
described at paragraph (a)(5)(iii)(A)(1) of
this section.
(B) Scope of prohibition. For the
purposes of this subpart, seeking,
obtaining, providing, or facilitating
reproductive health care includes, but is
not limited to, any of the following:
expressing interest in, inducing, using,
performing, furnishing, paying for,
disseminating information about,
arranging, insuring, assisting, or
otherwise taking action to engage in
reproductive health care; or attempting
any of the same.
(C) Rule of applicability. The
prohibition at paragraph (a)(5)(iii) of
this section applies where one or more
of the following conditions exists.
(1) The relevant criminal, civil, or
administrative investigation or
proceeding is in connection with any
person seeking, obtaining, providing, or
facilitating reproductive health care
outside of the state where the
investigation or proceeding is
authorized and where such health care
is lawful in the state in which it is
provided.
(2) The relevant criminal, civil, or
administrative investigation or
proceeding is in connection with any
person seeking, obtaining, providing, or
facilitating reproductive health care that
is protected, required, or authorized by
Federal law, regardless of the state in
which such health care is provided.
(3) The relevant criminal, civil, or
administrative investigation or
proceeding is in connection with any
person seeking, obtaining, providing, or
facilitating reproductive health care that
is provided in the state in which the
investigation or proceeding is
authorized and that is permitted by the
law of that state.
(D) Rule of construction. Nothing in
this section shall be construed to
prohibit a use or disclosure of protected
health information otherwise permitted
by this subpart unless such use or
*
E:\FR\FM\17APP2.SGM
17APP2
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules
disclosure is primarily for the purpose
of investigating or imposing liability on
any person for the mere act of seeking,
obtaining, providing, or facilitating
reproductive health care.
*
*
*
*
*
(g) * * *
(5) * * *
(iii) Paragraph (g)(5) of this section
does not apply where the primary basis
for the covered entity’s belief is the
facilitation or provision of reproductive
health care by such person for and at the
request of the individual.
*
*
*
*
*
■ 5. Add § 164.509 to read as follows:
lotter on DSK11XQN23PROD with PROPOSALS2
§ 164.509 Uses and disclosures for which
an attestation is required.
(a) Standard: Attestations for certain
uses and disclosures of protected health
information to persons other than
covered entities. A covered entity may
not use or disclose protected health
information potentially related to
reproductive health care for purposes
specified in § 164.512(d), (e), (f), or
(g)(1), without obtaining an attestation
that is valid under this section from the
person requesting the use or disclosure.
(b) Implementation specifications:
General requirements—(1) Valid
attestations. (i) A valid attestation is a
document that meets the requirements
of paragraph (c)(1) of this section.
(ii) A valid attestation verifies that the
use or disclosure is not otherwise
prohibited by § 164.502(a)(5)(iii).
(iii) A valid attestation may be
electronic, provided that it meets the
requirements in paragraph (c)(1) of this
section, as applicable.
(2) Defective attestations. An
attestation is not valid if the document
submitted has any of the following
defects:
(i) The attestation lacks an element or
statement required by paragraph (c) of
this section.
(ii) The attestation contains an
element or statement not required by
paragraph (c) of this section.
(iii) The attestation violates paragraph
(b)(3) of this section.
(iv) The covered entity has actual
knowledge that material information in
the attestation is false.
(v) It is objectively unreasonable for
the covered entity to believe that the
attestation is true with respect to the
requirement at paragraph (c)(1)(iv) of
this section.
(3) Compound attestation. An
attestation may not be combined with
any other document.
(c) Implementation specifications:
Content requirements and other
VerDate Sep<11>2014
17:22 Apr 14, 2023
Jkt 259001
obligations—(1) Required elements. A
valid attestation under this section must
contain the following elements:
(i) A description of the information
requested that identifies the information
in a specific fashion, including one of
the following:
(A) The name of any individual(s)
whose protected health information is
sought, if practicable.
(B) If including the name(s) of any
individual(s) whose protected health
information is sought is not practicable,
a description of the class of individuals
whose protected health information is
sought.
(ii) The name or other specific
identification of the person(s), or class
of persons, who are requested to make
the use or disclosure.
(iii) The name or other specific
identification of the person(s), or class
of persons, to whom the covered entity
is to make the requested use or
disclosure.
(iv) A clear statement that the use or
disclosure is not for a purpose
prohibited under § 164.502(a)(5)(iii).
(v) Signature of the person requesting
the protected health information, which
may be an electronic signature, and
date. If the attestation is signed by a
representative of the person requesting
the information, a description of such
representative’s authority to act for the
person must also be provided.
(2) Plain language requirement. The
attestation must be written in plain
language.
(d) Material misrepresentations. If,
during the course of using or disclosing
protected health information in
reasonable reliance on a facially valid
attestation, a covered entity discovers
information reasonably showing that the
representations in the attestation were
materially false, leading to uses or
disclosures for a prohibited purpose, the
covered entity must cease such use or
disclosure.
■ 6. Amend § 164.512 by:
■ a. Revising the introductory text and
the heading of paragraph (c);
■ b. Adding paragraph (c)(3); and
■ c. Revising paragraph (f)(1)(ii)(C)
introductory text.
The revisions and addition read as
follows:
§ 164.512 Uses and disclosures for which
an authorization or opportunity to agree or
object is not required.
Except as provided by
§ 164.502(a)(5)(iii), a covered entity may
use or disclose protected health
information without the written
PO 00000
Frm 00049
Fmt 4701
Sfmt 9990
23553
authorization of the individual, as
described in § 164.508, or the
opportunity for the individual to agree
or object as described in § 164.510, in
the situations covered by this section,
subject to the applicable requirements of
this section and § 164.509. When the
covered entity is required by this
section to inform the individual of, or
when the individual may agree to, a use
or disclosure permitted by this section,
the covered entity’s information and the
individual’s agreement may be given
verbally.
*
*
*
*
*
(c) Standard: Disclosures about
victims of abuse, neglect, or domestic
violence. * * *
(3) Rule of construction. Nothing in
this section shall be construed to permit
disclosures prohibited by
§ 164.502(a)(5)(iii) when the report of
abuse, neglect, or domestic violence is
based primarily on the provision of
reproductive health care.
*
*
*
*
*
(f) * * *
(1) * * *
(ii) * * *
(C) An administrative request for
which response is required by law,
including an administrative subpoena or
summons, a civil or an authorized
investigative demand, or similar process
authorized under law, provided that:
*
*
*
*
*
■ 7. Amend § 164.520 by adding
paragraphs (b)(1)(ii)(F) and (G) to read
as follows:
§ 164.520 Notice of privacy practices for
protected health information.
*
*
*
*
*
(b) * * *
(1) * * *
(ii) * * *
(F) A description, including at least
one example, of the types of uses and
disclosures prohibited under
§ 164.502(a)(5)(iii) in sufficient detail for
an individual to understand the
prohibition.
(G) A description, including at least
one example, of the types of uses and
disclosures for which an attestation is
required under § 164.509.
*
*
*
*
*
Dated: April 5, 2023.
Xavier Becerra,
Secretary, Department of Health and Human
Services.
[FR Doc. 2023–07517 Filed 4–12–23; 8:45 am]
BILLING CODE 4153–01–P
E:\FR\FM\17APP2.SGM
17APP2
]]>Agencies
[Federal Register Volume 88, Number 73 (Monday, April 17, 2023)]
[Proposed Rules]
[Pages 23506-23553]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-07517]
[[Page 23505]]
Vol. 88
Monday,
No. 73
April 17, 2023
Part II
Department of Health and Human Services
-----------------------------------------------------------------------
45 CFR Part 160 and 164
HIPAA Privacy Rule To Support Reproductive Health Care Privacy;
Proposed Rule
��Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 /
Proposed Rules��
[[Page 23506]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
RIN 0945-AA20
HIPAA Privacy Rule To Support Reproductive Health Care Privacy
AGENCY: Office for Civil Rights (OCR), Office of the Secretary,
Department of Health and Human Services.
ACTION: Notice of proposed rulemaking; notice of Tribal consultation.
-----------------------------------------------------------------------
SUMMARY: The Department of Health and Human Services (HHS or
``Department'') is issuing this notice of proposed rulemaking (NPRM) to
solicit comment on its proposal to modify the Standards for Privacy of
Individually Identifiable Health Information (``Privacy Rule'') under
the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
and the Health Information Technology for Economic and Clinical Health
Act of 2009 (HITECH Act). The proposal would modify existing standards
permitting uses and disclosures of protected health information (PHI)
by limiting uses and disclosures of PHI for certain purposes where the
use or disclosure of information is about reproductive health care that
is lawful under the circumstances in which such health care is
provided. The proposal would modify existing standards by prohibiting
uses and disclosures of PHI for criminal, civil, or administrative
investigations or proceedings against individuals, covered entities or
their business associates (collectively, ``regulated entities''), or
other persons for seeking, obtaining, providing, or facilitating
reproductive health care that is lawful under the circumstances in
which it is provided.
DATES:
Comments: Submit comments on or before June 16, 2023.
Meeting: Pursuant to Executive Order 13175, Consultation and
Coordination with Indian Tribal Governments, the Department of Health
and Human Services' Tribal Consultation Policy, and the Department's
Plan for Implementing Executive Order 13175, the Office for Civil
Rights solicits input from Tribal officials as the Department develops
the modifications to the HIPAA Privacy Rule at 45 CFR parts 160 and
164, subparts A and E. The Tribal consultation meeting will be held on
May 17, 2023, at 2 p.m. to 3:30 p.m. EDT.
ADDRESSES: You may submit comments, identified by RIN Number 0945-AA20,
by any of the following methods. Please do not submit duplicate
comments.
To participate in the Tribal consultation meeting, you must
register in advance at https://www.zoomgov.com/meeting/register/vJItf-2hqD8jHfdtmYaUoWidy9odBZMYQ4Q.
Federal eRulemaking Portal: You may submit electronic
comments at https://www.regulations.gov by searching for the Docket ID
number HHS-OCR-0945-AA20. Follow the instructions at https://www.regulations.gov for submitting electronic comments. Attachments
should be in Microsoft Word or Portable Document Format (PDF).
Regular, Express, or Overnight Mail: You may mail written
comments to the following address only: U.S. Department of Health and
Human Services, Office for Civil Rights, Attention: HIPAA and
Reproductive Health Care Privacy NPRM, Hubert H. Humphrey Building,
Room 509F, 200 Independence Avenue SW, Washington, DC 20201. Please
allow sufficient time for mailed comments to be timely received in the
event of delivery or security delays.
Please note that comments submitted by fax or email and those
submitted after the comment period will not be accepted.
Inspection of Public Comments: All comments received by the
accepted methods and due date specified above may be posted without
change to content to https://www.regulations.gov, which may include
personal information provided about the commenter, and such posting may
occur after the closing of the comment period. However, the Department
may redact certain non-substantive content from comments or attachments
to comments before posting, including: threats, hate speech, profanity,
sensitive health information, graphic images, promotional materials,
copyrighted materials, or individually identifiable information about a
third-party individual other than the commenter. In addition, comments
or material designated as confidential or not to be disclosed to the
public will not be accepted. Comments may be redacted or rejected as
described above without notice to the commenter, and the Department
will not consider in rulemaking any redacted or rejected content that
would not be made available to the public as part of the administrative
record.
Docket: For complete access to background documents or posted
comments, go to https://www.regulations.gov and search for Docket ID
number HHS-OCR-0945-AA20.
FOR FURTHER INFORMATION CONTACT: Lester Coffer at (202) 240-3110 or
(800) 537-7697 (TDD).
SUPPLEMENTARY INFORMATION: The discussion below includes an Executive
Summary, a description of relevant statutory and regulatory authority
and history, the justification for this proposed regulation, a section-
by-section description of the proposed modifications, and a regulatory
impact analysis and other required regulatory analyses. The Department
solicits public comment on all aspects of the proposed rule. The
Department requests that persons commenting on the provisions of the
proposed rule label their discussion of any particular provision or
topic with a citation to the section of the proposed rule being
addressed and identify the particular request for comment being
addressed, if applicable.
I. Executive Summary
A. Overview
B. Applicability
C. Table of Abbreviations/Commonly Used Acronyms in This
Document
II. Statutory Authority and Regulatory History
A. Statutory Authority and History
1. Health Insurance Portability and Accountability Act of 1996
(HIPAA)
2. The Health Information Technology for Economic and Clinical
Health (HITECH) Act
B. Rulemaking Authority and Regulatory History
1. The Department's Rulemaking Authority Under HIPAA
2. Regulatory History
III. Justification for This Proposed Rulemaking
A. HIPAA Encourages Trust by Carefully Balancing Individuals'
Privacy Interests With Others' Interests in Using or Disclosing PHI
B. Developments in the Legal Environment are Eroding
Individuals' Trust in the Health Care System
C. To Protect the Trust Between Individuals and Health Care
Providers, the Department Proposes To Restrict Certain Uses and
Disclosures of PHI for Non-Health Care Purposes
IV. Section-by-Section Description of Proposed Amendments to the
Privacy Rule
A. Section 160.103--Definitions
1. Clarifying the Definition of ``Person''
2. Interpreting Terms Used in Section 1178(b) of the Social
Security Act
3. Adding a Definition of ``Reproductive Health Care''
4. Request for Comment
B. Section 164.502--Uses and Disclosures of Protected Health
Information: General Rules
1. Clarifying When PHI May Be Used or Disclosed by Regulated
Entities
2. Adding a New Category of Prohibited Uses and Disclosures
[[Page 23507]]
3. Clarifying Personal Representative Status in the Context of
Reproductive Health Care
4. Request for Comment
C. Section 164.509--Uses and Disclosures for Which an
Attestation Is Required (Proposed Heading)
1. Current Provision and Issues To Address
2. Proposal
3. Request for Comment
D. Section 164.512--Uses and Disclosures for Which an
Authorization or Opportunity To Agree or Object Is Not Required
1. Applying the Proposed Prohibition and Attestation Requirement
to Certain Permitted Uses and Disclosures
2. Making a Technical Correction to the Heading of 45 CFR
164.512(c) and Clarifying That Providing or Facilitating
Reproductive Health Care Is Not Abuse, Neglect, or Domestic Violence
3. Clarifying the Permission for Disclosures Based on
Administrative Processes
4. Request for Comment
E. Section 164.520--Notice of Privacy Practices for Protected
Health Information
1. Current Provision and Issues To Address
2. Proposal
3. Request for Comment
V. Executive Order 12866 and Related Executive Orders on Regulatory
Review
A. Regulatory Impact Analysis
1. Summary of Costs and Benefits
2. Baseline Conditions
3. Costs of the Proposed Rule
4. Request for Comment
B. Regulatory Alternatives to the Proposed Rule
C. Regulatory Flexibility Act--Small Entity Analysis
D. Executive Order 13132--Federalism
E. Assessment of Federal Regulation and Policies on Families
F. Paperwork Reduction Act of 1995
1. Explanation of Estimated Annualized Burden Hours
VI. Request for Comment
VII. Public Participation
I. Executive Summary
A. Overview
In this notice of proposed rulemaking (NPRM), the Department of
Health and Human Services (HHS or ``Department'') proposes
modifications to the Standards for Privacy of Individually Identifiable
Health Information (``Privacy Rule''), issued pursuant to section 264
of the Administrative Simplification provisions of title II, subtitle
F, of the Health Insurance Portability and Accountability Act of 1996
(HIPAA).\1\ The Privacy Rule \2\ is one of several rules, collectively
known as the HIPAA Rules,\3\ that protect the privacy and security of
individuals' protected health information \4\ (PHI), which is
individually identifiable health information \5\ (IIHI) transmitted by
or maintained in electronic media or any other form or medium, with
certain exceptions.\6\
---------------------------------------------------------------------------
\1\ Subtitle F of title II of HIPAA (Pub. L. 104-191, 110 Stat.
1936 (Aug. 21, 1996)) added a new part C to title XI of the Social
Security Act (SSA), Public Law 74-271, 49 Stat. 620 (Aug. 14, 1935),
(see sections 1171-1179 of the SSA (codified at 42 U.S.C. 1320d-
1320d-8)), as well as promulgating section 264 of HIPAA (codified at
42 U.S.C. 1320d-2 note), which authorizes the Secretary to
promulgate regulations with respect to the privacy of individually
identifiable health information. The Privacy Rule has subsequently
been amended pursuant to the Genetic Information Nondiscrimination
Act of 2008 (GINA), title I, section 105, Public Law 110-233, 122
Stat. 881 (May 21, 2008) (codified at 42 U.S.C. 2000ff), and the
Health Information Technology for Economic and Clinical Health
(HITECH) Act of 2009, Public Law 111-5, 123 Stat. 226 (Feb. 17,
2009) (codified at 42 U.S.C. 139w-4(0)(2)).
\2\ 45 CFR parts 160 and 164, subparts A and E. For a history of
the Privacy Rule, see Section II.B.2., ``Regulatory History,''
below.
\3\ See also the HIPAA Security Rule, 45 CFR parts 160 and 164,
subparts A and C; the HIPAA Breach Notification Rule, 45 CFR part
164, subpart D; and the HIPAA Enforcement Rule, 45 CFR part 160,
subparts C, D, and E.
\4\ 45 CFR 160.103 (definition of ``Protected health
information'').
\5\ 42 U.S.C. 1320d. See also 45 CFR 160.103 (definition of
``Individually identifiable health information'').
\6\ At times throughout this NPRM, the Department uses the terms
``health information'' or ``individuals' health information'' to
refer generically to health information pertaining to an individual
or individuals. In contrast, the Department's use of the term
``IIHI'' refers to a category of health information defined in
HIPAA, and ``PHI'' is used to refer specifically to a category of
IIHI that is defined by and subject to the privacy and security
standards promulgated in the HIPAA Rules.
---------------------------------------------------------------------------
Under its statutory authority to administer and enforce the HIPAA
Rules, the Department modifies the HIPAA Rules as needed, but not more
than once every 12 months.\7\ The Department makes the determination
that such modifications may be needed using information it receives on
an ongoing basis--from the public, regulated entities, media reports,
and its own analysis of the state of privacy for IIHI. Based on
information the Department has received in recent months, we believe it
may be necessary to modify the Privacy Rule to avoid the circumstance
where an existing provision of the Privacy Rule is used to request the
use or disclosure of an individual's PHI as a pretext for obtaining PHI
related to reproductive health care for a non-health care purpose where
such use or disclosure would be detrimental to any person. The
proposals in this NPRM would amend provisions of the Privacy Rule to
strengthen privacy protections for individuals' PHI related to
reproductive health care.
---------------------------------------------------------------------------
\7\ 45 CFR 160.104.
---------------------------------------------------------------------------
The Supreme Court's decision in Dobbs v. Jackson Women's Health
Organization \8\ (Dobbs) makes it more likely than before that
individuals' PHI may be disclosed in ways that cause harm to the
interests that HIPAA seeks to protect but that are not adequately
addressed in this context,\9\ such as criminal, civil, or
administrative investigations or proceedings that chill access to
lawful health care and full communication between individuals and
health care providers. These developments in the legal environment
increase the potential for uses or disclosures about an individual's
reproductive health to undermine access to and the quality of health
care generally. Some states have already imposed criminal, civil, or
administrative liability for, or created private rights of action
against, individuals who obtain certain reproductive health care,
including pregnancy termination; the health care providers who furnish
such reproductive health care; or other persons who facilitate the
furnishing or receipt of certain reproductive health care.\10\ Other
states may follow suit in the future. And in yet other states, law
enforcement agencies may attempt to use general criminal laws to
prosecute individuals for seeking or obtaining such reproductive health
care.\11\
---------------------------------------------------------------------------
\8\ 597 U.S. __, 142 S. Ct. 2228 (2022) (No. 19-1392) (June 24,
2022).
\9\ See National Committee on Vital and Health Statistics (NCVHS
or ``Committee'') discussion below, section II.A.1., expressing
concern for harm caused by disclosing identifiable health
information for non-health care purposes.
\10\ See, e.g., S.C. Code Ann. sec. 44-41-80(b), NRS 200.220,
Tex. Health & Safety Code Ann. sec. 171.208 (2021); 63 OK Stat sec.
1-745.34-35 (2022). See also Abortion Policy Tracker, Kaiser Family
Foundation (Jan. 20, 2023), https://www.kff.org/other/state-indicator/abortion-policy-tracker/?currentTimeframe=0&sortModel=%7B%22colId%22:%22Location%22,%22sort%22:%22asc%22%7D.
\11\ See Laura Huss, Farah Diaz-Tello, Goleen Samari, ``Self-
Care, Criminalized: August 2022 Preliminary Findings,*'' If/When/
How: Lawyering for Reproductive Justice (2022), https://www.ifwhenhow.org/resources/self-care-criminalized-preliminary-findings/; Caroline Kitchener and Ellen Francis, ``Talk of
prosecuting women for abortion pills roils antiabortion movement,''
The Washington Post (Jan. 11. 2023), https://www.washingtonpost.com/nation/2023/01/11/alabama-abortion-pills-prosecution/.
---------------------------------------------------------------------------
After Dobbs, the Department has heard concerns that civil,
criminal, or administrative investigations or proceedings have been
instituted or threatened on the basis of reproductive health care that
is lawful under the circumstances in which it is provided. The threat
that PHI will be obtained and used in such an investigation or
proceeding is likely to chill individuals' willingness to seek lawful
treatment or to provide full information to their
[[Page 23508]]
health care providers when obtaining that treatment.
A positive, trusting relationship between individuals and their
health care providers is essential to an individual's health and well-
being.\12\ The prospect of releasing highly sensitive PHI can result in
medical mistrust and the deterioration of the confidential, safe
environment that is necessary to quality health care, a functional
health care system, and the public's health generally.\13\ That is even
more true in the context of reproductive health care, given the
potential for stigmatization and other adverse consequences to
individuals resulting from disclosures they do not want or expect.\14\
---------------------------------------------------------------------------
\12\ See Fallon E. Chipidza, Rachel S. Wallwork, Theodore A.
Stern, ``Impact of the Doctor-Patient Relationship,'' The Primary
Care Companion for CNS Disorders (Oct. 2015), https://www.psychiatrist.com/pcc/delivery/patient-physician-communication/impact-doctor-patient-relationship/.
\13\ See, e.g., Kim Bellware, ``Doctor says she shouldn't have
to turn over patients' abortion records,'' The Washington Post (Nov.
19, 2022), https://www.washingtonpost.com/politics/2022/11/19/caitlin-bernard-rokita-lawsuit/ (citing the testimony of pediatric
bioethics expert Kyle Brothers about the potential negative effects
requests for this type of sensitive medical record could have on
individuals: ``This kind of disclosure, especially for a minor, is
just heartbreaking.''). See also Eric Boodman, ``In a doctor's
suspicion after a miscarriage, a glimpse of expanding medical
mistrust,'' STAT News (June 29, 2022), https://www.statnews.com/2022/06/29/doctor-suspicion-after-miscarriage-glimpse-of-expanding-medical-mistrust/ (Sarah Prager, professor of obstetrics and
gynecology at the University of Washington said that it's a bad
precedent if clinical spaces become unsafe for patients because,
``[a health care provider's] ability to take care of patients relies
on trust, and that will be impossible moving forward.'').
\14\ See Letter from NCVHS Chair Simon P. Cohn to HHS Secretary
Michael O. Leavitt (Feb. 20, 2008) (listing categories of health
information that are commonly considered to contain sensitive
information), p. 5, https://ncvhs.hhs.gov/wp-content/uploads/2014/05/080220lt.pdf.
---------------------------------------------------------------------------
Experience shows that medical mistrust--especially in vulnerable
communities that have been negatively affected by historical and
current health care disparities \15\--can create damaging and chilling
effects on individuals' willingness to seek appropriate and lawful care
for medical conditions that can worsen without treatment.\16\ If
individuals believe that their PHI may be disclosed without their
knowledge or consent to initiate criminal, civil, or administrative
investigations or proceedings against them or others based primarily
upon their receipt of lawful reproductive health care, they are likely
to be less open, honest, or forthcoming about their symptoms and
medical history. As a result, individuals may refrain from sharing
critical information with their health care providers, regardless of
whether they are seeking reproductive health care that is lawful under
the circumstances in which it is provided. For instance, an individual
who has obtained a lawful abortion in one state may fear receiving
emergency care in a state where abortion is unlawful because providing
information to a health care provider in such a state could place them
into legal jeopardy, even if that information is relevant to the
immediate health emergency. If an individual believes they cannot be
honest about their health history, the health care provider cannot
conduct an appropriate health assessment to reach a sound diagnosis and
recommend the best course of action for that individual. Heightened
confidentiality and privacy protections enable an individual to develop
a trust-based relationship with their health care provider and to be
open and honest with their health care provider. That health care
provider is then more likely to provide a correct diagnosis and aid the
individual in making informed treatment decisions.
---------------------------------------------------------------------------
\15\ See Lisa P. Oakley, Marie Harvey, Daniel F. Lopez-Cevallos,
``Racial and Ethnic Discrimination, Medical Mistrust, and
Satisfaction with Birth Control Services among Young Adult
Latinas,'' Women's Health Issues (July-August 2018), p. 313, https://www.sciencedirect.com/science/article/abs/pii/S1049386717305443;
and Cynthia Prather, Taleria R. Fuller, Khiya J. Marshall, et al.,
``The Impact of Racism on the Sexual and Reproductive Health of
African American Women,'' Journal of Women's Health (July 2016), p.
664, https://www.liebertpub.com/doi/abs/10.1089/jwh.2015.5637.
\16\ See Texas Maternal Mortality and Morbidity Review Committee
and Department of State Health Services Joint Biennial Report 2022,
Texas Department of State Health Services (Dec. 2022), p. 41,
https://www.dshs.texas.gov/sites/default/files/legislative/2022-Reports/Joint-Biennial-MMMRC-Report-2022.pdf.
---------------------------------------------------------------------------
Similarly, if a health care provider believes that an individual's
highly sensitive PHI is likely to be disclosed without the individual's
or the health care provider's knowledge or consent in connection with a
criminal, civil, or administrative investigation or proceeding against
the individual, their health care provider, or others primarily because
of the type of health care the individual received or sought, the
health care provider is more likely to omit information about an
individual's medical history or condition, leave gaps, or include
inaccuracies when preparing the individual's medical records. And if an
individual's medical records lack complete information about the
individual's health history, a subsequent health care provider may not
be able to conduct an appropriate health assessment to reach a sound
diagnosis and recommend the best course of action for the individual.
Alternatively, a health care provider may even withhold from an
individual full and complete information about their treatment options
because of liability fears stemming from concerns about the level of
privacy afforded to PHI.\17\ Heightened confidentiality and privacy
protections enable a health care provider to feel confident maintaining
full and complete medical records. With complete medical records, an
individual is more likely to receive appropriate ongoing or future
health care, including correct diagnoses, and obtain appropriate
guidance, empowering the individual in making informed treatment
decisions. This further enables the individual to access lawful health
care--and health care providers to practice medicine--in an environment
that promotes social, environmental, mental, and physical wellness.
---------------------------------------------------------------------------
\17\ See Brief for Zurawski at p. 10, Zurawski v. State of Texas
(No. D-1-GN-23-000968) (W.D. Tex. 2023) (stating that ``[i]n every
interaction with their medical team in Texas, Lauren M. and her
husband felt confused and frustrated and could not get direct
answers,'' and that ``[i]t was apparent that their doctors, nurses,
and counselors were all fearful of speaking directly and openly
about abortion for fear of liability under Texas's abortion
bans.'').
---------------------------------------------------------------------------
Furthermore, an individual's lack of trust in their health care
provider to maintain the confidentiality of the individual's most
sensitive medical information and a lack of trust in the medical system
more generally may have significant repercussions for the public's
health more generally. Individuals who are not candid with their health
care providers about their reproductive health care may also withhold
information about other matters that have public health implications,
such as sexually transmitted infections or vaccinations.\18\
---------------------------------------------------------------------------
\18\ See Letter from NCVHS Chair Simon P. Cohn to HHS Secretary
Michael O. Leavitt (June 22, 2006), p. 2 (with forwarded NCVHS
recommendations, ``Individual trust in the privacy and
confidentiality of their personal health information also promotes
public health, because individuals with potentially contagious or
communicable diseases are not inhibited from seeking treatment.''),
https://ncvhs.hhs.gov/rrp/june-22-2006-letter-to-the-secretary-recommendations-regarding-privacy-and-confidentiality-in-the-nationwide-health-information-network/.
---------------------------------------------------------------------------
When proposing the initial Privacy Rule, the Department described
its policy choices as being motivated to develop and maintain a
relationship of trust between individuals and health care providers.
``A fundamental assumption of this regulation is that the greatest
benefits of improved privacy protection will be realized in the future
as patients gain increasing trust in health care practitioner's ability
to
[[Page 23509]]
maintain the confidentiality of their health information.'' \19\ The
Department also described the benefits of increasing individuals'
access to their own health care information in the development and
maintenance of that trust. Providing individuals with ``[o]pen access
to [their] health information can benefit both the individuals and the
covered entities. [ . . . ] It can increase communication, thereby
enhancing individuals' trust in their health care providers and
increasing compliance with the providers' instructions.'' \20\ The
Department reiterated this need for trust between individuals and
health care providers in the 2000 Privacy Rule, noting that ``[t]he
provision of high-quality health care requires the exchange of
personal, often-sensitive information between an individual and a
skilled practitioner. Vital to that interaction is the patient's
ability to trust that the information shared will be protected and kept
confidential.'' \21\ As the Department also stated, ``[h]ealth care
professionals who lose the trust of their patients cannot deliver high-
quality care.'' \22\
---------------------------------------------------------------------------
\19\ See 64 FR 59918, 60006 (Nov. 3, 1999).
\20\ See 64 FR 59980.
\21\ See 65 FR 82462, 82463 (Dec. 28, 2000).
\22\ See 65 FR 82468.
---------------------------------------------------------------------------
However, the Department also noted that the policy choices it made
when issuing the 2000 Privacy Rule were a result of balancing the
interests of the individual in the privacy of their PHI with the
interests of society in disclosures of PHI for non-health care
purposes. Thus, the 2000 Privacy Rule included permissions for
regulated entities to disclose PHI under certain conditions for
judicial and administrative proceedings and law enforcement purposes.
As the Department explained at that time, ``Individuals' right to
privacy in information about themselves is not absolute. It does not,
for instance, prevent reporting of public health information on
communicable diseases or stop law enforcement from getting information
when due process has been observed.'' \23\
---------------------------------------------------------------------------
\23\ 65 FR 82464.
---------------------------------------------------------------------------
The proposed modifications to the Privacy Rule in this NPRM
directly advance the purposes of HIPAA. From their inception, the
Department's regulations implementing the statute have sought to ensure
that individuals do not forgo lawful health care when needed--or
withhold important information from their health care providers that
may affect the quality of health care they receive--out of a fear that
their sensitive information would be revealed outside of their
relationships with their health care providers. In the past, the
Department generally has applied the same privacy standards to nearly
all PHI, regardless of the type of health care at issue. But the
Department has also recognized that some forms of PHI may be
particularly sensitive and thus may warrant heightened protections. For
example, the Department has accorded ``special protections'' to
psychotherapy notes under the Privacy Rule, owing in part to the
``particularly sensitive information'' those notes contain.\24\
---------------------------------------------------------------------------
\24\ The special protections for psychotherapy notes and the
Department's rationale for them are discussed at greater length in
section III of this preamble.
---------------------------------------------------------------------------
Many individuals regard information about their reproductive health
as highly private and personal. That information is likely to come up
in a wide variety of encounters between individuals and their health
care providers, including routine physicals, gynecological
examinations, and a range of other encounters that do not involve an
individual's effort to obtain health care, such as an abortion, that is
illegal under some post-Dobbs state laws. However, if individuals do
not trust that their health care providers will keep their sensitive
information private, they may withhold important health information
from their health care providers, leading to incomplete and inaccurate
medical records and potentially substandard health care. Some
individuals may refrain from or defer obtaining necessary health care,
which could lead to worse health outcomes and exacerbate health
disparities.\25\ Others may withhold aspects of their medical history
from their health care providers, which could impede the ability of
health care professionals to make fully informed medical judgments and
provide full and complete information about treatment options.
Similarly, health care providers may omit information about an
individual's medical history or condition, or leave gaps or include
inaccuracies, when preparing medical records, out of fear that the
individual's PHI is likely to be disclosed without the individual's or
the health care provider's knowledge or consent for use in criminal or
civil proceedings against the individual, their health care provider,
or others. In so doing, they increase the risk that the individual will
receive substandard ongoing or future health care. Regardless of how it
occurs, the result is substandard health care and worse health
outcomes.
---------------------------------------------------------------------------
\25\ See Jessica Winter, ``The Dobbs Decision Has Unleashed
Legal Chaos for Doctors and Patients,'' The New Yorker (July 2,
2022) (Chloe Akers, a criminal defense attorney in Tennessee,
discussing agencies authorized to investigate offenses related to
abortion ``[t]hat leads to a serious concern about privacy at ob-gyn
offices and for other health-care providers.''), https://www.newyorker.com/news/news-desk/the-dobbs-decision-has-unleashed-legal-chaos-for-doctors-and-patients.
---------------------------------------------------------------------------
Such deferrals or avoidance of lawful health care are not only
problematic for individuals' health, but they are also problematic for
public health. As discussed in greater detail below, the objective of
public health is to protect and improve the health of people and their
communities. Barriers that undermine the willingness of individuals to
seek lawful health care in a timely manner or to provide complete and
accurate health information to their health care providers undermine
the overall objective of public health. Thus, based on the longstanding
purposes of HIPAA, there is a compelling need to provide additional
protections to this especially sensitive category of information.
Following the Dobbs decision in 2022, laws enacted or effective in
a number of states \26\ raised the prospect that highly sensitive PHI
would be disclosed under circumstances that did not exist before the
Supreme Court's decision, generating significant confusion for
individuals, health care providers, family, friends, and caregivers
regarding their ability to privately seek, obtain, provide, or
facilitate health care. The Department has received questions from
regulated entities, Members of Congress, and others about the state of
privacy protections, particularly for information about an individual's
reproductive health or about reproductive health care an individual may
have received. While the Department has already taken steps to address
some of the confusion,\27\ we have received additional inquiries and
reports that indicate further clarification is needed to resolve this
confusion and strengthen privacy protections. In light of this
confusion, the Department believes that there is a need to reaffirm and
clarify that maintaining the privacy of an individual's PHI is
important to providing high-quality health care. To do so, the
Department believes it is
[[Page 23510]]
necessary to provide heightened protections for another especially
sensitive category of health information--PHI sought for the purposes
of conducting a criminal, civil, or administrative investigation into
or proceeding against any person in connection with seeking, obtaining,
providing, or facilitating reproductive health care that is lawful
under the circumstances in which it is provided. These proposed
modifications would provide heightened protections for individuals'
health information privacy under the defined circumstances; foster an
open and honest exchange of information between the individual and
health care provider, who--with that information--could employ
evidence-based clinical practice guidelines; and increase access to
high-quality, lawful health care.
---------------------------------------------------------------------------
\26\ See ``After Roe Fell: Abortion Laws by State,'' Center for
Reproductive Rights (updated in real time) (describing actions taken
by states, including that ``some states and territories never
repealed their pre-Roe abortion bans'' that have now gone into
effect.), https://reproductiverights.org/maps/abortion-laws-by-state/.
\27\ See Press Release, ``HHS Issues Guidance to Protect Patient
Privacy in Wake of Supreme Court Decision on Roe,'' U.S. Dep't of
Health and Human Servs. (June 29, 2022), https://www.hhs.gov/about/news/2022/06/29/hhs-issues-guidance-to-protect-patient-privacy-in-wake-of-supreme-court-decision-on-roe.html.
---------------------------------------------------------------------------
The Department has determined, in accordance with other Federal
agencies, that information about reproductive health care is
particularly sensitive and requires heighted protections. For example,
the Federal Trade Commission (FTC) has recognized that information
related to personal reproductive matters is ``particularly sensitive.''
\28\ In business guidance, FTC staff explained that ``[t]he exposure of
health information and medical conditions, especially data related to
sexual activity or reproductive health, may subject people to
discrimination, stigma, mental anguish, or other serious harms.'' \29\
As a result, the FTC has committed to using the full scope of its
authorities to protect consumers' privacy, including the privacy of
their health information and other sensitive data.\30\
---------------------------------------------------------------------------
\28\ Kristin Cohen, ``Location, health, and other sensitive
information: FTC committed to fully enforcing the law against
illegal use and sharing of highly sensitive data,'' Federal Trade
Commission Business Blog (July 11, 2022), https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal (last
accessed Nov. 15, 2022).
\29\ Id.
\30\ Id.
---------------------------------------------------------------------------
The Department of Defense (DOD) has also recognized such privacy
concerns. In a memorandum to DOD leaders, the Secretary of Defense
directed the DOD to ``[e]stablish additional privacy protections for
reproductive health care information'' for service members and
``[d]isseminate guidance that directs Department of Defense health care
providers that they may not notify or disclose reproductive health
information to commanders unless this presumption is overcome by
specific exceptions set forth in policy.'' \31\ The guidance repeatedly
emphasizes not only the importance of privacy for such highly sensitive
information but also the importance of privacy in making highly
sensitive reproductive health care decisions.\32\
---------------------------------------------------------------------------
\31\ Memorandum Re: Ensuring Access to Reproductive Health Care,
Dep't of Defense (Oct. 20, 2022), p. 1, (emphasis in original),
https://media.defense.gov/2022/Oct/20/2003099747/-1/-1/1/MEMORANDUM-ENSURING-ACCESS-TO-REPRODUCTIVE-HEALTH-CARE.PDF.
\32\ Id.
---------------------------------------------------------------------------
The Department recognizes that the need for heightened protections
for highly sensitive PHI is now more acute than it was before, given
the actions taken by states to regulate, and even criminalize,
reproductive health care.\33\ Before the Supreme Court's decision, the
range of circumstances in which persons attempted to seek or use highly
sensitive PHI in criminal, civil, and administrative investigations or
proceedings in connection with the provision of reproductive health
care was much narrower. The general HIPAA privacy protections provided
the necessary trust to promote access to and receipt of high-quality
and lawful health care in that environment. As states take steps to
more broadly regulate reproductive health care, some individuals and
their health care providers are at greater risk and have increased fear
that especially sensitive PHI detailing the individual's need for, or
receipt of, lawful reproductive health care will be used or disclosed
without their knowledge or consent.\34\
---------------------------------------------------------------------------
\33\ See ``Talk of prosecuting women for abortion pills roils
antiabortion movement,'' supra note 11.
\34\ Id.
---------------------------------------------------------------------------
The Department carefully analyzed state prohibitions or
restrictions on an individual's ability to obtain health care and the
effects on health information privacy, access to high-quality health
care, and the relationships between individuals and their health care
providers after Dobbs; and conducted a thorough review of the history
and text of HIPAA and the Privacy Rule. The Department has also engaged
in extensive discussions with HHS agencies and other Federal
departments, including the Department of Justice; examined media
reports on state activity affecting privacy protections for
reproductive health information; held listening sessions with and
reviewed correspondence from stakeholders, including covered entities,
requesting technical assistance from the Department and urging the
Department to clarify and strengthen privacy protections for PHI; and
reviewed correspondence to HHS from Members of Congress who have urged
the same. The proposals contained within this NPRM are the result of
this work.
B. Applicability
The effective date of a final rule would be 60 days after
publication.\35\ Regulated entities would have until the ``compliance
date'' to establish and implement policies and practices to achieve
compliance with any new or modified standards. Except as otherwise
provided, 45 CFR 160.105 provides that regulated entities must comply
with the applicable new or modified standards or implementation
specifications no later than 180 days from the effective date of any
such change. The Department has previously noted that the 180-day
general compliance period for new or modified standards would not apply
where a different compliance period is provided in the regulation for
one or more provisions.\36\ However, the compliance period cannot be
less than the statutory minimum of 180 days.\37\
---------------------------------------------------------------------------
\35\ See Office of the Federal Register, A Guide to the
Rulemaking Process (2011), p. 8, https://www.federalregister.gov/uploads/2011/01/the_rulemaking_process.pdf.
\36\ See 78 FR 5566, 5569 (Jan. 25, 2013).
\37\ See 42 U.S.C. 1320d-4(b)(2).
---------------------------------------------------------------------------
The Department does not believe that the proposed rule would pose
unique implementation challenges that would justify an extended
compliance period (i.e., a period longer than the standard 180 days
provided in 45 CFR 160.105). Further, the Department believes that
adherence to the standard compliance period is necessary to timely
address the circumstances described in this NPRM. Thus, the Department
proposes to apply the standard compliance date of 180 days after the
effective date of a final rule.\38\ The Department seeks comment on
this time frame for compliance.
---------------------------------------------------------------------------
\38\ See 45 CFR 160.104(c)(1), which requires the Secretary to
provide at least a 180-day period for covered entities to comply
with modifications to standards and implementation specifications in
the HIPAA Rules.
---------------------------------------------------------------------------
If any provision in this rulemaking is held to be invalid or
unenforceable facially, or as applied to any person, plaintiff, or
circumstance, the provision shall be severable from the remainder of
this rulemaking, and shall not affect the remainder thereof, and the
invalidation of any specific application of a provision shall not
affect the application of the provision to other persons or
circumstances.
C. Table of Abbreviations/Commonly Used Acronyms in This Document
As used in this preamble, the following terms and abbreviations
have the meanings noted below.
[[Page 23511]]
------------------------------------------------------------------------
Term Meaning
------------------------------------------------------------------------
AMA.................................... American Medical Association.
BLS.................................... Bureau of Labor Statistics.
CDC.................................... Centers for Disease Control and
Prevention.
DOD.................................... Department of Defense.
HHS or Department...................... U.S. Department of Health and
Human Services.
EHR.................................... Electronic Health Record.
E.O.................................... Executive Order.
FTC.................................... Federal Trade Commission.
GINA................................... Genetic Information
Nondiscrimination Act of 2008.
Health IT.............................. Health Information Technology.
HITECH Act............................. Health Information Technology
for Economic and Clinical
Health Act of 2009.
HIPAA.................................. Health Insurance Portability
and Accountability Act of
1996.
ICR.................................... Information Collection Request.
IIHI................................... Individually Identifiable
Health Information.
NCVHS or Committee..................... National Committee on Vital and
Health Statistics.
NPP.................................... Notice of Privacy Practices.
NPRM................................... Notice of Proposed Rulemaking.
OCR.................................... Office for Civil Rights.
OMB.................................... Office of Management and
Budget.
PDF.................................... Portable Document Format.
PHI.................................... Protected Health Information.
PRA.................................... Paperwork Reduction Act of
1995.
PSAO................................... Pharmacy Services
Administration Organization.
RFA.................................... Regulatory Flexibility Act.
RIA.................................... Regulatory Impact Analysis.
SBA.................................... Small Business Administration.
SSA.................................... Social Security Act of 1935.
UMRA................................... Unfunded Mandates Reform Act of
1995.
VA..................................... Department of Veterans Affairs.
------------------------------------------------------------------------
II. Statutory Authority and Regulatory History
A. Statutory Authority and History
1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
In 1996, Congress enacted HIPAA \39\ to reform the health care
delivery system. In so doing, Congress intended to make health
insurance more portable and accessible for consumers, to improve its
quality, and to simplify its administration.\40\ As noted by a leading
proponent of the bill during final debate leading up to passage of the
law, ``[o]ur objective, then, is to initiate fundamental reforms in
access to health care without doing irreversible harm to quality,
research and technology.'' \41\
---------------------------------------------------------------------------
\39\ See HIPAA, supra note 1.
\40\ See H. Rept. 104-736, 104th Cong. (1996) at 177. See also
142 Cong. Rec. H3038 (daily ed. Mar. 28, 1996), (statement of Rep.
McDermott) (speaking about how privacy protection is essential to
improving health care quality, one of the purposes of the H.R. 3103,
Health Coverage Availability and Affordability Act of 1996, the
precursor to HIPAA); 142 Cong. Rec. H9568 (daily ed. Aug. 1, 1996)
(statement of Rep. Ganske).
\41\ See 142 Cong. Rec. S9505 (daily ed. Aug. 2, 1996)
(statement of Sen. Roth).
---------------------------------------------------------------------------
At the time, the health care system was moving from paper-based to
electronic medical records. Congress recognized the need to reduce the
burden of the transition on health care providers, encourage health
care provider adoption of technology by addressing concerns for
potential liability for use of new systems, and ensure patient
confidentiality of electronic data to foster trust in health care
providers and support patient access to health care.\42\ Congressional
statements leading up to HIPAA's enactment demonstrate Congress' desire
that the law enhance individuals' trust in health care providers: ``The
bill would also establish strict security standards for health
information because Americans clearly want to make sure that their
health care records can only be used by the medical professionals that
treat them. Often we assume that because doctors take an oath of
confidentiality that in fact all who touch their records operate by the
same standards. Clearly they do not.'' \43\
---------------------------------------------------------------------------
\42\ See H.Rept. 104-736 at 177 and 264, supra note 40. See also
142 Cong. Rec. H9780 (daily ed., No. 116 Part II, Aug. 1, 1996)
(statement of Rep. Sawyer); 142 Cong. Rec. H9792 (daily ed. Aug. 1,
1996) (statement of Rep. McDermott); and 142 Cong. Rec. S9515-16
(daily ed. Aug. 2, 1996) (statement of Sen. Simon).
\43\ 142 Cong. Rec. H9780 (statement of Rep. Sawyer), supra note
42.
---------------------------------------------------------------------------
To address these needs, Congress enacted HIPAA's Administrative
Simplification provisions \44\ in subtitle F, sections 261 through 264,
which contained requirements for standards to support the electronic
exchange of health information. Section 261 states, in part, that
``[i]t is the purpose of this subtitle to improve [ . . . ] the
efficiency and effectiveness of the health care system, by encouraging
the development of a health information system through the
establishment of standards and requirements for the electronic
transmission of certain health information [ . . . ].'' \45\
---------------------------------------------------------------------------
\44\ See HIPAA, supra note 1.
\45\ 42 U.S.C. 1320d note (Statutory Notes and Related
Subsidiaries: Purpose). Subtitle F also amended related provisions
of the SSA.
---------------------------------------------------------------------------
HIPAA protects individuals' health information in various ways.
Congress prohibited, among other things, the disclosure of
``individually identifiable health information to another person'' \46\
and provided for severe penalties for violations, including prison
sentences of up to 10 years and monetary fines of up to $250,000.\47\
Congress also put in place numerous protections for the privacy of
individuals' health information and directed HHS to promulgate rules,
recognizing the importance of standards for security and privacy in the
developing electronic environment, when Congress did not enact detailed
privacy requirements within a specified period.\48\
---------------------------------------------------------------------------
\46\ 42 U.S.C. 1320d-6(a).
\47\ 42 U.S.C. 1320d-6(b).
\48\ See, e.g., 42 U.S.C. 1320a-7c(a)(3)(B)(ii) (creating a
fraud and abuse control program with measures to protect, among
other things, the confidentiality of the information and the privacy
of individuals receiving health care services and items.); H.Rept.
104-736 at 242, supra note 40 (explaining that such program ``would
ensure the confidentiality of information [ . . . ] as well as the
privacy of individuals receiving health care services''); 42 U.S.C.
1320a-7e(b)(3) (creating a health care fraud and abuse data
collection program with procedures to assure the protection of the
privacy of individuals receiving health care services.); H.Rept.
104-736 at 252, supra note 40 (explaining that such program would
``protect the privacy of individuals receiving health care
services''); section 264(a) of Public Law 104-191, (codified at 42
U.S.C. 1320d-2 note) (requiring the Secretary of HHS to submit
recommendations on privacy standards for individually identifiable
health information); section 264(c) of Public Law 104-191, (codified
at 42 U.S.C. 1320d-2 note) (requiring the Secretary to issue
regulations containing such privacy standards if Congress does not);
H.Rept. 104-736 at 265, supra note 40 (recognizing that ``certain
uses of individually identifiable information are appropriate, and
do not compromise the privacy of an individual[,]'' such as ``the
transfer of information when making referrals from primary care to
specialty care'').
---------------------------------------------------------------------------
HIPAA's preemption provisions reflect Congress' intent to protect
individuals' health care privacy. The statute provides a ``[g]eneral
rule'' that, with certain exceptions, HIPAA's provisions ``supersede
any contrary provision of State law.'' \49\ One exception to HIPAA's
preemption provisions is for ``state privacy laws that are contrary to
and more stringent than the corresponding federal standard,
requirement, or implementation specification.'' \50\ ``The effect of
these provisions is to let the law that is most protective of privacy
control.'' \51\ Thus, HIPAA created privacy standards that safeguard
the health information of all Americans, while respecting the ability
[[Page 23512]]
of states to provide individuals with additional privacy protection.
---------------------------------------------------------------------------
\49\ 42 U.S.C. 1320d-7(a)(1) (providing the general rule that,
with limited exceptions, a provision or requirement under HIPAA
supersedes any contrary provision of state law.) See also section
264(c)(2) of Public Law 104-191 (codified at 42 U.S.C. 1320d-2
note).
\50\ 65 FR 82580 (the exception applies under section
1178(a)(2)(B) of the SSA and section 264(c)(2) of HIPAA).
\51\ Id.
---------------------------------------------------------------------------
The Conference Report resolving differences in House and Senate
bill language provides further evidence that Congress gave great weight
to the need for privacy standards that adequately protect individual
health information privacy at a Federal level but allow for greater
health information privacy protection by states. Congressional
references to ``rapidly'' progressing technological innovation \52\ and
the need to balance the privacy interests of individuals and the
benefits of sharing data in certain circumstances (e.g., sharing IIHI
for treatment or aggregated data for research \53\) demonstrate that
Congress considered that health care reform would require a carefully
calibrated and appropriate method for exchanging data. Similarly,
congressional deliberations demonstrate that Congress viewed individual
privacy, confidentiality, and data security as critical for orderly
administrative simplification.\54\ As noted by one Member of Congress,
privacy standards would add an additional layer of protection beyond
the oath pledged by health care providers to keep information secure
and, as described by another Member, would further protect information
from being used in a ``malicious or discriminatory manner.'' \55\
---------------------------------------------------------------------------
\52\ See H.Rept. 104-736 at 270, supra note 40. See also South
Carolina Med. Ass'n v. Thompson, 327 F.3d 346, 354 (4th Cir. 2003)
(``Recognizing the importance of protecting the privacy of health
information in the midst of the rapid evolution of health
information systems, Congress passed HIPAA in August 1996.''), cert.
denied, 540 U.S. 981 (2003).
\53\ See H.Rept. 104-736 at 265, supra note 40.
\54\ On a resolution waiving points of order against the
Conference Report to H.R. 3103, members debated an ``erosion of
privacy'' balanced against the administrative simplification
provisions. See 142 Cong. Rec. H9777 and H9780, supra note 42.
\55\ See comment from Rep. Sawyer, supra note 42. See also
statement of Sen. Simon, supra note 42.
---------------------------------------------------------------------------
Congress applied the Administrative Simplification provisions
directly to three types of entities known as ``covered entities''--
health plans, health care clearinghouses, and health care providers who
transmit information electronically in connection with a transaction
for which HHS has adopted a standard.\56\ Congress also required the
Secretary, no later than 12 months from the date of enactment, to
identify ``detailed'' recommendations for Federal standards to protect
the privacy and security of IIHI nationwide addressing, at least, (1)
the rights that an individual who is a subject of IIHI should have; (2)
the procedures that should be established for the exercise of such
rights; and (3) the uses and disclosures of such information that
should be authorized or required. Congress further directed the
Secretary to promulgate standards to govern the privacy of information
no later than 42 months after HIPAA's enactment if Congress itself had
not done so via additional legislation.\57\
---------------------------------------------------------------------------
\56\ See section 262 of Public Law 104-191, adding section 1172
to the SSA (codified at 42 U.S.C. 1320d-1). See also section 13404
of the American Recovery and Reinvestment Act of 2009, Public Law
111-5, 123 Stat. 115 (Feb. 17, 2009) (codified at 42 U.S.C. 17934)
(applying privacy provisions and penalties to business associates of
covered entities).
\57\ See section 264 of Public Law 104-191 (codified at 42
U.S.C. 1320d-2 note). Although the original regulations were enacted
in 2001, more than 42 months from HIPAA's enactment, ``HHS's delay
in promulgating the final Privacy Rule did not deprive the agency of
the power to act.'' Ass'n of Am. Physicians & Surgeons, Inc. v. HHS,
224 F. Supp. 2d 1115, 1127 (S.D. Tex. 2002), aff'd, 67 F. App'x 253
(5th Cir. 2003) (noting that HHS's delay, ``particularly in the face
of huge administrative burdens . . . do[es] not result in the
invalidation of HHS's authority to promulgate the Privacy Rule'')
(citing Regions Hospital v. Shalala, 522 U.S. 448, 459 n.2 (1998);
Brock v. Pierce Cnty., 476 U.S. 253, 260 (1986)).
---------------------------------------------------------------------------
HIPAA section 264(d) required the Secretary to consult with the
Department's National Committee on Vital and Health Statistics (NCVHS)
\58\ in carrying out the requirements of section 264.\59\ Like
Congress, NCVHS considered the appropriateness of permitting
identifiable health information to be used for certain purposes and not
others and requiring ``substantive and procedural barriers'' for still
others. For example, NCVHS recommended that ``strong substantive and
procedural protections'' be imposed if health information were to be
disclosed to law enforcement, and, where identifiable health
information would be made available for non-health purposes,
individuals should be afforded assurances that their data would not be
used against them.\60\ Ultimately, NCVHS ``unanimously'' believed, ``[
. . . ] the Secretary and the Administration [should] assign the
highest priority to the development of a strong position on health
privacy that provides the highest possible level of protection for the
privacy rights of patients.'' \61\ NCVHS further noted that failure to
do so would ``undermine public confidence in the health care system,
expose patients to continuing invasions of privacy, subject record
keepers to potentially significant legal liability, and interfere with
the ability of health care providers and others to operate the health
care delivery and payment system in an effective and efficient
manner,'' which would undermine what Congress intended when it enacted
HIPAA.\62\
---------------------------------------------------------------------------
\58\ See section 264(a) and (d) of Public Law 104-191 (codified
at 42 U.S.C. 1320d-2 note). The law also required the Secretary to
consult with the U.S. Attorney General.
\59\ 42 U.S.C. 242k(k) established the NCVHS as an 18-member
committee within the Office of the Secretary. The statute requires
the committee to include persons with expertise in the following
fields: health statistics, electronic interchange of health care
information, privacy and security of electronic information,
population-based public health, purchasing or financing health care
services, integrated computerized health information systems, health
services research, consumer interests in health information, health
data standards, epidemiology, and the provision of health services.
NCVHS committee members are appointed to serve four-year terms.
NCVHS serves as the statutory public advisory body to the Secretary
``for health data, statistics, privacy, and national health
information policy and the Health Insurance Portability and
Accountability Act.'' In addition, the Committee advises the
Secretary, ``reports regularly to Congress on HIPAA implementation,
and serves as a forum for interaction between HHS and interested
private sector groups on a range of health data issues.'' National
Comm. on Vital and Health Statistics, About NCVHS, https://ncvhs.hhs.gov/.
\60\ Letter from NCVHS Chair Don E. Detmer to HHS Secretary
Donna E. Shalala (June 27, 1997) (forwarding NCVHS recommendations),
https://ncvhs.hhs.gov/rrp/june-27-1997-letter-to-the-secretary-with-recommendations-on-health-privacy-and-confidentiality/.
\61\ Id. at Principal Findings and Recommendations.
\62\ Id.
---------------------------------------------------------------------------
The NCVHS explicitly stated that:
The Committee strongly supports limiting use and disclosure of
identifiable information to the minimum amount necessary to
accomplish the purpose. The Committee also strongly believes that
when identifiable health information is made available for non-
health uses, patients deserve a strong assurance that the data will
not be used to harm them.\63\
---------------------------------------------------------------------------
\63\ Id. at Executive Summary.
NCVHS acknowledged that secondary uses of individuals' health
information could provide benefits to society but recognized that these
uses posed the potential for harm to individuals in certain
circumstances. As NCVHS described it, ``[a] restriction prohibiting
secondary use against the record subject is an essential part of the
`bargain' that allows use of the data for socially beneficial purposes
while protecting individual patients.'' \64\ Thus, NCVHS strongly
recommended restrictions of the ability of third parties to use
information against the individual for purposes unrelated to health,
particularly for law enforcement and other governmental purposes.
---------------------------------------------------------------------------
\64\ Id. at E.
---------------------------------------------------------------------------
In its recommendations, NCVHS acknowledged that there might be
difficulty in distinguishing between categories of users, but it also
recognized the importance of doing so.\65\ NCVHS recommended that ``any
rules
[[Page 23513]]
regulating disclosures of identifiable health information be as clear
and as narrow as possible. Each group of users must be required to
justify their need for health information and must accept reasonable
substantive and procedural limitations on access.'' \66\ This would
allow for the disclosures that society deemed necessary and appropriate
while providing individuals with clear expectations regarding their
health information privacy.
---------------------------------------------------------------------------
\65\ Id. at F.
\66\ Id.
---------------------------------------------------------------------------
2. The Health Information Technology for Economic and Clinical Health
(HITECH) Act
On February 17, 2009, Congress enacted the Health Information
Technology for Economic and Clinical Health Act of 2009 (HITECH Act)
\67\ to promote the widespread adoption and standardization of health
information technology (health IT). In passing the law, Congress
instructed that any new health IT standards take into account the
privacy and security requirements of the HIPAA Rules.\68\
---------------------------------------------------------------------------
\67\ Title XIII of Division A and Title IV of Division B of the
American Recovery and Reinvestment Act of 2009, Public Law 111-5,
123 Stat. 115 (Feb. 17, 2009) (codified at 42 U.S.C. 201 note).
\68\ Section 3009(a)(1)(B) of the HITECH Act (codified at 42
U.S.C. 300jj-19(a)(1)) requires that the health IT standards and
implementation specifications adopted under section 3004 take into
account the requirements of HIPAA privacy and security law.
---------------------------------------------------------------------------
Within the HITECH Act, Congress enacted new HIPAA privacy and
security requirements for covered entities and business associates and
expanded certain rights of individuals with respect to their PHI. The
HITECH Act affirmed that ``[t]he standards governing the privacy and
security of individually identifiable health information promulgated by
the Secretary under sections 262(a) and 264'' of HIPAA ``shall remain
in effect to the extent that they are consistent with this subtitle''
and directed the Secretary to ``amend such Federal regulations as
required to make such regulations consistent with this subtitle.'' \69\
The HITECH Act further provided that ``[t]his title may not be
construed as having any effect on the authorities of the Secretary
under HIPAA privacy and security law,'' defined to include ``section
264 of the [HIPAA]'' and ``regulations under [that] provision[ ].''
\70\
---------------------------------------------------------------------------
\69\ Section 13421(b) of the HITECH Act (codified at 42 U.S.C.
17951).
\70\ Section 3009(a) of the HITECH Act (codified at 42 U.S.C.
300jj-19(a)), which, as stated above, preserves the Secretary's
authority to modify the privacy regulations under 45 CFR 160.104(a).
---------------------------------------------------------------------------
Congress understood the relationship between a connected health IT
landscape, a necessary and vital component of health care reform,\71\
and privacy and security standards when it enacted the HITECH Act. The
Purpose statement of an accompanying House of Representatives report
\72\ on the Energy and Commerce Recovery and Reinvestment Act \73\
recognizes that ``[i]n addition to costs, concerns about the security
and privacy of health information have also been regarded as an
obstacle to the adoption of [health IT].'' The Senate Report for S. 336
\74\ similarly acknowledges that ``[i]nformation technology systems
linked securely and with strong privacy protections can improve the
quality and efficiency of health care while producing significant cost
savings.'' \75\ As the Department explained in the 2013 regulation
referred to as the ``Omnibus Rule'' \76\ and discussed in greater
detail below, the HITECH Act's new HIPAA privacy and security
requirements \77\ supported Congress' goal to promote widespread
adoption and interoperability of health IT by ``strengthen[ing] the
privacy and security protections for health information established by
HIPAA.'' \78\
---------------------------------------------------------------------------
\71\ C. Stephen Redhead, ``The Health Information Technology for
Economic and Clinical Health (HITECH) Act,'' Congressional Research
Service (updated Apr. 27, 2009), https://crsreports.congress.gov/product/pdf/R/R40161/9 (``[Health IT], which generally refers to the
use of computer applications in medical practice, is widely viewed
as a necessary and vital component of health care reform.'').
\72\ H.Rept. 111-7, accompanying H.R. 629, 111th Cong., at 74
(2009).
\73\ H.R. 629, Energy and Commerce Recovery and Reinvestment Act
of 2009, introduced in the House on January 22, 2009, contained
nearly identical provisions to subtitle D of the HITECH Act.
\74\ Congress enacted the American Recovery and Reinvestment Act
of 2009, which included the HITECH Act, on February 17, 2009. While
it was the House version of the bill, H.R. 1, that was enacted, the
Senate version, S. 336, contained nearly identical provisions to
subtitle D of the HITECH Act.
\75\ S.Rept. 111-3, 111th Cong. accompanying S. 336, 111th
Cong., at 59 (2009).
\76\ 78 FR 5566.
\77\ Subtitle D of title XIII of the HITECH Act (codified at 42
U.S.C. 17921, 42 U.S.C. 17931-17941, and 42 U.S.C. 17951-17953).
\78\ 78 FR 5568.
---------------------------------------------------------------------------
B. Rulemaking Authority and Regulatory History
1. The Department's Rulemaking Authority Under HIPAA
In passing HIPAA, Congress recognized the importance of privacy for
IIHI by requiring the Secretary to issue regulations on privacy in the
event that Congress itself did not enact specific privacy
legislation.\79\ That statutory directive complemented the Secretary's
general rulemaking authority to ``make and publish such rules and
regulations, not inconsistent with this chapter, as may be necessary to
the efficient administration of the functions with which each is
charged under this chapter.'' \80\
---------------------------------------------------------------------------
\79\ See Section 264(c)(1) of Public Law 104-191 (codified at 42
U.S.C. 1320d-2 note).
\80\ Section 1102 of the SSA (codified at 42 U.S.C. 1302).
---------------------------------------------------------------------------
Congress further contemplated that related rulemaking authorities
would not be static. Indeed, in a closely analogous section of the
HIPAA Administrative Simplification provisions--related to enabling the
electronic exchange of health information--Congress built in a
mechanism to adapt such regulations as technology and health care
evolve, directing that the Secretary review and modify the
Administrative Simplification standards as determined appropriate, but
not more frequently than once every 12 months.\81\ The Department
recognized how intertwined these particular Administrative
Simplification standards would be with the standards for the privacy of
individually identifiable health information, and thus promulgated a
regulatory standard that limits modifications to all of the rules
promulgated under the Administrative Simplification provisions to no
more frequently than once every 12 months.\82\
---------------------------------------------------------------------------
\81\ See Section 1174(b)(1) of Public Law 104-191 (codified at
42 U.S.C. 1320d-3).
\82\ 45 CFR 160.104.
---------------------------------------------------------------------------
The Secretary exercised each of these rulemaking authorities in
2000 to adopt 45 CFR 160.104(a), which reserves the Secretary's power
to modify any ``standard or implementation specification adopted under
this subchapter'' of these regulations, including the Administrative
Simplification provisions. The Secretary invoked this modification
authority to amend the Privacy Rule in 2002.\83\
---------------------------------------------------------------------------
\83\ See 67 FR 53182 (Aug. 14, 2002).
---------------------------------------------------------------------------
Subsequently, as discussed above, Congress affirmed that the HIPAA
Rules--including 45 CFR 160.104(a)--are to remain in effect to the
extent that they are consistent with the HITECH Act and directed the
Secretary to revise the HIPAA Rules as necessary for consistency with
the HITECH Act.\84\ At the same time, Congress also confirmed that the
new law was not intended to have any effect on authorities already
granted under HIPAA to the Department, including section 264 of that
statute and the regulations issued under that provision. Congress'
affirmation of the Secretary's rulemaking power, including the
[[Page 23514]]
authority to modify the Secretary's own regulations, thus confirms that
the Secretary retains the authority to modify the Privacy Rule as often
as every 12 months when appropriate, including to strengthen privacy
and security protections for IIHI. In fact, after the enactment of the
HITECH Act, the Secretary exercised this authority to modify the
Privacy Rule again in 2013.\85\
---------------------------------------------------------------------------
\84\ Section 13421(b) of the HITECH Act (codified at 42 U.S.C.
17951).
\85\ See 78 FR 5566.
---------------------------------------------------------------------------
To properly execute the HIPAA statutory mandate, and in accordance
with the regulatory authority granted to it by Congress, the Department
regularly evaluates the interaction of the Privacy Rule and state
statutes and regulations governing the privacy of health information.
In keeping with the Department's practice, this NPRM attempts to
accommodate state autonomy to the extent consistent with the need to
maintain rules for health information privacy that serve HIPAA's
objectives. The proposed regulation, if finalized, would thus preempt
state law only to the extent necessary to achieve the national
objectives of HIPAA.
The Secretary has delegated authority to administer the HIPAA Rules
and to make decisions regarding their implementation, interpretation,
and enforcement to the HHS Office for Civil Rights (OCR).\86\
---------------------------------------------------------------------------
\86\ See U.S. Dep't of Health and Human Servs., Office of the
Secretary, Office for Civil Rights; Statement of Delegation of
Authority, 65 FR 82381 (Dec. 28, 2000); U.S. Dep't of Health and
Human Servs., Office of the Secretary, Office for Civil Rights;
Delegation of Authority, 74 FR 38630 (Aug. 4, 2009); U.S. Dep't of
Health and Human Servs., Office of the Secretary, Statement of
Organization, Functions and Delegations of Authority, 81 FR 95622
(Dec. 28, 2016).
---------------------------------------------------------------------------
2. Regulatory History
The 2000 Privacy Rule
As directed by HIPAA, the Department provided a series of
recommendations to Congress for a potential new law that would address
the confidentiality of individually identifiable health
information.\87\ Congress did not act within its three-year self-
imposed deadline. As a result, the Department published a proposed rule
setting forth the required standards on November 3, 1999,\88\ and
issued the first final rule establishing ``Standards for Privacy of
Individually Identifiable Health Information'' (``2000 Privacy Rule'')
on December 28, 2000.\89\
---------------------------------------------------------------------------
\87\ See Confidentiality of Individually Identifiable Health
Information, U.S. Dep't of Health and Human Servs., Section I.A.
(Sept. 1997), https://aspe.hhs.gov/reports/confidentiality-individually-identifiable-health-information.
\88\ 64 FR 59918.
\89\ 65 FR 82462.
---------------------------------------------------------------------------
The final rule announced ``standards to protect the privacy of
individually identifiable health information'' to ``begin to address
growing public concerns that advances in electronic technology and
evolution in the health care industry are resulting, or may result, in
a substantial erosion of the privacy surrounding'' health
information.\90\ On the eve of that rule's issuance, the President
issued an Executive order recognizing the importance of protecting
patient privacy, explaining that ``[p]rotecting the privacy of
patients' protected health information promotes trust in the health
care system. It improves the quality of health care by fostering an
environment in which patients can feel more comfortable in providing
health care professionals with accurate and detailed information about
their personal health.'' \91\ Thus, the primary goal of the Privacy
Rule was to provide greater protections to individuals' privacy and to
engender a trusting relationship between individuals and health care
providers.\92\
---------------------------------------------------------------------------
\90\ 65 FR 82462.
\91\ Executive Order 13181 (Dec. 20, 2000), 65 FR 81321.
\92\ Id.
---------------------------------------------------------------------------
The final rule announced ``standards to protect the privacy of
individually identifiable health information'' to ``begin to address
growing public concerns that advances in electronic technology and
evolution in the health care industry are resulting, or may result, in
a substantial erosion of the privacy surrounding'' health
information.\93\
---------------------------------------------------------------------------
\93\ 65 FR 82462.
---------------------------------------------------------------------------
Since promulgation, the Privacy Rule has protected PHI \94\ by
limiting the circumstances under which covered entities and their
business associates (collectively, ``regulated entities'') are
permitted or required to use or disclose PHI and by requiring covered
entities to have safeguards in place to protect the privacy of PHI. In
adopting these regulations, the Department acknowledged the need to
balance several competing factors, including existing legal
expectations, individuals' privacy expectations, and societal
expectations.\95\ The Department noted ``the large number of comments
from individuals and groups representing individuals demonstrate the
deep public concern about the need to protect the privacy of
individually identifiable health information'' and ``evidence about the
importance of protecting privacy and the potential adverse consequences
to individuals and their health if such protections are not extended.''
\96\ The Department struck a balance between the ``competing
interests--the necessity of protecting privacy and the public interest
in using identifiable health information for vital public and private
purposes--in a way that is also workable for the varied
stakeholders[.]'' \97\
---------------------------------------------------------------------------
\94\ PHI includes individuals' IIHI transmitted by or maintained
in electronic media or any other form or medium, with certain
exceptions. See 45 CFR 160.103 (definition of ``Protected health
information'').
\95\ See 65 FR 82471.
\96\ 65 FR 82472.
\97\ Id.
---------------------------------------------------------------------------
The Department established ``general rules'' for uses and
disclosures of PHI, codified at 45 CFR 164.502, in the 2000 Privacy
Rule.\98\ The 2000 Privacy Rule also specified the circumstances in
which a covered entity was required to obtain an individual's
consent,\99\ authorization,\100\ or the opportunity for the individual
to agree or object.\101\ Additionally, it established rules for when a
covered entity is permitted to use or disclose PHI without an
individual's consent, authorization, or opportunity to agree or
object.\102\ In particular, the Privacy Rule permits certain uses and
disclosures of PHI, without the individual's authorization, for
identified activities that benefit the community, such as public health
activities, law enforcement purposes, judicial and administrative
proceedings, and research.
---------------------------------------------------------------------------
\98\ 65 FR 82462.
\99\ 45 CFR 164.506 was originally titled ``Consent for uses or
disclosures to carry out treatment, payment, or health care
operations.''
\100\ 45 CFR 164.508.
\101\ 45 CFR 164.510.
\102\ 45 CFR 164.512.
---------------------------------------------------------------------------
The Privacy Rule also established the rights of individuals with
respect to their PHI, including the right to receive adequate notice of
a covered entity's privacy practices, the right to request restrictions
of uses and disclosures, the right to access (i.e., to inspect and
obtain a copy of) their PHI, the right to request an amendment of their
PHI, and the right to receive an accounting of disclosures.\103\
---------------------------------------------------------------------------
\103\ See 45 CFR 164.520, 164.522, 164.524, 164.526, and
164.528.
---------------------------------------------------------------------------
As part of the final rule, the Department provided that covered
entities were to comply with the 2000 Privacy Rule no later than 24
months following its effective date.\104\
---------------------------------------------------------------------------
\104\ The effective date of the Privacy Rule was updated to
April 14, 2001. A covered entity meeting the definition of a small
health plan was given 36 months to comply with the Privacy Rule. The
compliance date for most covered entities was April 14, 2003. See 66
FR 12434 (Feb. 26, 2001).
---------------------------------------------------------------------------
The 2002 Privacy Rule
After publication of the 2000 Privacy Rule, the Department received
many
[[Page 23515]]
inquiries and unsolicited comments about the Rule's impact and
operation. As a result, the Department opened the 2000 Privacy Rule for
further comment in March 2001, less than one month before the effective
date and 25 months before the compliance date, for most covered
entities and issued clarifying guidance on the Rule's
implementation.\105\ NCVHS' Subcommittee on Privacy, Confidentiality
and Security held public hearings about the 2000 Privacy Rule. From
those hearings, the Department learned more about concerns related to
key provisions and their potential unintended consequences on health
care quality and access.\106\ In March 2002, the Department proposed
modifications to the 2000 Privacy Rule to clarify the requirements and
correct potential problems that could threaten access to, or quality
of, health care.\107\
---------------------------------------------------------------------------
\105\ 66 FR 12738 (Feb. 28, 2001).
\106\ 67 FR 53183.
\107\ 67 FR 14775 (Mar. 27, 2002).
---------------------------------------------------------------------------
In response to the comments on the proposed rule, the Department
finalized modifications on August 14, 2002 (``2002 Privacy
Rule'').\108\ This final rule clarified HIPAA's requirements while
``maintain[ing] strong protections for the privacy of individually
identifiable health information.'' \109\ These modifications addressed
certain workability issues, including but not limited to clarifying
distinctions between health care operations and marketing; modifying
the minimum necessary standard to exclude disclosures authorized by
individuals and clarify its operation; clarifying that consent is not
required for treatment, payment, or health care operations, and to
otherwise clarify the role of consent in the Privacy Rule; and making
other modifications and conforming amendments consistent with the
proposed rule. The Department also included modifications to the
provisions permitting the use or disclosure of PHI for public health
activities and for research activities without consent, authorization,
or an opportunity to agree or object.
---------------------------------------------------------------------------
\108\ 67 FR 53182. See the final rule for changes in the
entirety. The 2002 Privacy Rule was issued before the compliance
date for the 2000 Privacy Rule. Thus, covered entities never
implemented the 2000 Privacy Rule. Instead, they implemented the
2000 Privacy Rule as modified by the 2002 Privacy Rule.
\109\ 67 FR 53182.
---------------------------------------------------------------------------
2013 Omnibus Final Rule
Following the enactment of the HITECH Act, the Department issued an
NPRM, entitled ``Modifications to the HIPAA Privacy, Security, and
Enforcement Rules Under the Health Information Technology for Economic
and Clinical Health [HITECH] Act'' (``2010 NPRM''),\110\ to propose
implementation of certain HITECH Act requirements. In 2013, the
Department issued the Modifications to the HIPAA Privacy, Security,
Enforcement, and Breach Notification Rules Under the Health Information
Technology for Economic and Clinical Health [HITECH] Act and the
Genetic Information Nondiscrimination Act, and Other Modifications to
the HIPAA Rules--Final Rule (``2013 Omnibus Rule''),\111\ which
implemented many of the new HITECH Act requirements, including
strengthening individuals' privacy rights as related to their PHI.
---------------------------------------------------------------------------
\110\ 75 FR 40867 (July 14, 2010).
\111\ 78 FR 5565. In addition to finalizing requirements of the
HITECH Act that were proposed in the NPRM, the Department adopted
modifications to the Enforcement Rule not previously adopted in an
earlier interim final rule, 74 FR 56123 (Oct. 30, 2009), and to the
Breach Notification Rule not previously adopted in an interim final
rule, 74 FR 42739 (Aug. 24, 2009). The Department also finalized
previously proposed Privacy Rule modifications as required by GINA,
74 FR 51698 (Oct. 7, 2009).
---------------------------------------------------------------------------
The Department also finalized regulatory provisions not required by
the HITECH Act, but necessary to address the ``workability and
effectiveness'' of the HIPAA Rules and ``to increase flexibility for
and decrease burden on regulated entities.'' \112\ In the 2010 NPRM,
the Department noted that it had not amended the HIPAA Privacy and
Security Rules since 2002 and 2003, respectively, other than to amend
the Enforcement Rule through a 2009 interim final rule.\113\ It further
explained that information gleaned from contact with the public since
that time, enforcement experience, and technical corrections required
to eliminate ambiguity provided the impetus for the Department's
actions to make certain regulatory changes.\114\
---------------------------------------------------------------------------
\112\ 78 FR 5566. The Department's general rulemaking authority
is codified in HIPAA section 264(c), and OCR conducts rulemaking
under HIPAA based on authority granted by the Secretary.
\113\ See 75 FR 40871. See also 74 FR 56123. The Department
issued an interim final rule on October 30, 2009, to implement
HITECH Act statutory changes to the HIPAA Enforcement Rule.
\114\ 75 FR 40871.
---------------------------------------------------------------------------
For example, the Department modified its prior interpretation of
the Privacy Rule requirement at 45 CFR 164.508(c)(1)(iv) that a
description of a research purpose must be ``study specific.'' The
Department explained that, under its new interpretation, the research
purposes need only be described adequately so that it would be
``reasonable for the individual to expect that his or her protected
health information could be used or disclosed for such future
research.'' \115\ The Department attributed its changed interpretation
to the expressed concerns from covered entities, researchers, and other
commenters to the 2010 NPRM that the former requirement did not
represent current research practices. The Department expressed a
similar rationale for the Privacy Rule modifications permitting certain
disclosures of student immunization records to schools without an
authorization,\116\ and another provision redefining the definition of
PHI to exclude information regarding an individual who has been
deceased for more than 50 years.\117\ For the latter, the Department
noted that it was balancing the privacy interests of decedents' living
relatives and other affected individuals against the legitimate needs
of public archivists to obtain records.
---------------------------------------------------------------------------
\115\ 78 FR 5612.
\116\ Id. at 5616-17. See also 45 CFR 164.512(b)(1).
\117\ 78 FR 5614. See also 45 CFR 164.502(f) and the definition
of ``Protected health information'' at 45 CFR 160.103, excluding
IIHI regarding a person who has been deceased for more than 50
years.
---------------------------------------------------------------------------
None of the above-described changes were expressly required by the
HITECH Act. Rather, the Department determined them to be necessary
pursuant to its ongoing general rulemaking authority.\118\
---------------------------------------------------------------------------
\118\ In addition to the rulemakings discussed here, the
Department has modified the HIPAA Privacy Rule for workability
purposes and in response to changes in circumstances on two other
occasions, and it issued another notice of proposed rulemaking in
2021 for the same reasons. See 79 FR 7289 (Feb. 6, 2014), 81 FR 382
(Jan. 6, 2016), and 86 FR 6446 (Jan. 21, 2021).
---------------------------------------------------------------------------
III. Justification for This Proposed Rulemaking
HIPAA and the HIPAA Rules promote access to health care by
establishing standards for the privacy of PHI in order to protect the
confidentiality of individuals' health information. These protections
promote the development and maintenance of confidence and trust between
individuals and their health care providers and health plans, and help
improve the completeness and accuracy of patient records.\119\ The
Privacy Rule, as it has been amended over time, carefully balances the
interests of individuals and society in identifiable health information
by establishing conditions for when and how such information may be
used and
[[Page 23516]]
disclosed--with and without the individual's permission.
---------------------------------------------------------------------------
\119\ See 65 FR 82463. See also H. Rept. 104-736 at 177 and 264,
supra note 40. See also 142 Cong. Rec. H9780 (statement of Rep.
Sawyer), supra note 42; 142 Cong. Rec. H9792 (statement of Rep.
McDermott), supra note 42; and 142 Cong. Rec. S9515-16 (statement of
Sen. Simon), supra note 42.
---------------------------------------------------------------------------
The Privacy Rule is balanced to protect an individual's privacy
while allowing the use or disclosure of PHI for certain non-health care
purposes, including in certain criminal, civil, and administrative
investigations and proceedings. The Privacy Rule permits, but does not
require, covered entities to disclose PHI to law enforcement officials,
without the individual's written authorization, under specific
circumstances.\120\ For example, a covered entity is permitted to
disclose PHI to law enforcement in compliance with, and as limited by,
the relevant requirements of a court order. A covered entity is also
permitted to disclose certain limited types of PHI in response to a law
enforcement official's request for such information for the limited
purpose of identifying or locating a suspect, fugitive, material
witness, or missing person. Such disclosures are also currently
permitted, under certain circumstances, for health oversight
purposes,\121\ judicial and administrative proceedings,\122\ or to
coroners and medical examiners.\123\ Except when required by law, the
disclosures summarized above are subject to a minimum necessary
determination by the covered entity.\124\ When reasonable to do so, the
covered entity may rely upon the representations of the public health
authority, law enforcement official, or other public official as to
what information is the minimum necessary for their lawful
purpose.\125\ Moreover, if the law enforcement official making the
request for information is not known to the covered entity, the covered
entity must verify the identity and authority of such person prior to
disclosing the information.\126\
---------------------------------------------------------------------------
\120\ See 45 CFR 164.152(f).
\121\ 45 CFR 164.512(d).
\122\ 45 CFR 164.512(e).
\123\ 45 CFR 164.512(g)(1).
\124\ 45 CFR 164.502(b) and 164.514(d).
\125\ 45 CFR 164.514(d)(3)(iii)(A).
\126\ 45 CFR 164.514(h).
---------------------------------------------------------------------------
However, the Department believes that developments in the legal
environment have disrupted the balance. On one hand, there is the
individual's interest in the privacy of their health information and
that of society in fostering trust between individuals and health care
providers to promote public health. On the other hand, there is the
interest of others in using or disclosing that information to achieve
certain public policy goals, in this case, for purposes of criminal,
civil, and administrative investigations or proceedings. Those
developments have made information related to reproductive health care,
which has long been considered highly sensitive,\127\ more likely to be
of interest for punitive non-health care purposes, and thus more likely
to be disclosed if sought for a purpose permitted under the Privacy
Rule today. The interest in this sensitive health information is likely
to remain high, even where the reproductive health care has been
provided under circumstances in which it was lawful to do so. The
Department believes PHI will be increasingly targeted by those seeking
evidence for criminal, civil, or administrative investigations into or
proceedings against persons in connection with seeking, obtaining,
providing, or facilitating reproductive health care--or identifying
persons for such purposes, thereby jeopardizing the relationships
between individuals and their health care providers, even when such
health care is lawfully obtained.
---------------------------------------------------------------------------
\127\ See Letter from NCVHS, supra note 14.
---------------------------------------------------------------------------
To address these developments, the Department is proposing to
protect this sensitive PHI and preserve that balance by establishing a
new purpose for which disclosures are prohibited in certain
circumstances--that is, the use or disclosure of PHI for the criminal,
civil, or administrative investigation of or proceeding against an
individual, regulated entity, or other person for seeking, obtaining,
providing, or facilitating reproductive health care, as well as the
identification of any person for the purpose of initiating such an
investigation or proceeding. Such disclosures of PHI would be
prohibited when the reproductive health care: (1) is provided outside
of the state where the investigation or proceeding is authorized and
where such health care is lawfully provided; (2) is protected,
required, or authorized by Federal law, regardless of the state in
which such health care is provided; or (3) is provided in the state in
which the investigation or proceeding is authorized and that is
permitted by the law of that state. In these circumstances, the state
lacks any substantial interest in seeking the disclosure. Protecting
against disclosures of PHI in these circumstances thus directly
advances the long-understood purpose of the HIPAA privacy protections
without unduly interfering with legitimate state prerogatives.
To assist in effectuating this prohibition, the Department proposes
to require covered entities in certain circumstances to obtain an
attestation from the person requesting the use or disclosure that the
use or disclosure is not for a prohibited purpose. Additionally, the
Department proposes to clarify the definition of ``person'' and certain
other terms that distinguish between state laws that are contrary to
the Privacy Rule and are therefore preempted by it and those that are
excepted from preemption. The Department also discusses its view of
``child abuse'' for the purposes of the Privacy Rule and which persons
a covered entity may decline to recognize as an individual's personal
representative under particular circumstances. This NPRM contains
proposals for minor technical corrections that reflect the Department's
long-standing interpretation of the Privacy Rule. Lastly, the
Department proposes to require modifications to the Notice of Privacy
Practices (NPP) to ensure that individuals are aware of and understand
the proposed prohibition.
A. HIPAA Encourages Trust by Carefully Balancing Individuals' Privacy
Interests With Others' Interests in Using or Disclosing PHI
It is well established that a functioning health care system
depends in part on patients trusting their health care providers and
health care systems.\128\ According to the American Medical Association
(AMA), a key element of patient trust is privacy protection, ``a
crucial element for honest health discussions.'' \129\ Privacy is the
core foundation of the relationship between individuals and their
health care providers.\130\ The original Hippocratic Oath required
physicians to pledge to maintain the confidentiality of information
they learn about their patients.\131\ Individuals' health privacy
concerns affect their trust in health care providers, and thus, their
willingness to provide complete and accurate information to health care
providers.\132\
[[Page 23517]]
Individuals must disclose sensitive information to their health care
providers to obtain appropriate health care.\133\ If individuals do not
trust that the sensitive information they disclose to their health care
providers will be kept private, they may be deterred from seeking or
obtaining needed health care or withhold information from their health
care providers, compromising the quality of the health care they
receive.\134\ Similarly, if a health care provider does not trust that
the information they include in an individual's medical records will
not be kept private, the health care provider might leave gaps or
include inaccuracies when preparing medical records, creating a risk
that ongoing or future health care would be compromised. Thus, the
Privacy Rule promotes access to higher quality health care by
protecting the privacy of individuals' health information in order to
engender trust between individuals and health care providers and to
help improve the completeness and accuracy of individuals' medical
records. The Federal Government has a strong interest in ensuring that
individuals have access to high-quality health care,\135\ and from its
inception, the Privacy Rule has recognized the importance of trust to
health care quality.
---------------------------------------------------------------------------
\128\ See Jennifer Richmond, Marcella H. Boynton, Sachiko Ozawa,
et al., ``Development and Validation of the Trust in My Doctor,
Trust in Doctors in General, and Trust in the Health Care Team
Scales,'' Social Science & Medicine (Apr. 2022), https://www.sciencedirect.com/science/article/abs/pii/S0277953622001332?via%3Dihub.
\129\ See ``Patient Perspectives Around Data Privacy,'' American
Medical Association (2022), https://www.ama-assn.org/system/files/ama-patient-data-privacy-survey-results.pdf.
\130\ Id.
\131\ Warren T. Reich, editor. Vol. 5. Macmillan; New York, NY:
1995. Oath of Hippocrates; p. 2632. (Encyclopedia of Bioethics).
\132\ See ``Development and Validation of the Trust in My
Doctor, Trust in Doctors in General, and Trust in the Health Care
Team Scales,'' supra note 128; Bradley E. Iott, Celeste Campos-
Castillo, Denise L. Anthony, ``Trust and Privacy: How Patient Trust
in Providers is Related to Privacy Behaviors and Attitudes,'' AMIA
Annual Symposium Proceedings (Mar. 2020), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7153104/; Pamela Sankar, Susan
Mora, Jon F. Merz, et al., ``Patient perspectives of medical
confidentiality: a review of the literature,'' Journal of General
Internal Medicine (Aug. 2003), p. 659-69, https://pubmed.ncbi.nlm.nih.gov/12911650/.
\133\ See ``Recommendations on Privacy and Confidentiality,
2006-2008,'' Nat'l Comm. on Vital and Health Stats. (May 2009), p.
4, https://ncvhs.hhs.gov/wp-content/uploads/2014/05/privacyreport0608.pdf; See also Letter from NCVHS (forwarding NCVHS
recommendations) (``As a practical matter, it is often essential for
individuals to disclose sensitive, even potentially embarrassing,
information to a health care provider to obtain appropriate care''),
supra note 18.
\134\ See 64 FR 60019 (In the 1999 Privacy Rule NPRM, the
Department discussed confidentiality as an important component of
trust between individuals and health care providers and cited a 1994
consumer privacy survey that indicated that a lack of privacy may
deter patients from obtaining preventive care and treatment.);
``Trust and Privacy: How Patient Trust in Providers is Related to
Privacy Behaviors and Attitudes,'' supra note 132.
\135\ See Testimony (transcribed) of Peter R. Orszag, Director,
Congressional Budget Office, Hearing on Comparative Clinical
Effectiveness before House of Representatives Committee on Ways and
Means, Subcommittee on Health, 2007 WL 1686358 (June 12, 2007)
(``because federal health insurance programs play a large role in
financing medical care and represent a significant expenditure, the
federal government itself has an interest in evaluations of the
effectiveness of different health care approaches''); Statement of
Sen. Durenberger introducing S.1836, American Health Quality Act of
1991 and reading bill text, 137 Cong. Rec. S26720 (Oct. 17, 1991)
(``[T]he Federal Government has a demonstrated interest in assessing
the quality of care, access to care, and the costs of care through
the evaluative activities of several Federal agencies.'').
---------------------------------------------------------------------------
Of course, health information--and PHI in particular--can be useful
for purposes other than an individual's own health care. Indeed,
society also benefits when individuals trust their health care
providers to keep highly sensitive information private for the same
reasons that individuals benefit. After all, it is to society's benefit
that individuals seek out necessary medical care, and that when they
do, they receive high-quality health care based on information that is
more likely to be complete and accurate when individuals trust their
health care providers. Individuals' lack of trust in health care
providers and the health care system can have serious consequences for
society.\136\
---------------------------------------------------------------------------
\136\ See Letter from NCVHS, supra note 18.
---------------------------------------------------------------------------
There is also significant interest in using PHI to address non-
health care concerns, such as for research, law enforcement purposes,
judicial and administrative proceedings, health oversight activities,
and others. As the Department explained in the 1999 Privacy Rule NPRM,
``The information may be sought well before a trial or hearing, to
permit the party to discover the existence or nature of testimony or
physical evidence, or in conjunction with the trial or hearing, in
order to obtain the presentation of testimony or other evidence. These
uses of health information are clearly necessary to allow the smooth
functioning of the legal system.'' \137\ For example, in the absence of
a permission to use or disclose PHI for judicial and administrative
proceedings, a regulated entity would be dependent upon an individual's
authorization to use or disclose PHI to defend itself against a medical
malpractice claim brought by the individual, rendering the regulated
entity dependent upon the very person bringing the claim against them.
The Department believes that there is societal benefit to permitting
such uses and disclosures where such uses and disclosures do not
undermine the public policy goals set by Congress when it passed
HIPAA--that is, where they do not undermine the trust of individuals in
the health care system and the ability of individuals to receive high-
quality health care.\138\ The Department has long permitted uses and
disclosures of PHI for non-health care purposes in such circumstances,
subject to certain limitations because of the potential harm they could
cause to individuals.
---------------------------------------------------------------------------
\137\ 64 FR 59959.
\138\ See Letter from NCVHS, at Executive Summary, supra note 60
(with forwarded NCVHS recommendations, ``The importance of trust in
the provider-patient relationship must be preserved. Health records
are used to improve the quality of health care [ . . . ] protect the
public health, and assure public accountability of the health care
system.'').
---------------------------------------------------------------------------
As discussed in section II of this preamble, the Privacy Rule
represents the Department's careful balancing of individuals' interests
and the interests of others in a way that engenders individuals' trust
and enables high-quality health care, while also allowing others to use
individuals' PHI for certain public policy purposes. The Department
recognized the need for trust between patients and health care
providers in the 2000 Privacy Rule, noting that ``[t]he provision of
high-quality health care requires the exchange of personal, often-
sensitive information between an individual and a skilled practitioner.
Vital to that interaction is the patient's ability to trust that the
information shared will be protected and kept confidential.'' \139\
Further, if individuals do not trust that the sensitive information
they give their health care providers will be kept private, they may be
deterred from seeking needed health care.\140\ And when individuals do
seek health care, they may be reluctant to be completely forthcoming
with their health care providers, thus compromising the quality of the
health care they receive. As the Department also stated, ``[h]ealth
care professionals who lose the trust of their patients cannot deliver
high-quality care.'' \141\ And when the trust of individuals is lost,
the public's health as a whole is jeopardized.
---------------------------------------------------------------------------
\139\ 65 FR 82463.
\140\ See 64 FR 60019 (In the 1999 Privacy Rule NPRM, the
Department discussed confidentiality as an important component of
trust between individuals and health care providers and cited a 1994
consumer privacy survey that indicated that a lack of privacy may
deter patients from obtaining preventive care and treatment.).
\141\ 65 FR 82468.
---------------------------------------------------------------------------
Throughout the preamble to the 2000 Privacy Rule and the preambles
to the rules revising the Privacy Rule, the Department described and
explained its efforts to balance those interests. In the 2002 Privacy
Rule, the Department discussed its re-evaluation of the balance
established by the 2000 Privacy Rule and revised certain provisions
because of concerns that arose as regulated entities prepared to
implement its requirements. The Department made certain revisions to
protect the privacy interests of individuals by strengthening the
requirements for covered entities to inform individuals of their
privacy practices through an NPP. These revisions afforded individuals
the opportunity to engage in discussions
[[Page 23518]]
regarding the use and disclosure of their PHI, while protecting the
interests of covered entities by allowing activities that are essential
to the provision of high-quality health care to occur unimpeded,
reducing the burden on such entities.\142\ The Department made other
revisions to ``balance an individual's privacy expectations with a
covered entity's need for information for reimbursement and quality
purposes.'' \143\ In that same rulemaking, in addressing comments on
still other revisions, the Department clearly stated, ``Patient privacy
must be balanced against other public goods, such as research and the
risk of compromising such research projects if researchers could not
continue to use such data.'' \144\
---------------------------------------------------------------------------
\142\ 67 FR 53209.
\143\ 67 FR 53216.
\144\ 67 FR 53226.
---------------------------------------------------------------------------
In more recent rulemakings, the Department has continued its
efforts to build and maintain individuals' trust in the health care
system by balancing the interests of individuals with those of others
as it further revised the Privacy Rule. For example, in explaining
revisions made as part of the 2013 Omnibus Rule, the Department stated,
``The Privacy Rule, at Sec. 164.512(b), recognizes that covered
entities must balance protecting the privacy of health information with
sharing health information with those responsible for ensuring public
health and safety.'' \145\ As another example from that same rule, the
Department revised the requirements for the distribution of the NPP
because ``[w]e believe these distribution requirements best balance the
right of individuals to be informed of their privacy rights with the
burden on health plans to provide the revised [Notice of Privacy
Practices].'' \146\ In the 2014 CLIA Program and HIPAA Privacy Rule;
Patients' Access to Test Reports Final Rule, the Department further
balanced the interests of individuals and those of others by providing
individuals (or their personal representatives) with the right to
access test reports directly from laboratories subject to HIPAA.\147\
This rulemaking afforded the Department with the opportunity to
demonstrate the supremacy of the individual's right of access over the
potential burden imposed on others, in this case, the laboratory. And
still more recently, the primary focus of the 2016 HIPAA Privacy Rule
and the National Instant Criminal Background Check System (NICS) Final
Rule was to issue a narrowly tailored rule that appropriately balanced
public safety goals with individuals' privacy interests to ensure that
individuals are not discouraged from seeking voluntary treatment for
mental health needs.\148\
---------------------------------------------------------------------------
\145\ 78 FR 5616.
\146\ 78 FR 5625.
\147\ 79 FR 7290 (Feb. 6, 2014).
\148\ 81 FR 382, 386 (Jan. 6, 2016).
---------------------------------------------------------------------------
As part of balancing individuals' interests with those of society,
the Department has recognized that it may be necessary to provide
certain types of health information with special protection because
they are particularly sensitive. For example, while the Department
usually applies the same privacy standards to all PHI regardless of the
type of health care at issue, it affords ``special protections'' to
psychotherapy notes. These protections are afforded in part because of
the ``particularly sensitive information'' those notes contain and in
part because of the unique function of these records, which are by
definition maintained separately from an individual's medical
record.\149\ As the Department explained when it proposed these
protections, ``[p]sychotherapy notes are of primary value to the
specific provider and the promise of strict confidentiality helps to
ensure that the patient will feel comfortable freely and completely
disclosing very personal information essential to successful
treatment.'' \150\ The Department elaborated that, ``[b]ecause of the
sensitive nature of the problems for which individuals consult
psychotherapists,'' and the ``embarrassment or disgrace'' engendered by
``disclosure of confidential communications made during counseling
sessions,'' even ``the mere possibility of disclosure may impede
development of the confidential relationship necessary for successful
treatment.'' \151\ To support the development and maintenance of an
individual's trust and protect the relationship between an individual
and their therapist, psychotherapy notes may be disclosed without an
individual's authorization only in limited circumstances, such as to
avert a serious and imminent threat to health or safety. Those limited
circumstances do not include judicial and administrative proceedings or
law enforcement purposes unless the disclosure is ``necessary to
prevent or lessen a serious and imminent threat to the health or safety
of a person or the public.'' \152\
---------------------------------------------------------------------------
\149\ See 45 CFR 164.501 (definition of ``Psychotherapy notes'')
(explicitly providing that psychotherapy notes are separated from
the individual's medical record).
\150\ 64 FR 59941.
\151\ Id.
\152\ 45 CFR 164.508(a)(2).
---------------------------------------------------------------------------
Information related to an individual's reproductive health and
associated health care is also especially sensitive and has long been
recognized as such. As stated in the AMA's Principles of Medical
Ethics, the ``decision to terminate a pregnancy should be made
privately within the relationship of trust between patient and
physician in keeping with the patient's unique values and needs and the
physician's best professional judgment.\153\ NCVHS first noted it as an
example of a category of health information commonly considered to
contain sensitive information in 2008.\154\ From 2005-2010, NCVHS held
nine hearings that addressed questions about sensitive information in
medical records and identified additional categories of sensitive
information beyond those addressed in Federal and state law, including
``sexuality and reproductive health information,'' which NCVHS
elaborated on in a 2010 letter to the Secretary:
---------------------------------------------------------------------------
\153\ Amendment to Opinion 4.2.7, Abortion H-140.823, American
Medical Association (2022), https://policysearch.amaassn.org/policyfinder/detail/%224.2.7%20Abortion%22?uri=%2FAMADoc%2FHOD.xml-H-140.823.xml.
\154\ See Letter from NCVHS, supra note 14.
Some reproductive issues may expose people to political
controversy [ . . . ], and public knowledge of an individual's
reproductive history may place [them] at risk of stigmatization.
Additionally, individuals may wish to have their reproductive
history segmented so that it is not viewed by family members who
otherwise have access to their records. Parents may wish to delay
telling their offspring about adoption, gamete donation, or the use
of other forms of assisted reproduction technology in their
conception, and, thus, it may be important to have the capacity to
segment these records.\155\
---------------------------------------------------------------------------
\155\ See Letter from NCVHS Chair Justine M. Carr to HHS
Secretary Kathleen Sebelius (Nov. 10, 2010) (forwarding NCVHS
recommendations).
At that time, the general privacy standards promulgated under HIPAA
adequately protected information related to reproductive health care.
Based on settled Federal constitutional law in 2000, the Department did
not see a need to treat uses or disclosures of PHI related to
reproductive health care, such as information about a pregnancy
termination, differently from other uses or disclosures of PHI related
to other categories of health care when establishing the Federal
standards for privacy as mandated by HIPAA.\156\ HHS knew that
individuals generally could legally access reproductive health care
nationwide. And because such health care generally was legal and
constitutionally protected, HHS was confident that law enforcement or
other
[[Page 23519]]
third parties typically would not seek individuals' health information
for purposes of investigating violations of criminal or civil laws
related to highly sensitive types of health care, such as the provision
of or access to reproductive health care, except in certain limited
circumstances aimed at ensuring the quality and safety of such health
care. Therefore, until states' recent efforts to regulate and
criminalize the provision of or access to reproductive health care,
effectuating the purposes of HIPAA did not require regulatory
provisions that restricted uses and disclosures of PHI related to those
activities.
---------------------------------------------------------------------------
\156\ See 65 FR 82464-70.
---------------------------------------------------------------------------
B. Developments in the Legal Environment Are Eroding Individuals' Trust
in the Health Care System
The Supreme Court's decision in Dobbs on June 24, 2022, created new
concerns about the privacy of PHI related to reproductive health care.
In that decision, the Court overruled Roe v. Wade \157\ and Planned
Parenthood of Southeastern Pennsylvania v. Casey \158\ and held that
constitutional challenges to state abortion regulations are subject to
rational-basis review.\159\ But the Court's decision did not disturb
other longstanding constitutional principles, such as those protecting
the right of interstate travel or the right to use contraception.\160\
Nor did it displace Federal statutes, such as Emergency Medical
Treatment and Active Labor Act \161\ (EMTALA), that protect access to
reproductive health care in particular circumstances.
---------------------------------------------------------------------------
\157\ 410 U.S. 113 (1973).
\158\ 505 U.S. 833 (1992).
\159\ Dobbs, 142 S. Ct. at 2283-2284.
\160\ See id. at 2309 (Kavanaugh, J., concurring).
\161\ Public Law 99-272, 100 Stat. 164 (Apr. 7, 1986) (codified
at 42 U.S.C. 1395dd). For further discussion of a health care
provider's obligations under the EMTALA statute, see https://www.hhs.gov/sites/default/files/emergency-medical-care-letter-to-health-care-providers.pdf.
---------------------------------------------------------------------------
Following the Supreme Court's decision, states have taken actions,
some tacitly and some explicitly, that could interfere with
individuals' longstanding expectations created by HIPAA and the Privacy
Rule with respect to the privacy of their PHI.\162\ The Department is
aware of reports that persons or authorities have reached or intend to
reach beyond their own states' borders to investigate reproductive
health care that has been performed in other states where that health
care is legal.\163\ These actions present new concerns nationwide for
the protection of health information privacy mandated by HIPAA. Because
the Privacy Rule currently permits uses and disclosures of PHI for
certain purposes,\164\ including when another law requires a regulated
entity to make the use or disclosure,\165\ regulated entities after
Dobbs might be compelled to use or disclose PHI to law enforcement or
other persons who may use that health information against an
individual, a regulated entity, or another person who has sought,
obtained, provided, or facilitated reproductive health care, even when
such health care is lawful in the circumstances in which the health
care is obtained.\166\
---------------------------------------------------------------------------
\162\ See, e.g., Kayte Spector-Bagdady, Michelle M. Mello,
``Protecting the Privacy of Reproductive Health Information After
the Fall of Roe v Wade,'' JAMA Network (June 30, 2022), https://jamanetwork.com/journals/jama-health-forum/fullarticle/2794032; Lisa
G. Gill, ``What does the overturn of Roe v. Wade mean for you?,''
Consumer Reports (June 24, 2022), https://www.consumerreports.org/health-privacy/what-does-the-overturn-of-roe-v-wade-mean-for-you-a1957506408/.
\163\ See, e.g., Giulia Carbonaro, ``Texas bill targeting
internet abortion access `attacks individual liberty','' Newsweek
(Mar. 3, 2023), https://www.newsweek.com/texas-bill-targeting-internet-abortion-access-attacks-individual-liberty-1785254; Alice
Miranda Ollstein and Megan Messerly, ``Missouri wants to stop out-
of-state abortions. Other states could follow,'' Politico (Mar. 19,
2022), https://www.politico.com/news/2022/03/19/travel-abortion-law-missouri-00018539. For pending bills that would impose limitations
on the ability of individuals to travel to obtain reproductive
health care, see, e.g., H.B. 2012, Missouri 101st General Assembly
(2022) (would have permitted a private citizen to sue a person who
provides or facilitates an abortion for a Missouri resident,
including an out-of-state physician or person who transports an
individual across state lines to a health care provider); H.B. No.
787, Texas State Legislature (2023) (prohibiting the receipt of tax
incentives by a business entity that assists an employee in
obtaining an abortion, including through funding out-of-state travel
for the procedure); and H.B. 90 and S.B. 600, Tennessee General
Assembly (2023) (prohibiting local governments from spending money
to assist ``a person in obtaining an abortion,'' including through
funding out-of-state travel for the procedure).
\164\ 45 CFR 164.502(a)(1).
\165\ 45 CFR 164.512(a).
\166\ See Eleanor Klibanoff, ``Lawyers preparing for abortion
prosecutions warn about health care, data privacy,'' The Texas
Tribune (July 25, 2022), https://www.texastribune.org/2022/07/25/abortion-prosecution-data-health-care/(discussing the fact that the
most common way PHI is obtained by law enforcement is through health
care provider disclosures).
---------------------------------------------------------------------------
One significant consequence of the developments in Federal and
state law is the erosion of individuals' trust in health care providers
to protect their health information privacy, creating barriers or
disincentives for individuals to obtain health care, including legal
reproductive health care, and increasing the potential for health care
providers to possess incomplete or inaccurate medical records. A 2023
qualitative study of individuals who obtained abortions after the
passage of a law significantly restricting abortion access in Texas
highlighted the concerns of such individuals with respect to the
privacy of PHI related to reproductive health care they received.\167\
In fact, a recently filed complaint details the decision made by the
plaintiff's out-of-state health care provider to describe the
plaintiff's condition as something other than an abortion, even though
the abortion was lawful in the state in which it was provided because
the health care provider was concerned about the ramifications of
documenting the health care provided as an abortion.\168\ Another
significant consequence is the risk that individual medical records
will not be maintained with completeness and accuracy, including as
they relate to legal reproductive health care. The developments
discussed above have increased uncertainty nationwide for individuals,
regulated entities, and other persons about the privacy of an
individual's PHI. Recent state actions now place individuals and health
care providers in potential civil or criminal jeopardy when PHI related
to an individual's reproductive health is used and disclosed,
regardless of whether the health care services are obtained or
performed legally.
---------------------------------------------------------------------------
\167\ Courtney C. Baker, Emma Smith, Mitchell D. Creinin, et
al., ``Texas Senate Bill 8 and Abortion Experiences in Patients with
Fetal Diagnoses: A Qualitative Analysis,'' Obstetrics & Gynecology
(Mar. 2023), https://pubmed.ncbi.nlm.nih.gov/36735418 (citing a
representative statement made by a study participant, `` `I would
joke around and say, well don't sue me, but halfway mean it.' '').
\168\ See Brief for Zurawski at p. 2 (One plaintiff had to
travel out of state for an abortion to save the life of one of her
twins, and afterwards, fearful of documenting her abortion, her
health care provider instead described her condition as ``vanishing
twin syndrome.'').
---------------------------------------------------------------------------
In the past, some law enforcement officials exercised their
authority under general criminal statutes to obtain PHI for use against
pregnant individuals on the basis of their pregnancy status or
pregnancy outcomes.\169\ But more recent developments in law have
created an environment in which law enforcement and others are
increasingly likely to request PHI from regulated entities for use
against individuals,\170\ health care
[[Page 23520]]
providers, and others, solely because such persons sought, obtained,
provided, or facilitated lawful reproductive health care.\171\ This
environment of increased demand for PHI for these purposes is not
limited to states in which those legal developments have occurred.
Rather, these legal developments have nationwide implications because
of the overall effects on the relationship between health care
providers and individuals and the flow of health information across
state lines. Examples of such cross-state health information flows
include disclosures from health care providers to health plans with a
multi-state presence or between health care providers in different
states to treat individuals as they travel across the country.
---------------------------------------------------------------------------
\169\ See ``Self-Care, Criminalized: August 2022 Preliminary
Findings,*'' supra note 11; ``Confronting Pregnancy Criminalization:
A Practical Guide for Healthcare Providers, Lawyers, Medical
Examiners, Child Welfare Workers, and Policymakers,'' Pregnancy
Justice (June 2022), https://www.pregnancyjusticeus.org/confronting-pregnancy-criminalization/.
\170\ See, e.g., S.C. Code Ann. sec. 44-41-80(b) and NRS
200.220. See also ``Self-Care, Criminalized: August 2022 Preliminary
Findings,*'' supra note 11, p. 2-3 (From 2000 to 2020, out of 54
cases, 74% of the adult cases involved the criminalization of the
person for self-managing their own abortion, and 39% of the cases
reported to law enforcement were by health care providers.); ``Talk
of prosecuting women for abortion pills roils antiabortion
movement,'' supra note 11.
\171\ The Department believes that those investigating or
bringing proceedings against individuals, health care providers, or
other persons for seeking, obtaining, providing, or facilitating
reproductive health care will increasingly seek to access PHI as
part of their investigation or proceeding. See, e.g., Karen Brooks
Harper, ``Texas abortion foes use legal threats and propose more
laws to increase pressure on providers and their allies,'' The Texas
Tribune (July 18, 2022), https://www.texastribune.org/2022/07/18/texas-abortion-laws-pressure-campaign/; Timothy Bella, ``Doctor in
10-year-old rape victim's abortion faces AG inquiry, threats,'' The
Washington Post (July 27, 2022), https://www.washingtonpost.com/politics/2022/07/27/abortion-doctor-girl-rape-caitlin-bernard-investigation/; ``Doctor says she shouldn't have to turn over
patients' abortion records,'' supra note 13.
---------------------------------------------------------------------------
This reality is in tension with many individuals' expectation that
they have or should have the right to health information privacy,
including the right to determine who has access to that information. In
fact, in its most recent annual survey on patient privacy, the AMA
found that, of 1,000 patients surveyed: (1) nearly 75% are concerned
about protecting the privacy of their own health information; and (2)
59% of patients worry about health data being used by companies to
discriminate against them or their loved ones.\172\ In its report on
the survey, the AMA opines that a lack of health information privacy
raises many questions about circumstances that could put patients and
physicians in legal peril, and that the ``primary purpose of increasing
[health information] privacy is to build public trust, not inhibit data
exchange.'' \173\ The mismatch between privacy expectations and current
legal protections for health information privacy undermines trust
between individuals and health care providers nationwide, thereby
decreasing access to, and effectiveness of, health care for
individuals.
---------------------------------------------------------------------------
\172\ See ``Patient Perspectives Around Data Privacy,'' supra
note 129.
\173\ Id. at 2.
---------------------------------------------------------------------------
The present situation also has resulted in ambiguity and confusion
for individuals and health care providers, many of whom are uncertain
about when health information is protected under the HIPAA Rules given
recent legal developments.\174\ This confusion undermines access to
health care and individual privacy--including for individuals seeking
or obtaining health care that is lawful nationwide. For example, the
Department is aware that some health care providers, both clinicians
and pharmacies, are hesitant to prescribe or fill prescriptions for
medications that can result in pregnancy loss, even when those
prescriptions are intended to treat individuals for other health
matters, because of fear of law enforcement action.\175\ As a result,
these health care providers are either denying access to prescriptions
that affect an individual's quality of life or requiring additional PHI
to justify an individual's need for such prescriptions for purposes
that are permissible under state law.\176\ Although most health care
providers, including pharmacies, are subject to the HIPAA Rules, and
thus, limited in the purposes for which they are permitted to use or
disclose such PHI, an individual's privacy is necessarily reduced as an
increasing number of persons have access to an increasing amount of
their PHI. Additionally, individuals face an increasing risk to the
security of their PHI as the number of information technology systems
in which the PHI is stored increases. As the number of persons and
information technology systems with access to this PHI increases, this
expands the number and types of regulated entities from which law
enforcement and others may try to seek disclosure of this highly
sensitive information. Individual trust in regulated entities is eroded
when individuals' access to health care is questioned and their PHI is
subject to disclosures that previously were unnecessary.
---------------------------------------------------------------------------
\174\ See Press Release, American Medical Association, American
Pharmacists Association, American Society of Health-System
Pharmacists, and National Community Pharmacists Association,
``Statement on state laws impacting patient access to necessary
medicine'' (Sept. 8, 2022), https://www.ama-assn.org/press-center/press-releases/statement-state-laws-impacting-patient-access-necessary-medicine. See also Abigail Higgins, ``Abortion rights
advocates fear access to birth control could be curtailed,'' The
Washington Post (June 24, 2022), https://www.washingtonpost.com/nation/2022/06/24/birth-control-access-supreme-court-abortion-ruling/.
\175\ See Interview with Donald Miller, PharmD, ``Methotrexate
access becomes challenging for some patients following Supreme Court
decision on abortion,'' Pharmacy Times (July 20, 2022), https://www.pharmacytimes.com/view/methotrexate-access-becomes-challenging-for-patients-following-supreme-court-decision-on-abortion; Jamie
Ducharme, ``Abortion restrictions may be making it harder for
patients to get a cancer and arthritis drug,'' Time (July 6, 2022),
https://time.com/6194179/abortion-restrictions-methotrexate-cancer-arthritis/; Katie Shepherd and Frances Stead Sellers, ``Abortion
bans complicate access to drugs for cancer, arthritis, even
ulcers,'' The Washington Post (Aug. 8, 2022), https://www.washingtonpost.com/health/2022/08/08/abortion-bans-methotrexate-mifepristone-rheumatoid-arthritis/.
\176\ See, e.g., Jen Christensen, ``Women with chronic
conditions struggle to find medications after abortion laws limit
access,'' CNN Health (July 22, 2022), https://www.cnn.com/2022/07/22/health/abortion-law-medications-methotrexate/; Brittni
Frederiksen, Matthew Rae, Tatyana Roberts, et al., ``Abortion Bans
May Limit Essential Medications for Women with Chronic Conditions,''
Kaiser Family Foundation (Nov. 17, 2022), https://www.kff.org/womens-health-policy/issue-brief/abortion-bans-may-limit-essential-medications-for-women-with-chronic-conditions/.
---------------------------------------------------------------------------
Impingements on health information privacy related to reproductive
health care are likely to have a disproportionately greater effect on
women, individuals of reproductive age, and individuals from
communities that have been historically underserved, marginalized, or
subject to discrimination or systemic disadvantage by virtue of their
race, disability, social or economic status, geographic location, or
environment.\177\ Historically underserved and marginalized individuals
are also more likely to be the subjects of investigations and
proceedings about any suspected interest in, or obtaining of,
reproductive health care, even where such health care is lawful under
the circumstances in which it is provided.\178\ They are also less
likely to have adequate access to legal counsel to defend themselves
from
[[Page 23521]]
such actions.\179\ Such individuals are thus especially likely to be
concerned that information they give to their health care providers
regarding their reproductive health care will not remain private. This
is particularly true in light of the historic lack of trust that
members of marginalized communities have for the health care system;
\180\ such individuals are more likely to be deterred from seeking or
obtaining health care--or from giving their health care providers full
information when they do obtain it.
---------------------------------------------------------------------------
\177\ See Christine Dehlendorf, Lisa H. Harris, Tracy A. Weitz,
``Disparities in Abortion Rates: A Public Health Approach,''
American Journal of Public Health. (Oct. 2013), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3780732/. See also Kiara
Alfonseca, ``Why Abortion Restrictions Disproportionately Impact
People of Color, ABC News (June 24, 2022), https://abcnews.go.com/Health/abortion-restrictions-disproportionately-impact-people-color/story?id=84467809; Susan A. Cohen, ``Abortion and Women of Color:
The Bigger Picture,'' Guttmacher Institute (Aug. 6, 2008), https://www.guttmacher.org/gpr/2008/08/abortion-and-women-color-bigger-picture; ``The Disproportionate Harm of Abortion Bans: Spotlight on
Dobbs v. Jackson Women's Health,'' Center for Reproductive Rights
(Nov. 29, 2021), https://reproductiverights.org/supreme-court-case-mississippi-abortion-ban-disproportionate-harm/.
\178\ See Brief of Amici Curiae for Organizations Dedicated to
the Fight for Reproductive Justice--Mississippi in Action, et al. at
*59-60, Dobbs, 142 S. Ct. (discussing the likelihood that those who
terminate their pregnancies and anyone who assists them may face
criminal investigation or arrest, exacerbating the mass
incarceration of marginalized people in Mississippi and Louisiana,
particularly in light of the states' disproportionate rates of
incarceration for people of color).
\179\ See ``Equal access to justice: ensuring meaningful access
to counsel in civil cases, including immigration proceedings,''
Columbia Law School Human Rights Institute and Northeastern
University School of Law Program on Human Rights and the Global
Economy (July 2014), https://hri.law.columbia.edu/sites/default/files/publications/equal_access_to_justice_-_cerd_shadow_report.pdf.
See also ``Report: State Abortion Bans Will Harm Women and Families'
Economic Security Across the U.S.'' (Aug. 25, 2022), https://www.americanprogress.org/article/state-abortion-bans-will-harm-women-and-families-economic-security-across-the-us/.
\180\ See Leslie Read, Heather Nelson, Leslie Korenda, The
Deloitte Ctr. for Health Solutions, ``Rebuilding Trust in Health
Care: What Do Consumers Want--and Need--Organizations to Do?'' (Aug.
5, 2021), p. 3 (With focus groups of 525 individuals in the United
States who identify as Black, Hispanic, Asian, or Native American,
``Fifty-five percent reported a negative experience where they lost
trust in a health care provider.''), https://www2.deloitte.com/us/en/insights/industry/health-care/trust-in-health-care-system.html;
Liz Hamel, Lunna Lopes, Cailey Mu[ntilde]ana, et al., Kaiser Family
Foundation, The Undefeated Survey on Race and Health (Oct. 2020), p.
23, (Percent who say they can trust the health care system to do
what is right for them or their community almost all of the time or
most of the time: Black adults: 44%; Hispanic adults: 50%; White
adults: 55%), https://files.kff.org/attachment/Report-Race-Health-and-COVID-19-The-Views-and-Experiences-of-Black-Americans.pdf;
``Issue Brief: Health Insurance Coverage and Access to Care for
LGBTQ+ Individuals: Current Trends and Key Challenges,'' U.S. Dep't
of Health and Human Servs., Assistant Sec'y for Policy & Evaluation,
Office of Health Policy (June 2021), p. 9 (``According to a recent
survey, 18 percent of LGBTQ+ individuals reported avoiding going to
a doctor or seeking healthcare out of concern that they would face
discrimination or be treated poorly because of their sexual
orientation or gender identity.''), https://aspe.hhs.gov/sites/default/files/2021-07/lgbt-health-ib.pdf; Abigail A. Sewell,
``Disaggregating Ethnoracial Disparities in Physician Trust,''
Social Science Research. (Nov. 2015), https://pubmed.ncbi.nlm.nih.gov/26463531/; Irena Stepanikova, Stefanie
Mollborn, Karen S. Cook, et al., ``Patients' Race, Ethnicity,
Language, and Trust in a Physician,'' Journal of Health and Social
Behavior (Dec. 2006), https://pubmed.ncbi.nlm.nih.gov/17240927/.
---------------------------------------------------------------------------
The recent legal landscape that increases the potential for
disclosures of PHI to impose liability for seeking, obtaining,
providing, or facilitating reproductive health care risks eroding
health information privacy and trust in health care providers that has
long been supported and advanced by the Privacy Rule. The Department
issued guidance in 2022 to clarify its longstanding interpretation of
the Privacy Rule's law enforcement provisions.\181\ In the guidance,
the Department explained that disclosures for non-health care purposes,
such as disclosures to law enforcement officials, are permitted only in
narrow circumstances tailored to protect the individual's privacy and
support their access to health care, including abortion care. The
guidance specifically reminded regulated entities that they can use and
disclose PHI, without an individual's signed authorization, only as
expressly permitted or required by the Privacy Rule. Additionally, the
guidance explained the Privacy Rule's restrictions on disclosures of
PHI when required by law, for law enforcement purposes, and to avert a
serious threat to health or safety. For example, where state law does
not expressly require reporting of suspicions of self-managed
reproductive health care, the Privacy Rule would not permit a
disclosure by a hospital workforce member of such suspicions to law
enforcement under the ``required by law'' permission.
---------------------------------------------------------------------------
\181\ See ``HIPAA Privacy Rule and Disclosures of Information
Relating to Reproductive Health Care,'' U.S. Dep't of Health and
Human Servs. (June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/.
---------------------------------------------------------------------------
However, many questions remain with respect to the potential for
this sensitive PHI to be disclosed and the effects of such disclosure
on the individual. Thus, it is incumbent upon the Department to
consider whether it should revise the Privacy Rule to ensure the
privacy of health information related to an individual's use of lawful
reproductive health care, consistent with Congress' intent to create
standards for the privacy of IIHI that promote trust and support access
to high-quality health care.\182\
---------------------------------------------------------------------------
\182\ See FCC v. Fox Television Stations, Inc., 556 U.S. 502,
515 (2009) (holding ``[ . . . ] the agency must show that there are
good reasons for the new policy. [ . . . ][I]t suffices that the new
policy is permissible under the statute, that there are good reasons
for it, and that the agency believes it to be better, which the
conscious change of course adequately indicates.'' (emphasis in
original)).
---------------------------------------------------------------------------
C. To Protect the Trust Between Individuals and Health Care Providers,
the Department Proposes To Restrict Certain Uses and Disclosures of PHI
for Non-Health Care Purposes
The Federal Government seeks to ensure that individuals have access
to high-quality health care.\183\ This proposed rule would further that
goal by restricting the use and disclosure of certain PHI for non-
health care purposes.
---------------------------------------------------------------------------
\183\ See Testimony (transcribed) of Peter R. Orszag and
statement of Sen. Durenberger, supra note 135.
---------------------------------------------------------------------------
The Department acknowledges that the Privacy Rule has not
previously conditioned uses and disclosures for certain purposes on the
specific type of health care about which the disclosure relates, as it
does herein with reproductive health care. However, the primary reasons
behind this rulemaking are the risks to privacy, patient trust, and
health care quality that occur when it is the very act of obtaining
health care that subjects an individual to an investigation or
proceeding, potentially disincentivizing the individual from obtaining
medically necessary health care.
As discussed above, the Department has long provided special
protections for psychotherapy notes when they are not included as part
of the medical record because of the sensitivity around this
information. Given the particularly sensitive nature of information
related to an individual's reproductive health, the Department is
proposing to create new, special safeguards for this information.
However, unlike psychotherapy notes, which by their very nature are
easily defined and segregated, reproductive health information is not
easily defined or segregated. This is in part because many types of PHI
may not initially appear to be related to an individual's reproductive
health but may in fact reveal information about an individual's
reproductive health or reproductive health care an individual has
received. For example, in a pregnant individual, a high blood pressure
reading may be a sign of preeclampsia, and glucose found in a urine
test may indicate gestational diabetes. Additionally, it is the
Department's understanding that today's clinical documentation and
health IT do not provide regulated entities with the ability to segment
certain PHI such that regulated entities could afford specific
categories of PHI special protections, or at least do so in a manner
that is not overly burdensome and cost prohibitive.\184\ Instead, as is
consistent
[[Page 23522]]
with the Privacy Rule's overall approach,\185\ the Department proposes
a purpose-based prohibition on certain uses and disclosures to protect
individuals' privacy interests in their PHI. The Department believes
that this proposed purpose-based prohibition, in concert with the
proposed attestation, will restrict the use and disclosure of PHI that
could harm HIPAA's overall goals of increasing trust in the health care
system, improving health care quality, and protecting individual
privacy, while continuing to allow PHI uses and disclosures that either
provide support for those goals or do not interfere with their
achievement.
---------------------------------------------------------------------------
\184\ See, e.g., 87 FR 74216, 74221 (Dec. 2, 2022) (noting that
42 CFR part 2 previously resulted in the separation of substance use
disorder (SUD) treatment records previous from other health records,
which led to the creation of data ``silos'' that hampered the
integration of SUD treatment records into covered entities'
electronic record systems and billing processes. When considering
amendments to the relevant statute, some lawmakers argued that the
silos perpetuated negative stereotypes about persons with SUD and
inhibited coordination of care during the opioid epidemic. See also
``Health Information Technology Advisory Committee (HITAC) Annual
Report for Fiscal Year 2019,'' Health Information Technology
Advisory Committee (Feb. 19, 2020), p. 37, https://www.healthit.gov/sites/default/files/page/2020-03/HITAC%20Annual%20Report%20for%20FY19_508.pdf (``The new
certification criteria that support the sharing of data via third-
party apps will help advance the use of data segmentation, but
adoption of this capability by the industry is not yet
widespread.'').
\185\ See 64 FR 59924, 59939, and 59955.
---------------------------------------------------------------------------
Also, consistent with the Privacy Rule's approach, the Department
proposes a Rule of Applicability for the purpose-based prohibition that
recognizes the interests of the Federal Government and states in
protecting the privacy of persons who seek, obtain, provide, or
facilitate lawful reproductive health care. This Rule of Applicability
would limit the new prohibition to certain categories of instances in
which the state lacks any substantial interest in seeking the
disclosure. The Department believes that the proposals described in
greater detail later in this NPRM could benefit health care providers
and individuals. Although many benefits are not quantifiable, the
Department believes the proposals would increase the likelihood that
individuals would seek lawful health care by improving their confidence
in the confidentiality of their PHI; improve access to high quality and
continuous health care by increasing the accuracy and completeness of
individuals' medical records; improve population health by encouraging
individuals to receive disease screenings; safeguard the mental health
of pregnant individuals; prevent increases in maternal mortality and
morbidity; enhance support for victims of rape, incest, and sex
trafficking; and maintain family economic stability. Similarly, the
proposals are expected to increase certainty for, and therefore reduce
the burden on, regulated entities implementing the Privacy Rule.
The Department's proposed modifications are consistent with its
existing authority to modify the Privacy Rule. As discussed above,
Congress expressly authorized the Department to develop standards for
the privacy of IIHI. The Department has consistently exercised its
rulemaking authority to establish, implement, and modify the HIPAA
Rules pursuant to this statutory authority, including when necessary to
maintain their effectiveness, address workability issues for regulated
entities including clarifying amendments, and respond to changed
circumstances.\186\ The proposed changes would effectuate HIPAA's goals
of setting standards with respect to the privacy of IIHI, thereby
increasing the quality of and access to health care by fostering trust
in the health care system and buttressing continuity of health
care.\187\ Moreover, Congress expressly provided in HIPAA that the
Department's regulations in this area ``shall supersede any contrary
provision of State law,'' absent an explicit exception.\188\ As
discussed below, various state laws that might conflict with the rules
proposed herein, such as those that require disclosure of PHI for
purposes of criminal, civil, or administrative investigations or
proceedings based on seeking, obtaining, providing, or facilitating
lawful reproductive health care, are not excepted from this general
rule of preemption.
---------------------------------------------------------------------------
\186\ See, e.g., 67 FR 53182 (modifying the 2000 Privacy Rule in
response to stakeholder implementation concerns and to clarify key
provisions), 78 FR 5566 (modifying the HIPAA Rules to address HITECH
requirements and improve workability and flexibility for covered
entities), 79 FR 7289 (modifying the Privacy Rule to address
requirements in the Clinical Laboratory Improvement Amendments of
1988 and to improve patient access), and 81 FR 382 (modifying the
Privacy Rule to permit certain disclosures to the National Instant
Criminal Background Check System).
\187\ See section III of this rulemaking for a full discussion
of HIPAA and congressional intent.
\188\ 42 U.S.C. 1320d-7 and section 264(c)(2) of Public Law 104-
191 (codified at 42 U.S.C. 1320d-2 note).
---------------------------------------------------------------------------
In accordance with section 264(d) of HIPAA, the Department has
consulted with the Attorney General in the formulation of this proposed
rule and intends to continue to engage in these consultations before
finalizing the rule. The Department invites NCVHS to review this
proposed rule and to provide comments to the Department.
IV. Section-by-Section Description of Proposed Amendments to the
Privacy Rule
The Department proposes to modify the Privacy Rule to strengthen
privacy protections for individuals' PHI by adding a new category of
prohibited uses and disclosures. This modification would prohibit a
regulated entity from using or disclosing an individual's PHI for the
purpose of conducting a criminal, civil, or administrative
investigation into or proceeding against the individual, a health care
provider, or other person in connection with seeking, obtaining,
providing, or facilitating reproductive health care that: (1) is
provided outside of the state where the investigation or proceeding is
authorized and such health care is lawful in the state in which it is
provided; (2) is protected, required, or authorized by Federal law,
regardless of the state in which such health care is provided; or (3)
is provided in the state in which the investigation or proceeding is
authorized and that is permitted by the law of that state. In these
three circumstances, the state lacks any substantial interest in
seeking the disclosure. To operationalize this proposed modification,
the Department also proposes to revise or clarify certain definitions
and terms that apply to the Privacy Rule, as well as other HIPAA Rules.
The NPRM would also prohibit a regulated entity from using or
disclosing an individual's PHI for the purpose of identifying \189\ an
individual, health care provider, or other person for the purpose of
initiating such an investigation or proceeding against the individual,
a health care provider, or other person in connection with seeking,
obtaining, providing, or facilitating reproductive health care that is
lawful under the circumstances in which it is provided.
---------------------------------------------------------------------------
\189\ Section 164.514(h) of 45 CFR requires a covered entity, in
most cases, to take reasonable steps to verify the identify and
authority of a person requesting PHI before disclosing the PHI,
including in the case of public officials. The proposed restriction
against using or disclosing PHI in connection with the proposals in
this NPRM would not modify 45 CFR 164.514(h) but would address only
those circumstances in which a regulated entity would use or
disclose PHI to identify an individual for a purpose that would be
restricted herein. Further, the Department believes the attestation
requirement proposed in this NPRM would provide a regulated entity
the assurance it needs to make disclosures for identity purposes
that are consistent with the Privacy Rule.
---------------------------------------------------------------------------
To effectuate these proposals, the Department proposes conforming
and clarifying changes to the HIPAA Rules. These proposed changes
include, but are not limited to, clarifying the definition of
``person'' to reflect long-standing statutory language defining the
term; adopting new definitions of ``public health'' surveillance,
investigation, or intervention, and ``reproductive health care'';
clarifying that a regulated entity may not decline to recognize a
person as a personal representative for the purposes of the Privacy
Rule solely because they provide or facilitate reproductive health care
for an individual; a new requirement that, in certain
[[Page 23523]]
circumstances, regulated entities must first obtain an attestation that
a requested use or disclosure is not for a prohibited purpose; and
modifications to the NPP for PHI to inform individuals that their PHI
may not be used or disclosed for a prohibited purpose.
The Department's proposals are discussed in greater detail below.
A. Section 160.103--Definitions
1. Clarifying the Definition of ``Person''
Current Provision and Issues To Address
HIPAA does not define the term ``person.'' \190\ By regulation, the
Department has long defined ``person'' for purposes of the HIPAA Rules
to mean ``a natural person, trust or estate, partnership, corporation,
professional association or corporation, or other entity, public or
private.'' \191\ This definition was based on the meaning of ``person''
that Congress adopted in the original Social Security Act of 1935
(SSA), defined as an ``individual, a trust or estate, a partnership, or
a corporation.'' \192\
---------------------------------------------------------------------------
\190\ See 42 U.S.C. 1320d-1320d-8.
\191\ 45 CFR 160.103.
\192\ See section 1101(3) of Public Law 74-271, 49 Stat. 620
(Aug. 14, 1935) (codified at 42 U.S.C. 1301(3)).
---------------------------------------------------------------------------
In 2002, Congress enacted 1 U.S.C. 8, which defines ``person,''
``human being,'' ``child,'' and ``individual.'' \193\ The statute
specifies that this definition shall apply when ``determining the
meaning of any Act of Congress, or of any ruling, regulation, or
interpretation of the various administrative bureaus and agencies of
the United States.'' \194\ The Department understands 1 U.S.C. 8 to
provide a definition of ``person'' and ``child'' that is consistent
with the Department's understanding of that term, as it is used in the
SSA, HIPAA, and the HIPAA Rules and does not include a fertilized egg,
embryo, or fetus.
---------------------------------------------------------------------------
\193\ 1 U.S.C. 8(a). The Department is not opining on whether
any state law confers a particular legal status upon a fetus. The
Department instead cites to this statute to define the scope of the
right of privacy that attaches pursuant to HIPAA.
\194\ Id.
---------------------------------------------------------------------------
Proposal
Thus, the Department proposes to clarify the definition of
``natural person'' in a manner consistent with 1 U.S.C. 8. In so doing,
the Department would make clear that all terms subsumed within the
definition of ``natural person,'' such as ``individual,'' \195\ which
refers to a ``person'' who is the subject of PHI under the HIPAA Rules,
is limited to the confines of the term ``person.'' \196\ The Department
would also make clear that ``natural person,'' as used in the
definition of ``person'' under the HIPAA Rules, is limited to the
definition at 1 U.S.C. 8.
---------------------------------------------------------------------------
\195\ 45 CFR 160.103 (definition of ``Individual'').
\196\ See The Prenatal Record and the Initial Prenatal Visit,
The Global Library of Women's Medicine (last updated Jan. 2008) (PHI
about the fetus is included in the mother's PHI), https://www.glowm.com/section-view/heading/The%20Prenatal%20Record%20and%20the%20Initial%20Prenatal%20Visit/item/107#.Y7WRKofMKUl.
---------------------------------------------------------------------------
The Department believes it would be beneficial to clarify the
definition of ``person'' to ensure that there is an understanding among
stakeholders as to its meaning for Privacy Rule purposes. As such, the
Department believes the proposed clarification of the definition of
person better explains to regulated entities and other stakeholders the
parameters of who is an ``individual'' whose PHI is protected by the
HIPAA Rules.
2. Interpreting Terms Used in Section 1178(b) of the Social Security
Act \197\
---------------------------------------------------------------------------
\197\ 42 U.S.C. 1320d-7(b).
---------------------------------------------------------------------------
HIPAA includes a rule of construction for certain laws generally
concerning ``[p]ublic health.'' \198\ Specifically, section 1178(b) of
the SSA provides that nothing in HIPAA ``shall be construed to
invalidate or limit'' laws ``providing for the reporting of disease or
injury, child abuse, birth, or death, public health surveillance, or
public health investigation or intervention.'' \199\ Accordingly, the
Privacy Rule permits a regulated entity to use and disclose PHI for
certain public health purposes, treating the uses and disclosures
covered by section 1178(b) as permitted uses and disclosures to public
health authorities or other appropriate government authorities for the
listed activities.\200\
---------------------------------------------------------------------------
\198\ Id.
\199\ Id. The Department incorporated this limitation on Federal
preemption of state laws in the HIPAA Rules at 45 CFR 160.203(c).
\200\ 45 CFR 164.512(b). The Privacy Rule addresses its
interactions with laws governing excepted public health activities
in two sections: 45 CFR 164.512(a), Standard: Uses and disclosures
required by law, and 45 CFR 164.512(b), Standard: Uses and
disclosures for public health activities.
---------------------------------------------------------------------------
A regulated entity may use or disclose PHI to public health
authorities for the full range of activities described above, including
reporting of diseases and injuries, reporting of birth and death to
vital statistics agencies, and activities covered by the terms public
health surveillance, public health investigation, and public health
intervention. A ``public health authority'' means an agency or
authority of the United States, a State, a territory, a political
subdivision of a State or territory, or an Indian tribe, or a person or
entity acting under a grant of authority from, or contract with, such
public agency, including the employees or agents of such public agency
or its contractors or persons or entities to whom it has granted
authority, that is responsible for public health matters as part of its
official mandate.\201\
---------------------------------------------------------------------------
\201\ See 45 CFR 164.501 (definition of ``Public health
authority'').
---------------------------------------------------------------------------
HIPAA does not define the terms in section 1178(b) that govern the
scope of the ``public health'' exceptions to preemption and the
Department declines to do so here. The Department believes it necessary
to define only ``public health'' surveillance, investigation, or
intervention and to make clear the Department's interpretation of key
terms used in section 1178(b) to clarify when HIPAA preempts contrary
state laws. The Department believes that state laws that require the
use or disclosure of highly sensitive PHI for non-public health
purposes, such as criminal, civil, or administrative investigations or
proceedings based on whether a person sought, obtained, provided, or
facilitated reproductive health care, are not exempt from HIPAA's
general rule of preemption.
Reporting of Disease or Injury, Birth, or Death
The Privacy Rule permits regulated entities to use or disclose PHI
without authorization for the public health purposes of reporting
``disease or injury,'' ``birth,'' or ``death.'' \202\ Similarly,
section 1178(b) exempts state laws requiring such reporting from
HIPAA's general preemption provision. The Department recognizes that
such public health reporting activities are an important means of
identifying threats to the health and safety of the public. The
Department does not propose to define ``disease or injury,'' ``birth,''
or ``death,'' because the Department believes that these terms, when
read with the definition of ``person'' as discussed above and in the
broader context of HIPAA as discussed in greater detail below, exclude
information about abortion or other reproductive health care. But the
Department invites comment on whether it would be beneficial to clarify
that these terms exclude information about reproductive health care.
---------------------------------------------------------------------------
\202\ See U.S. Dep't of Health and Human Servs., Office for
Civil Rights, Public Health (Dec. 18, 2020), https://www.hhs.gov/hipaa/for-professionals/special-topics/public-health/.
---------------------------------------------------------------------------
[[Page 23524]]
At the time of HIPAA's enactment, state laws provided for the
reporting of disease or injury, birth, or death by covered health care
providers and other persons.\203\ These state public health reporting
systems were well established and involved close collaboration between
the state, local, or territorial jurisdiction and the Federal
Government.\204\ Reports generally were made to public health
authorities or, in some specific cases, law enforcement (e.g.,
reporting of gunshot wounds).\205\ Similar public health reporting
systems continue to exist today.
---------------------------------------------------------------------------
\203\ The 1996-98 Report of the NCVHS to the Secretary describes
various types of activities considered to be public health during
the era in which HIPAA was enacted, such as the collection of public
health surveillance data on health status and health outcomes and
vital statistics information. See Report of ``The National Committee
on Vital and Health Statistics, 1996-98,'' Nat'l Comm. on Vital and
Health Stats. (Dec. 1999), https://ncvhs.hhs.gov/wp-content/uploads/2018/03/90727nv-508.pdf.
\204\ Id.
\205\ Id.
---------------------------------------------------------------------------
Reporting of ``disease or injury'' commonly refers to diagnosable
health conditions reported for limited purposes such as workers'
compensation, tort claims, or health tracking efforts. All states,
territories, and Tribal governments require covered health care
providers (e.g., physicians and laboratories) and others to report
cases of certain diseases or conditions that affect public health, such
as coronavirus disease 2019 (COVID-19), malaria, and foodborne
illnesses.\206\ Such reporting enables public health practitioners to
study and explain diseases and their spread, along with determining
appropriate actions to prevent and respond to outbreaks.\207\ States
also require health care providers to report incidents of certain types
of injuries, such as those caused by gunshots, knives, or burns.\208\
Various Federal statutes use the phrase ``disease or injury'' similarly
to refer to events such as workplace injuries for purposes of
compensation.\209\
---------------------------------------------------------------------------
\206\ See ``Reportable diseases,'' in National Institutes of
Health, National Library of Medicine, MedlinePlus, https://medlineplus.gov/ency/article/001929.htm (accessed Oct. 19, 2022).
See also ``What is Case Surveillance?'' Centers for Disease Control
and Prevention, National Notifiable Diseases Surveillance Sys. (July
20, 2022), https://www.cdc.gov/nndss/about/.
\207\ See ``Reportable diseases,'' supra note 206. Such
reporting is a type of public health surveillance activity.
\208\ See Victims Rights Law Center, ``Mandatory Reporting of
Non-Accidental Injuries: A State-by-State Guide'' (May 2014), https://4e5ae7d17e.nxcli.net/wp-content/uploads/2021/01/Mandatory-Reporting-of-Non-Accidental-Injury-Statutes-by-State.pdf.
\209\ See, e.g., 38 U.S.C. 1110 (referring to an ``injury
suffered or disease contracted''); 10 U.S.C. 972 (discussing time
lost as a result of ``disease or injury''); 38 U.S.C. 3500
(providing education for certain children whose parent suffered ``a
disease or injury'' incurred or aggravated in the Armed Forces); see
also 5 U.S.C. 8707 (insurance provision discussing compensation as a
result of ``disease or injury''); 33 U.S.C. 765 (discussing
retirement for disability as a result of ``disease or injury''); 15
U.S.C. 2607(c) (requiring chemical manufacturers to maintain records
of ``occupational disease or injury'').
---------------------------------------------------------------------------
The limited meaning given to the terms ``disease'' and ``injury''
is clear from HIPAA's broader context. For instance, interpreting
``injury'' to include reporting of any criminal abuse would render the
specific exception for ``child abuse'' superfluous. And interpreting
``disease'' to include reporting of any disease for any purpose would
eviscerate HIPAA's general provisions protecting PHI. ``[D]isease
management activities'' constitute ``health care'' under the Privacy
Rule, and a broad interpretation of ``disease or injury'' would make
even information about cancer treatment disclosable.\210\ Consequently,
the Department has long understood ``disease or injury'' to narrowly
refer to diagnosable health conditions reported for limited purposes
such as workers' compensation, tort claims, or health tracking
efforts.\211\
---------------------------------------------------------------------------
\210\ See 65 FR 82571 (recognizing that ``disease management
activities'' often constitute ``health care'' under HIPAA); 65 FR
82777 (discussing the importance of privacy for information about
cancer, a ``disease'' that causes an ``indisputable'' ``societal
burden''); 65 FR 82778 (discussing the importance of privacy for
information about sexually transmitted diseases, including Human
Immunodeficiency Virus/Acquired Immunodeficiency Syndrome (HIV/
AIDS)); 65 FR 82463-64 (noting that numerous states adopted laws
protecting health information relating to certain health conditions
such as communicable diseases, cancer, HIV/AIDS, and other
stigmatized conditions.); 65 FR 82731 (finding that there are no
persuasive reasons to provide information contained within disease
registries with special treatment as compared with other information
that may be used to make decisions about an individual).
\211\ See, e.g., 65 FR 82517 (discussing tort litigation as
information that could implicate IIHI); 65 FR 82542 (discussing
workers' compensation); 65 FR 82527 (separately addressing
disclosures about ``abuse, neglect or domestic violence'' and
limiting such disclosures to only two circumstances, even if
expressly authorized by state statute or regulation).
---------------------------------------------------------------------------
With respect to reporting of ``births'' and ``deaths,'' such vital
statistics are reported by covered health care providers to the vital
registration systems operated in various jurisdictions \212\ legally
responsible for the registration of vital events.\213\ State laws
require birth certificates to be completed for all births, and Federal
law mandates the national collection and publication of births and
other vital statistics data.\214\ Tracking and reporting death is a
complex and decentralized process with a variety of systems used by
more than 6,000 local vital registrars.\215\ When HIPAA was enacted,
the Model State Vital Statistics Act and Regulations, which is followed
by most states,\216\ included distinct categories for ``live births,''
``fetal deaths,'' and ``induced terminations of pregnancy,'' with
instructions that abortions ``shall not be reported as fetal deaths.''
\217\ In light of that common understanding at the time of HIPAA's
enactment, it is clear that the reporting of abortions is not included
in the category of reporting of deaths for the purposes of HIPAA and
does not fall within the scope of state activities Congress
specifically designated as excepted from preemption by HIPAA.
---------------------------------------------------------------------------
\212\ See ``Health Department Governance,'' Centers for Disease
Control and Prevention, Public Health Professionals Gateway (Nov.
25, 2022), https://www.cdc.gov/publichealthgateway/sitesgovernance/.
\213\ See the list of events included in vital events ``vital
events--births, deaths, marriages, divorces, and fetal deaths,''
National Center for Health Statistics, Centers for Disease Control
and Prevention, About the National Vital Statistics System (Jan. 4,
2016), https://www.cdc.gov/nchs/nvss/about_nvss.htm.
\214\ See ``Birth Data,'' National Center for Health Statistics,
Centers for Disease Control and Prevention, National Vital
Statistics (Dec. 6, 2022), https://www.cdc.gov/nchs/nvss/births.htm.
\215\ See ``How Tracking Deaths Protects Health,'' Centers for
Disease Control and Prevention, Public Health and Surveillance Data
(July 2018), https://www.cdc.gov/surveillance/pdfs/Tracking-Deaths-protects-healthh.pdf.
\216\ See ``State Definitions and Reporting Requirements: For
Live Births, Fetal Deaths, and Induced Terminations of Pregnancy,''
Centers for Disease Control and Prevention, National Center for
Health Statistics (1997), p. 5, https://www.cdc.gov/nchs/data/misc/itop97.pdf.
\217\ ``Model State Vital Statistics Act and Regulations,''
Centers for Disease Control and Prevention, National Center for
Health Statistics (1992), p. 8, https://www.cdc.gov/nchs/data/misc/mvsact92b.pdf.
---------------------------------------------------------------------------
More generally, while Congress exempted certain ``[p]ublic health''
laws from preemption,\218\ Congress chose not to create a general
exception for criminal laws or other laws that address the disclosure
of information about similar types of activities outside of the public
health context. Thus, the Privacy Rule's exceptions for reporting of
disease or injury, birth, or death do not allow the use or disclosure
of PHI for investigating or punishing a person for seeking, obtaining,
providing, or facilitating reproductive health care. Similarly, state
laws requiring disclosure for such purposes are not exempt under
section 1178(b) from HIPAA's general preemption provision.
---------------------------------------------------------------------------
\218\ 42 U.S.C. 1178(b) (codified in HIPAA at 42 U.S.C. 1320d-
7).
---------------------------------------------------------------------------
[[Page 23525]]
Public Health Surveillance, Investigation, or Intervention
The Privacy Rule also permits a regulated entity to use or disclose
PHI to conduct ``public health'' surveillance, investigation, or
intervention.\219\ Section 1178(b) similarly exempts state laws
providing for ``public health'' surveillance, investigation, or
intervention from HIPAA's general preemption rule. Neither HIPAA nor
the Privacy Rule currently defines these terms. To clarify their
meaning, the Department proposes to define public health \220\
surveillance, investigation, or intervention to mean population-based
activities to prevent disease and promote health of populations.\221\
The Department also proposes to clarify that such public health
activities do not include uses and disclosures for the criminal, civil,
or administrative investigation into or proceeding against any person
in connection with seeking, obtaining, providing, or facilitating
reproductive health care, or to identify any person for the purpose of
initiating such an investigation or proceeding.\222\
---------------------------------------------------------------------------
\219\ See 45 CFR 164.512(b)(1)(i); U.S. Dep't of Health and
Human Servs., Office for Civil Rights, Disclosures for Public Health
Activities, (accessed Oct. 19, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-public-health-activities/.
\220\ See ``Ten Essential Public Health Services,'' Centers for
Disease Control and Prevention, Public Health Professionals Gateway
(Dec. 1, 2022), https://www.cdc.gov/publichealthgateway/publichealthservices/essentialhealthservices.html and ``What is
Public Health?'' in CDC Foundation, Public Health in Action (2023),
https://www.cdcfoundation.org/what-public-health?gclid=Cj0KCQjw_viWBhD8ARIsAH1mCd7ME0r94gapt8Qh48LjdQO3Sto101snekpI94auuahRs7LizEkh7OwaAiKxEALw_wcB. See also ``HIPAA Privacy Rule
and Public Health,'' Centers for Disease Control and Prevention,
MMWR (Apr. 11, 2003), https://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm.
\221\ See Report of ``The National Committee on Vital and Health
Statistics, 1996-98,'' supra note 203. These activities are
consistent with the definition proposed herein.
\222\ See Report of ``The National Committee on Vital and Health
Statistics, 1996-98,'' supra note 203, for descriptions of public
health activities in 1996-98.
---------------------------------------------------------------------------
Since the time of HIPAA's enactment, public health activities
related to surveillance, investigation, or intervention have been
widely understood to refer to activities aimed at improving the health
of a population. For example, legal dictionaries define ``public
health'' as ``[t]he health of the community at large,'' or ``[t]he
healthful or sanitary condition of the general body of people or the
community en masse; esp., the methods of maintaining the health of the
community, as by preventive medicine or organized care for the sick.''
\223\ Stedman's Medical Dictionary defines ``public health'' as ``the
art and science of community health, concerned with statistics,
epidemiology, hygiene, and the prevention and eradication of epidemic
diseases; an effort organized by society to promote, protect, and
restore the people's health; public health is a social institution, a
service, and a practice.'' \224\ The Centers for Disease Control and
Prevention's (CDC) Agency for Toxic Substances and Disease Registry
commonly defines ``public health surveillance'' as ``the ongoing
systematic collection, analysis and interpretation of outcome-specific
data for use in the planning, implementation, and evaluation of public
health practice.'' \225\ And many states similarly define ``public
health'' to mean population-level activities.\226\ The Department
likewise has used public health in this way since it first adopted the
Privacy Rule.\227\
---------------------------------------------------------------------------
\223\ ``Health,'' ``public health,'' Black's Law Dictionary
(11th ed. 2019).
\224\ ``Public health,'' Stedman's Medical Dictionary 394520.
\225\ Jonathan Weinstein, ``In Re Miguel M.,'' 55 N.Y.L. Sch. L.
Rev. 389, 390 (2010) (citing Stephen B. Thacker, ``Historical
Development,'' in Principles and Practice of Public Health
Surveillance 1 (Steven M. Teutsch & R. Elliott Churchill eds., 2d
ed., 2000)), https://digitalcommons.nyls.edu/cgi/viewcontent.cgi?article=1599&context=nyls_law_review.
\226\ See, e.g., Richard A. Goodman, Judith W. Munson, Kim
Dammers, et al., ``Forensic Epidemiology: Law at the Intersection of
Public Health and Criminal Investigations,'' 31 The Journal of Law,
Medicine & Ethics 684, 689-90 (2003); La. Rev. Stat. Ann. sec.
40:3.1 (2011) (defining threats to public health as nuisances
``including but not limited to communicable, contagious, and
infectious diseases, as well as illnesses, diseases, and genetic
disorders or abnormalities''); N.C. Gen. Stat. sec. 130A-141.1(a)
(2010) (defining public health investigations as the ``surveillance
of an illness, condition, or symptoms that may indicate the
existence of a communicable disease or condition'').
\227\ See, e.g., 65 FR 82464 (noting that reporting of public
health information on communicable diseases is not prevented by
individuals' right to information privacy); id. at 82467 (discussing
the importance of accurate medical records in recognizing troubling
public health trends and in assessing the effectiveness of public
health efforts); id. at 82473 (discussing disclosure to ``a
department of public health''); id. at 82525 (recognizing that it
may be necessary to disclose PHI about communicable diseases when
conducting a public health intervention or investigation); id. at
82526 (recognizing that an entity acts as a ``public health
authority'' when, in its role as a component of the public health
department, it conducts infectious disease surveillance); ``HIPAA
Privacy Rule and Public Health,'' supra note 220 (describing what
traditionally are considered to be ``public health activities'' that
require PHI).
---------------------------------------------------------------------------
There is also a widely recognized distinction between public health
activities, which primarily focus on improving the health of
populations, and criminal investigations, which primarily focus on
identifying and imposing liability on persons who have violated the
law. States and other local governing authorities maintain criminal
codes that are distinct and separate from public health reporting
laws,\228\ although some jurisdictions enforce required reporting
through criminal statutes. Different governmental bodies are
responsible for enforcing these separate codes, and public health
officials do not typically investigate criminal activity.\229\ When
states intend for public health information to be shared with law
enforcement for criminal investigation purposes, they typically pass
specific laws to permit that sharing.\230\ Other Federal laws also
treat public health investigations as distinct from criminal
investigations.\231\ Maintaining a clear distinction between public
health investigations and criminal investigations serves HIPAA's
broader purposes, as well, by safeguarding privacy to ensure quality
health care.\232\
---------------------------------------------------------------------------
\228\ For example, traditional public health reporting laws grew
from colonial requirements that physicians report disease. These
requirements transitioned to state regulatory requirements imposed
by public health departments on authority granted to them by states.
See Public Health Law 101, Disease Reporting and Public Health
Surveillance, Centers for Disease Control and Prevention, p. 12 and
14, https://www.cdc.gov/phlp/docs/phl101/PHL101-Unit-5-16Jan09-Secure.pdf. See also, e.g., Code of Georgia 31-12-2 (2021),
authority to require disease reporting.
\229\ See ``Public Health,'' supra note 223 (``Many cities have
a `public health department' or other agency responsible for
maintaining the public health; Federal laws dealing with health are
administered by the Department of Health and Human Services.''); See
also ``Forensic Epidemiology: Law at the Intersection of Public
Health and Criminal Investigations,'' supra note 226, at 689.
\230\ See ``Forensic Epidemiology: Law at the Intersection of
Public Health and Criminal Investigations,'' supra note 226, at 687
(discussing South Dakota Statutes sec. 22-18-31, a law allowing HIV
test results to be released to a prosecutor for criminal
investigation purposes); id. at 693 (discussing North Carolina
General Statute (N.C.G.S.) sec. 130A-476, a law allowing
confidential medical information to be shared with law enforcement
in certain circumstances related to communicable diseases or
terrorism).
\231\ See Camara v. Municipal Ct. of City & Cty. of S.F., 387
U.S. 523, 535-37 (1967) (discussing administrative inspections under
the Fourth Amendment, such as those aimed at addressing ``conditions
which are hazardous to public health and safety,'' and not ``aimed
at the discovery of evidence of crime''); 42 U.S.C. 241(d)(D)
(prohibiting disclosure of private information from research
subjects in ``criminal'' and other proceedings); 42 U.S.C. 290dd-
2(c) (prohibiting substance abuse records from being used in
criminal proceedings).
\232\ See ``Forensic Epidemiology: Law at the Intersection of
Public Health and Criminal Investigations,'' supra note 226, at 687
(discussing reasons why ``an association of public health with law
enforcement'' may be ``to the detriment of routine public health
practice''). See also 45 CFR 164.512(b)(1)(i) (including ``public
health investigations'' as an activity carried out by a public
health authority that is authorized by law to carry out public
health activities).
---------------------------------------------------------------------------
[[Page 23526]]
The Department concludes that the Privacy Rule's permissions to use
and disclose PHI for the ``public health'' activities of surveillance,
investigation, or intervention do not include criminal, civil, or
administrative investigations into, or proceedings against, any person
in connection with seeking, obtaining, providing, or facilitating
reproductive health care, nor do they include identifying any person
for the purpose of initiating such investigations or proceedings. Such
actions are not public health activities. Public health surveillance,
investigations, or interventions ensure the health of the community as
a whole by addressing population-level issues such as the spread of
communicable diseases, even where they involve individual-level
interventions. Such surveillance systems provide data necessary to
examine and potentially develop interventions to improve the public's
health, such as providing education or resources to support
individuals' access to health care and improve health outcomes.\233\
U.S. states, territories, and Tribal governments participate in
bilateral agreements with the Federal Government to share data on
conditions that affect public health.\234\ The CDC's Division of
Reproductive Health presently collects reproductive health data in
support of national and state-based population surveillance systems to
assess maternal complications, mortality and pregnancy-related
disparities, and the numbers and characteristics of individuals who
obtain legal induced abortions.\235\ Importantly, disclosures to public
health authorities permitted by the Privacy Rule are limited to the
``minimum necessary'' to accomplish the public health purpose.\236\ In
many cases, regulated entities need disclose only de-identified data
\237\ to meet the public health purpose. By contrast, criminal, civil,
and administrative investigations and proceedings generally target
specific persons; they are not designed to address population-level
health concerns and are not limited to information authorized to be
collected by a public health or similar government authority for a
public health activity. Thus, the exceptions in section 1178(b) for
``public health'' investigations, interventions, or surveillance do not
limit the Department's ability to prohibit uses or disclosures of PHI
for other purposes, such as judicial and administrative proceedings or
law enforcement purposes. While the Department has chosen as a policy
matter to permit uses or disclosures of PHI for law enforcement and
other purposes in other contexts, it believes, as discussed above, that
a different balance is appropriate in the context of highly sensitive
information related to reproductive health care.
---------------------------------------------------------------------------
\233\ See ``Improving the Role of Health Departments in
Activities Related to Abortion,'' American Public Health Association
(Oct. 26, 2021), https://www.apha.org/Policies-and-Advocacy/Public-Health-Policy-Statements/Policy-Database/2022/01/07/Improving-Health-Department-Role-in-Activities-Related-to-Abortion.
\234\ See ``Reportable diseases,'' supra note 206. See also
``What is Case Surveillance?'' supra note 206.
\235\ See ``Reproductive Health,'' Centers for Disease Control
and Prevention (Apr. 20, 2022), https://www.cdc.gov/reproductivehealth/drh/about-us/index.htm; and ``Reproductive
Health--CDCs Abortion Surveillance System FAQs,'' Centers for
Disease Control and Prevention, Reproductive Health (Nov. 17, 2022),
https://www.cdc.gov/reproductivehealth/data_stats/abortion.htm.
\236\ See 45 CFR 164.502(b).
\237\ See 45 CFR 164.514(a).
---------------------------------------------------------------------------
In light of the proposed definition of ``public health'' in this
context, the Department does not propose to additionally define the
terms ``investigation,'' ``intervention,'' or ``surveillance,'' because
it believes these terms are commonly understood. Specifically, the
Department believes public health investigation or intervention
includes monitoring real-time health status and identifying patterns to
develop strategies to address chronic diseases and injuries, as well as
using real-time data to identify and respond to acute outbreaks,
emergencies, and other health hazards.\238\ The Department also
believes public health surveillance refers to the ongoing, systematic
collection, analysis, and interpretation of health-related data
essential to planning, implementation, and evaluation of public health
practice.\239\ Nevertheless, the Department invites comment on whether
it would be beneficial to specifically define these terms.
---------------------------------------------------------------------------
\238\ See ``Ten Essential Public Health Services,'' supra note
220.
\239\ See ``Introduction to Public Health Surveillance,''
Centers for Disease Control and Prevention (Nov. 15, 2018), https://www.cdc.gov/training/publichealth101/surveillance.html.
---------------------------------------------------------------------------
Child Abuse Reporting
In accordance with section 1178(b) of HIPAA, the Privacy Rule
permits a regulated entity to use or disclose PHI to report known or
suspected child abuse or neglect if the report is made to a public
health authority or other appropriate government authority that is
authorized by law to receive such reports,\240\ which primarily are
state or local child protective services agencies.\241\ This Privacy
Rule provision does not include permission for the covered entity to
disclose PHI in response to a request for PHI for a criminal, civil, or
administrative investigation into or proceeding against a person based
on suspected child abuse. Rather, the Privacy Rule only permits the
disclosure of information for the purpose of making a report. We also
note that the permission limits such disclosures to the minimum
necessary to make the report.\242\ Any disclosure of PHI in response to
a request from an investigator, whether in follow up to the report made
by the covered entity (other than to clarify the PHI provided on the
report) or as part of an investigation initiated based on an allegation
or report made by a person other than the covered entity, would be
required to meet the conditions of disclosures to law enforcement or
for other investigations or legal proceedings.\243\
---------------------------------------------------------------------------
\240\ See 45 CFR 164.512(b)(1)(ii).
\241\ State laws require certain persons, such as health care
providers, to report known or suspected child abuse or neglect; such
persons are often called ``mandatory reporters.'' See ``Mandatory
Reporters of Child Abuse and Neglect,'' U.S. Dep't of Health and
Human Servs., Administration for Children and Families, Children's
Bureau, Child Welfare Information Gateway (Apr. 2019), https://www.childwelfare.gov/pubPDFs/manda.pdf. See also ``Factsheet: How
the Child Welfare System Works,'' U.S. Dep't of Health and Human
Servs., Administration for Children and Families, Children's Bureau,
Child Welfare Information Gateway (Oct. 2020), https://www.childwelfare.gov/pubPDFs/cpswork.pdf.
\242\ See 45 CFR 164.502(b) and 164.514(d).
\243\ See 45 CFR 164.512(e) and (f).
---------------------------------------------------------------------------
As discussed above, the Department understands the term ``person''
as it is used in the SSA, HIPAA, and the HIPAA Rules to be consistent
with 1 U.S.C. 8. Congress also defined the term ``child'' in 1 U.S.C.
8, and the Department similarly understands the term ``child'' in the
Privacy Rule to be consistent with that definition. Further, at the
time HIPAA was enacted, ``most, if not all, states had laws that
mandated reporting of child abuse or neglect to the appropriate
authorities.'' \244\ As such, the Department believes that to the
extent its proposal would prohibit a regulated entity from disclosing
PHI in order to report ``child abuse'' where the alleged victim does
not meet the definition of ``person,'' the proposal is consistent with
both 1 U.S.C. 8 and 1178(b).
---------------------------------------------------------------------------
\244\ 65 FR 82527.
---------------------------------------------------------------------------
At the time HIPAA was enacted, ``most, if not all, states had laws
that mandated reporting of child abuse or neglect to the appropriate
[[Page 23527]]
authorities.'' \245\ Additionally, when Congress enacted HIPAA, it had
already addressed child abuse reporting in other laws, such as the
Victims of Child Abuse Act of 1990 \246\ and the Child Abuse Prevention
and Treatment Act.\247\ For example, 34 U.S.C. 20341(a)(1), a provision
of the original Victims of Child Abuse Act of 1990 still in place
today, requires certain professionals to report suspected abuse when
working on Federal land or in a federally operated (or contracted)
facility.\248\ As used in these statutes, the term ``child abuse'' does
not include activities related to reproductive health care, such as
abortion.
---------------------------------------------------------------------------
\245\ Id.
\246\ Public Law 101-647, 104 Stat. 4789 (codified at 18 U.S.C.
3509).
\247\ Public Law 93-247, 88 Stat. (codified at 42 U.S.C. 5101
note).
\248\ See 34 U.S.C. 20341(a)(1), originally enacted as part of
the Victims of Child Abuse Act of 1990 and codified at 42 U.S.C.
13031, which was editorially reclassified as 34 U.S.C. 20341, Crime
Control and Law Enforcement. For the purposes of such mandated
reporting, see 34 U.S.C. 20341(c)(1) for definition of ``child
abuse.''
---------------------------------------------------------------------------
For the reasons just stated, the Department believes that ``child
abuse'' as used in the Privacy Rule and section 1178(b) is best
interpreted to exclude conduct based solely on seeking, obtaining,
providing, or facilitating reproductive health care. This
interpretation is consistent with the public health aims of improving
access to health care, including reproductive health care, for
individuals and with congressional intent when HIPAA was enacted.
Additionally, as the Department has stated in previous rulemakings, we
do not intend to disrupt longstanding state or Federal child abuse
reporting requirements that apply to regulated entities.\249\ Thus, the
Department believes this interpretation of ``child abuse'' supports the
protection of children while also serving HIPAA's objectives of
protecting the privacy of PHI to promote individuals' trust in the
health care system and preserving the relationship between individuals
and their health care providers. The Department requests comment on its
interpretation of ``child abuse'' as that term is used in the Privacy
Rule.
---------------------------------------------------------------------------
\249\ 65 FR 82527.
---------------------------------------------------------------------------
3. Adding a Definition of ``Reproductive Health Care''
The HIPAA Rules define ``health care'' as ``care, services, or
supplies related to the health of an individual.'' \250\ The definition
clarifies that the term specifically ``includes but is not limited'' to
certain types of care, services, or supplies related to the health of
the individual. These groupings are ``[p]reventive, diagnostic,
therapeutic, rehabilitative, maintenance, or palliative care, and
counseling, service, assessment, or procedure with respect to the
physical or mental condition, or functional status, of an individual or
that affects the structure or function of the body'' \251\ and ``[the
s]ale or dispensing of a drug, device, equipment, or other item in
accordance with a prescription.'' \252\ As indicated by ``includes, but
is not limited to,'' this is not an exclusive list of the types of
services or supplies that constitute health care for the purposes of
the HIPAA Rules. Indeed, ``health care'' also includes supplies
purchased over the counter or furnished to the individual by a person
that does not meet the definition of a health care provider under the
HIPAA Rules.\253\
---------------------------------------------------------------------------
\250\ 45 CFR 160.103 (definition of ``Health care'').
\251\ Id.
\252\ Id.
\253\ 45 CFR 164.103 (definition of ``Health care provider'').
---------------------------------------------------------------------------
The Department proposes to add and define a new term,
``reproductive health care,'' that is a subcategory of the existing
term ``health care.'' Specifically, the Department proposes to define
``reproductive health care'' as ``care, services, or supplies related
to the reproductive health of the individual.'' As with ``health
care,'' ``reproductive health care'' applies broadly and includes not
only reproductive health care and services furnished by a health care
provider and supplies furnished in accordance with a prescription, but
also care, services, or supplies furnished by other persons and non-
prescription supplies purchased in connection with an individual's
reproductive health. The Department proposes defining reproductive
health care based on the underlying activities, consistent with its
approach to defining ``health care'' in the 2000 Privacy Rule.\254\
Under this proposal, such care, services, or supplies would be
considered ``reproductive health care'' to the extent that they meet
this functional definition.
---------------------------------------------------------------------------
\254\ 65 FR 82571.
---------------------------------------------------------------------------
Elsewhere, Congress and the Department have defined similar terms
like ``reproductive health services'' and ``reproductive health care
services'' to mean ``reproductive health services provided in a
hospital, clinic, physician's office, or other facility, and includes
medical, surgical, counselling or referral services relating to the
human reproductive system, including services relating to pregnancy or
the termination of a pregnancy.'' \255\ The Department proposes to use
the term ``reproductive health care'' rather than ``reproductive health
services'' to ensure that the term is interpreted broadly to capture
all health care that could be furnished to address reproductive health,
including the provision of supplies such as medications and devices,
whether prescription or over-the-counter. The Department also proposes
to define ``reproductive health care'' to include all specified
services regardless of where they are provided, rather than only when
provided in particular locations, and all types of reproductive health
care services, rather than only certain types of services listed within
the definition. The Department believes that services meeting the
definition of these similar terms would generally be included within
the proposed definition of ``reproductive health care.'' Additionally,
the Department believes that basing the proposed term and definition of
``reproductive health care'' on the existing HIPAA term and definition
of ``health care'' would be easier and less burdensome for regulated
entities and other stakeholders to understand and implement.
---------------------------------------------------------------------------
\255\ 18 U.S.C. 248(e)(5) uses the term ``reproductive health
services,'' while E.O. 14076, 87 FR 42053 (July 8, 2022), and 14079,
87 FR 49505 (Aug. 3, 2022), use the term ``reproductive healthcare
services.'' The definitions are essentially the same, with the only
difference being ``health'' as opposed to ``healthcare.''
---------------------------------------------------------------------------
In keeping with the Department's intention for ``reproductive
health care'' to be interpreted broadly and inclusive of all types of
health care related to an individual's reproductive system, the
Department would interpret ``reproductive health care'' to include, but
not be limited to: contraception, including emergency contraception;
pregnancy-related health care; fertility or infertility-related health
care; and other types of care, services, or supplies used for the
diagnosis and treatment of conditions related to the reproductive
system. Pregnancy-related health care includes, but is not limited to,
miscarriage management, molar or ectopic pregnancy treatment, pregnancy
termination, pregnancy screening, products related to pregnancy,
prenatal care, and similar or related care. Other types of care,
services, or supplies used for the diagnosis and treatment of
conditions related to the reproductive system includes health care
related to reproductive organs, regardless of whether the health care
is related to an individual's pregnancy or whether the individual is of
reproductive age. The Department would interpret fertility or
infertility-related health care to include services such as assisted
reproductive
[[Page 23528]]
technology and its components,\256\ as well as other care, services, or
supplies used for the diagnosis and treatment of infertility.
---------------------------------------------------------------------------
\256\ See ``What is Assisted Reproductive Technology?'' Centers
for Disease Control and Prevention (Oct. 8, 2019), https://
www.cdc.gov/art/
whatis.html#:~:text=According%20to%20this%20definition%2C%20ART,donat
ing%20them%20to%20another%20woman.
---------------------------------------------------------------------------
The Department is not proposing a specific definition of
``reproductive health'' at this time. Various definitions of the term
have been included in literature. The Department recognizes that it may
be helpful to stakeholders if ``reproductive health'' were to be
defined in the final rule and invites comment on whether including a
particular definition of ``reproductive health'' would be beneficial.
4. Request for Comment
The Department requests comment on the forgoing definitions and
proposals, including any benefits, drawbacks, or unintended
consequences. The Department also requests comment on the following
considerations in particular:
a. Whether the definitions the Department proposes to adopt are
appropriate. If not, please provide an alternative definition(s) and
support for the definition(s).
b. Whether it is necessary for the Department to define
``reproductive health.'' If so, please provide a definition and support
for the definition.
c. Whether the Department should provide examples of ``reproductive
health care'' in regulatory text, or it is sufficient to provide
extensive discussion of the examples in preamble?
d. Whether it would be helpful for the Department to define any
additional terms. If so, please propose a definition and support for
the definition and rationale.
B. Section 164.502--Uses and Disclosures of Protected Health
Information: General Rules
1. Clarifying When PHI May Be Used or Disclosed by Regulated Entities
Section 164.502 of the Privacy Rule contains the general rules
governing uses and disclosures of PHI, including that a covered entity
or business associate may use or disclose PHI only as permitted or
required by the Privacy Rule.\257\ Section 164.502(a)(1) lists
permitted uses and disclosures.
---------------------------------------------------------------------------
\257\ 45 CFR 164.502(a)(1).
---------------------------------------------------------------------------
In this NPRM, the Department proposes several modifications to the
Privacy Rule to prohibit regulated entities from using or disclosing an
individual's PHI for use against any individual, regulated entity, or
other person for the purpose of a criminal, civil, or administrative
investigation into or proceeding against such person in connection with
seeking, obtaining, providing, or facilitating reproductive health care
that is lawful under the circumstances in which it is provided. The
Department also proposes to prohibit regulated entities from using or
disclosing PHI for identifying an individual, a regulated entity, or
other person for the purpose of initiating such an investigation or
proceeding. These changes are proposed to continue safeguarding the
privacy of PHI to ensure trust in the health care system and to enable
individuals' access to high-quality health care. The proposed
prohibition in 45 CFR 164.502 is three-fold: paragraph (a)(5)(iii)
outlines the activity the Department proposes to prohibit; paragraph
(a)(1)(iv) specifies that an authorization cannot be used to bypass the
proposed prohibition in paragraph (a)(5)(iii); and paragraph (a)(1)(vi)
clarifies that the permissions at 45 CFR 164.512 cannot be used to
circumvent the proposed prohibition.
The Department proposes to modify the general rules in 45 CFR
164.502 by adding a clause to paragraph (a)(1)(iv) and adding a new
requirement in paragraph (a)(1)(vi). Existing paragraph (a)(1)(iv)
permits disclosures based on a valid authorization and, in a prefatory
clause, provides an exception to that general permission such that a
health plan cannot use or disclose PHI that is genetic information for
underwriting purposes, even with an individual's authorization. Thus,
an authorization that purports to allow a use or disclosure of PHI for
that prohibited purpose is not valid under the Privacy Rule. Similarly,
the Department proposes to add the new prohibition proposed in 45 CFR
164.502(a)(5)(iii) to the types of uses and disclosures that would not
be permitted even with an authorization. By adding an exception to
paragraph (a)(1)(iv) for uses and disclosures prohibited by paragraph
(a)(5)(iii), the Department seeks to fully protect individuals' privacy
by precluding any possibility that a third party, such as a law
enforcement official, could obtain an individual's PHI for a prohibited
purpose by coercing the individual to sign an authorization.
In addition, the new proposed requirement in paragraph (a)(5)(iii)
would expressly permit certain uses and disclosures made under 45 CFR
164.512 only when an applicable attestation has been obtained pursuant
to proposed 45 CFR 164.509, discussed below in section IV.D. For
clarity, this proposal would also revise paragraph (a)(5)(vi) to
replace the sentence containing the conditions for certain permitted
uses and disclosures with a lettered list.
2. Adding a New Category of Prohibited Uses and Disclosures
Issues To Address
Generally, the Privacy Rule prohibits uses or disclosures of PHI
except as permitted or required by the Rule. The Privacy Rule
explicitly prohibits uses and disclosures of PHI in two circumstances:
(1) a health plan generally is prohibited from using or disclosing PHI
that is genetic health information for underwriting purposes; \258\ and
(2) a regulated entity is prohibited from selling PHI except when they
have obtained a valid authorization from the individual who is the
subject of the PHI.\259\
---------------------------------------------------------------------------
\258\ 45 CFR 164.502(a)(5)(i).
\259\ 45 CFR 164.502(a)(5)(ii).
---------------------------------------------------------------------------
As discussed in section III of this preamble, the Department issued
its prior iterations of the Privacy Rule at a time when individuals, as
a practical matter, generally would not have expected their highly
sensitive health care information to be used or disclosed for criminal,
civil, or administrative investigations into or proceedings about that
health care. The current regulatory and legal environment is in tension
with that expectation and threatens to erode the trust that is
essential to access to and quality of health care. The Department has
received letters from the public, indicating confusion and concern as
to the ability of regulated entities to use or disclose PHI for the
purposes described above. These sentiments have been echoed by
stakeholders in listening sessions and in media reports. Letters sent
to the Department by Members of Congress further reinforce that
confusion and concern exist about the privacy of individuals' PHI, in
addition to supporting the Department's position that it has the
ongoing authority under HIPAA and the HITECH Act to modify the Privacy
Rule to ensure the privacy of PHI.\260\ These developments and
communications bolster the
[[Page 23529]]
Department's decision to propose certain regulatory changes and
technical corrections that are necessary to eliminate ambiguity and
promote trust in the health care system. Therefore, the Department
proposes to modify 45 CFR 164.502 by adding a new paragraph (a)(5)(iii)
that will protect the privacy of individuals who obtain reproductive
health care that is lawful under the circumstances in which it is
provided, as well as their health care providers, and others who assist
them in obtaining such health care.
---------------------------------------------------------------------------
\260\ See, e.g., Letter from United States Congress Senators
Tammy Baldwin, Elizabeth Warren, and Ron Wyden, et al., to HHS
Secretary Xavier Becerra (March 7, 2023); Letter from United States
Congress Senators Patty Murray, Kirsten Gillibrand, and Martin
Heinrich, et al., to HHS Secretary Xavier Becerra (Sept. 13, 2022);
Letter from United States Congress House Representatives Earl
Blumenauer, Diana DeGette, Barbara Lee, et al., to HHS Secretary
Xavier Becerra (Aug. 30, 2022); and Letter from United States
Congress Senators Michael F. Bennet and Catherine Cortez Masto to
HHS Secretary Xavier Becerra (July 1, 2022).
---------------------------------------------------------------------------
Proposed Prohibition
In keeping with the Privacy Rule's purpose-based approach to
specifying uses or disclosures that are required, permitted, or
prohibited, proposed 45 CFR 164.502(a)(5)(iii) would prohibit a
regulated entity from using or disclosing PHI where the PHI would be
used for a criminal, civil, or administrative investigation into or
proceeding against any person in connection with seeking, obtaining,
providing, or facilitating lawful reproductive health care, or
identifying any person for the purpose of initiating such an
investigation or proceeding, subject to the Rule of Applicability and
Rule of Construction set forth in 45 CFR 164.502(a)(5)(iii)(C) and (D).
Furthermore, the Department proposes that ``seeking, obtaining,
providing, or facilitating'' would include, but not be limited to,
expressing interest in, inducing, using, performing, furnishing, paying
for, disseminating information about, arranging, insuring, assisting,
or otherwise taking action to engage in reproductive health care, as
well as attempting to engage in any of the same.
This proposed prohibition addresses efforts to investigate or bring
proceedings against any person in connection with seeking, obtaining,
providing, or facilitating reproductive health care that is lawful
under the circumstances in which it is provided, or to identify any
person for the purpose of initiating such investigation or proceeding.
As discussed above, it would be contrary to the Congressional intent of
protecting the privacy of an individual's PHI and access to health care
if the Privacy Rule were to permit a regulated entity to use or
disclose PHI to investigate and bring proceedings against persons for
seeking, obtaining, providing or facilitating reproductive health care,
or to identify any person for such purposes, where such health care is
lawful under state or Federal law. Permitting such uses and disclosures
would also be inconsistent with longstanding individual privacy
expectations and could especially chill access to lawful health care,
including by high-risk individuals who may have already experienced a
miscarriage, ectopic pregnancy, stillbirth, or infertility. If such
uses and disclosures are permitted, individuals may delay obtaining
lawful health care or withhold information about their condition or
medical history because they may not trust their health care providers
to use the information only to provide appropriate health care, rather
than report them to law enforcement authorities or others.\261\
Delaying health care may negatively affect an individual's health,
including increasing the risk of death. In fact, a recent report from
the Texas Maternal Mortality and Morbidity Review Committee and
Department of State Health Services found that the most common
contributing factors to a woman's pregnancy-related death in Texas were
delay or failure to seek care, lack of knowledge regarding importance
of treatment or follow-up, and lack of access and financial
resources.\262\ Similarly, if such uses and disclosures are permitted,
a health care provider might leave gaps in or include inaccuracies in
the individual's medical records, creating a risk that ongoing or
future health care would be compromised, because they may not trust
that the information would not be obtained by law enforcement
authorities or others.\263\
---------------------------------------------------------------------------
\261\ See ``In a doctor's suspicion after a miscarriage, a
glimpse of expanding medical mistrust,'' supra note 13. ``[A health
care provider's] ability to take care of patients relies on trust,
and that will be impossible moving forward [. . .] [abortion
restrictions] are really going to put a damper on people seeking
care, even in very normal, very legal situations.''; See also Lucy
Ogbu-Nwobodo, Ruth S. Shim, Sarah Y. Vinson, et al., ``Mental Health
Implications of Abortion Restrictions for Historically Marginalized
Populations,'' The New England Journal of Medicine (Oct. 27, 2022),
https://www.nejm.org/doi/full/10.1056/NEJMms2211124 (``With the
elimination of the right to privacy guaranteed by Roe v. Wade and
the criminalization of abortion in many states, the risk of punitive
involvement by the criminal legal system as a consequence of
reproductive decisions, and potentially even in cases of
miscarriage, is likely to be especially high for members of
historically marginalized groups with mental illness--a population
that is already overrepresented in the criminal legal system.'').
\262\ See Texas Maternal Mortality and Morbidity Review
Committee and Department of State Health Services Joint Biennial
Report 2022, supra note 16, p. 41.
\263\ See, e.g., Brief for Zurawski.
---------------------------------------------------------------------------
Further, even where investigations cannot lawfully result in
proceedings against a person, investigations themselves can reduce the
health information privacy of the individual whose PHI is sought for
the investigation, thereby harming that individual. For example,
permitting a covered entity to disclose a sexual assault survivor's PHI
to law enforcement or others to enable them to investigate that
individual for obtaining lawful reproductive health care as a result of
the assault compounds the harm experienced by the individual by
violating their privacy. Additionally, allowing the disclosure makes
that individual and others in similar circumstances less likely to
obtain lawful reproductive health care if they believe their privacy
will be violated in this manner. Thus, the Department proposes to
prohibit the use or disclosure of PHI where the purpose of the use or
disclosure is for a criminal, civil, or administrative investigation
into or proceeding against any person in connection with seeking,
obtaining, providing, or facilitating reproductive health care that is
lawful under the circumstances in which it is provided, or identifying
any person for the purpose of initiating such an investigation or
proceeding.
Importantly, and as further discussed below, this proposal is
narrowly tailored to address only uses and disclosures for specified
prohibited purposes. It does not otherwise alter a regulated entity's
responsibility to comply with the conditions imposed on the use or
disclosure of PHI for other criminal, civil, or administrative
investigations or proceedings. For example, the proposed rule would not
broadly preempt state or other laws that would require the disclosure
of information about an individual's reproductive health to support
claims for criminal or civil liability unrelated to the prohibited
purposes, assuming such laws meet the requirements of other provisions
of the Privacy Rule, e.g., the permission to use or disclose PHI where
required by law.\264\
---------------------------------------------------------------------------
\264\ 45 CFR 164.512(a).
---------------------------------------------------------------------------
Purpose-Based Prohibition
As discussed above and consistent with the general approach and
structure of the Privacy Rule, the proposed prohibition focuses on the
purpose of the use or disclosure, rather than the type of PHI requested
or the type of regulated entity that receives the use or disclosure
request. The Department acknowledges that in most cases, information
about an individual's reproductive health care includes the kind of
highly sensitive information that could chill patients from obtaining
lawful health care if they knew it could be disclosed. However, the
Department is not proposing a rule that would provide a blanket
protection for this category of information. Enforcing such
[[Page 23530]]
a blanket protection would require regulated entities to restrict the
flow of this category of information, possibly disrupting existing
health care delivery models. For example, implementing differing rules
for a newly designated category of PHI would require costly updates to
electronic record systems to allow for segmenting of certain data
elements for extra protection and create barriers for care
coordination. Providing routine treatments for conditions such as
hormonal imbalances, miscarriage, pregnancy complications, or
gynecological emergencies would be problematic for health care
providers attempting to navigate a blanket prohibition against
disclosure of the category of information related to reproductive
health care. Thus, this proposal does not limit the prohibition to the
use or disclosure of certain types of PHI or to PHI that is held or
maintained by certain types of covered health care providers, such as a
gynecologist or endocrinologist.
A purpose-based prohibition as proposed by the Department would
also permit health plans and many other different types of health care
providers to continue to disclose PHI for treatment or payment for
reproductive health care or other health care conditions that are
affected by or affect an individual's reproductive health. For example,
pregnancy can place a significant strain on the heart of an individual
with certain cardiovascular conditions. It is essential that the
individual's cardiologist be informed of and able to monitor the
individual's pregnancy for potential complications without barriers to
access that information. As another example, pregnancy tests are
routinely administered before a surgical procedure to ensure that
surgeons, anesthesiologists, and individuals are aware of a pregnancy
and have the opportunity to discuss the benefits and risks of
proceeding or to identify alternative treatment options.\265\ And an
earlier example related to hormonal imbalances illustrates why
endocrinologists may require access to reproductive health information.
For similar reasons, it is important that a health care provider
maintain complete and accurate patient medical records to ensure
subsequent health care providers are adequately informed in making
diagnoses or recommending courses of treatment.
---------------------------------------------------------------------------
\265\ See Trisha Pasricha, ``Pregnancy tests are routine before
many surgical procedures. But Dobbs has raised the stakes of a
positive result,'' STAT News (Aug. 16, 2022), https://
www.statnews.com/2022/08/16/pregnancy-tests-are-routine-before-many-
surgical-procedures-but-dobbs-has-raised-the-stakes-of-a-positive-
result/
#:~:text=The%20Supreme%20Court's%20h9568%20decision,making%20testing%
20anything%20but%20routine.
---------------------------------------------------------------------------
Thus, to avoid the potential for disruption to health care and
ensure the provision of appropriate health care, the Department
proposes to limit the prohibition's application to uses and disclosures
of PHI where the purpose is to use the information against any person
for seeking, obtaining, providing, or facilitating reproductive health
care that is lawful under the circumstances in which it is provided, or
to identify any person for doing so. The Department believes the
narrowly crafted prohibition, as proposed, would avoid deterring
individuals from obtaining lawful health care or providing full
information to their health care providers out of fear that highly
sensitive health information could be disclosed in connection with a
criminal, civil, or administrative investigation or proceeding. At the
same time, the proposal would facilitate the ability of health care
providers to navigate the new medical-legal landscape in cooperation
with their patients. The proposed prohibition also would serve as a
disincentive to health care providers considering leaving gaps or
including inaccuracies in medical records or taking other action to
protect individuals or avoid liability under laws prosecuting provision
of reproductive health care. Such disincentives, rooted in the ability
to keep PHI private when sought for certain purposes, are properly
within the Department's authority to regulate under HIPAA.
Preemption of State Laws
The Privacy Rule generally preempts contrary provisions of state
laws.\266\ Thus, if this NPRM were to be finalized, provisions of state
law that are contrary to these proposals would be preempted. The
Department recognizes that the proposal to prohibit uses and
disclosures of PHI for a criminal, civil, or administrative
investigation into or proceeding against any person, or to identify any
person for the purpose of initiating such an investigation or
proceeding, may create a conflict between the Privacy Rule and some
state laws--though we have carefully crafted the proposed prohibition
to apply only in circumstances in which the state lacks any substantial
interest in seeking the disclosure. In such cases, regulated entities
would be required to comply with the Privacy Rule, if modified as
proposed. For example, the Privacy Rule, if modified as proposed, would
prohibit the disclosure of PHI to law enforcement in furtherance of a
law enforcement investigation of an individual for obtaining
reproductive health care that is lawful under the circumstances in
which it is provided. It would also prohibit the disclosure of PHI for
a law enforcement investigation of a health clinic for providing
reproductive health care that is lawful under the circumstances in
which it is provided, even in response to a court order, such as a
search warrant.\267\ Such disclosure, despite the court order, would be
a violation of the Privacy Rule and would subject the regulated entity
to a potential OCR investigation and civil money penalty. Additionally,
if a regulated entity chose to comply with the court order in the
example above, there would be a presumption that a breach of unsecured
PHI had occurred because there was a disclosure of PHI in a manner not
permitted under the Privacy Rule which compromises the privacy of the
PHI. Thus, breach notification would be required unless the entity
could demonstrate that there was a low probability that the PHI had
been compromised.\268\ Where an entity determines that a breach has
occurred, the entity would need to provide notification to the affected
individual(s), the Secretary, and, when applicable, the media.\269\
---------------------------------------------------------------------------
\266\ 42 U.S.C. 1320d-7(a)(1) (providing the general rule that,
with limited exceptions, a provision or requirement under HIPAA
supersedes any contrary provision of state law).
\267\ In contrast, the current Privacy Rule would permit such a
disclosure based on a court order requiring the disclosure. See 45
CFR 164.512(a); see also 45 CFR 164.103 (definition of ``Required by
law'').
\268\ 45 CFR 164.402 (definition of ``Breach'').
\269\ See 45 CFR 164.400 through 164.414. The HIPAA Breach
Notification Rule requires covered entities and their business
associates to provide certain notifications following a breach of
unsecured PHI.
---------------------------------------------------------------------------
Application of Proposed Prohibition
The Department proposes a Rule of Applicability to apply the
prohibition where the relevant criminal, civil, or administrative
investigation or proceeding is in connection with any person seeking,
obtaining, providing, or facilitating reproductive health care that:
(1) is provided outside of the state where the investigation or
proceeding is authorized and that is lawful in the state in which such
health care is provided; (2) is protected, required, or authorized by
Federal law, regardless of the state in which such health care is
provided; or (3) is provided in the state in which the investigation or
proceeding is authorized and that is permitted by the law of that
state. This proposed Rule of Applicability would limit the application
of the prohibition to
[[Page 23531]]
circumstances in which the care is lawful under the circumstances in
which such health care is provided.
As described above, all three prongs of the proposed Rule of
Applicability require the reproductive health care at issue to be
provided under circumstances in which the provision of such health care
is lawful. Thus, in order to determine whether the proposed rule would
permit the use or disclosure of PHI, the regulated entity would need to
determine whether the reproductive health care was provided under
circumstances in which it was lawful to do so. Where the regulated
entity determines that the reproductive health care was provided under
circumstances where it was unlawful, the proposed prohibition would not
apply, and the regulated entity would be permitted to use or disclose
the PHI for a criminal, civil, or administrative investigation into or
proceeding against a person in connection with seeking, obtaining,
providing, or facilitating reproductive health care. For example, where
the regulated entity determines that reproductive health care was
provided in a state where it was unlawful to do so and under
circumstances in which Federal law does not protect the provision of
such health care, a regulated entity would be permitted to use or
disclose PHI for a criminal, civil, or administrative investigation
against a health care provider that provided the unlawful reproductive
health care. However, the regulated entity would be prohibited from
disclosing PHI for the same purpose where it determined that the
reproductive health care was provided in a state where it was lawful to
do so, subject to the proposed Rule of Construction, discussed below.
Under the Constitution, an individual cannot be barred from
traveling from one state to another to obtain reproductive health
care.\270\ Accordingly, the Department proposes to prohibit uses and
disclosures of PHI where it is sought for use in an investigation into
or proceeding against a person for seeking, obtaining, providing or
facilitating reproductive health care outside of the state in which
investigation or proceeding is authorized and where such health care is
lawful under the circumstances in which it was provided. The proposal
is not limited to circumstances in which the health care has not yet
been obtained, provided, or facilitated. It also includes situations
where the health care is ongoing or has been completed. For example,
under this proposal, a covered entity that provides lawful reproductive
health care to an out-of-state resident generally would not be
permitted to use or disclose PHI to law enforcement from the
individual's home state for use in an investigation or proceeding in
connection with the individual's receipt of or the covered entity's
provision of that reproductive health care. In addition, a covered
health care provider in the state of the individual's residence that
may receive PHI concerning such reproductive health care provided out
of state (e.g., a hospital in the home state that receives records from
an out-of-state clinic) would be subject to the same restriction. In
these circumstances under the Constitution, administrative, civil, or
criminal liability may not be imposed for the receipt or provision of
the out-of-state care. The Department also notes that generally, states
do not have the ability to permit or limit actors in another state from
engaging in certain activities. For example, states determine the
requirements for licensure of health care providers that furnish health
care within their borders; they do not have the ability to set such
requirements for health care providers that furnish health care
elsewhere. Thus, it would be inconsistent to permit states to impose
liability on health care providers who furnish health care in another
state in accordance with the laws of that state.
---------------------------------------------------------------------------
\270\ Dobbs, 142 S. Ct. at 2309 (Kavanaugh, J., concurring)
(addressing whether a state can ``bar a resident of that State from
traveling to another State to obtain an abortion? [ . . . ] [T]he
answer is not based on the constitutional right to interstate
travel.''); see also ``Application of the Comstock Act to the
Mailing of Prescription Drugs That Can Be Used for Abortions,''
Department of Justice, 46 Op. O.L.C. __, at *19 (Dec. 23, 2022),
https://www.justice.gov/olc/opinion/file/1560596/download.
---------------------------------------------------------------------------
The proposed prohibition would also apply where the use or
disclosure of PHI is sought for use in an investigation into or
proceeding against a person where the reproductive health care is
protected, required, or authorized by Federal law, regardless of the
state in which such care is provided. For example, the proposed
prohibition would prohibit the use or disclosure of PHI for use in an
investigation into or proceeding against a covered entity that provided
reproductive health care in a situation where EMTALA requires offering
such health care. Additionally, the Department's proposal would
prohibit the use or disclosure of PHI for use in an investigation into
or proceeding against employees of the Department of Veterans Affairs
(VA) who provide or facilitate reproductive health care in a manner
authorized by Federal law, including VA regulations.\271\ And it would
apply where the investigation or proceeding is against any person in
connection with seeking, obtaining, providing, or facilitating
reproductive health care--such as contraception--that remains protected
by the Constitution after Dobbs.\272\ In these circumstances, Federal
law bars the imposition of administrative, civil, or criminal liability
on such care.
---------------------------------------------------------------------------
\271\ See ``Intergovernmental Immunity for the Department of
Veterans Affairs and Its Employees When Providing Certain Abortion
Services,'' Department of Justice, 46 Op. O.L.C. __ (Sept. 21,
2022), https://www.justice.gov/d9/2022-11/2022-09-21-va_immunity_for_abortion_services.pdf.
\272\ See Griswold v. Connecticut, 381 U.S. 479 (1965);
Eisenstadt v. Baird, 405 U.S. 438 (1972); Dobbs, 142 S. Ct. at 2309
(Kavanaugh, J., concurring) (Dobbs ``does not threaten or cast doubt
on'' the precedents providing constitutional protection for
contraception).
---------------------------------------------------------------------------
Finally, the prohibition would apply when the relevant criminal,
civil, or administrative investigation or proceeding is in connection
with any person seeking, obtaining, providing, or facilitating
reproductive health care that is provided in the state in which the
investigation or proceeding is authorized and that is permitted by the
law of that state. Under this proposal, a regulated entity would not be
permitted to use or disclose PHI in response to an investigation or
proceeding occurring in a state where the reproductive health care is
lawful. The proposal would also prohibit the use or disclosure of PHI
where the health care meets the requirements of an exception to a law
limiting the provision of reproductive health care (e.g., for pregnancy
termination when the pregnancy is the result of rape or incest or
because the life of the pregnant individual is endangered). It would
also prohibit the use or disclosure of PHI where the health care
occurred at a point in pregnancy at which such health care is permitted
by state law. If a state has not made the relevant reproductive health
care unlawful, it lacks a legitimate interest in conducting a criminal,
civil, or administrative investigation or proceeding into such health
care where the investigation is centered on the mere fact that
reproductive health care was or is being provided.
Scope of Proposed Prohibition
The proposed prohibition would apply to any request for PHI to
facilitate a criminal, civil, or administrative investigation or
proceeding against any person, or to identify any person in order to
initiate an investigation or proceeding, where the basis for the
investigation, proceeding, or identification is that the person sought,
[[Page 23532]]
obtained, provided, or facilitated reproductive health care that is
lawful under the circumstances in which such health care is provided.
As discussed above, the proposal would preempt state or other law
requiring a regulated entity to use or disclose PHI in response to a
court order or other type of legal process for a purpose prohibited by
this proposed rule where the prohibition applies. It would not preempt
laws that require use or disclosure of PHI for other purposes,
including public health purposes.\273\ The proposal also would not
prohibit a regulated entity from disclosing an individual's PHI to law
enforcement where the purpose of the disclosure is to investigate a
sexual assault committed against the individual, provided the
attestation described later in this preamble is obtained, or where such
health care is not lawfully obtained in the state in which it is
provided.
---------------------------------------------------------------------------
\273\ While this proposal does not affect reporting to a public
health authority or other appropriate government authority
authorized by law to receive reports of child abuse or neglect as
permitted under 45 CFR 164.512(b)(1)(ii), the proposed definitions
of ``person'' and ``child abuse'' would make clear that seeking,
obtaining, providing, or facilitating the provision of an abortion,
products related to pregnancy, or fertilized egg or embryo disposal
would not constitute child abuse as addressed therein.
---------------------------------------------------------------------------
The Department intends ``criminal, civil, or administrative
investigation into or proceeding against'' to encompass any type of
legal or administrative investigation or proceeding. This includes, but
is not limited to, law enforcement investigations, third party
investigations in furtherance of civil proceedings, state licensure
proceedings, criminal prosecutions, and family law proceedings.
Examples of criminal, civil, or administrative investigations or
proceedings for which regulated entities would be prohibited from using
or disclosing PHI would also include a civil suit brought by a person
exercising a private right of action provided for under state law
against an individual or health care provider who obtained, provided,
or facilitated a lawful abortion, or a law enforcement investigation
into a health care provider for lawfully providing or facilitating the
disposal of an embryo at the direction of the individual.
The proposal would prohibit a regulated entity from using or
disclosing PHI for a criminal, civil, or administrative investigation
into or proceeding against ``any person'' in connection with seeking,
obtaining, providing, or facilitating reproductive health care that is
lawful under the circumstances in which it is provided, or for
identifying ``any person'' for the purpose of initiating such an
investigation or proceeding. ``Against any person'' means, based on the
HIPAA Rules' definition of ``person,'' \274\ that the proposed
prohibition would not be limited to use or disclosure of PHI for use
against the individual; rather, the prohibition would apply to the use
or disclosure of PHI against a regulated entity, or any other person,
including an individual or entity, who may have obtained, provided, or
facilitated lawful reproductive health care.\275\
---------------------------------------------------------------------------
\274\ 45 CFR 160.103 (definition of ``Person'').
\275\ Note that in section IV.A.1., the Department proposes to
modify the definition of ``person,'' although that proposed
modification would not have an effect here.
---------------------------------------------------------------------------
Rule of Construction
The Department does not intend for this proposed prohibition to
prevent a regulated entity from using or disclosing PHI for other
permissible purposes under the Privacy Rule where the request is not
made primarily for the purpose of investigating or imposing liability
on any person for the mere act of seeking, obtaining, providing, or
facilitating reproductive health care that is lawful under the
circumstances in which it is provided, and proposes to clarify that
through a Rule of Construction. In so doing, the Department clarifies
that it does not intend for the prohibition to prevent certain uses or
disclosures of PHI where they are permitted by other provisions of the
Privacy Rule as discussed below.
For example, just as an individual would be able to obtain their
own PHI to initiate a claim against a covered health care provider for
professional misconduct or negligence under the Privacy Rule's right of
access,\276\ the proposed Rule of Construction would make clear that
the proposed prohibition does not inhibit the ability of a covered
health care provider to use or disclose that same PHI to defend
themselves in an investigation or proceeding related to professional
misconduct or negligence where the alleged professional misconduct or
negligence involved reproductive health care. In such instance, there
would be due process concerns that could ultimately prevent the covered
health care provider from being held liable for the professional
misconduct or negligence. Thus, the Department proposes to limit the
Rule of Construction to applying only in circumstances in which the
health care provider would not be using or disclosing such PHI for the
purpose of ``investigating or conducting a legal proceeding against a
person,'' but rather for the purpose of defending itself against such
an investigation or a proceeding. In addition, such an investigation or
proceeding would not be based on the mere act of seeking, obtaining,
providing, or facilitating reproductive health care. Instead, the
investigation or proceeding would be based on allegations of
professional misconduct or negligence in providing reproductive health
care. The use or disclosure of PHI would be permitted under such
circumstances. The Federal government could similarly use PHI (obtained
with an attestation) to defend itself against claims brought by
individuals where professional misconduct based on a health care
provider's failure to meet an applicable standard of care, as described
herein, may not be the primary focus of the claim, but where the
provision of such care is central to the claim.
---------------------------------------------------------------------------
\276\ 45 CFR 164.524.
---------------------------------------------------------------------------
As discussed above, under the Rule of Applicability, the proposed
prohibition on the use or disclosure of PHI for the purposes of a
criminal, civil, or administrative investigation or proceeding against
any person in connection with seeking, obtaining, providing, or
facilitating reproductive health care, or the identification of any
person for such investigations or proceedings, would apply only when
such reproductive health care is provided under circumstances in which
it is lawful to do so. When read in isolation, this would seemingly
prevent regulated entities from using or disclosing PHI for the purpose
of defending themselves or others against allegations that they sought,
obtained, provided, or facilitated unlawful care. To address this
potential misreading, the proposed Rule of Construction limits the
proposed prohibition to circumstances in which the PHI is sought for
the purpose of investigating or imposing liability on any person for
the mere act of seeking, obtaining, providing, or facilitating
reproductive health care. Thus, under the proposal, a regulated entity
could not use or disclose PHI as part of an investigation into any
person for allegedly seeking, obtaining, providing, or facilitating
reproductive health care; in contrast, the regulated entity could use
or disclose PHI to defend any person in a criminal, civil, or
administrative proceeding where liability could be imposed on that
person for providing such health care.
Additionally, the proposed Rule of Construction would clarify that
the proposed prohibition does not prohibit uses or disclosures to a
health oversight agency for health oversight activities, such as for
the purpose of investigating
[[Page 23533]]
whether reproductive health care was actually provided or appropriately
billed in connection with a claim for such services.\277\ For example,
the proposed Rule of Construction would not prohibit the use or
disclosure of PHI where the PHI is sought to investigate or pursue
proceedings against a person for knowingly submitting a claim for
reproductive health care for payment to the government where the
reproductive health care was not provided or improperly billed. In this
case, the request would not be made primarily for the purpose of
investigating or imposing liability on any person for the mere act of
seeking, obtaining, providing, or facilitating reproductive health
care; instead, the request would be primarily for the purpose of
investigating or imposing liability on a person for, in this particular
scenario, an alleged violation of the Federal False Claims Act or a
state equivalent.\278\ As another example, the proposed Rule of
Construction also would not prohibit the use or disclosure of PHI to an
Inspector General where the PHI is sought to conduct an audit aimed at
protecting the integrity of the Medicare or Medicaid program. The
proposed Rule of Construction also would make clear that the proposed
prohibition does not prevent uses or disclosures for the purpose of
investigating alleged violations of Federal nondiscrimination laws or
abusive conduct, such as sexual assault, that occur in connection with
reproductive health care.
---------------------------------------------------------------------------
\277\ See 45 CFR 164.512(d)(1)(i) through (iv) for health
oversight activities for which the Privacy Rule permits uses and
disclosures of PHI. The proposal would permit these uses and
disclosures of PHI to effectuate Federal agencies' health oversight
activities.
\278\ 31 U.S.C. 3729-3733.
---------------------------------------------------------------------------
The proposed Rule of Construction would also clarify that the
proposed prohibition would not prohibit a regulated entity from
responding to a request for relevant records in a criminal or civil
investigation or proceeding pursuant to 18 U.S.C. 248 regarding freedom
of access to clinic entrances. Investigations under this provision are
conducted for the purpose of determining whether a person physically
obstructed, intimidated, or interfered with persons providing
``reproductive health services,'' \279\ or attempted to do so. They
therefore do not involve investigations or proceedings against a person
in connection with the mere act of ``seeking, obtaining, providing, or
facilitating of reproductive health care'' under circumstances in which
it was lawful to do so.
---------------------------------------------------------------------------
\279\ 18 U.S.C. 248(e)(5) (definition of ``Reproductive health
services'').
---------------------------------------------------------------------------
Disclosures Required by the Privacy Rule
Regulated entities are expected to continue to comply with and
disclose PHI in response to an individual's request for access to their
own PHI,\280\ or a request from the Secretary to disclose PHI as part
of an investigation into a regulated entity's compliance with the HIPAA
Rules. These requirements to disclose PHI at 45 CFR 164.502(a)(2) and
(4) are unlikely to come into conflict with the proposed prohibition
because neither an individual's request for their own PHI nor a HIPAA
compliance investigation are disclosures sought primarily because a
person sought, obtained, provided, or facilitated reproductive health
care.
---------------------------------------------------------------------------
\280\ Under 45 CFR 164.502(a)(2)(i), covered entities are
primarily responsible for compliance with the Privacy Rule's
individual right of access provisions. The Privacy Rule imposes
narrow direct liability on business associates for compliance with
the individual right of access at 45 CFR 164.502(a)(4)(ii). However,
it is the Department's understanding that many covered entities
engage business associates, such as release-of-information vendors,
to accept and respond to such requests. For additional information
on business associates and their obligations under the HIPAA Rules,
visit https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/.
---------------------------------------------------------------------------
The Department also reaffirms that an individual's right of access
to their own PHI cannot be denied based on their intended use of the
PHI.\281\ Thus, an individual would retain their current ability to
obtain a copy of their own PHI in a designated record set from a
covered entity, as well as to direct a covered entity to transmit to
another person (which could be a law enforcement official if the
individual so chooses) an electronic copy of their PHI in an electronic
health record (EHR). The Department is concerned that a law enforcement
official or other person could potentially coerce an individual into
exercising their right of access for the purpose of circumventing the
prohibition. However, the Department also views the right of access as
paramount to an individual's ability to make decisions regarding their
own health care and does not intend to impede an individual's ability
to exercise this right. Therefore, the Department does not propose to
modify the right of access to address this specific concern.
---------------------------------------------------------------------------
\281\ As explained in the preamble to the 2000 Privacy Rule,
covered entities may only deny access for the reasons specifically
provided in the rule. 65 FR 82556.
---------------------------------------------------------------------------
3. Clarifying Personal Representative Status in the Context of
Reproductive Health Care
Current Provision and Issues To Address
Section 164.502(g) of the Privacy Rule contains the standard for
personal representatives and generally requires a regulated entity to
treat an individual's personal representative as the individual when
consistent with state law.\282\ For example, the Privacy Rule would
treat a legal guardian of an individual who has been declared
incompetent by a court as the personal representative of that
individual, if consistent with applicable law (e.g., state law).\283\
In this and certain other provisions, the Department seeks to maintain
the balance between the interest of a state or others to regulate
health and safety and protect vulnerable individuals \284\ with the
goal of maintaining the privacy protections established in the Privacy
Rule.\285\
---------------------------------------------------------------------------
\282\ See 45 CFR 164.502(g)(1).
\283\ See 45 CFR 164.502(g)(3)(i). See also ``Personal
Representatives,'' U.S. Dep't of Health and Human Servs., Office for
Civil Rights, https://www.hhs.gov/hipaa/for-individuals/personal-representatives/.
\284\ See, e.g., 45 CFR 164.510(b)(3) and 164.512(j)(1)(i)(A).
\285\ See 65 FR 82471.
---------------------------------------------------------------------------
The Department is concerned that some regulated entities may
interpret the Privacy Rule as providing them with the ability to refuse
to recognize as an individual's personal representative a person who
makes reproductive health care decisions, on behalf of the individual,
with which the regulated entity disagrees. Under these circumstances,
current section 502(g)(5) of the Privacy Rule could be interpreted to
permit a regulated entity to assert that, by virtue of the personal
representative's involvement in the reproductive health care of the
individual, the regulated entity believes that the personal
representative is subjecting the individual to abuse. Further, in the
absence of clarification as proposed in this NPRM, this regulated
entity could exercise professional judgment to decide that it is in the
best interest of the individual not to recognize the personal
representative's authority to make medical decisions for that
individual.
Proposal
To protect the balance of interests struck by the Privacy Rule, the
Department proposes to modify 45 CFR 164.502 by adding a new paragraph
(g)(5)(iii). Proposed 45 CFR 164.502(g)(5)(iii) would ensure that a
[[Page 23534]]
regulated entity could not deny personal representative status to a
person, where such status would otherwise be consistent with state and
other applicable law, primarily because that person facilitates or
facilitated or provided reproductive health care for an individual. The
Department believes this proposal is narrowly tailored and respects the
interests of states and the Department by not unduly interfering with
the ability of states to define the nature of the relationship between
an individual and another person, including between a minor and a
parent, upon whom the state deems it appropriate to bestow personal
representative status. This proposal would, however, maintain the
existing HIPAA standard by ensuring personal representative status,
when otherwise consistent with state law, is not affected by the type
of underlying health care sought.
4. Request for Comment
The Department requests comment on the foregoing proposals,
including any benefits, drawbacks, or unintended consequences. The
Department also requests comment on the following considerations in
particular:
e. Whether the proposed prohibition in section IV.B.2. is
sufficiently narrow so as to limit harmful uses or disclosures (such as
for investigating individuals who have obtained, or health care
providers who have provided, lawful health care primarily because they
obtained or provided the lawful health care) and to permit beneficial
uses or disclosures (such as for conducting investigations into health
care fraud or audits examining general compliance with claims billing
requirements). If not, please explain and provide examples.
f. The effects of individuals' concerns about the potential
disclosure of their PHI to law enforcement or others on their
willingness to confide in their health care providers.
g. The effects of individuals' withholding information about their
health from their health care providers.
h. The effects of health care providers' concerns about potential
criminal, civil, or administrative investigations into or proceedings
against them or their patients in connection with the provision of
lawful reproductive health care on the completeness and accuracy of
medical records and continuity of care.
i. Whether it would be beneficial to further clarify or provide
additional examples of instances in which the use or disclosure of PHI
would be permitted under the proposal, such as examples of type of
investigations or proceedings that are focused on health care fraud and
for which PHI is necessary.
j. Whether the Department should permit the use and disclosure of
an individual's PHI for the purpose described in section IV.B.2. with a
valid authorization from the individual.
i. If so, please provide recommendations for how the Department
could ensure that individuals are adequately protected from coercive
tactics to provide such authorization. For example, should the
Department permit such use or disclosure based on an authorization only
if a regulated entity also obtains some form of attestation or
assurance from the recipient of the PHI?
ii. Whether third parties might circumvent the prohibition by
coercing individuals to exercise their right to direct a covered entity
to transmit to a third party an electronic copy of their PHI in an EHR.
If so, please suggest ways the Department could address this problem
without curtailing an individual's right of access or increasing the
burden on regulated entities.
k. Whether the Department should apply the proposed prohibition
broadly to any health care, rather than limiting it to reproductive
health care. Please explain.
l. Whether the Department should prohibit or limit uses or
disclosures of ``highly sensitive PHI'' for certain purposes. If so:
i. How should the Department define ``highly sensitive PHI''?
Please explain and provide reference materials to support any suggested
definition.
ii. What additional protections should ``highly sensitive PHI'' be
accorded?
iii. Do regulated entities have the technical ability to
differentiate between types of PHI in their electronic record systems
and apply special protections to a new category of ``highly sensitive
PHI''?
iv. What would be the estimated burden on regulated entities of
providing additional protections for ``highly sensitive PHI''?
m. Whether in addition to, or instead of, the proposed prohibition,
the Department should:
i. Require a regulated entity to obtain an individual's
authorization for certain uses and disclosures of PHI that currently
are permitted without an authorization.
ii. Require a regulated entity to obtain an individual's
authorization for any uses and disclosures of a defined category of PHI
(e.g., ``highly sensitive PHI'').
iii. Require a regulated entity to accept and comply with an
individual's request for restrictions of uses and disclosures of
``highly sensitive PHI.''
iv. Eliminate or narrow any existing permissions to use or disclose
``highly sensitive PHI'' (e.g., permissions to report crime on the
premises or report crime in emergencies).
n. What are the practices and procedures that a regulated entity
currently uses to determine what actions they will take when faced with
a conflict of state and Federal laws regarding uses and disclosures of
PHI?
o. Whether the scope of the proposed rule of applicability will be
sufficiently clear to individuals and covered entities, and whether the
provision should be made more specific or otherwise modified to ensure
individuals and covered entities know when disclosures of PHI will be
permitted.
p. Whether the proposed Rule of Construction is sufficient, or
whether the Rule of Construction should be expanded, narrowed, or
otherwise modified. Please explain and provide support for this
response.
q. Whether the proposed clarification to personal representative
status in the context of reproductive health care is sufficient to
clarify that personal representatives who provide or facilitate
reproductive health care have not committed an act of ``child abuse.''
Please explain and provide support for this response.
C. Section 164.509--Uses and Disclosures for Which an Attestation Is
Required (Proposed Heading)
1. Current Provision and Issues To Address
The Privacy Rule currently separates uses and disclosures into
three categories: required, permitted, and prohibited. Permitted uses
and disclosures are further subdivided into those to carry out
treatment, payment, or health care operations; \286\ those for which an
individual's authorization is required; \287\ those requiring an
opportunity for the individual to agree or object; \288\ and those for
which an authorization or opportunity to agree or object is not
required.\289\ For an individual's authorization to be valid, the
Privacy Rule requires that it contain certain specific information to
ensure that an individual authorizing a regulated entity to use or
disclose their PHI to another person knows and
[[Page 23535]]
understands to what it is they are agreeing.\290\
---------------------------------------------------------------------------
\286\ 45 CFR 164.506.
\287\ 45 CFR 164.508.
\288\ 45 CFR 164.510.
\289\ 45 CFR 164.512.
\290\ 45 CFR 164.508(b).
---------------------------------------------------------------------------
Pursuant to proposals in this NPRM, a regulated entity presented
with a request for PHI that is potentially related to reproductive
health care would need to discern whether using or disclosing PHI in
response to the request would be prohibited by the proposed 45 CFR
164.502(a)(5)(iii). Without a mechanism for assisting regulated
entities in determining the purpose of a use or disclosure request from
certain persons, the Department believes it would be difficult for
regulated entities to distinguish between use and disclosure requests
for permitted and prohibited purposes, potentially leading regulated
entities to deny use or disclosure requests for permitted purposes.
Additionally, absent an enforcement mechanism, the Department believes
requesters of PHI could seek to use existing Privacy Rule permissions
for purposes that would be prohibited under 45 CFR 164.502(a)(5)(iii).
2. Proposal
To facilitate compliance with the proposed prohibition while also
providing a pathway to disclose PHI for permitted purposes for which
authorization is not required and an opportunity to agree or object is
not required, the Department proposes to add a requirement to obtain an
attestation from the person requesting the use and disclosure as a
condition for certain permitted uses and disclosures.
Specifically, the Department proposes to add a new section 45 CFR
164.509: ``Uses and disclosures for which an attestation is required.''
This proposed condition would require a regulated entity to obtain
assurances from the person requesting the PHI, in the form of a signed
and dated written statement attesting that the use or disclosure would
not be for a purpose prohibited under 45 CFR 164.502(a)(5)(iii), where
the person is making the request under the Privacy Rule permissions at
45 CFR 164.512(d) (disclosures for health oversight activities), (e)
(disclosures for judicial and administrative proceedings), (f)
(disclosures for law enforcement purposes), or (g)(1) (disclosures
about decedents to coroners and medical examiners). This proposed
condition would apply when the request is for PHI that is potentially
related to reproductive health care, as defined in proposed 45 CFR
160.103. Thus, an attestation would not be required when the person
making the request does not seek PHI potentially related to
reproductive health care. If, however, the request would require a
regulated entity to disclose PHI potentially related to reproductive
health care, a regulated entity would have to first obtain an
attestation from the person making the request to ensure that the PHI
would not be used or disclosed for a prohibited purpose.
Additionally, where one of these permissions applies, the
attestation must include a statement that the use or disclosure is not
prohibited as described at 45 CFR 164.502(a)(5)(iii). Thus, the
Department proposes to limit the attestation requirement to the Privacy
Rule provisions that have the greatest potential to result in use or
disclosure of an individual's PHI for a criminal, civil, or
administrative investigation into or proceeding against, any person for
seeking, obtaining, providing, or facilitating reproductive health care
or to identify any person for the purpose of initiating such an
investigation or proceeding.
The attestation proposal is intended both to ensure that the
existing Privacy Rule permissions could not be used to circumvent the
new proposed prohibition at 45 CFR 164.502(a)(5)(iii) and to continue
permitting essential disclosures. The proposed attestation requirement
also would limit the additional burden on the regulated entity
receiving requests for such uses and disclosures by providing a
standard mechanism by which the regulated entity would ascertain
whether a requested use or disclosure would be prohibited under the
proposal.
The Department's attestation proposal is modeled after the
authorization requirement at 45 CFR 164.508.\291\ Modeling the proposed
attestation provision after the authorization provision would ensure
that a person requesting the PHI provides a regulated entity with the
information needed to ascertain whether the request is for a prohibited
purpose because the proposed attestation requirement would require the
person requesting the disclosure to confirm the types of PHI that they
are requesting; to clearly identify the name of the individual whose
PHI is being requested, if practicable, or if not practicable, the
class of individuals whose PHI is being requested, and to confirm, in
writing, that the use or disclosure is not for a purpose prohibited
under 45 CFR 164.502(a)(5)(iii). For purposes of the ``class of
individuals'' described in 45 CFR 164.509(c)(1)(i)(B), the requesting
entity may describe such a class in general terms--for example, as all
individuals who were treated by a certain health care provider or for
whom a certain health care provider submitted claims, all individuals
who received a certain procedure, or all individuals with given health
insurance coverage. Similar to the authorization provision, the
proposed attestation provision would also include the general
requirements for a valid attestation, and defects of an invalid
attestation. The provision would also include the attestation's content
requirements and would apply to both uses and disclosures for the
specified purposes.\292\ In addition, the attestation must be written
in plain language.\293\
---------------------------------------------------------------------------
\291\ Section 164.508 of title 45 CFR details the general rules
for authorizations, such as the rules specific to types of PHI or
purposes for disclosure, compound authorizations, the elements
required for a valid authorization, and how authorizations may be
revoked.
\292\ Pursuant to 45 CFR 164.530(j), regulated entities would be
required to maintain a written or electronic copy of the
attestation.
\293\ The Federal plain language guidelines under the Plain
Writing Act of 2010 only applies to Federal agencies, but it serves
as a helpful resource. See .
---------------------------------------------------------------------------
The proposed attestation provision would also include a prohibition
on compound attestations. Specifically, the proposal would prohibit the
attestation from being ``combined with'' any other document. The
Department intends this prohibition to mean that an attestation must be
clearly labeled and distinct from any surrounding text. For example, an
attestation would not be impermissibly ``combined with'' a subpoena if
it is attached to it, provided that the attestation is clearly labeled
as such. As another example, an electronic attestation would not to be
impermissibly ``combined with'' another document where the attestation
is on the same screen as the other document, provided that the
attestation is clearly and distinctly labeled as such.
Further, the attestation proposal would explicitly permit the
attestation document to be in electronic format, as well as
electronically signed by the person requesting the disclosure.\294\ At
this time, the Department declines to propose mandating a specific
electronic format for the attestation. The attestation would be
facially valid when the document meets the required elements of the
attestation proposal and includes an electronic signature that is valid
under applicable Federal and state law.\295\
---------------------------------------------------------------------------
\294\ Proposed 45 CFR 164.509(b)(1)(iv) and (c)(1)(v).
\295\ While not explicitly stated in the Privacy Rule, the
Department previously issued guidance clarifying that authorizations
are permitted to be submitted and signed electronically. See HIPAA
FAQ #475, and HIPAA FAQ #554, https://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/.
---------------------------------------------------------------------------
[[Page 23536]]
Unlike the authorization provision, the proposed attestation would
be limited to the specific use or disclosure. Generally, when a
regulated entity receives a valid authorization, they may continue to
use or disclose PHI to such requestor pursuant to that authorization
after the initial disclosure, provided that such subsequent uses and
disclosures are valid and related to that authorization. Under the
proposal, the Department anticipates that each use or disclosure
request would require a new attestation.
The Department is explicitly declining to propose a new exception
to the minimum necessary standard for uses and disclosures made
pursuant to an attestation under 45 CFR 164.509.\296\ Thus, a regulated
entity would have to limit a use or disclosure to the minimum necessary
when provided in response to a request that would be subject to the
proposed attestation requirement. Where the person requesting the PHI
is also a regulated entity, that person would also need to make
reasonable efforts to limit their request to the minimum necessary to
accomplish the intended purpose of the use, disclosure, or
request.\297\
---------------------------------------------------------------------------
\296\ See 45 CFR 164.502(b). The minimum necessary standard of
the Privacy Rule applies to all uses and disclosures where a request
does not meet one of the specified exceptions in paragraph (b)(2).
\297\ 45 CFR 164.502(b)(1).
---------------------------------------------------------------------------
The Department does not propose to require a regulated entity to
investigate the validity of an attestation provided by a person
requesting a use or disclosure of PHI; rather, a regulated entity would
be able to rely on the attestation provided that it is objectively
reasonable under the circumstances for the regulated entity to believe
the statement required by 45 CFR 164.509(c)(1)(iv) that the requested
disclosure of PHI is not for a purpose prohibited by 45 CFR
164.502(a)(5)(iii).\298\ If such reliance is not objectively
reasonable, then the regulated entity may not rely on the attestation.
Under the proposal, it would not be objectively reasonable for a
regulated entity to rely on a requester's representation as to whether
the reproductive health care was provided under circumstances in which
it was lawful to provide such care. This is because the regulated
entity, and not the requester, has the information about the provision
of such care that is necessary to make this determination. Therefore,
this determination would need to be made by the regulated entity prior
to using or disclosing PHI in response to a request for a use or
disclosure of PHI that would require an attestation under the proposal.
---------------------------------------------------------------------------
\298\ This approach is consistent with 45 CFR
164.514(h)(2)(iii), which permits a covered entity to rely on
certain statements or requests to meet the requirement to verify the
legal authority of a public official or a person acting on behalf of
the public official if such reliance is reasonable under the
circumstances.
---------------------------------------------------------------------------
The proposed attestation also would require a regulated entity to
cease use or disclosure of PHI if the regulated entity developed reason
to believe, during the course of the use or disclosure, that the
representations contained within the attestation were materially false,
leading to uses or disclosures for a prohibited purpose.\299\ The
Department notes that pursuant to HIPAA, a person who knowingly and in
violation of the Administrative Simplification provisions obtains or
discloses IIHI relating to another individual or discloses IIHI to
another person would be subject to criminal liability.\300\ Thus, a
requester who knowingly falsifies an attestation (e.g., makes material
misrepresentations as to the intended uses of the PHI requested) to
obtain (or cause to be disclosed) an individual's IIHI would be in
violation of HIPAA and could be subject to criminal penalties as
outlined in the statute.\301\ Additionally, the Department notes that a
disclosure made based on an attestation that contains material
misrepresentations after the regulated entity becomes aware of such
misrepresentations would constitute an impermissible disclosure, which
may require notifications of a breach to the individual, the Secretary,
and in some cases, the media.\302\
---------------------------------------------------------------------------
\299\ Proposed 45 CFR 164.509(d).
\300\ See 42 U.S.C. 1320d-6(a).
\301\ See 42 U.S.C. 1320d-6(b).
\302\ 45 CFR 164.400 et seq. The HIPAA Breach Notification Rule,
45 CFR 164.400-414, requires HIPAA covered entities and their
business associates to provide notification following a breach of
unsecured PHI.
---------------------------------------------------------------------------
The proposed attestation does not replace the requirements of the
Privacy Rule's permissions for a regulated entity to disclose PHI in
response to a subpoena, discovery request, or other lawful process
\303\ or administrative request; \304\ instead, it is designed to work
with these permissions and their requirements. Under this proposal, for
PHI to be disclosed pursuant to 45 CFR 164.512(e)(1)(ii) and
(f)(1)(ii)(C), a regulated entity would need to verify that the
requirements of each provision are met and also satisfy the
requirements of the new attestation provision under the proposed 45 CFR
164.509. In addition, the requirements of 45 CFR 164.528, the right to
an accounting of disclosures of PHI made by a covered entity, would not
be affected by the proposed attestation. Therefore, disclosures made
pursuant to a permission under 45 CFR 164.512(d), (e), (f), or (g) must
be included in the accounting, including when they are made pursuant to
an attestation.\305\
---------------------------------------------------------------------------
\303\ 45 CFR 165.512(e)(1)(ii).
\304\ 45 CFR 164.512(f)(1)(ii)(C).
\305\ See also 45 CFR 164.528(a)(2) regarding when the covered
entity must temporarily suspend an individual's right to receive an
accounting of disclosures to a health oversight agency or law
enforcement official.
---------------------------------------------------------------------------
To reduce the burden on regulated entities implementing this
proposed attestation, the Department is considering developing a model
attestation that a regulated entity may use when developing its own
attestation templates. The Department does not anticipate requiring
regulated entities to use the model attestation at this time, thereby
leaving a regulated entity free to draft an attestation that meets the
specific needs of their organization. However, we do note that under
the proposal, an attestation would be defective if it contained
anything beyond the elements and statements required by paragraphs
(c)(1) of Sec. 164.509.
3. Request for Comment
The Department requests comment on the foregoing proposals,
including any benefits, drawbacks, or unintended consequences. The
Department also requests comment on the following considerations in
particular:
r. Whether the proposed attestation requirement in section IV.C.
would address all relevant types of permitted uses and disclosures
under the Privacy Rule. That is, should the proposed requirement apply
as a condition of any additional permitted uses and disclosures that
could be used to request uses and disclosures of PHI for a prohibited
purpose?
i. Conversely, would the proposed requirement be overinclusive,
placing unreasonable barriers to disclosures for beneficial purposes
such that the Department should narrow the scope of the proposed
requirement?
ii. The Department requests comment on specific examples of
unreasonable barriers and recommended alternatives.
s. Whether requesters of PHI should be required to name the
individuals whose PHI they are requesting, or if describing a class of
individuals whose PHI is requested is sufficient. Please explain how
the Department can further protect the privacy of individuals from
requests for large amounts of PHI ostensibly sought for a non-
prohibited
[[Page 23537]]
purpose if requesters of PHI are permitted to describe a class of
individuals whose PHI is requested.
t. How the Department should interpret the terms ``practicable''
and ``class of individuals.''
u. Whether a model attestation would be useful for regulated
entities.
i. If so, what other information should be included within such
model attestation to improve regulated entities' understanding of the
proposed attestation requirements, if adopted?
ii. What should be the format of a model attestation?
v. Whether the Department should require a particular attestation
format, rather than providing a model attestation.
w. How the Department should interpret ``combined with'' at
proposed 45 CFR 164.509(b)(3) with respect to both paper and electronic
attestations to minimize the burden on regulated entities of
understanding and responding to requests that require an attestation.
x. Whether the Department should consider permitting the
attestation to be combined with other types of documents.
i. If so, which types of documents should regulated entities be
permitted to combine with the attestation?
ii. What potential negative impacts could this have on the clarity
of the attestation?
y. Whether the Department should require the attestation to include
a signed declaration made under penalty of perjury that the requester
is not making the request for a purpose prohibited by this proposal and
any ramifications, positive or negative, of such a requirement.
z. Whether there are any other elements that should be included
within the proposed attestation that are not currently listed.
aa. Whether the Department should consider it a material
misrepresentation if a person who signs an attestation does not have an
objectively reasonable basis to suspect that the reproductive health
care was provided under circumstances in which it was unlawful. If so,
what should the Department consider a reasonable basis for suspicion?
bb. How the proposed attestation requirement would affect a
regulated entity's process for responding to regular or routine
requests from certain requestors, such as government agencies that
request PHI for purposes of health oversight activities. For such
requests, what information should such requestors provide to reduce
regulated entities' compliance burden associated with the proposed
attestation requirements?
cc. Whether there is alternative documentation that a requestor
could provide, instead of an attestation, to assist a regulated entity
in complying with 45 CFR 164.502(a)(5)(iii). For example, would a
notice from a health oversight agency that identifies the objective of
an audit, information sought, and the requesting agency provide
sufficient information to assure the regulated entity that the audit is
not subject to the prohibition at proposed 45 CFR 164.502(a)(5)(iii)?
Please provide examples of documentation that may be helpful.
D. Section 164.512--Uses and Disclosures for Which an Authorization or
Opportunity To Agree or Object Is Not Required
1. Applying the Proposed Prohibition and Attestation Requirement to
Certain Permitted Uses and Disclosures
Current Provision and Issues To Address
Section 164.512 of the Privacy Rule contains the standards for uses
and disclosures for which an authorization or opportunity to agree or
object is not required. Many of the uses and disclosures addressed by
45 CFR 164.512 relate to government or administrative functions,\306\
or as described in the 2000 Privacy Rule preamble, ``national priority
purposes.'' \307\ These permissions for uses and disclosures were not
required by HIPAA but instead represented the Secretary's previous
balancing of the privacy interests and expectations of individuals and
the interests of communities in making certain information available
for community purposes, such as for certain public health, health care
oversight, and research purposes.\308\ As discussed previously, the
regulations implementing HIPAA have sought to ensure that individuals
do not forgo health care when needed--or withhold important information
from their health care providers that may affect the quality of health
care they receive--out of a fear that their sensitive information would
be revealed outside of their relationships with their health care
providers.
---------------------------------------------------------------------------
\306\ See, e.g., 45 CFR 164.512(a), Uses and disclosures
required by law; 45 CFR 164.512(b), Uses and disclosures for public
health activities; 45 CFR 164.512(c), Disclosures about victims of
abuse, neglect or domestic violence; 45 CFR 164.512(d) Uses and
disclosures for health oversight activities; 45 CFR 164.512(e),
Disclosures for judicial and administrative proceedings; 45 CFR
164.512(f), Disclosures for law enforcement purposes; 45 CFR
164.512(g) Uses and disclosures about decedents; 45 CFR 164.512(h),
Uses and disclosures for cadaveric organ, eye or tissue donation
purposes; 45 CFR 164.512(i), Uses and disclosures for research
purposes; 45 CFR 164.512(j), Uses and disclosures to avert a serious
threat to health or safety; 45 CFR 164.512(k), Uses and disclosures
for specialized government functions; and 45 CFR 164.512(l),
Disclosures for workers' compensation.
\307\ 65 FR 82524.
\308\ See 65 FR 82471.
---------------------------------------------------------------------------
The changes proposed in this NPRM attempt to address the need to
ensure that PHI continues to be used and disclosed only in a manner
consistent with the standard established in the Privacy Rule, given
recent developments in Federal and state law that may undermine the
privacy protections for PHI.
As discussed above, the proposed 45 CFR 164.502(a)(5)(iii) may
prohibit uses and disclosures of PHI in some circumstances that are
currently permitted. To clarify that this proposal is inclusive of
purposes currently permitted under 45 CFR 164.512, the Department
believes it is necessary to modify the general rule for such permitted
uses and disclosures. In addition, the Department believes it is
necessary to modify the general rule to reflect the new condition that
would be imposed upon certain uses and disclosures permitted under 45
CFR 164.512 through the proposed attestation requirement at 45 CFR
164.509.
Proposal
The Department proposes to modify the introductory text of 45 CFR
164.512 by citing the proposed prohibition at the beginning of the
first sentence and conditioning certain disclosures on the receipt of
the attestation proposed at 45 CFR 164.509. The proposed modification
would add the clause ``Except as provided by 45 CFR 164.502(a)(5)(iii),
[ . . . ]'' and ``and 45 CFR 164.509'' to ``subject to the applicable
requirements of this section.''
As discussed above, the proposed change would create a new
requirement to obtain an attestation from the person requesting the use
and disclosure of PHI potentially related to reproductive health care
as a condition for certain types of permitted uses and disclosures of
PHI. For example, the Privacy Rule currently permits uses and
disclosures for health care oversight,\309\ judicial and administrative
proceedings,\310\ law enforcement purposes,\311\ and coroners and
medical examiners,\312\ provided specified conditions are met. If
paragraph (a)(5)(iii) of 45 CFR 164.502
[[Page 23538]]
is finalized, uses and disclosures of PHI for these purposes would be
subject to an additional condition; that is, such uses and disclosures
would be prohibited unless a regulated entity first obtained an
attestation from the person requesting the use and disclosure under
proposed 45 CFR 164.509.
---------------------------------------------------------------------------
\309\ 45 CFR 164.512(d).
\310\ 45 CFR 164.512(e).
\311\ 45 CFR 164.512(f).
\312\ 45 CFR 164.512(g)(1).
---------------------------------------------------------------------------
The Department assumes that there would be instances in which a
state or other law requires a regulated entity to use or disclose PHI
for health care oversight, judicial and administrative proceedings, law
enforcement purposes, or coroners and medical examiners for a purpose
not related to one of the prohibited purposes in proposed 45 CFR
164.502(a)(5)(iii). The Department believes that a regulated entity
would be able to comply with such laws, as well as the proposed
attestation requirement if the PHI is potentially related to
reproductive health care. For example, a regulated entity may continue
to disclose PHI without an authorization to a state medical board, a
prosecutor, or a coroner, in accordance with the Privacy Rule, when the
request is for PHI that is not potentially related to reproductive
health care or accompanied by the required attestation. As a result, a
regulated entity may continue to assist the state in carrying out its
health care oversight, judicial and administrative functions, law
enforcement, and coroner duties with the use or disclosure of PHI that
is potentially related to reproductive health care once a facially
valid attestation has been provided to the regulated entity from whom
PHI is sought, except in matters involving restrictions on seeking,
obtaining, providing, or facilitating reproductive health care. In such
cases, the state would need to obtain information about an individual's
reproductive health or reproductive health care received by the
individual from an entity not regulated under the Privacy Rule. As a
reminder, the Privacy Rule only applies to PHI, which is IIHI that is
maintained or transmitted by, for, or on behalf of a covered entity.
Thus, it does not apply to individuals' health information when it is
in the possession of a person that is not a covered entity or business
associate, such as a friend, family member, or is stored on a personal
cellular telephone or tablet.\313\
---------------------------------------------------------------------------
\313\ See Guidance on ``Protecting the Privacy and Security of
Your Health Information When Using Your Personal Cell Phone or
Tablet,'' U.S. Dep't of Health and Human Servs. (June 29, 2022),
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/.
---------------------------------------------------------------------------
Additionally, for clarity, the Department proposes to change the
word ``orally'' at the end of the introductory paragraph to
``verbally.'' No substantive change is intended.
2. Making a Technical Correction to the Heading of 45 CFR 164.512(c)
and Clarifying That Providing or Facilitating Reproductive Health Care
Is Not Abuse, Neglect, or Domestic Violence
Current Provisions and Issues to Address
Paragraph (c) of 45 CFR 164.512 permits disclosures of PHI about
victims of abuse, neglect, or domestic violence under specified
conditions. While the regulatory text includes the serial comma,
clearly indicating that the provision addresses victims of three
different types of crimes, the standard heading is less clear.
This section permits a regulated entity to disclose an individual's
PHI under certain conditions to an authorized government agency where
the regulated entity reasonably believes the individual to be a victim
of abuse, neglect, or domestic violence. The Department is concerned
that recent state actions may lead regulated entities to think that
they are permitted to make such disclosures of PHI when they believe
that persons who provide or facilitate access to reproductive health
care are perpetrators of such crimes. Thus, the Department believes it
is necessary to clarify that providing or facilitating access to
appropriate reproductive health care is not abuse, neglect, or domestic
violence.
Proposals
For grammatical clarity, the Department proposes to add the serial
comma after the word ``neglect'' in the heading of the standard
contained at 45 CFR 164.512(c), so it would read ``Standard:
Disclosures about victims of abuse, neglect, or domestic violence.''
The Department also proposes to add a new paragraph (c)(3) to 45
CFR 164.512(c), with the heading ``Rules of construction,'' that would
read, ``Nothing in this section shall be construed to permit uses or
disclosures prohibited by Sec. 164.502(a)(5)(iii).'' This new
paragraph would clarify that the permission to use or disclose PHI in
reports of abuse, neglect, or domestic violence does not permit uses or
disclosures based primarily on the provision or facilitation of
reproductive health care to the individual. The proposed provision is
intended to safeguard the privacy of individuals' PHI against claims
that uses and disclosures of that PHI are warranted because the
provision or facilitation of reproductive health care, in and of
itself, may constitute abuse, neglect, or domestic violence. Similar to
the discussion above in section IV.D.1, the Department also does not
intend for this proposal to obstruct oversight related to professional
conduct or similar legal proceedings for which PHI related to
reproductive health care is needed.
3. Clarifying the Permission for Disclosures Based on Administrative
Processes
Current Provision and Issues To Address
Under 45 CFR 164.512(f)(1), a regulated entity may disclose PHI
pursuant to an administrative request, provided that: (1) the
information sought is relevant and material to a legitimate law
enforcement inquiry; (2) the request is specific and limited in scope
to the extent reasonably practicable in light of the purpose for which
the information is sought; and (3) de-identified information could not
reasonably be used.\314\ Examples of administrative requests include
administrative subpoena or summons, a civil or an authorized
investigative demand, or similar process authorized under law.\315\ The
examples of administrative requests provided in the existing regulatory
text include only those requests that are enforceable in a court of
law, and the catchall ``or similar process authorized by law''
similarly is intended to include only requests that, by law, require a
response. This interpretation is consistent with the Privacy Rule's
definition of ``required by law,'' which enumerates these and other
examples of administrative requests that constitute ``a mandate
contained in law that compels an entity to make a use or disclosure of
protected health information and that is enforceable in a court of
law.'' \316\ However, the Department has become aware that some
regulated entities may be interpreting this provision in a manner that
is inconsistent with the Department's intent. Therefore, the Department
is taking this opportunity to clarify the types of administrative
processes that this provision was intended to address.
---------------------------------------------------------------------------
\314\ 45 CFR 164.512(f)(1)(ii)(C).
\315\ Id.
\316\ See 45 CFR 164.103. The Privacy Rule's definition of
``Required by law'' includes administrative requests and lists the
examples of processes that are enumerated under 45 CFR
164.512(f)(1)(ii)(C).
---------------------------------------------------------------------------
Proposal
Specifically, the Department proposes to insert language to clarify
that the administrative processes that give rise to a permitted
disclosure include only those that, by law, require a regulated
[[Page 23539]]
entity to respond. Accordingly, the proposal would specify that PHI may
be disclosed pursuant to an administrative request ``for which a
response is required by law.'' This is not intended to be a substantive
change, as the proposal is consistent with preamble discussion on this
topic in the 2000 Privacy Rule.\317\
---------------------------------------------------------------------------
\317\ See 65 FR 82531.
---------------------------------------------------------------------------
4. Request for Comment
The Department requests comment on the forgoing proposals,
including any benefits, drawbacks, or unintended consequences. The
Department also requests comment on the following considerations in
particular:
dd. The way in which regulated entities currently receive and
address requests for PHI when requested pursuant to the Privacy Rule
permissions at 45 CFR 164.512(d) (uses and disclosures for health
oversight activities), (e) (disclosures for judicial and administrative
proceedings), (f) (disclosures for law enforcement purposes), or (g)(1)
(uses and disclosures about decedents to coroners and medical
examiners). Specifically:
i. How are such requests currently submitted (e.g., hard copy
letter, electronically via email, an online form)?
ii. For requests under 45 CFR 164.512(e)(1)(ii) and (f)(1)(ii)(C):
i. When using or disclosing information after receiving the
required assurances,\318\ does the entity choose to obtain assurances
for every subsequent related request, or does the entity continue to
disclose PHI to such entity after receiving the initial assurance,
provided that subsequent requests are related to the initial request in
which the initial assurance was received?
---------------------------------------------------------------------------
\318\ See 45 CFR 164.512(e)(1)(iii) and (f)(1)(ii)(C).
---------------------------------------------------------------------------
ii. How do regulated entities accept assurances (e.g., hard copy
letter, electronically via email, uploading to an online portal)?
ee. Examples, if any, of uses or disclosures of PHI that are
required by law and are not for prohibited purposes but may no longer
be permitted under this proposal.
ff. The effect expanding the scope of the proposed prohibition to
include any health care would have on the proposed attestation
requirement and the ability of regulated entities to implement it.
gg. Whether the phrase ``based primarily'' is sufficient to clarify
that the proposed rule of construction is only intended to address
situations where the purpose is to investigate or impose liability
because reproductive health care was provided, rather than, for
example, the quality of the health care provided or whether claims
submitted for that health care were appropriate.
hh. Whether there are disclosures currently made under Federal
agencies' interpretations of the Privacy Act that would not be
permitted under the proposal. If so, what would they be, and should the
Department permit them?
E. Section 164.520--Notice of Privacy Practices for Protected Health
Information
1. Current Provision and Issues To Address
The Privacy Rule generally requires that a covered entity provide
individuals with an NPP to ensure that they understand how a covered
entity may use and disclose their PHI, as well as their rights and the
covered entity's legal duties with respect to PHI.\319\ Section
164.520(b)(1)(ii) of the Privacy Rule describes the required contents
of the NPP, including descriptions of the types of permitted uses and
disclosures of their PHI. It does not, however, currently require a
covered entity to provide information about prohibited uses and
disclosures of PHI. The Department is concerned that the current NPP
requirements might not provide individuals with adequate assurances
that a revised Privacy Rule would prohibit the use or disclosure of
their PHI in certain circumstances. Without such assurances, the
Department is concerned that individuals may avoid accessing crucial
health care.
---------------------------------------------------------------------------
\319\ 45 CFR 164.520. Unlike many provisions of the Privacy
Rule, 45 CFR 164.520 applies only to covered entities, as opposed to
both covered entities and their business associates.
---------------------------------------------------------------------------
2. Proposal
The Department proposes to modify 45 CFR 164.520(b)(1)(ii) to
require that a covered entity add two types of uses and disclosures to
those already described in the NPP, putting individuals on notice about
how their PHI may or may not be used. Specifically, the Department
proposes at 45 CFR 164.520(b)(1)(ii)(F) to add to the NPP's list of
required elements two that address the proposed use and disclosure
prohibition at 45 CFR 164.502(a)(5)(iii). Under this proposal, a
covered entity must separately describe each type of use or disclosure
prohibited by 45 CFR 164.502(a)(5)(iii) and must do so in sufficient
detail for an individual to understand this prohibition and the
proposed attestation requirement.
By modifying the NPP, a covered entity would continue to provide an
individual with information the individual needs to make decisions
about their health care, as well as information about how the covered
entity will treat PHI the individual chooses to disclose to the covered
entity, and about how to exercise their rights of access \320\ and to
request restrictions.\321\ The modification would also enable the
covered entity to provide the individual with reassurance about their
privacy rights and their ability to discuss their reproductive health
and related care with any health care provider without fear of harm
because it would inform an individual that their PHI may not be used or
disclosed for the purposes the Department proposes to prohibit.
---------------------------------------------------------------------------
\320\ With certain exceptions, an individual has a right of
access to inspect and obtain a copy of PHI about the individual in a
designated record set for as long as the PHI is maintained in the
designated record set. See 45 CFR 164.524.
\321\ A covered entity must permit an individual to request that
the covered entity restrict uses or disclosures of PHI for certain
purposes. While the covered entity is not required to agree to the
restriction, they may not use or disclose PHI if they agree to do
so, except in limited circumstances. Additionally, a covered health
care provider must permit an individual to request and must
accommodate a reasonable request by an individual to receive
communications of PHI from the covered entity by alternative means
or at alternative locations. A health plan must do the same in
certain circumstances. See 45 CFR 164.522.
---------------------------------------------------------------------------
3. Request for Comment
The Department requests comment on the foregoing proposals,
including any benefits, drawbacks, or unintended consequences. The
Department also requests comment on the following considerations in
particular:
ii. Whether it would benefit individuals for the Department to
require that covered entities include a statement in the NPP explaining
that when PHI is disclosed for a permitted purpose to an entity other
than a covered entity (e.g., disclosed to a non-covered health care
provider for treatment purposes), the recipient of the PHI would not be
bound by the proposed prohibition because the Privacy Rule would no
longer apply.
V. Executive Order 12866 and Related Executive Orders on Regulatory
Review
A. Regulatory Impact Analysis
The Department of Health and Human Services (HHS or Department) has
examined the effects of the proposed rule under Executive Order (E.O.)
12866, Regulatory Planning and Review,\322\ E.O. 13563, Improving
Regulation and Regulatory Review,\323\
[[Page 23540]]
the Regulatory Flexibility Act \324\ (RFA), and the Unfunded Mandates
Reform Act of 1995 \325\ (UMRA). E.O.s 12866 and 13563 direct the
Department to assess all costs and benefits of available regulatory
alternatives and, when regulation is necessary, to select regulatory
approaches that maximize net benefits (including potential economic,
environmental, public health and safety, and other advantages;
distributive effects; and equity). This proposed rule is significant
under section 3(f)(1) of E.O. 12866.
---------------------------------------------------------------------------
\322\ 58 FR 51735 (Oct. 4, 1993).
\323\ 76 FR 3821 (Jan. 21, 2011).
\324\ Public Law 96-354, 94 Stat. 1164 (codified at 5 U.S.C.
601-612).
\325\ Pubic Law 104-4, 109 Stat. 48 (codified at 2 U.S.C. 1501).
---------------------------------------------------------------------------
The RFA requires us to analyze regulatory options that would
minimize any significant effect of a rule on small entities. As
discussed in greater detail below, this analysis concludes, and the
Secretary proposes to certify, that the proposed rule, if finalized,
would not result in a significant economic effect on a substantial
number of small entities.
The UMRA (section 202(a)) generally requires us to prepare a
written statement, which includes an assessment of anticipated costs
and benefits, before proposing ``any rule that includes any Federal
mandate that may result in the expenditure by State, local, and tribal
governments, in the aggregate, or by the private sector, of
$100,000,000 or more (adjusted annually for inflation) in any one
year.'' The current threshold after adjustment for inflation is $165
million, using the most current (2021) Implicit Price Deflator for the
Gross Domestic Product. UMRA does not address the total cost of a rule.
Rather, it focuses on certain categories of cost, mainly Federal
mandate costs resulting from imposing enforceable duties on state,
local, or Tribal governments, or on the private sector; or increasing
the stringency of conditions in, or decreasing the funding of, state,
local, or Tribal governments under entitlement programs. This proposed
rule would impose mandates that would result in the expenditure by
state, local, and Tribal governments, in the aggregate, or by the
private sector, of more than $165 million in any one year. The impact
analysis in this proposed rule addresses those impacts both
qualitatively and quantitatively. In general, each regulated entity,
including government entities such as state Medicaid agencies that meet
the definition of covered entity, would be required to ensure it adopts
new policies and procedures for handling requests for PHI for which an
attestation is required and train its workforce members on the new
requirements. Additionally, although the Department has not quantified
the costs, state, local, and Tribal investigative agencies would need
to analyze requests that they initiate for PHI and provide regulated
entities with an attestation that the request is not for a prohibited
purpose where the request is for PHI that is potentially related to
reproductive health care. One-time costs for all regulated entities to
make these policy changes would result in costs over the UMRA threshold
in one year. The Department has initially estimated that ongoing
expenses for the new attestation requirement would not rise
significantly; however, it seeks additional data to inform its
estimates. Although Medicaid has funds available for states for certain
administrative costs, these are limited to costs specific to operating
the Medicaid program. There are no Federal funds directed at HIPAA
compliance activities.
The Summary of Major Proposals and Need for Rulemaking sections at
the beginning of this preamble contain a summary of this proposed rule
and describe the reasons it is needed. The Department presents a
detailed analysis below.
1. Summary of Costs and Benefits
The Department has identified six general categories of
quantifiable costs arising from these proposals: (1) creating an
attestation form and handling requests for disclosures for which an
attestation is required; (2) revising business associate agreements;
(3) updating the Notice of Privacy Practices (NPP) and posting it
online; (4) developing new or modified policies and procedures; (5)
revising training programs for workforce members; and (6) requesting an
exception from preemption of state law. The first five categories apply
primarily to covered entities such as health care providers and health
plans, while the sixth category applies to states and other interested
persons.
The Department estimates that the first-year costs attributable to
the proposed rule would total approximately $612 million. These costs
are associated with covered entities creating an attestation form and
responding to requests for protected health information (PHI) that may
require an attestation; revising business associate agreements;
revising policies and procedures; updating, posting, and mailing the
NPP; and revising training programs for workforce members, and with
states or other persons requesting exceptions from preemption. These
costs also include increased estimates for wages, postage, and the
number of NPPs distributed by health plans. For years two through five,
estimated annual costs of approximately $68 million are attributable to
ongoing costs related to the proposed attestation requirement. Table 1
reports the present value and annualized estimates of the costs of the
proposed rule covering a 5-year time horizon. Using a 7% discount rate,
the Department estimates the proposed rule would result in annualized
costs of $192 million; and using a 3% discount rate, these annualized
costs are $183 million.
Table 1--Accounting Table, Costs of the Proposed Rule, $ Millions
----------------------------------------------------------------------------------------------------------------
Primary Period
Costs estimate Year dollars Discount rate covered
----------------------------------------------------------------------------------------------------------------
Present Value......................... $883.4 2021 Undiscounted............ 2023-2027
Present Value......................... 786.8 2021 7%...................... 2023-2027
Present Value......................... 839.1 2021 3%...................... 2023-2027
Annualized............................ 191.9 2021 7%...................... 2023-2027
Annualized............................ 183.2 2021 3%...................... 2023-2027
----------------------------------------------------------------------------------------------------------------
The proposed changes to the Privacy Rule would likely result in
important benefits that the Department is unable to fully quantify at
this time. As explained further below, unquantified benefits include
improved trust between individuals and health care providers; enhanced
privacy and improved access to reproductive health care and
information, which may prevent increases in maternal mortality and
morbidity; increased accuracy and
[[Page 23541]]
completeness in patient medical records, which may prevent poor health
outcomes; enhanced support for victims of rape, incest, and sex
trafficking; and maintenance of family economic stability.
Additionally, the Department believes that allowing regulated entities
to accept an attestation from a requester of PHI that is potentially
related to reproductive health care will reduce potential liability for
regulated entities by providing some assurance that the requested
disclosure is not prohibited.
Table 2--Potential Non-Quantified Benefits for Covered Entities and
Individuals
------------------------------------------------------------------------
Benefits
-------------------------------------------------------------------------
Improve access to complete information about lawful reproductive health
care options for individuals who are pregnant or considering a
pregnancy (i.e., health literacy).
Maintain or reduce levels of maternal mortality and morbidity by
ensuring that individuals and their clinicians can freely communicate
and have access to complete information needed for quality health care,
including coordination of care.
Decrease barriers to accessing prenatal health care by maintaining
privacy for individuals who seek a complete range of reproductive
health care options.
Enhance mental health and emotional well-being of pregnant individuals
by reducing fear of prosecution based on potential disclosures of their
PHI.
Improve or maintain trust between individuals and health care providers
by reducing the potential for health care providers reporting PHI in a
manner that could harm the individuals' interests.
Prevent or reduce re-victimization of pregnant individuals who have
survived rape or incest by protecting their PHI from undue scrutiny.
Improve or maintain families' economic well-being by not exposing
individuals to costly criminal, civil, or administrative investigations
or proceedings for engaging in lawful activities if their PHI or a
family member's PHI is disclosed.
Maintain the economic well-being of regulated entities by not exposing
regulated entities or workforce members to costly civil litigation,
investigation, or prosecution for engaging in lawful activities.
Ensure individuals' ability to obtain full and complete information and
make lawful decisions concerning fertility- or infertility-related
health care that may include selection or disposal of embryos without
risk of criminal, civil, or administrative investigation or proceedings
based on the disclosure of their PHI.
------------------------------------------------------------------------
2. Baseline Conditions
The Privacy Rule, in conjunction with the Security and Breach
Notification Rules, protects the privacy and security of individuals'
PHI, that is, individually identifiable health information (IIHI)
transmitted by or maintained in electronic media or any other form or
medium, with certain exceptions. It limits the circumstances under
which regulated entities are permitted or required to use or disclose
PHI and requires covered entities to have safeguards in place to
protect the privacy of PHI. The Privacy Rule also establishes certain
rights for individuals with respect to their PHI. The Rule requires
appropriate safeguards to protect the privacy of PHI and sets limits
and conditions on the uses and disclosures that may be made of such
information without an individual's authorization.
As explained in the preamble, the Department has the authority
under the Health Insurance Portability and Accountability Act of 1996
(HIPAA) to modify the Privacy Rule to prohibit the use or disclosure of
PHI for a criminal, civil, or administrative investigation into or
proceeding against any person in connection with obtaining, providing,
or facilitating reproductive health care, as well as to identify any
person for the purpose of initiating such an investigation or
proceeding. The Privacy Rule has been modified several times since it
was first issued in 2000 to address statutory requirements, changed
circumstances, and concerns and issues raised by stakeholders regarding
the effects of the Privacy Rule on regulated entities, individuals, and
others. Recently, as the preamble discusses, changed circumstances
resulting from new inconsistencies in the regulation of reproductive
health care nationwide and the negative effects on individuals'
expectations for privacy and their relationships with their health care
providers, as well as the additional burdens imposed on regulated
entities, necessitate consideration of additional modifications.
For purposes of this Regulatory Impact Analysis (RIA), the proposed
rule adopts the list of covered entities and cost assumptions
identified in the Department's 2019 Information Collection Request
(ICR).\326\ The Department also relies on certain estimates and
assumptions from the 1999 Privacy Rule NPRM \327\ that remain relevant,
and the 2013 Omnibus Rule,\328\ as referenced in the analysis that
follows.
---------------------------------------------------------------------------
\326\ 84 FR 34905 (July 19, 2019).
\327\ 64 FR 59918 (Nov. 3, 1999).
\328\ 78 FR 5566 (Jan. 25, 2013).
---------------------------------------------------------------------------
The Department quantitatively analyzes and monetizes the effect
that this proposed rule may have on regulated entities' actions to:
revise business associate agreements between covered entities and their
business associates, including release-of-information contractors;
create new forms; respond to certain types of requests for PHI that is
potentially related to reproductive health care; update their NPP;
adopt policies and procedures to implement the legal requirements of
this proposed rule, and train their employees on the updated policies
and procedures. The Department analyzes the remaining benefits and
burdens qualitatively because of the uncertainty inherent in predicting
other concrete actions that such a diverse scope of regulated entities
might take in response to this proposed rule.
Analytic Assumptions
The Department bases its assumptions for calculating estimated
costs and benefits on a number of publicly available datasets,
including data from the U.S. Census, the U.S. Department of Labor,
Bureau of Labor Statistics (BLS), Centers for Medicare & Medicaid
Services, and the Agency for Healthcare Research and Quality.
Implementing the proposed regulatory changes likely would require
covered entities to engage workforce members or consultants for certain
activities. The Department assumes that an attorney would draft or
review the new attestation form, revisions to business associate
agreements, revisions to the NPP, and required changes to HIPAA
policies and procedures. The Department expects that a training
specialist would revise the necessary HIPAA training and a web designer
would post the updated NPP. The Department further anticipates that a
workforce member at the pay level of general health care practitioner
would
[[Page 23542]]
confirm receipt of required attestations. To the extent that these
assumptions would affect the Department's estimate of costs, the
Department welcomes comment on its assumptions, particularly those in
which the Department identifies the level of workforce member (i.e.,
clerical staff, professional) that would be engaged in activities, and
the amount of time that particular types of workforce members spend
conducting activities related to this NPRM as further described below.
Table 3 also lists pay rates for occupations referenced in the
explanation of estimated information collection burdens in section F of
this RIA and related tables.
For changes in time use for on-the-job activities considered in
this analysis, the Department adopts an hourly value of time based on
the cost of labor, including wages and benefits, and also indirect
costs, which ``reflect resources necessary for the administrative
oversight of employees and generally include time spent on
administrative personnel issues (e.g., human resources activities such
as hiring, performance reviews, personnel transfers, affirmative action
programs), writing administrative guidance documents, office expenses
(e.g., space rental, utilities, equipment costs), and outreach and
general training (e.g., employee development).'' \329\ For each
occupation performing activities as a result of the proposed rule, the
Department identifies a pre-tax hourly wage using a database maintained
by the BLS.\330\ For the purposes of this analysis, the Department
assumes that benefits plus indirect costs equal approximately 100
percent of pre-tax wages, and adjusts the hourly wage rates by
multiplying by two, for a fully loaded hourly wage rate. The Department
adopts this as the estimate of the hourly value of time for changes in
time use for on-the-job activities.
---------------------------------------------------------------------------
\329\ See ``Valuing Time in U.S. Department of Health and Human
Services Regulatory Impact Analyses: Conceptual Framework and Best
Practices,'' U.S. Dep't of Health and Human Servs., Office of the
Assistant Secretary for Planning and Evaluation (2017), p. v,
https://aspe.hhs.gov/reports/valuing-time-us-department-health-human-services-regulatory-impact-analyses-conceptual-framework.
\330\ See ``Occupational Employment and Wages,'' Bureau of Labor
Statistics, U.S. Dep't of Labor (May 2021), https://www.bls.gov/oes/current/oes_nat.htm.
Table 3--Occupational Pay Rates
------------------------------------------------------------------------
Mean hourly Fully loaded
Occupation code and title wage hourly wage
------------------------------------------------------------------------
00-0000 All Occupations................. $28.01 $56.02
43-3021 Billing and Posting Clerks...... 20.55 41.10
29-0000 Healthcare Practitioners and 43.80 87.60
Technical Occupations..................
29-9021 Health Information Technologists 29.53 59.06
and Medical Registrars.................
29-9099 Healthcare Practitioners and 31.19 62.38
Technical Workers, All Other...........
15-1212 Information Security Analysts... 54.46 108.92
23-1011 Lawyers......................... 71.17 142.34
13-1111 Management Analysts............. 48.33 96.66
11-9111 Medical and Health Services 57.61 115.22
Manager................................
29-2072 Medical Records Specialist...... 23.23 46.46
43-0000 Office and Administrative 20.88 41.76
Support Occupations....................
11-2030 Public Relations and Fundraising 63.85 127.70
Managers...............................
13-1151 Training and Development 32.51 65.02
Specialist.............................
43-4171 Receptionists and Information 15.82 31.64
Clerks.................................
15-1255 Web and Digital Interface 45.90 91.80
Designers..............................
Composite Wage for Breach Notice........ 38.33 76.66
------------------------------------------------------------------------
The Department assumes that the vast majority of covered entities
would be able to incorporate changes to their workforce training into
existing HIPAA training programs because the total time frame for
compliance from date of finalization would be 240 days.\331\
---------------------------------------------------------------------------
\331\ This includes 60 days from publication of a final rule to
the effective date and an additional 180 days until the compliance
date.
---------------------------------------------------------------------------
Covered Entities Affected
This proposed rule would apply to HIPAA covered entities, including
health care providers \332\ that conduct covered electronic
transactions, health plans, and in certain circumstances, health care
clearinghouses.\333\ The Department estimates that there are 774,331
business establishments that meet the definition of a covered entity
(see Table 4). By calculating costs for establishments, rather than
firms (which may be an umbrella organization over multiple
establishments), there is a tendency toward overestimating some
burdens, because certain costs would be borne by a parent organization
rather than each separate facility. However, the level of an
organization that is financially responsible for covering costs to
implement Privacy Rule requirements may vary across the health care
industry. The Department requests data on the extent to which certain
burdens of the proposed rule would be borne by each facility versus an
umbrella organization. Unless otherwise indicated, the Department
relies on data about the number of firms and establishments from the
U.S. Census.\334\
---------------------------------------------------------------------------
\332\ The Department notes that pharmacies, discussed later in
the preamble, are a type of health care provider under HIPAA. HIPAA
defines the term health care provider for the purposes of the
Administrative Simplification provisions at section 262: ``The term
`health care provider' includes a provider of services (as defined
in section 1861(u)), a provider of medical or other health services
(as defined in section 1861(s)), and any other person furnishing
health care services or supplies.''
\333\ Only certain provisions of the Privacy Rule apply to
clearinghouses as covered entities. In addition, certain provisions
apply to clearinghouses in their role as business associates of
other covered entities. See 45 CFR 164.500(b) and (c). Because the
provisions addressed in this proposed rule generally do not apply
directly to clearinghouses, the Department does not anticipate that
these entities would experience costs associated with this proposed
rule.
\334\ See ``2015 Statistics of U.S. Businesses (SUSB) Annual
Data Tables by Establishment Industry'' (Jan. 2018), https://www.census.gov/data/tables/2015/econ/susb/2015-susb-annual.html.
---------------------------------------------------------------------------
The Department expects that the proposed rule will have varying
effects on different covered entities and would have the most direct
effect on covered health care providers and health plans. However, all
affected covered entities would at least need to adopt or change some
policies and procedures and re-train some employees. Affected covered
entities would include many Federal, state, local, Tribal, and private
sector health care providers.
[[Page 23543]]
Census data for businesses in the category of Third Party
Administration of Insurance and Pension Funds does not separately
enumerate those that service health and medical insurance. However, the
Department is able to extrapolate from data about insurance carriers
the percentage of businesses that service health and medical insurance.
According to Census data, there are 880 Direct Health and Medical
Insurance Carrier firms compared to 5,350 Insurance Carrier firms, such
that health and medical insurance firms make up 16.4% of insurance
firms. Thus, the Department assumes for purposes of this analysis that
16.4% of Third Party Administration of Insurance and Pension Funds
firms and establishments service health and medical insurance. Applying
this percentage to the 2,773 firms and 4,772 establishments in the
category Third Party Administration of Insurance and Pension Funds, the
Department estimates that 455 of these firms and 783 establishments are
affected by this proposed rule.\335\ See Table 4 below.
---------------------------------------------------------------------------
\335\ [2,773 x .164 = 454.7; 4,772 x .164 = 782.6].
---------------------------------------------------------------------------
Covered pharmacies would also be affected by the proposed rule.
There were 67,753 community pharmacies (including 19,500 pharmacy and
drug store firms and 44,130 establishments identified in U.S. Census
data) operating in the U.S. in 2015.\336\ Small pharmacies largely use
pharmacy services administration organizations (PSAOs) to provide
administrative services, such as negotiations, on their behalf.\337\ A
2013 study identified 22 PSAOs and notes there may be more in
operation.\338\ Based on information received from industry, the
Department adjusts this number upward and estimates that the proposed
rule would affect 40 PSAOs. The Department assumes that costs affecting
pharmacies are incurred at each pharmacy and drug store establishment
and each PSAO.
---------------------------------------------------------------------------
\336\ See Dima Mazen Qato, Shannon Zenk, Jocelyn Wilder, et al.,
``The availability of pharmacies in the United States: 2007-2015,''
PLOS ONE (Aug. 2017), https://doi.org/10.1371/journal.pone.0183172.
\337\ Discussing generally that small and independent pharmacies
often lack internal resources to support these services. See
``Prescription Drugs: The Number, Role, and Ownership of Pharmacy
Services Administrative Organizations,'' U.S. Government
Accountability Office, GAO-13-176 (Jan. 29, 2013), https://www.gao.gov/products/GAO-13-176.
\338\ Id.
---------------------------------------------------------------------------
The Department has not separately calculated the effect of the
proposed rule on business associates because the primary effect is on
the covered entities for which they provide services. To the extent
that covered entities engage business associates to perform activities
under the proposed rule, the Department assumes that any additional
costs will be borne by the covered entities through their contractual
agreements with business associates. The Department's estimate that
each revised business associate agreement would require no more than 1
hour of a lawyer's labor assumes that the hourly burden could be split
between the covered entity and the business associate. Thus, the
Department has calculated estimated costs based on the potential number
of business associate agreements that are revised rather than the
number of covered entities or business associates with revised
agreements. The Department requests data on the number of business
associates (which may include health care clearinghouses acting in
their role as business associates of other covered entities) that would
be affected by the proposed rule and the extent to which they may
experience costs or other burdens not already accounted for in the
estimates of burdens for revising business associate agreements. The
Department also requests comment on the number of business associate
agreements that would need to be revised, if any.
The Department requests public comment on these estimates,
including those for third party administrators and pharmacies where the
Department has provided additional explanation. The Department
additionally requests detailed comment on any situations in which
covered entities other than those identified here would be affected by
this rulemaking.
Table 4--Estimated Number and Type of Covered Entities
----------------------------------------------------------------------------------------------------------------
Covered Entities
-----------------------------------------------------------------------------------------------------------------
NAICS code Type of entity Firms Establishments
----------------------------------------------------------------------------------------------------------------
524114...................................... Health and Medical Insurance 880 5,379
Carriers.
524292...................................... Third Party Administrators..... 456 783
622......................................... Hospitals...................... 3,293 7,012
44611....................................... Pharmacies..................... 19,540 \a\ 67,753
6211-6213................................... Office of Drs. & Other 433,267 505,863
Professionals.
6215........................................ Medical Diagnostic & Imaging... 7,863 17,265
6214........................................ Outpatient Care................ 16,896 39,387
6219........................................ Other Ambulatory Care.......... 6,623 10,059
623......................................... Skilled Nursing & Residential 38,455 86,653
Facilities.
6216........................................ Home Health Agencies........... 21,829 30,980
532291...................................... Home Health Equipment Rental... 611 3,197
----------------------------------
Total................................... ............................... 549,713 774,331
----------------------------------------------------------------------------------------------------------------
\a\ Number of pharmacy establishments is taken from industry statistics.
Individuals Affected
The Department believes that the population of individuals
potentially affected by the proposed rule is approximately 74 million
overall,\339\ representing nearly one-fourth of the U.S. population,
including approximately 6 million pregnant women and girls annually and
an unknown number of individuals facing a potential pregnancy or
pregnancy risk due to sexual activity, contraceptive avoidance or
failure, rape (including statutory rape), and incest. According to
Federal data, 78 percent of sexually active females received
reproductive health care in 2015-2017.\340\
---------------------------------------------------------------------------
\339\ See females aged 10-44, American Community Survey S0101
AGE AND SEX 2020: ACS 5-Year Estimates Subject Tables, https://data.census.gov/cedsci/table?q=United%20States%20females&t=Populations%20and%20People&g=0100000US&tid=ACSST5Y2020.S0101.
\340\ See Sexually active females who received reproductive
health services (FP-7.1), Healthypeople.gov, https://wayback.archive-it.org/5774/20220415172039/https:/www.healthypeople.gov/2020/leading-health-indicators/2020-lhi-topics/Reproductive-and-Sexual-Health/data.
[[Page 23544]]
Table 5--Estimated Number of Individuals Affected
------------------------------------------------------------------------
Females of potentially childbearing Population Number of 2017
age estimate Pregnancies \341\
------------------------------------------------------------------------
Females Aged 10--14 \342\............ 10,310,162 4,460
Females 15--44 \343\................. 64,130,037 5,575,150
----------------------------------
Total............................ 74,440,199 5,579,610
------------------------------------------------------------------------
3. Costs of the Proposed Rule
---------------------------------------------------------------------------
\341\ See Isaac Maddow[hyphen]Zimet and Kathryn Kost,
``Pregnancies, Births and Abortions in the United States, 1973-2017:
National and State Trends by Age Appendix Tables,'' Guttmacher
Institute, https://www.guttmacher.org/sites/default/files/report_downloads/pregnancies-births-abortions-us-1973-2017-appendix-tables.pdf.
\342\ See American Community Survey S0101 AGE AND SEX 2020: ACS
5-Year Estimates Subject Tables, https://data.census.gov/cedsci/table?q=United%20States%20females&t=Populations%20and%20People&g=0100000US&tid=ACSST5Y2020.S0101.
\343\ Id.
---------------------------------------------------------------------------
Below, the Department provides the basis for its estimated
quantifiable costs resulting from the proposed changes to specific
provisions of the Privacy Rule and invites comments on the Department's
assumptions, data, and calculations, as well as any additional
considerations that the Department has not identified here. Many of the
estimates are based on assumptions formed through the Office for Civil
Rights' (OCR's) experience in its compliance and enforcement program
and accounts from stakeholders received at outreach events. The
Department has not quantified recurring burdens for the proposed rule
beyond that of obtaining a required attestation from the requester for
health oversight, legal proceedings, law enforcement, and coroners or
medical examiners.
The Department welcomes information or data points from commenters
to further refine its estimates and assumptions.
a. Costs Associated With Requests for Exception From Preemption
The Department anticipates that states that restrict access to
reproductive health care are likely to seek an exception to the
proposed requirements of this rule that would preempt state law. Given
the fast-developing status of state laws governing access to
reproductive health care, the Department estimates a potential increase
of 26 states \344\ incurring costs to develop an exception request to
submit to the Secretary. Based on existing burden estimates for this
activity,\345\ the Department estimates that each exception request
would require approximately 16 hours of labor at the rate of a general
health care practitioner and that approximately 26 states would make
such requests. Thus, the Department estimates that states will spend a
total of 416 hours requesting exception from preemption and monetize
this as a one-time cost of $36,442 [= 16 x 26 x $87.60].
---------------------------------------------------------------------------
\344\ See Elizabeth Nash, Lauren Cross, ``26 States Are Certain
or Likely to Ban Abortion Without Roe: Here's Which Ones and Why,''
Guttmacher Institute (published Oct. 28, 2021; updated Apr. 19,
2022; an updated analysis was published on Jan. 10, 2023), https://www.guttmacher.org/article/2021/10/26-states-are-certain-or-likely-ban-abortion-without-roe-heres-which-ones-and-why. The number of
states identified dropped to 24 in 2023; however, due to the pace of
change in this area the Department relies on the higher number as a
basis for its cost estimates.
\345\ Information Collection, Process for Requesting Exception
Determinations (states or persons), https://www.reginfo.gov/public/do/PRAViewIC?ref_nbr=201909-0945-001&icID=10428.
---------------------------------------------------------------------------
b. Estimated Costs From Adding a Requirement for an Attestation for
Disclosures for Certain Purposes
The Department analyzed the costs of the proposed attestation
requirement in comparison to the estimated costs of complying with the
existing authorization requirement because both activities involve
reviewing requests for disclosures and required documentation. The
Department estimates that the annual costs of implementing a
requirement to obtain an attestation that certain types of requests for
PHI that is potentially related to reproductive health care are not for
a prohibited purpose would be similar to the costs associated with uses
and disclosures for which an authorization is required because the
number of attestation-based requests likely would be lower even if the
handling of such requests were more burdensome. For purposes of this
analysis, the Department adopts the cost estimates already approved for
documenting disclosures based on an authorization because those
estimates provide an established baseline. The Department draws this
estimate from its approved ICR for 45 CFR 164.508, which allows for one
burden hour per covered entity based on the hourly wage of a general
health care practitioner.\346\ For 774,331 covered entities, this would
amount to a total annual cost of $67,831,396 [= 774,331 x 1 x $87.60].
The quantified burden is associated with the requirement to keep
records of attestations received. The Department anticipates an
increase in time needed by regulated entities to process each request
for PHI under 45 CFR 164.512(d), (e), (f), or (g)(1) that is not
accompanied by an attestation. The Department believes that the
regulated entity would likely need to determine whether the requested
PHI includes PHI potentially related to reproductive health care.
However, the Department lacks sufficient information to estimate the
amount such a burden would vary from the burden of processing requests
for PHI with an authorization. Additionally, the Department believes
that regulated entities may need to evaluate whether the reproductive
health care encompassed within the scope of a request under 45 CFR
164.512(d) through (f) and (g)(1) was lawful under the circumstances in
which it was provided, and solicits comments on data about the
associated costs of such reviews.
---------------------------------------------------------------------------
\346\ See Section F. of this RIA, Paperwork Reduction Act of
1995.
---------------------------------------------------------------------------
In addition to the recurring costs of responding to requests for
PHI under the proposed revisions, the Department estimates that covered
entities would incur a one-time cost for creating a new attestation
form for a total of $55,109,137 [= 774,331 x (30/60) x $142.34]. This
would be based on 30 minutes of labor by a lawyer using the
Department's sample form.
c. Costs Arising From Revised Business Associate Agreements
The Department anticipates that a certain percentage of business
associate agreements would likely need to be updated to reflect a
determination made by covered entities and business associates that,
where the business associate receives requests for disclosures of PHI
under proposed 45 CFR 164.512(d), (e), (f), or (g)(1), the covered
entity will bear the burden of determining whether a requested
disclosure would include PHI that is potentially related to
reproductive health care. Based on estimates in previous HIPAA
rulemaking, the
[[Page 23545]]
Department estimates that each new or significantly modified contract
between a business associate and its subcontractors would require, at
most, one hour of labor by a lawyer at the wage reported in Table 3. We
believe that approximately 35 percent of 1 million business associates,
or 350,000 entities, would decide to create or significantly modify
subcontracts, resulting in total costs of $49,819,000 [= 350,000 x
$142.34]. The Department invites comments on these assumptions and the
number of business associate agreements likely to be revised due to the
proposed regulatory changes.
d. Costs Arising From Changes to the Notice of Privacy Practices
The Department proposes to modify the NPP to notify individuals
that covered entities cannot use or disclose PHI for certain purposes
and that in certain circumstances, covered entities must obtain an
attestation from the person requesting the use or disclosure affirming
that the request is not for a prohibited purpose, and where applicable,
that the use or disclosure is primarily for a purpose described at 45
CFR 164.502(a)(5)(iii)(C).
The Department believes the burden associated with revising the NPP
consists of costs related to developing and drafting the revised NPP
for covered entities. The Department estimates that the proposal to
update and revise the language in the NPP would require 30 minutes of
professional legal services at the wage reported in Table 3. Across all
covered entities, the Department estimates a cost of $55,109,137 [=
774,331 x (30/60) x $142.34]. The Department does not anticipate any
new costs for health care providers associated with distribution of the
revised notice other than posting it on the entity's website (if it has
one) because health care providers have an ongoing obligation to
provide the notice to first-time patients that is already accounted for
in cost estimates for the HIPAA Rules. Health plans that post their NPP
online would incur minimal costs by posting the updated notice, and
then, including the updated NPP in the next annual mailing to
subscribers.\347\ Health plans that do not provide an annual mailing
would potentially incur an additional $12,743,700 in capital expenses
for mailing the revised NPP to an estimated 10 percent of the
150,000,000 health plan subscribers who receive a mailed, paper copy of
the notice, as well as the labor expense for an administrative support
staff member at the rate shown in Table 3 to complete the mailing, for
approximately $2,610,000 [= 62,500 hours x $41.76]. The Department
further estimates the cost of posting the revised NPP on the covered
entity's website would be 15 minutes of a web designer's time at the
wage reported in Table 3. Across all covered entities, the Department
estimates a cost of online posting as $17,770,896 [= 774,331 x (15/60)
x $91.80].
---------------------------------------------------------------------------
\347\ 45 CFR 164.520(c)(1)(v)(A).
---------------------------------------------------------------------------
e. Estimated Costs for Developing New or Modified Policies and
Procedures
The Department anticipates that covered entities would need to
develop new or modified policies and procedures related to new
requirements for attestations, prohibited uses and disclosures, certain
uses and disclosures permitted under 45 CFR 164.512, and clarification
of personal representative qualifications. The Department estimates
that the costs associated with developing policies and procedures would
be the labor of a lawyer for 2.5 hours and that this expense would
represent the largest area of cost for compliance with the rule once
finalized, for a total of $275,545,686 [= 774,331 x 2.5 x $142.34].
f. Costs Associated With Training Workforce Members
The Department anticipates that covered entities would be able to
incorporate new content into existing HIPAA training requirements and
that the costs associated with doing so would be attributed to the
labor of a training specialist for an estimated 90 minutes for a total
of $75,543,732 [= 774,331 x (90/60) x $65.04].
The Department invites comments on all aspects of its estimates and
assumptions, including the time spent on the identified activities and
the occupations or professions of persons designated to perform those
tasks.
g. Total Quantifiable Costs
The Department summarizes in Table 6 the estimated nonrecurring
costs that covered entities and states would experience in the first
year of implementing the proposed regulatory changes. The Department
anticipates that these costs would be for requesting exceptions from
preemption of state law, implementing the attestation requirement,
revising business associate agreements, revising the NPP, mailing it,
and posting it online, revising policies and procedures, and updating
HIPAA training programs.
Table 6--New Nonrecurring Costs of Compliance With the Proposed Rule
----------------------------------------------------------------------------------------------------------------
Burden hours/action x Total costs
Nonrecurring costs hourly wage Respondents (millions)
----------------------------------------------------------------------------------------------------------------
Exception Requests...................... 16 x $87.60............... 26 States................. $0.04
Attestations, New Form.................. 30/60 x $142.34........... 774,331 Covered entities.. 55
BAAs, Revising.......................... 1 x $142.34............... 350,000 BAAs.............. 50
NPP, Updating........................... 30/60 x $142.34........... 774,331 Covered entities.. 55
NPP, Mailing............................ 0.25/60 x $41.76.......... 15,000,000 Subscribers.... 3
NPP, Posting Online..................... 15/60 x $91.80............ 774,331 Covered entities.. 18
Policies & Procedures................... 150/60 x $142.34.......... 774,331 Covered entities.. 276
Training................................ 90/60 x $65.04............ 774,331 Covered entities.. 76
Capital Expenses, Mailing NPPs--Health $.85/NPP.................. 15,000,000 Subscribers.... 13
Plans.
---------------
Total Nonrecurring Burden........... .......................... .......................... \a\ 544
----------------------------------------------------------------------------------------------------------------
\a\ Totals may not add up due to rounding.
Table 7 summarizes the recurring costs that the Department
anticipates covered entities would incur annually as a result of the
proposed regulatory changes. These new costs would be based on
responding to requests for disclosures for which an attestation is
required.
[[Page 23546]]
Table 7--Recurring Annual Costs of Compliance With the Proposed Rule \a\
----------------------------------------------------------------------------------------------------------------
Total annual
Recurring costs Burden hours/CE x wage Respondents cost
(millions)
----------------------------------------------------------------------------------------------------------------
Disclosures for which an attestation is 1 x $87.60................ 774,331 Covered entities.. $67,831,396
required.
---------------
Total Recurring Annual Burden....... .......................... .......................... 67,831,396
----------------------------------------------------------------------------------------------------------------
\a\ Totals may not add up due to rounding.
Costs Borne by the Department
The covered entities that are operated by the Department would be
affected by the proposed changes in a similar manner to other covered
entities, and those costs have been factored into the estimates above.
The Department expects that it would incur costs related to
drafting and disseminating information about the proposed regulatory
changes to covered entities, including health care providers and health
plans. In addition, the Department anticipates that it may incur a 26-
fold increase in the number of requests for exceptions from state law
preemption in the first year after a final rule becomes effective, at
an estimated total cost of approximately $146,319 to analyze and
develop responses for an average cost of $7,410 per request. This
increase is based on the number of states that have or are likely to
pass more restrictive abortion laws \348\ and may seek to use or
disclose individuals' PHI to enforce those laws. This estimate assumes
that the Department receives and reviews exception requests from each
of those 26 states, that half of those require a more complex analysis,
and that all requests result in a written response within one year of
the final rule's publication.
---------------------------------------------------------------------------
\348\ See Elizabeth Nash, Lauren Cross, ``26 States Are Certain
or Likely to Ban Abortion Without Roe: Here's Which Ones and Why,''
Guttmacher Institute (published Oct. 28, 2021; updated Apr. 19, 2022
and Jan. 10, 2023), https://www.guttmacher.org/article/2021/10/26-states-are-certain-or-likely-ban-abortion-without-roe-heres-which-ones-and-why. In January 2023, the number of projected states
dropped to 24.
---------------------------------------------------------------------------
Benefits of the Proposed Rule
The benefits of the proposed rule to individuals and families are
likely substantial, and yet are not fully quantifiable because the area
of health care the proposed rule addresses is among the most sensitive
and life-altering if privacy is violated. Additionally, the value of
privacy, which cannot be recovered once lost, and trust that privacy
will be protected by others, is difficult to quantify fully. Notably,
matters of reproductive health may include circumstances resulting in a
pregnancy, considerations concerning maternal and fetal health, family
genetic conditions, information concerning sexually transmitted
infections, and the relationship between prospective parents (including
victimization due to rape, incest, or sex trafficking). Involuntary or
poorly-timed disclosures can irreparably harm relationships and
reputations, and even result in job loss or other negative consequences
in the workplace,\349\ as well as investigation, civil litigation or
proceedings, and prosecution for lawful activities.\350\Additionally,
fear of potential penalties or liability that may result from
disclosing information to a health care provider related to accessing
abortion or other reproductive health care may cast a long shadow,
decreasing trust between individuals and health care providers,
discouraging and deterring access to other valuable and necessary
health care, or compromising ongoing or subsequent care if patient
medical records are not accurate or complete.\351\ The proposed rule
would prevent or reduce the harms discussed here, resulting in non-
quantifiable benefits to individuals and their families, friends, and
health care providers. In particular, the role of trust in the health
care system and its importance to the provision of high-quality health
care is discussed extensively in section III of this preamble.
---------------------------------------------------------------------------
\349\ See Danielle Keats Citron and Daniel J. Solove, ``Privacy
Harms,'' GWU Legal Studies Research Paper No. 2021-11, GWU Law
School Public Law Research Paper No. 2021-11, 102 Boston University
Law Review 793, 830--861 (Feb. 9, 2021), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3782222.
\350\ See ``Lawyers preparing for abortion prosecutions warn
about health care, data privacy,'' supra note 166.
\351\ See ``Women with chronic conditions struggle to find
medications after abortion laws limit access,'' Centers for Disease
Control and Prevention, Division of Reproductive Health, National
Center for Chronic Disease Prevention and Health Promotion (Jan. 4,
2023), https://www.cdc.gov/teenpregnancy/health-care-providers/index.htm; and ``Abortion Bans May Limit Essential Medications for
Women with Chronic Conditions,'' supra note 176.
---------------------------------------------------------------------------
The Department believes the proposed rule would increase health
literacy by improving access to complete information about health care
options for individuals.\352\ For example, the proposal to prohibit use
and disclosure of PHI for purposes of prosecuting an individual, a
person assisting them, or their health care provider would enable
health care providers to obtain and provide complete and accurate
medical information about reproductive health care without undue fear
of serious and costly repercussions.
---------------------------------------------------------------------------
\352\ See Lynn M. Yee, Robert Silver, David M. Haas, et al.,
``Association of Health Literacy Among Nulliparous Individuals and
Maternal and Neonatal Outcomes,'' JAMA Network Open (Sept. 1, 2021),
https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2783674.
---------------------------------------------------------------------------
The Department believes that the proposed rule would also
contribute to increased access to prenatal health care at the critical
early stages of pregnancy by affording individuals the assurance that
they may obtain reproductive health care without fearing that records
related to that care would be subject to disclosure. For example, if a
sexually active individual fears they or their health care providers
could be subject to prosecution as a result of disclosure of their PHI,
the individual may avoid informing health care providers about symptoms
or asking questions of medical experts and may consequently fail to
receive the support and health care they need to obtain a pregnancy
diagnosis and receive appropriate, lawful health care.\353\ Similarly,
the proposed rule would likely contribute to decreasing the rate of
maternal mortality and morbidity by improving access to information
about health services.\354\
---------------------------------------------------------------------------
\353\ See Texas Maternal Mortality and Morbidity Review
Committee and Department of State Health Services Joint Biennial
Report 2022, supra note 16.
\354\ See Helen Levy, Alex Janke, ``Health Literacy and Access
to Care,'' Journal of Health Communication (2016), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4924568/; see also Brief for
Zurawski.
---------------------------------------------------------------------------
The Department believes that the proposed rule would contribute to
enhancing the mental health and emotional well-being of individuals
seeking or obtaining reproductive health care by reducing fear that
their PHI would be disclosed for an investigation
[[Page 23547]]
of or proceeding against, or prosecution of the individual, their
health care provider, or any persons facilitating the individual's
access to reproductive health care. This is especially important for
individuals who need access to reproductive health care because they
are survivors of rape, incest, or sex trafficking. For at least some
such individuals, certain types of reproductive health care, including
abortion, generally remain legal even if the option to terminate a
pregnancy is no longer available to the broader population under state
laws. The proposed rule is projected to prevent or reduce re-
victimization of pregnant individuals who have been subject to rape,
incest, or sex trafficking by protecting their PHI from disclosure.
Investigations and prosecutions that rely on that information may
be costly to defend against and thus financially draining for the
target of the investigation or prosecution and for persons who are not
the target of the investigation or prosecution but whose information
may be used as evidence against others. Witnesses or targets of an
investigation or prosecution may lose time from work and incur steep
legal bills that create unmanageable debt or otherwise harm the
economic stability of the individual, their family, and their health
care provider. In the absence of the proposal, much of those costs may
be for defending against the disclosure or use of PHI. Thus, the
Department expects that the proposed rule would contribute to families'
economic well-being by reducing the risk of exposure to costly
investigation or prosecution for lawful activities as a result of
disclosures of PHI.
The Department believes that the proposed rule would also
contribute to improved continuity of care and ongoing and subsequent
health care for individuals, thereby improving health outcomes. If a
health care provider believes that the patient's PHI is likely to be
disclosed without the patient's or the health care provider's knowledge
or consent, possibly to initiate or be used in criminal or civil
proceedings against the patient, their health care provider, or others,
the health care provider is more likely to omit information about a
patient's medical history or condition, or leave gaps or include
inaccuracies, when preparing patient medical records. And if an
individual's medical records lack complete information about the
individual's health history, a subsequent health care provider may not
be able to conduct an appropriate health assessment to reach a sound
diagnosis and recommend the best course of action for the individual.
Alternatively, health care providers may withhold from the individual
full and complete information about their treatment options because of
liability concerns stemming from fears about the privacy of an
individual's PHI.\355\ Heightened confidentiality and privacy
protections enable a health care provider to feel confident maintaining
full and complete patient records. Without complete patient records, an
individual is less likely to receive appropriate ongoing or future
health care, including correct diagnoses, and will be impeded in making
informed treatment decisions.
---------------------------------------------------------------------------
\355\ See Brief for Zurawski at p. 10.
---------------------------------------------------------------------------
Comparison of Benefits and Costs
The Department expects the totality of the benefits of the proposed
rule to outweigh the costs because the rule would create a net benefit
to society, particularly for the significant number of individuals who
could become pregnant (nearly one-fourth of the population of the U.S.)
and who need access to lawful health care without the risk of their PHI
being used or disclosed in furtherance of criminal, civil, or
administrative investigations or proceedings. The Department expects
covered entities and individuals to benefit from covered entities'
increased flexibility and confidence to be able to provide health care
according to professional standards.
The Department's benefit-cost analysis asserts that the proposed
regulatory changes would help support individuals' right to access
health care and information about their health care options free of
government intrusion, enhance the relationship between health care
professionals and individuals, strengthen maternal well-being and
family stability, and support victims of rape, incest, and sex
trafficking. The regulatory proposals would also aid health care
providers in developing and maintaining a high level of trust between
health care professionals and individuals and maintaining complete and
accurate patient medical records to aid ongoing and subsequent health
care. Greater levels of trust would further enable individuals to
develop and maintain relationships with health care professionals,
which would enhance continuity of health care for all individuals
receiving care from the health care provider, not only those in need of
reproductive health care.
The financial costs of the proposed rule would accrue primarily to
covered entities, particularly health care providers and health plans
in the first year after implementation of a final rule, with recurring
costs accruing annually at a lower rate.
4. Request for Comment
jj. The Department requests comment on all the estimates,
assumptions, and analyses within the cost-benefits analysis, including
the costs to regulated entities and individuals.
kk. The Department also requests comments on any relevant
information or data that would inform a quantitative analysis of
proposed reforms that the Department qualitatively addresses in this
RIA. Specifically, the Department requests comment on the following:
i. Whether this proposed rule would affect other activities of
regulated entities, including their ability to comply with other laws,
and, if so, how.
ii. Whether the proposed prohibition on the use or disclosure of
PHI for a criminal, civil, or administrative investigation or
proceeding against any person in connection with seeking, obtaining,
providing, or facilitating reproductive health care that is lawful
under the circumstances in which it is provided would affect the
disclosure of PHI between health care providers or between health care
providers and health plans for treatment purposes.
iii. Whether the proposed prohibition on the use or disclosure of
PHI for a criminal, civil, or administrative investigation or
proceeding against any person in connection with seeking obtaining,
providing, or facilitating reproductive health care that is lawful
under the circumstances in which it is provided would affect the
provision of access to individuals who request copies of their own PHI.
iv. Data about the costs to regulated entities of determining
whether reproductive health care revealed in PHI that is the subject of
a request under 45 CFR 164.512(d) through (f) and (g)(1) was lawful
under the circumstances in which it was provided.
v. Data about the costs to regulated entities of determining
whether a request for the use or disclosure of PHI is for a prohibited
purpose where an attestation is not provided.
vi. Whether the ongoing cost associated with the burden of
responding to requests for PHI with an authorization is an appropriate
comparator for the ongoing cost associated with the burden of
responding to requests for PHI that may require an attestation.
vii. The number of requests regulated entities receive annually for
uses and disclosures under 45 CFR 164.512(d) through (f) and (g)(1),
and the number of individuals' records encompassed by those requests.
[[Page 23548]]
viii. Data about the costs and any other burdens for regulated
entities associated with determining that a request is for PHI that is
potentially related to reproductive health care.
ix. Whether the lack of an attestation for some requests received
under 45 CFR 164.512(d) through (f) and (g)(1) would increase the time
needed to process each request.
ll. The Department also requests comments on whether there may be
other indirect costs and benefits resulting from the changes in the
proposed rule and welcomes additional information that may help
quantify those costs and benefits.
B. Regulatory Alternatives to the Proposed Rule
The Department welcomes public comment on any benefits or drawbacks
of the following alternatives it considered, but did not propose, while
developing this proposed rule. The Department also requests comment on
whether the Department should reconsider any of the alternatives
considered, and if so, why.
No Regulatory Changes
The Department carefully considered several alternatives to issuing
this NPRM, including the option of not pursuing any regulatory changes,
but rejected that approach for several reasons. Recent developments in
state law that impose greater restrictions on access to reproductive
health care are generating significant confusion for individuals,
health care providers, and family, friends, and caregivers regarding
their ability to privately seek, obtain, provide, or facilitate lawful
reproductive health care. In light of these developments, there is
significant confusion about the extent to which reproductive health
care information is protected by the Privacy Rule. Perhaps most
importantly, the current regulatory environment is diminishing the
ability of individuals to receive medically appropriate health care
that remains legal under the circumstances in which it is provided--
including in a wide range of contexts beyond reproductive care--thus
putting their health at increased risk.\356\ The Department believes
that the Privacy Rule should be modified to protect the privacy of PHI
to better support the provision of appropriate, timely, and lawful
reproductive health care and other health care for pregnant individuals
in the current environment. The proposed regulatory changes would
further Congressional intent to protect the privacy of IIHI and bolster
patient-provider confidentiality. Revising the Privacy Rule would
clarify covered entities' obligations and flexibilities, protect the
privacy of individuals' PHI, and improve the quality of individuals'
health care.
---------------------------------------------------------------------------
\356\ See ``Methotrexate access becomes challenging for some
patients following Supreme Court decision on abortion,'' ``Abortion
restrictions may be making it harder for patients to get a cancer
and arthritis drug,'' ``Abortion bans complicate access to drugs for
cancer, arthritis, even ulcers,'' supra note 175. See also, e.g.,
``Women with chronic conditions struggle to find medications after
abortion laws limit access,'' ``Abortion Bans May Limit Essential
Medications for Women with Chronic Conditions,'' supra note 176.
---------------------------------------------------------------------------
Modify Privacy Rule Without Preempting State Law
The Department also considered whether to remove the Privacy Rule
permissions for a covered entity to comply with certain other legal
requirements to use or disclose PHI, such as the terms of a court order
or other judicial or administrative process without preempting statutes
or regulations that specifically require regulated entities to make
uses and disclosures of PHI about an individual's reproductive health.
The Department believes that this approach would not protect an
individual from having their PHI disclosed and used against them when
another law requires the disclosure. As discussed in the preamble, the
Department believes that this result would undermine trust in the
health care system and thereby decrease access to quality health care,
as well as interfere with continuity of care by compromising the
accuracy and completeness of patient medical records, contrary to
Congress' intent in enacting HIPAA. The Department believes that these
harms outweigh the states' interests in this context. The Department
therefore proposes to preempt state law that would require use or
disclosure of PHI about an individual's reproductive health for
prohibited purposes, as discussed herein.
Modify the Privacy Rule To Align With 42 CFR Part 2 for Uses and
Disclosures of PHI for Certain Criminal and Noncriminal Proceedings
Against an Individual
The Department also considered proposing to apply requirements
equivalent to 42 CFR part 2 (referred to as ``part 2'') for uses and
disclosures of PHI for certain criminal and noncriminal proceedings
against an individual based on their alleged decision to obtain, or
attempt to obtain, reproductive health care. However, the Department
believes this approach also would not protect an individual from having
their PHI disclosed and potentially used against them pursuant to a
court order, and thus it also would not prevent regulated entities from
disclosing an individual's PHI for purposes of imposing criminal or
civil liability on an individual, health care provider, or other
person, for obtaining, providing, or facilitating lawful reproductive
health care. Part 2 affords some discretion to courts to order
disclosures of part 2 records in certain circumstances; however, part 2
also expressly prohibits further use or disclosure of those records by
any recipient for a proceeding against a patient. The Privacy Rule only
regulates uses and disclosures by regulated entities; the Privacy Rule
cannot limit further uses or disclosures by other persons who receive
an individual's health information from a regulated entity. Therefore,
an approach similar to part 2 would not sufficiently strengthen privacy
protections with respect to the purposes for which this proposal would
prohibit the use or disclosure of PHI.
Require a Valid Authorization Before Using or Disclosing PHI for
Certain Purposes
As an alternative to prohibiting certain uses and disclosures as
proposed in this NPRM, the Department considered proposing to permit
regulated entities to make such uses or disclosures of PHI only after
obtaining a valid authorization. However, the Department has concerns
regarding the potential for coercion or harassment of individuals to
pressure them into providing authorization for access to their PHI by
persons requesting the disclosure, such as law enforcement. In such a
scenario, covered entities would be forced to choose between their
obligations under state law and their Privacy Rule compliance
responsibilities in the event that an individual declined to provide an
authorization, undermining health information privacy protections for
individuals. As a result, the Department's current view is that an
authorization approach would not adequately ensure trust in the
relationship between health care professionals and individuals.
Require Covered Entities To Agree to Requests for Restrictions on
Disclosures of PHI for Treatment, Payment, and Health Care Operations
Concerns have arisen that some states may attempt to criminalize or
otherwise penalize individuals for traveling out of state to obtain
reproductive health care, or other persons for assisting individuals
who do, notwithstanding
[[Page 23549]]
relevant constitutional protections. The Department thus considered
including a proposal that would have required regulated entities to
agree to requests from individuals to restrict disclosures of PHI
related to reproductive health care for treatment, payment, or health
care operations. This may lower the risk of PHI being disclosed to
covered entities in states that may seek to obtain it pursuant to a
criminal, civil, or administrative investigation or proceeding related
to the receipt or facilitation of reproductive health care. However,
the Department has concerns about the ability of regulated entities to
operationalize such a requirement. Further, the requirement would
likely be overly restrictive for regulated entities and may not improve
the quality of health care. Additionally, this approach would be
dependent on individuals' awareness of their right to make a request
for restrictions and confidence that such requests would be granted.
The Privacy Rule permits regulated entities to accept requests for
restrictions from individuals, although they are only mandated to
accept such requests to prevent disclosures to an individual's health
plan for health care that has been paid in full by the individual.
Prohibit Uses and Disclosures of PHI Related to Reproductive Health
Care
The Department considered limiting the prohibition to uses and
disclosures of PHI related to reproductive health care for certain
purposes. However, as discussed in the preamble, this would have
required the Department to define what constitutes ``related to''
reproductive health care. Given the connection between reproductive
health care and other types of health care, the Department believes
that it would not be possible to create such a definition at this time
without being both under- and over-inclusive. The difficulty of
defining this category could make it impossible for electronic health
records to reliably segregate the information.
In addition, requiring regulated entities to take actions that
necessitate treating one category of PHI differently than other PHI
(e.g., imposing conditions on uses and disclosures that would require
such entities to label or segment certain PHI within medical records)
would hinder coordinated care and potentially result in negative health
outcomes if treating clinicians are unaware of an individual's complete
medical history. As a result, the Department believes that this
approach would not enhance access to quality health care.
Under the current proposal, regulated entities would be required to
obtain an attestation from persons requesting PHI that is ``potentially
related to reproductive health care'' when the request is made pursuant
to the use and disclosure permissions at 45 CFR 164.512(d) through (f)
or (g)(1). While the language itself is similar, the Department
believes using it in this instance would not create the same
operational challenges described above. For example, because the
proposed attestation requirement would apply only to certain
permissions that are not used by covered health care providers to
disclose PHI to other health care providers for treatment purposes,
care coordination would not be hindered. Additionally, we do not
believe that this approach would implicate the segmentation concerns
described above because ``potentially related to reproductive health
care'' is broader than ``related to reproductive health care.'' This
would require regulated entities to consider the full scope and context
of the PHI requested to determine whether it could reveal information
about the individual's reproductive health.
Prohibit the Uses and Disclosures of PHI Proposed in This Rule Without
the Rule of Applicability
The Department considered prohibiting the use or disclosure of PHI
for the purpose of investigating or conducting a proceeding against any
person for seeking, obtaining, providing, or facilitating reproductive
care, regardless of whether the care was lawful under state or Federal
law. However, the Department is concerned that this uniform approach
would have placed significant burdens on states' abilities to enforce
their laws. The Department has therefore proposed the more tailored
approach in this proposed rule.
Require Attestations for Requests for Any PHI Under 45 CFR 164.512(d)
Through (f) and (g)(1)
The Department considered requiring that regulated entities obtain
an attestation before using or disclosing any PHI under 45 CFR
164.512(d) through (f) and (g)(1). However, this could have placed an
unnecessary burden on regulated entities and persons requesting PHI by
requiring attestations even under circumstances in which the requested
disclosure would be unlikely to implicate the prohibition. Thus, the
Department has taken a narrower approach to the proposed attestation
requirement.
Require Attestations To Include Names of Individuals Whose PHI Is Being
Sought for All Requests
The Department considered requiring that an attestation include the
name of any individual whose PHI is being requested, without providing
an option for the requestor to identify a class of individuals if it is
not practicable to provide the individuals' names. However, this could
have impeded investigations of health care fraud, for example, where
health oversight agencies and law enforcement authorities know the name
of a suspected health care provider, but may not know the names of
individuals before the request is made. Therefore, where providing the
names of individuals is not practicable, the Department has proposed an
option for identifying a class of individuals.
C. Regulatory Flexibility Act--Small Entity Analysis
The Department has examined the economic implications of this
proposed rule as required by the RFA. This analysis, as well as other
sections in this RIA, serves as the Initial Regulatory Flexibility
Analysis, as required under the RFA.
For purposes of the RFA, small entities include small businesses,
nonprofit organizations, and small governmental jurisdictions. The Act
defines ``small entities'' as (1) a proprietary firm meeting the size
standards of the Small Business Administration (SBA), (2) a nonprofit
organization that is not dominant in its field, and (3) a small
government jurisdiction of less than 50,000 population. Because 90
percent or more of all health care providers meet the SBA size standard
for a small business or are a nonprofit organization, the Department
generally treats all health care providers as small entities for
purposes of performing a regulatory flexibility analysis. The SBA size
standard for health care providers ranges between a maximum of $8
million and $41.5 million in annual receipts, depending upon the type
of entity.\357\
---------------------------------------------------------------------------
\357\ See ``Table of Small Business Size Standards,'' U.S. Small
Business Administration (July 14, 2022), https://www.sba.gov/sites/default/files/2022-07/Table%20of%20Size%20Standards_Effective%20July%2014%202022_Final-508.pdf.
---------------------------------------------------------------------------
With respect to health insurers, the SBA size standard is a maximum
of $41.5 million in annual receipts, and for third party administrators
it is $40 million.\358\ While some insurers are classified as
nonprofit, it is possible
[[Page 23550]]
they are dominant in their market. For example, a number of Blue Cross/
Blue Shield insurers are organized as nonprofit entities; yet they
dominate the health insurance market in the states where they are
licensed.
---------------------------------------------------------------------------
\358\ Id.
---------------------------------------------------------------------------
For the reasons stated below, it is not expected that the cost of
compliance would be significant for small entities. Nor is it expected
that the cost of compliance would fall disproportionately on small
entities. Although many of the covered entities affected by the
proposed rule are small entities, they would not bear a
disproportionate cost burden compared to the other entities subject to
the proposed rule.
The projected total costs are discussed in detail in the RIA. The
Department does not view this as a burden because the result of the
changes would be annualized costs per covered entity of approximately
$236 [= $183 million \359\/774,331 covered entities]. Thus, this
analysis concludes, and the Secretary proposes to certify, that the
proposed rule, if finalized, would not result in a significant economic
effect on a substantial number of small entities.
---------------------------------------------------------------------------
\359\ This figure represents annualized costs discounted at a 3%
rate.
---------------------------------------------------------------------------
D. Executive Order 13132--Federalism
As required by E.O. 13132 on Federalism, the Department has
examined the effects of provisions in the proposed regulation on the
relationship between the Federal Government and the states. In the
Department's view, this proposed regulation would have federalism
implications because it would have direct effects on the states, the
relationship between the National Government and states, and on the
distribution of power and responsibilities among various levels of
government relating to the disclosure of PHI.
Any federalism implications of the rule, however, flow from and are
consistent with the underlying statute--and the proposed Rule of
Applicability would limit the proposed regulation to those
circumstances in which the state lacks any substantial interest in
seeking the disclosure. The statute allows the Department to preempt
state or local rules that provide less stringent privacy protection
requirements than Federal law.\360\ Section 3(b) of E.O. 13132
recognizes that national action limiting the policymaking discretion of
states will be imposed only where there is constitutional and statutory
authority for the action and the national activity is appropriate in
light of the presence of a problem of national significance. The
privacy of PHI is of national concern by virtue of the scope of
interstate health commerce. As described in the preamble, recent state
actions on reproductive health care have undermined the longstanding
expectation among individuals in all states that their highly sensitive
reproductive health information will remain private. These state
actions thus directly threaten the trust that is essential to ensuring
access to, and quality of, lawful health care. HIPAA's provisions
reflect this position by authorizing the Secretary to promulgate
regulations to implement the Privacy Rule.
---------------------------------------------------------------------------
\360\ 42 U.S.C. 1320d-7(a)(1).
---------------------------------------------------------------------------
Section 4(a) of E.O. 13132 expressly contemplates preemption when
there is a conflict between exercising state and Federal authority
under a Federal statute. Section 4(b) of the E.O. authorizes preemption
of state law in the Federal rulemaking context when ``the exercise of
State authority directly conflicts with the exercise of Federal
authority under the Federal statute.'' The approach in this regulation
is consistent with these standards in the Executive order in
superseding state authority only when such authority is inconsistent
with standards established pursuant to the grant of Federal authority
under the statute. State and local laws that impose less stringent
requirements for the protection of reproductive health information
undermine Congress' intent to ensure that all individuals who receive
health care are assured a minimum level of privacy for their PHI. Both
the personal and public interest is served by protecting PHI so as not
to undermine an individual's access to and quality of health care
services and their trust in the health care system.
Section 6(b) of E.O. 13132 includes some qualitative discussion of
substantial direct compliance costs that state and local governments
would incur as a result of a proposed regulation. The Department
anticipates that the most significant direct costs on state and local
governments would be the cost for state and local government-operated
covered entities to revise business associate agreements, revise
policies and procedures, create a new form for attestations, update the
NPP, update training programs, and process requests for disclosures for
which an attestation is required. In addition, the Department
anticipates that approximately half of the states may choose to file a
request for an exception to preemption. The longstanding regulatory
provisions that govern preemption exception requests under the HIPAA
Rules would remain undisturbed by this proposed rule.\361\ However,
based on the legal developments in some states that are described
elsewhere in this preamble, the Department believes it is likely that,
in the first year of implementation of a final rule, more states will
submit requests for exceptions from preemption than have done so in the
past. The RIA above addresses these costs in detail.
---------------------------------------------------------------------------
\361\ 45 CFR 160.201 through 160.205.
---------------------------------------------------------------------------
The Department requests comment from local and state governments on
provisions in the proposed rule that would preempt state and local laws
and on whether state and local governments are likely to incur
additional costs, such as those associated with the effects of the
prohibited disclosures on law enforcement's access to information.
E. Assessment of Federal Regulation and Policies on Families
Section 654 of the Treasury and General Government Appropriations
Act of 1999 \362\ requires Federal departments and agencies to
determine whether a proposed policy or regulation could affect family
well-being. If the determination is affirmative, then the Department or
agency must prepare an impact assessment to address criteria specified
in the law.
---------------------------------------------------------------------------
\362\ Public Law 105-277, 112 Stat. 2681 (Oct. 21, 1998).
---------------------------------------------------------------------------
The proposed rule would strengthen the stability of the family and
marital commitment because it enables individuals and families to have
access to the full range of reproductive health care information and
access to options for consideration when making sensitive decisions
about family planning. The proposed rule may be carried out only by the
Federal Government because it would modify Federal health privacy law,
ensuring that American families have access to reproductive health care
information and can freely discuss their reproductive health,
regardless of the state where they are located when health care is
accessed. Access to reproductive health care and information about the
full range of reproductive health care is vital for individuals who may
become pregnant or who are capable of becoming pregnant.
F. Paperwork Reduction Act of 1995
Under the Paperwork Reduction Act of 1995 \363\ (PRA), agencies are
required to submit to the Office of Management and Budget (OMB) for
review and approval any reporting or record-keeping requirements
inherent in a
[[Page 23551]]
proposed or final rule, and are required to publish such proposed
requirements for public comment. The PRA requires agencies to provide a
60-day notice in the Federal Register and solicit public comment on a
proposed collection of information before it is submitted to OMB for
review and approval. To fairly evaluate whether an information
collection should be approved by the OMB, section 3506(c)(2)(A) of the
PRA requires that the Department solicit comment on the following
issues:
---------------------------------------------------------------------------
\363\ Public Law 104-13, 109 Stat. 163 (May 22, 1995).
---------------------------------------------------------------------------
1. Whether the information collection is necessary and useful to
carry out the proper functions of the agency;
2. The accuracy of the agency's estimate of the information
collection burden;
3. The quality, utility, and clarity of the information to be
collected; and
4. Recommendations to minimize the information collection burden on
the affected public, including automated collection techniques.
The PRA requires consideration of the time, effort, and financial
resources necessary to meet the information collection requirements
referenced in this section. The Department explicitly seeks, and will
consider, public comment on its assumptions as they relate to the PRA
requirements summarized in this section. To comment on the collection
of information or to obtain copies of the supporting statements and any
related forms for the proposed paperwork collections referenced in this
section, email your comment or request, including your address and
phone number to [email protected], or call the Reports Clearance
Office at (202) 690-6162. Written comments and recommendations for the
proposed information collections must be directed to the OS Paperwork
Clearance Officer at the above email address within 60 days.
In this NPRM, the Department is revising certain information
collection requirements and, as such, is revising the information
collection last prepared in 2019 and previously approved under OMB
control # 0945-0003. The revised information collection describes all
new and adjusted information collection requirements for covered
entities pursuant to the implementing regulation for HIPAA at 45 CFR
parts 160 and 164, the HIPAA Privacy, Security, Breach Notification,
and Enforcement Rules.
The estimated annual labor burden presented by the proposed
regulatory modifications in the first year of implementation, including
nonrecurring and recurring burdens, is 5,189,569 burden hours at a cost
of $596,728,985 \364\ and $67,831,396 of estimated annual labor costs
in years two through five. The overall total burden for respondents to
comply with the information collection requirements of all of the HIPAA
Privacy, Security, and Breach Notification Rules, including
nonrecurring and recurring burdens presented by proposed program
changes, is 955,098,062 burden hours at a cost of $101,685,085,101,
plus $188,873,438 in capital costs for a total estimated annual burden
of $101,873,958,539 in the first year following the effective date of
the final rule, assuming all changes are adopted as proposed. Details
describing the burden analysis for the proposals associated with this
NPRM are presented below.
---------------------------------------------------------------------------
\364\ This includes an increase of 416 burden hours and $36,442
in costs added to the existing information collection for requesting
exemption determinations under 45 CFR 160.204.
---------------------------------------------------------------------------
1. Explanation of Estimated Annualized Burden Hours
Below is a summary of the significant program changes and
adjustments made since the 2019 information collection. These program
changes and adjustments form the bases for the burden estimates
presented in information collection request associated with this NPRM.
Adjusted Estimated Annual Burdens of Compliance
(1) Increasing the number of covered entities from 700,000 to
774,331 based on program change;
(2) Increasing the number of respondents requesting exceptions to
state law preemption from 1 to 27 based on an expected reaction by
states that have enacted restrictions on reproductive health care
access;
(3) Increasing the burden hours by a factor of two for responding
to individuals' requests for restrictions on disclosures of their PHI
under 45 CFR 164.522 to represent a doubling of the expected requests;
and
(4) Increasing the total number of NPPs distributed by health plans
by 50% to total 300,000,000 due to the increase in number of Americans
with health coverage.
New Burdens Resulting From Program Changes
In addition to these changes, the Department added new annual
burdens as a result of program changes:
(1) A nonrecurring burden of 30 minutes per covered entity to
create a new attestation form using the sample provided by the
Department;
(2) A recurring burden of 1 hour per covered entity for uses and
disclosures for which an attestation must be obtained from the person
requesting the use and disclosure;
(3) A nonrecurring burden of 1 hour per business associate
agreement that is revised as a result of the proposed changes to
handling requests under 45 CFR 164.512(d), (e), (f), and (g)(1), to
allocate responsibilities between covered entities and their release-
of-information contractors;
(4) A nonrecurring burden of 30 minutes per covered entity to
update the required content of its NPP;
(5) A nonrecurring burden of 15 minutes per covered entity for
posting an updated NPP online;
(6) A nonrecurring burden of 2.5 hours for each covered entity to
update its policies and procedures; and
(7) A nonrecurring burden of 90 minutes for each covered entity to
update the content of its HIPAA training program.
VI. Request for Comment
In addition to the questions posed above, the Department also seeks
comment on the following questions:
mm. Whether individuals who are members of historically underserved
and minority communities are more likely to be subjects of
investigations into or proceedings against persons in connection with
obtaining, providing, or facilitating lawful reproductive health care.
If so, please explain the relationship to and effects on the health
information privacy of community members, including data and citations
to relevant literature.
nn. Whether individuals who are members of historically underserved
and minority communities are less likely to have access to legal
counsel when facing investigations into or proceedings against persons
in connection with obtaining, providing, or facilitating lawful
reproductive health care. If so, please explain the relationship to and
effects on the health information privacy of community members,
including data and citations to relevant literature.
oo. With respect to an individual's right to restrict uses and
disclosures of their PHI under 45 CFR 164.522(a)(1):
i. Whether individuals are generally aware of this right.
ii. Whether covered entities have experienced an increase in
requests from individuals to exercise this right.
iii. Whether regulated entities have been or are more likely to
grant individuals such requests considering the recent developments in
the legal environment.
[[Page 23552]]
VII. Public Participation
The Department seeks comment on all issues raised by the proposed
regulation, including any unintended adverse consequences. Because of
the large number of public comments normally received on Federal
Register documents, the Department is not able to acknowledge or
respond to them individually. In developing the final rule, the
Department will consider the public comments that are received by the
date and time specified in the DATES section of the Preamble, in
accordance with the agency practices described in the section labeled
ADDRESSES.
List of Subjects
45 CFR Part 160
Administrative practice and procedure, Computer technology,
Electronic information system, Electronic transactions, Employer
benefit plan, Health, Health care, Health facilities, Health insurance,
Health professions, Health records, Hospitals, Investigations,
Medicaid, Medical research, Medicare, Penalties, Preemption, Privacy,
Public health, Reporting and recordkeeping requirements, Reproductive
health care, Security.
45 CFR Part 164
Administrative practice and procedure, Computer technology, Drug
abuse, Electronic information system, Electronic transactions, Employer
benefit plan, Health, Health care, Health facilities, Health insurance,
Health professions, Health records, Hospitals, Medicaid, Medical
research, Privacy, Public health, Reporting and recordkeeping
requirements, Reproductive health care, Security.
Proposed Rule
For the reasons stated in the preamble, the Department of Health
and Human Services proposes to amend 45 CFR subtitle A, subchapter C,
parts 160 and 164 as set forth below:
PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS
0
1. The authority citation for part 160 continues to read as follows:
Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec.
264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2
(note)); 5 U.S.C. 552; secs. 13400-13424, Pub. L. 111-5, 123 Stat.
258-279; and sec. 1104 of Pub. L. 111-148, 124 Stat. 146-154.
0
2. Amend Sec. 160.103 by:
0
a. Revising the definition of ``Person''; and
0
b. Adding in alphabetical order the definitions of ``Public health''
and ``Reproductive health care''.
The revision and additions read as follows:
Sec. 160.103 Definitions.
* * * * *
Person means a natural person (meaning a human being who is born
alive), trust or estate, partnership, corporation, professional
association or corporation, or other entity, public or private.
* * * * *
Public health, as used in the terms ``public health surveillance,''
``public health investigation,'' and ``public health intervention,''
means population-level activities to prevent disease and promote health
of populations. Such activities do not include uses and disclosures for
the criminal, civil, or administrative investigation into or proceeding
against a person in connection with obtaining, providing, or
facilitating reproductive health care, or for the identification of any
person in connection with a criminal, civil, or administrative
investigation into or proceeding against a person in connection with
obtaining, providing, or facilitating reproductive health care.
Reproductive health care means care, services, or supplies related
to the reproductive health of the individual.
* * * * *
PART 164--SECURITY AND PRIVACY
0
3. The authority citation for part 164 continues to read as follows:
Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec.
264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2(note));
and secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279.
0
4. Amend Sec. 164.502 by revising paragraphs (a)(1)(iv) and (vi) and
adding paragraphs (a)(5)(iii) and (g)(5)(iii) to read as follows:
Sec. 164.502 Uses and disclosures of protected health information:
General rules.
(a) * * *
(1) * * *
(iv) Except for uses and disclosures prohibited under paragraph
(a)(5)(i) or (iii) of this section, pursuant to and in compliance with
a valid authorization under Sec. 164.508;
* * * * *
(vi) As permitted by and in compliance with any of the following:
(A) This section.
(B) Section 164.512 and, where applicable, Sec. 164.509.
(C) Section 164.514(e).
(D) Section 164.514(f).
(E) Section 164.514(g).
* * * * *
(5) * * *
(iii) Reproductive health care--(A) Prohibition. Subject to
paragraphs (a)(5)(iii)(C) and (D) of this section, a covered entity or
business associate may not use or disclose protected health information
for either of the following purposes.
(1) Where the use or disclosure is for a criminal, civil, or
administrative investigation into or proceeding against any person in
connection with seeking, obtaining, providing, or facilitating
reproductive health care.
(2) To identify any person for the purpose of initiating an
activity described at paragraph (a)(5)(iii)(A)(1) of this section.
(B) Scope of prohibition. For the purposes of this subpart,
seeking, obtaining, providing, or facilitating reproductive health care
includes, but is not limited to, any of the following: expressing
interest in, inducing, using, performing, furnishing, paying for,
disseminating information about, arranging, insuring, assisting, or
otherwise taking action to engage in reproductive health care; or
attempting any of the same.
(C) Rule of applicability. The prohibition at paragraph (a)(5)(iii)
of this section applies where one or more of the following conditions
exists.
(1) The relevant criminal, civil, or administrative investigation
or proceeding is in connection with any person seeking, obtaining,
providing, or facilitating reproductive health care outside of the
state where the investigation or proceeding is authorized and where
such health care is lawful in the state in which it is provided.
(2) The relevant criminal, civil, or administrative investigation
or proceeding is in connection with any person seeking, obtaining,
providing, or facilitating reproductive health care that is protected,
required, or authorized by Federal law, regardless of the state in
which such health care is provided.
(3) The relevant criminal, civil, or administrative investigation
or proceeding is in connection with any person seeking, obtaining,
providing, or facilitating reproductive health care that is provided in
the state in which the investigation or proceeding is authorized and
that is permitted by the law of that state.
(D) Rule of construction. Nothing in this section shall be
construed to prohibit a use or disclosure of protected health
information otherwise permitted by this subpart unless such use or
[[Page 23553]]
disclosure is primarily for the purpose of investigating or imposing
liability on any person for the mere act of seeking, obtaining,
providing, or facilitating reproductive health care.
* * * * *
(g) * * *
(5) * * *
(iii) Paragraph (g)(5) of this section does not apply where the
primary basis for the covered entity's belief is the facilitation or
provision of reproductive health care by such person for and at the
request of the individual.
* * * * *
0
5. Add Sec. 164.509 to read as follows:
Sec. 164.509 Uses and disclosures for which an attestation is
required.
(a) Standard: Attestations for certain uses and disclosures of
protected health information to persons other than covered entities. A
covered entity may not use or disclose protected health information
potentially related to reproductive health care for purposes specified
in Sec. 164.512(d), (e), (f), or (g)(1), without obtaining an
attestation that is valid under this section from the person requesting
the use or disclosure.
(b) Implementation specifications: General requirements--(1) Valid
attestations. (i) A valid attestation is a document that meets the
requirements of paragraph (c)(1) of this section.
(ii) A valid attestation verifies that the use or disclosure is not
otherwise prohibited by Sec. 164.502(a)(5)(iii).
(iii) A valid attestation may be electronic, provided that it meets
the requirements in paragraph (c)(1) of this section, as applicable.
(2) Defective attestations. An attestation is not valid if the
document submitted has any of the following defects:
(i) The attestation lacks an element or statement required by
paragraph (c) of this section.
(ii) The attestation contains an element or statement not required
by paragraph (c) of this section.
(iii) The attestation violates paragraph (b)(3) of this section.
(iv) The covered entity has actual knowledge that material
information in the attestation is false.
(v) It is objectively unreasonable for the covered entity to
believe that the attestation is true with respect to the requirement at
paragraph (c)(1)(iv) of this section.
(3) Compound attestation. An attestation may not be combined with
any other document.
(c) Implementation specifications: Content requirements and other
obligations--(1) Required elements. A valid attestation under this
section must contain the following elements:
(i) A description of the information requested that identifies the
information in a specific fashion, including one of the following:
(A) The name of any individual(s) whose protected health
information is sought, if practicable.
(B) If including the name(s) of any individual(s) whose protected
health information is sought is not practicable, a description of the
class of individuals whose protected health information is sought.
(ii) The name or other specific identification of the person(s), or
class of persons, who are requested to make the use or disclosure.
(iii) The name or other specific identification of the person(s),
or class of persons, to whom the covered entity is to make the
requested use or disclosure.
(iv) A clear statement that the use or disclosure is not for a
purpose prohibited under Sec. 164.502(a)(5)(iii).
(v) Signature of the person requesting the protected health
information, which may be an electronic signature, and date. If the
attestation is signed by a representative of the person requesting the
information, a description of such representative's authority to act
for the person must also be provided.
(2) Plain language requirement. The attestation must be written in
plain language.
(d) Material misrepresentations. If, during the course of using or
disclosing protected health information in reasonable reliance on a
facially valid attestation, a covered entity discovers information
reasonably showing that the representations in the attestation were
materially false, leading to uses or disclosures for a prohibited
purpose, the covered entity must cease such use or disclosure.
0
6. Amend Sec. 164.512 by:
0
a. Revising the introductory text and the heading of paragraph (c);
0
b. Adding paragraph (c)(3); and
0
c. Revising paragraph (f)(1)(ii)(C) introductory text.
The revisions and addition read as follows:
Sec. 164.512 Uses and disclosures for which an authorization or
opportunity to agree or object is not required.
Except as provided by Sec. 164.502(a)(5)(iii), a covered entity
may use or disclose protected health information without the written
authorization of the individual, as described in Sec. 164.508, or the
opportunity for the individual to agree or object as described in Sec.
164.510, in the situations covered by this section, subject to the
applicable requirements of this section and Sec. 164.509. When the
covered entity is required by this section to inform the individual of,
or when the individual may agree to, a use or disclosure permitted by
this section, the covered entity's information and the individual's
agreement may be given verbally.
* * * * *
(c) Standard: Disclosures about victims of abuse, neglect, or
domestic violence. * * *
(3) Rule of construction. Nothing in this section shall be
construed to permit disclosures prohibited by Sec. 164.502(a)(5)(iii)
when the report of abuse, neglect, or domestic violence is based
primarily on the provision of reproductive health care.
* * * * *
(f) * * *
(1) * * *
(ii) * * *
(C) An administrative request for which response is required by
law, including an administrative subpoena or summons, a civil or an
authorized investigative demand, or similar process authorized under
law, provided that:
* * * * *
0
7. Amend Sec. 164.520 by adding paragraphs (b)(1)(ii)(F) and (G) to
read as follows:
Sec. 164.520 Notice of privacy practices for protected health
information.
* * * * *
(b) * * *
(1) * * *
(ii) * * *
(F) A description, including at least one example, of the types of
uses and disclosures prohibited under Sec. 164.502(a)(5)(iii) in
sufficient detail for an individual to understand the prohibition.
(G) A description, including at least one example, of the types of
uses and disclosures for which an attestation is required under Sec.
164.509.
* * * * *
Dated: April 5, 2023.
Xavier Becerra,
Secretary, Department of Health and Human Services.
[FR Doc. 2023-07517 Filed 4-12-23; 8:45 am]
BILLING CODE 4153-01-P
