HIPAA Privacy Rule To Support Reproductive Health Care Privacy, 23506-23553 [2023-07517]

23506 Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules

DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
RIN 0945–AA20
HIPAA Privacy Rule To Support Reproductive Health Care Privacy

AGENCY: Office for Civil Rights (OCR), Office of the Secretary, Department of Health and Human Services.

ACTION: Notice of proposed rulemaking; notice of Tribal consultation.

SUMMARY: The Department of Health and Human Services (HHS or “Department”) is issuing this notice of proposed rulemaking (NPRM) to solicit comment on its proposal to modify the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The proposal would modify existing standards permitting uses and disclosures of protected health information (PHI) by limiting uses and disclosures of PHI for certain purposes where the use or disclosure of information is about reproductive health care that is lawful under the circumstances in which such health care is provided. The proposal would modify existing standards by prohibiting uses and disclosures of PHI for criminal, civil, or administrative investigations or proceedings against individuals, covered entities or their business associates (collectively, “regulated entities”), or other persons for seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided.

DATES:
Comments: Submit comments on or before June 16, 2023.
Meeting: Pursuant to Executive Order 13175, Consultation and Coordination with Indian Tribal Governments, the Department of Health and Human Services’ Tribal Consultation Policy, and the Department’s Plan for Implementing Executive Order 13175, the Office for Civil Rights solicits input from Tribal officials as the Department develops the modifications to the HIPAA Privacy Rule at 45 CFR parts 160 and 164, subparts A and E. The Tribal consultation meeting will be held on May 17, 2023, from 2 p.m. to 3:30 p.m. EDT. To participate in the Tribal consultation meeting, you must register in advance at https://www.zoomgov.com/meeting/register/vJItf-2hqD8jHfdtmYaUoWidy9odBZMYQ4Q.

ADDRESSES: You may submit comments, identified by RIN Number 0945–AA20, by any of the following methods. Please do not submit duplicate comments.
• Federal eRulemaking Portal: You may submit electronic comments at https://www.regulations.gov by searching for the Docket ID number HHS–OCR–0945–AA20. Follow the instructions at https://www.regulations.gov for submitting electronic comments. Attachments should be in Microsoft Word or Portable Document Format (PDF).
• Regular, Express, or Overnight Mail: You may mail written comments to the following address only: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: HIPAA and Reproductive Health Care Privacy NPRM, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue SW, Washington, DC 20201. Please allow sufficient time for mailed comments to be timely received in the event of delivery or security delays.
Please note that comments submitted by fax or email and those submitted after the comment period will not be accepted.
Inspection of Public Comments: All comments received by the accepted methods and due date specified above may be posted without change to content to https://www.regulations.gov, which may include personal information provided about the commenter, and such posting may occur after the closing of the comment period. However, the Department may redact certain non-substantive content from comments or attachments to comments before posting, including: threats, hate speech, profanity, sensitive health information, graphic images, promotional materials, copyrighted materials, or individually identifiable information about a third-party individual other than the commenter. In addition, comments or material designated as confidential or not to be disclosed to the public will not be accepted. Comments may be redacted or rejected as described above without notice to the commenter, and the Department will not consider in rulemaking any redacted or rejected content that would not be made available to the public as part of the administrative record.

Docket: For complete access to background documents or posted comments, go to https://www.regulations.gov and search for Docket ID number HHS–OCR–0945–AA20.

FOR FURTHER INFORMATION CONTACT: Lester Coffer at (202) 240–3110 or (800) 537–7697 (TDD).

SUPPLEMENTARY INFORMATION: The discussion below includes an Executive Summary, a description of relevant statutory and regulatory authority and history, the justification for this proposed regulation, a section-by-section description of the proposed modifications, and a regulatory impact analysis and other required regulatory analyses. The Department solicits public comment on all aspects of the proposed rule.
The Department requests that persons commenting on the provisions of the proposed rule label their discussion of any particular provision or topic with a citation to the section of the proposed rule being addressed and identify the particular request for comment being addressed, if applicable.

I. Executive Summary
  A. Overview
  B. Applicability
  C. Table of Abbreviations/Commonly Used Acronyms in This Document
II. Statutory Authority and Regulatory History
  A. Statutory Authority and History
    1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    2. The Health Information Technology for Economic and Clinical Health (HITECH) Act
  B. Rulemaking Authority and Regulatory History
    1. The Department’s Rulemaking Authority Under HIPAA
    2. Regulatory History
III. Justification for This Proposed Rulemaking
  A. HIPAA Encourages Trust by Carefully Balancing Individuals’ Privacy Interests With Others’ Interests in Using or Disclosing PHI
  B. Developments in the Legal Environment Are Eroding Individuals’ Trust in the Health Care System
  C. To Protect the Trust Between Individuals and Health Care Providers, the Department Proposes To Restrict Certain Uses and Disclosures of PHI for Non-Health Care Purposes
IV. Section-by-Section Description of Proposed Amendments to the Privacy Rule
  A. Section 160.103—Definitions
    1. Clarifying the Definition of “Person”
    2. Interpreting Terms Used in Section 1178(b) of the Social Security Act
    3. Adding a Definition of “Reproductive Health Care”
    4. Request for Comment
  B. Section 164.502—Uses and Disclosures of Protected Health Information: General Rules
    1. Clarifying When PHI May Be Used or Disclosed by Regulated Entities
    2. Adding a New Category of Prohibited Uses and Disclosures
    3. Clarifying Personal Representative Status in the Context of Reproductive Health Care
    4. Request for Comment
  C. Section 164.509—Uses and Disclosures for Which an Attestation Is Required (Proposed Heading)
    1. Current Provision and Issues To Address
    2. Proposal
    3. Request for Comment
  D. Section 164.512—Uses and Disclosures for Which an Authorization or Opportunity To Agree or Object Is Not Required
    1. Applying the Proposed Prohibition and Attestation Requirement to Certain Permitted Uses and Disclosures
    2. Making a Technical Correction to the Heading of 45 CFR 164.512(c) and Clarifying That Providing or Facilitating Reproductive Health Care Is Not Abuse, Neglect, or Domestic Violence
    3. Clarifying the Permission for Disclosures Based on Administrative Processes
    4. Request for Comment
  E. Section 164.520—Notice of Privacy Practices for Protected Health Information
    1. Current Provision and Issues To Address
    2. Proposal
    3. Request for Comment
V. Executive Order 12866 and Related Executive Orders on Regulatory Review
  A. Regulatory Impact Analysis
    1. Summary of Costs and Benefits
    2. Baseline Conditions
    3. Costs of the Proposed Rule
    4. Request for Comment
  B. Regulatory Alternatives to the Proposed Rule
  C. Regulatory Flexibility Act—Small Entity Analysis
  D. Executive Order 13132—Federalism
  E. Assessment of Federal Regulation and Policies on Families
  F. Paperwork Reduction Act of 1995
    1. Explanation of Estimated Annualized Burden Hours
VI. Request for Comment
VII. Public Participation

I. Executive Summary

A. Overview

In this notice of proposed rulemaking (NPRM), the Department of Health and Human Services (HHS or “Department”) proposes modifications to the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”), issued pursuant to section 264 of the Administrative Simplification provisions of title II, subtitle F, of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).1

The Privacy Rule 2 is one of several rules, collectively known as the HIPAA Rules,3 that protect the privacy and security of individuals’ protected health information 4 (PHI), which is individually identifiable health information 5 (IIHI) transmitted by or maintained in electronic media or any other form or medium, with certain exceptions.6 Under its statutory authority to administer and enforce the HIPAA Rules, the Department modifies the HIPAA Rules as needed, but not more than once every 12 months.7 The Department makes the determination that such modifications may be needed using information it receives on an ongoing basis—from the public, regulated entities, media reports, and its own analysis of the state of privacy for IIHI. Based on information the Department has received in recent months, we believe it may be necessary to modify the Privacy Rule to avoid the circumstance where an existing provision of the Privacy Rule is used to request the use or disclosure of an individual’s PHI as a pretext for obtaining PHI related to reproductive health care for a non-health care purpose where such use or disclosure would be detrimental to any person. The proposals in this NPRM would amend provisions of the Privacy Rule to strengthen privacy protections for individuals’ PHI related to reproductive health care.

The Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization 8 (Dobbs) makes it more likely than before that individuals’ PHI may be disclosed in ways that cause harm to the interests that HIPAA seeks to protect but that are not adequately addressed in this context,9 such as criminal, civil, or administrative investigations or proceedings that chill access to lawful health care and full communication between individuals and health care providers.

1 Subtitle F of title II of HIPAA (Pub. L. 104–191, 110 Stat. 1936 (Aug. 21, 1996)) added a new part C to title XI of the Social Security Act (SSA), Public Law 74–271, 49 Stat. 620 (Aug. 14, 1935), (see sections 1171–1179 of the SSA (codified at 42 U.S.C. 1320d–1320d–8)), as well as promulgating section 264 of HIPAA (codified at 42 U.S.C. 1320d–2 note), which authorizes the Secretary to promulgate regulations with respect to the privacy of individually identifiable health information. The Privacy Rule has subsequently been amended pursuant to the Genetic Information Nondiscrimination Act of 2008 (GINA), title I, section 105, Public Law 110–233, 122 Stat. 881 (May 21, 2008) (codified at 42 U.S.C. 2000ff), and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, Public Law 111–5, 123 Stat. 226 (Feb. 17, 2009) (codified at 42 U.S.C. 139w–4(0)(2)).
2 45 CFR parts 160 and 164, subparts A and E. For a history of the Privacy Rule, see Section II.B.2., “Regulatory History,” below.
3 See also the HIPAA Security Rule, 45 CFR parts 160 and 164, subparts A and C; the HIPAA Breach Notification Rule, 45 CFR part 164, subpart D; and the HIPAA Enforcement Rule, 45 CFR part 160, subparts C, D, and E.
4 45 CFR 160.103 (definition of “Protected health information”).
5 42 U.S.C. 1320d. See also 45 CFR 160.103 (definition of “Individually identifiable health information”).
6 At times throughout this NPRM, the Department uses the terms “health information” or “individuals’ health information” to refer generically to health information pertaining to an individual or individuals. In contrast, the Department’s use of the term “IIHI” refers to a category of health information defined in HIPAA, and “PHI” is used to refer specifically to a category of IIHI that is defined by and subject to the privacy and security standards promulgated in the HIPAA Rules.
7 45 CFR 160.104.
These developments in the legal environment increase the potential for uses or disclosures about an individual’s reproductive health to undermine access to and the quality of health care generally. Some states have already imposed criminal, civil, or administrative liability for, or created private rights of action against, individuals who obtain certain reproductive health care, including pregnancy termination; the health care providers who furnish such reproductive health care; or other persons who facilitate the furnishing or receipt of certain reproductive health care.10 Other states may follow suit in the future. And in yet other states, law enforcement agencies may attempt to use general criminal laws to prosecute individuals for seeking or obtaining such reproductive health care.11 After Dobbs, the Department has heard concerns that civil, criminal, or administrative investigations or proceedings have been instituted or threatened on the basis of reproductive health care that is lawful under the circumstances in which it is provided. The threat that PHI will be obtained and used in such an investigation or proceeding is likely to chill individuals’ willingness to seek lawful treatment or to provide full information to their health care providers when obtaining that treatment.

A positive, trusting relationship between individuals and their health care providers is essential to an individual’s health and well-being.12 The prospect of releasing highly sensitive PHI can result in medical mistrust and the deterioration of the confidential, safe environment that is necessary to quality health care, a functional health care system, and the public’s health generally.13 That is even more true in the context of reproductive health care, given the potential for stigmatization and other adverse consequences to individuals resulting from disclosures they do not want or expect.14 Experience shows that medical mistrust—especially in vulnerable communities that have been negatively affected by historical and current health care disparities 15—can create damaging and chilling effects on individuals’ willingness to seek appropriate and lawful care for medical conditions that can worsen without treatment.16 If individuals believe that their PHI may be disclosed without their knowledge or consent to initiate criminal, civil, or administrative investigations or proceedings against them or others based primarily upon their receipt of lawful reproductive health care, they are likely to be less open, honest, or forthcoming about their symptoms and medical history. As a result, individuals may refrain from sharing critical information with their health care providers, regardless of whether they are seeking reproductive health care that is lawful under the circumstances in which it is provided. For instance, an individual who has obtained a lawful abortion in one state may fear receiving emergency care in a state where abortion is unlawful because providing information to a health care provider in such a state could place them into legal jeopardy, even if that information is relevant to the immediate health emergency. If an individual believes they cannot be honest about their health history, the health care provider cannot conduct an appropriate health assessment to reach a sound diagnosis and recommend the best course of action for that individual. Heightened confidentiality and privacy protections enable an individual to develop a trust-based relationship with their health care provider and to be open and honest with their health care provider. That health care provider is then more likely to provide a correct diagnosis and aid the individual in making informed treatment decisions.

Similarly, if a health care provider believes that an individual’s highly sensitive PHI is likely to be disclosed without the individual’s or the health care provider’s knowledge or consent in connection with a criminal, civil, or administrative investigation or proceeding against the individual, their health care provider, or others primarily because of the type of health care the individual received or sought, the health care provider is more likely to omit information about an individual’s medical history or condition, leave gaps, or include inaccuracies when preparing the individual’s medical records. And if an individual’s medical records lack complete information about the individual’s health history, a subsequent health care provider may not be able to conduct an appropriate health assessment to reach a sound diagnosis and recommend the best course of action for the individual. Alternatively, a health care provider may even withhold from an individual full and complete information about their treatment options because of liability fears stemming from concerns about the level of privacy afforded to PHI.17 Heightened confidentiality and privacy protections enable a health care provider to feel confident maintaining full and complete medical records. With complete medical records, an individual is more likely to receive appropriate ongoing or future health care, including correct diagnoses, and obtain appropriate guidance, empowering the individual in making informed treatment decisions. This further enables the individual to access lawful health care—and health care providers to practice medicine—in an environment that promotes social, environmental, mental, and physical wellness.

8 597 U.S. __, 142 S. Ct. 2228 (2022) (No. 19–1392) (June 24, 2022).
9 See National Committee on Vital and Health Statistics (NCVHS or “Committee”) discussion below, section II.A.1., expressing concern for harm caused by disclosing identifiable health information for non-health care purposes.
10 See, e.g., S.C. Code Ann. sec. 44–41–80(b), NRS 200.220, Tex. Health & Safety Code Ann. sec. 171.208 (2021); 63 OK Stat sec. 1–745.34–35 (2022). See also Abortion Policy Tracker, Kaiser Family Foundation (Jan. 20, 2023), https://www.kff.org/other/state-indicator/abortion-policy-tracker/?currentTimeframe=0&sortModel=%7B%22colId%22:%22Location%22,%22sort%22:%22asc%22%7D.
11 See Laura Huss, Farah Diaz-Tello, Goleen Samari, “Self-Care, Criminalized: August 2022 Preliminary Findings,*” If/When/How: Lawyering for Reproductive Justice (2022), https://www.ifwhenhow.org/resources/self-carecriminalized-preliminary-findings/; Caroline Kitchener and Ellen Francis, “Talk of prosecuting women for abortion pills roils antiabortion movement,” The Washington Post (Jan. 11, 2023), https://www.washingtonpost.com/nation/2023/01/11/alabama-abortion-pills-prosecution/.
12 See Fallon E. Chipidza, Rachel S. Wallwork, Theodore A. Stern, “Impact of the Doctor-Patient Relationship,” The Primary Care Companion for CNS Disorders (Oct. 2015), https://www.psychiatrist.com/pcc/delivery/patientphysician-communication/impact-doctor-patientrelationship/.
13 See, e.g., Kim Bellware, “Doctor says she shouldn’t have to turn over patients’ abortion records,” The Washington Post (Nov. 19, 2022), https://www.washingtonpost.com/politics/2022/11/19/caitlin-bernard-rokita-lawsuit/ (citing the testimony of pediatric bioethics expert Kyle Brothers about the potential negative effects requests for this type of sensitive medical record could have on individuals: “This kind of disclosure, especially for a minor, is just heartbreaking.”). See also Eric Boodman, “In a doctor’s suspicion after a miscarriage, a glimpse of expanding medical mistrust,” STAT News (June 29, 2022), https://www.statnews.com/2022/06/29/doctor-suspicion-after-miscarriage-glimpse-ofexpanding-medical-mistrust/ (Sarah Prager, professor of obstetrics and gynecology at the University of Washington, said that it’s a bad precedent if clinical spaces become unsafe for patients because “[a health care provider’s] ability to take care of patients relies on trust, and that will be impossible moving forward.”).
14 See Letter from NCVHS Chair Simon P. Cohn to HHS Secretary Michael O. Leavitt (Feb. 20, 2008) (listing categories of health information that are commonly considered to contain sensitive information), p. 5, https://ncvhs.hhs.gov/wpcontent/uploads/2014/05/080220lt.pdf.
15 See Lisa P. Oakley, Marie Harvey, Daniel F. Lopez-Cevallos, “Racial and Ethnic Discrimination, Medical Mistrust, and Satisfaction with Birth Control Services among Young Adult Latinas,” Women’s Health Issues (July–August 2018), p. 313, https://www.sciencedirect.com/science/article/abs/pii/S1049386717305443; and Cynthia Prather, Taleria R. Fuller, Khiya J. Marshall, et al., “The Impact of Racism on the Sexual and Reproductive Health of African American Women,” Journal of Women’s Health (July 2016), p. 664, https://www.liebertpub.com/doi/abs/10.1089/jwh.2015.5637.
16 See Texas Maternal Mortality and Morbidity Review Committee and Department of State Health Services Joint Biennial Report 2022, Texas Department of State Health Services (Dec. 2022), p. 41, https://www.dshs.texas.gov/sites/default/files/legislative/2022-Reports/Joint-Biennial-MMMRCReport-2022.pdf.
Furthermore, an individual’s lack of trust in their health care provider to maintain the confidentiality of the individual’s most sensitive medical information and a lack of trust in the medical system more generally may have significant repercussions for the public’s health more generally. Individuals who are not candid with their health care providers about their reproductive health care may also withhold information about other matters that have public health implications, such as sexually transmitted infections or vaccinations.18

When proposing the initial Privacy Rule, the Department described its policy choices as being motivated to develop and maintain a relationship of trust between individuals and health care providers. “A fundamental assumption of this regulation is that the greatest benefits of improved privacy protection will be realized in the future as patients gain increasing trust in health care practitioner’s ability to maintain the confidentiality of their health information.” 19 The Department also described the benefits of increasing individuals’ access to their own health care information in the development and maintenance of that trust. Providing individuals with “[o]pen access to [their] health information can benefit both the individuals and the covered entities. [ . . . ] It can increase communication, thereby enhancing individuals’ trust in their health care providers and increasing compliance with the providers’ instructions.” 20 The Department reiterated this need for trust between individuals and health care providers in the 2000 Privacy Rule, noting that “[t]he provision of high-quality health care requires the exchange of personal, often-sensitive information between an individual and a skilled practitioner. Vital to that interaction is the patient’s ability to trust that the information shared will be protected and kept confidential.” 21 As the Department also stated, “[h]ealth care professionals who lose the trust of their patients cannot deliver high-quality care.” 22 However, the Department also noted that the policy choices it made when issuing the 2000 Privacy Rule were a result of balancing the interests of the individual in the privacy of their PHI with the interests of society in disclosures of PHI for non-health care purposes. Thus, the 2000 Privacy Rule included permissions for regulated entities to disclose PHI under certain conditions for judicial and administrative proceedings and law enforcement purposes. As the Department explained at that time, “Individuals’ right to privacy in information about themselves is not absolute.

17 See Brief for Zurawski at p. 10, Zurawski v. State of Texas (No. D–1–GN–23–000968) (W.D. Tex. 2023) (stating that “[i]n every interaction with their medical team in Texas, Lauren M. and her husband felt confused and frustrated and could not get direct answers,” and that “[i]t was apparent that their doctors, nurses, and counselors were all fearful of speaking directly and openly about abortion for fear of liability under Texas’s abortion bans.”).
18 See Letter from NCVHS Chair Simon P. Cohn to HHS Secretary Michael O. Leavitt (June 22, 2006), p. 2 (with forwarded NCVHS recommendations, “Individual trust in the privacy and confidentiality of their personal health information also promotes public health, because individuals with potentially contagious or communicable diseases are not inhibited from seeking treatment.”), https://ncvhs.hhs.gov/rrp/june-22-2006-letter-to-the-secretaryrecommendations-regarding-privacy-andconfidentiality-in-the-nationwide-healthinformation-network/.
It does not, for instance, prevent reporting of public health information on communicable diseases or stop law enforcement from getting information when due process has been observed.” 23

The proposed modifications to the Privacy Rule in this NPRM directly advance the purposes of HIPAA. From their inception, the Department’s regulations implementing the statute have sought to ensure that individuals do not forgo lawful health care when needed—or withhold important information from their health care providers that may affect the quality of health care they receive—out of a fear that their sensitive information would be revealed outside of their relationships with their health care providers. In the past, the Department generally has applied the same privacy standards to nearly all PHI, regardless of the type of health care at issue. But the Department has also recognized that some forms of PHI may be particularly sensitive and thus may warrant heightened protections. For example, the Department has accorded “special protections” to psychotherapy notes under the Privacy Rule, owing in part to the “particularly sensitive information” those notes contain.24 Many individuals regard information about their reproductive health as highly private and personal. That information is likely to come up in a wide variety of encounters between individuals and their health care providers, including routine physicals, gynecological examinations, and a range of other encounters that do not involve an individual’s effort to obtain health care, such as an abortion, that is illegal under some post-Dobbs state laws.

19 See 64 FR 59918, 60006 (Nov. 3, 1999).
20 See 64 FR 59980.
21 See 65 FR 82462, 82463 (Dec. 28, 2000).
22 See 65 FR 82468.
23 65 FR 82464.
However, if individuals do not trust that their health care providers will keep their sensitive information private, they may withhold important health information from their health care providers, leading to incomplete and inaccurate medical records and potentially substandard health care. Some individuals may refrain from or defer obtaining necessary health care, which could lead to worse health outcomes and exacerbate health disparities.25 Others may withhold aspects of their medical history from their health care providers, which could impede the ability of health care professionals to make fully informed medical judgments and provide full and complete information about treatment options. Similarly, health care providers may omit information about an individual’s medical history or condition, or leave gaps or include inaccuracies, when preparing medical records, out of fear that the individual’s PHI is likely to be disclosed without the individual’s or the health care provider’s knowledge or consent for use in criminal or civil proceedings against the individual, their health care provider, or others. In so doing, they increase the risk that the individual will receive substandard ongoing or future health care. Regardless of how it occurs, the result is substandard health care and worse health outcomes. Such deferrals or avoidance of lawful health care are not only problematic for individuals’ health, but they are also problematic for public health. As discussed in greater detail below, the objective of public health is to protect and improve the health of people and their communities. Barriers that undermine the willingness of individuals to seek lawful health care in a timely manner or to provide complete and accurate health information to their health care providers undermine the overall objective of public health. 
Thus, based on the longstanding purposes of HIPAA, there is a compelling need to provide additional protections to this especially sensitive category of information. Following the Dobbs decision in 2022, laws enacted or effective in a number of states 26 raised the prospect that highly sensitive PHI would be disclosed under circumstances that did not exist before the Supreme Court’s decision, generating significant confusion for individuals, health care providers, family, friends, and caregivers regarding their ability to privately seek, obtain, provide, or facilitate health care. The Department has received questions from regulated entities, Members of Congress, and others about the state of privacy protections, particularly for information about an individual’s reproductive health or about reproductive health care an individual may have received. While the Department has already taken steps to address some of the confusion,27 we have received additional inquiries and reports that indicate further clarification is needed to resolve this confusion and strengthen privacy protections. In light of this confusion, the Department believes that there is a need to reaffirm and clarify that maintaining the privacy of an individual’s PHI is important to providing high-quality health care. To do so, the Department believes it is necessary to provide heightened protections for another especially sensitive category of health information—PHI sought for the purposes of conducting a criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided. These proposed modifications would provide heightened protections for individuals’ health information privacy under the defined circumstances; foster an open and honest exchange of information between the individual and health care provider, who—with that information—could employ evidence-based clinical practice guidelines; and increase access to high-quality, lawful health care. The Department has determined, in accordance with other Federal agencies, that information about reproductive health care is particularly sensitive and requires heightened protections.

24 The special protections for psychotherapy notes and the Department’s rationale for them are discussed at greater length in section III of this preamble.
25 See Jessica Winter, “The Dobbs Decision Has Unleashed Legal Chaos for Doctors and Patients,” The New Yorker (July 2, 2022) (Chloe Akers, a criminal defense attorney in Tennessee, discussing agencies authorized to investigate offenses related to abortion: “[t]hat leads to a serious concern about privacy at ob-gyn offices and for other health-care providers.”), https://www.newyorker.com/news/news-desk/the-dobbs-decision-has-unleashed-legalchaos-for-doctors-and-patients.
26 See “After Roe Fell: Abortion Laws by State,” Center for Reproductive Rights (updated in real time) (describing actions taken by states, including that “some states and territories never repealed their pre-Roe abortion bans” that have now gone into effect.), https://reproductiverights.org/maps/abortion-laws-by-state/.
27 See Press Release, “HHS Issues Guidance to Protect Patient Privacy in Wake of Supreme Court Decision on Roe,” U.S. Dep’t of Health and Human Servs. (June 29, 2022), https://www.hhs.gov/about/news/2022/06/29/hhs-issues-guidance-to-protectpatient-privacy-in-wake-of-supreme-court-decisionon-roe.html.
For example, the Federal Trade Commission (FTC) has recognized that information related to personal reproductive matters is ‘‘particularly sensitive.’’ 28 In business guidance, FTC staff explained that ‘‘[t]he exposure of health information and medical conditions, especially data related to sexual activity or reproductive health, may subject people to discrimination, stigma, mental anguish, or other serious harms.’’ 29 As a result, the FTC has committed to using the full scope of its authorities to protect consumers’ privacy, including the privacy of their health information and other sensitive data.30 The Department of Defense (DOD) has also recognized such privacy concerns. In a memorandum to DOD leaders, the Secretary of Defense directed the DOD to ‘‘[e]stablish additional privacy protections for reproductive health care information’’ for service members and ‘‘[d]isseminate guidance that directs Department of Defense health care providers that they may not notify or disclose reproductive health information to commanders unless this presumption is overcome by specific exceptions set forth in policy.’’ 31 The 28 Kristin Cohen, ‘‘Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data,’’ Federal Trade Commission Business Blog (July 11, 2022), https://www.ftc.gov/ business-guidance/blog/2022/07/location-healthand-other-sensitive-information-ftc-committedfully-enforcing-law-against-illegal (last accessed Nov. 15, 2022). 29 Id. 30 Id. 31 Memorandum Re: Ensuring Access to Reproductive Health Care, Dep’t of Defense (Oct. 
VerDate Sep<11>2014 17:22 Apr 14, 2023 Jkt 259001 guidance repeatedly emphasizes not only the importance of privacy for such highly sensitive information but also the importance of privacy in making highly sensitive reproductive health care decisions.32 The Department recognizes that the need for heightened protections for highly sensitive PHI is now more acute than it was before, given the actions taken by states to regulate, and even criminalize, reproductive health care.33 Before the Supreme Court’s decision, the range of circumstances in which persons attempted to seek or use highly sensitive PHI in criminal, civil, and administrative investigations or proceedings in connection with the provision of reproductive health care was much narrower. The general HIPAA privacy protections provided the necessary trust to promote access to and receipt of high-quality and lawful health care in that environment. As states take steps to more broadly regulate reproductive health care, some individuals and their health care providers are at greater risk and have increased fear that especially sensitive PHI detailing the individual’s need for, or receipt of, lawful reproductive health care will be used or disclosed without their knowledge or consent.34 The Department carefully analyzed state prohibitions or restrictions on an individual’s ability to obtain health care and the effects on health information privacy, access to high-quality health care, and the relationships between individuals and their health care providers after Dobbs; and conducted a thorough review of the history and text of HIPAA and the Privacy Rule. 
The Department has also engaged in extensive discussions with HHS agencies and other Federal departments, including the Department of Justice; examined media reports on state activity affecting privacy protections for reproductive health information; held listening sessions with and reviewed correspondence from stakeholders, including covered entities, requesting technical assistance from the Department and urging the Department to clarify and strengthen privacy protections for PHI; and reviewed correspondence to HHS from Members of Congress who have urged the same. The proposals contained within this NPRM are the result of this work. 20, 2022), p. 1, (emphasis in original), https:// media.defense.gov/2022/Oct/20/2003099747/-1/-1/ 1/MEMORANDUM-ENSURING-ACCESS-TOREPRODUCTIVE-HEALTH-CARE.PDF. 32 Id. 33 See ‘‘Talk of prosecuting women for abortion pills roils antiabortion movement,’’ supra note 11. 34 Id. PO 00000 Frm 00006 Fmt 4701 Sfmt 4702 B. Applicability The effective date of a final rule would be 60 days after publication.35 Regulated entities would have until the ‘‘compliance date’’ to establish and implement policies and practices to achieve compliance with any new or modified standards. Except as otherwise provided, 45 CFR 160.105 provides that regulated entities must comply with the applicable new or modified standards or implementation specifications no later than 180 days from the effective date of any such change. The Department has previously noted that the 180-day general compliance period for new or modified standards would not apply where a different compliance period is provided in the regulation for one or more provisions.36 However, the compliance period cannot be less than the statutory minimum of 180 days.37 The Department does not believe that the proposed rule would pose unique implementation challenges that would justify an extended compliance period (i.e., a period longer than the standard 180 days provided in 45 CFR 160.105). 
Further, the Department believes that adherence to the standard compliance period is necessary to timely address the circumstances described in this NPRM. Thus, the Department proposes to apply the standard compliance date of 180 days after the effective date of a final rule.38 The Department seeks comment on this time frame for compliance. If any provision in this rulemaking is held to be invalid or unenforceable facially, or as applied to any person, plaintiff, or circumstance, the provision shall be severable from the remainder of this rulemaking, and shall not affect the remainder thereof, and the invalidation of any specific application of a provision shall not affect the application of the provision to other persons or circumstances.

35 See Office of the Federal Register, A Guide to the Rulemaking Process (2011), p. 8, https://www.federalregister.gov/uploads/2011/01/the_rulemaking_process.pdf.

36 See 78 FR 5566, 5569 (Jan. 25, 2013).

37 See 42 U.S.C. 1320d–4(b)(2).

38 See 45 CFR 160.104(c)(1), which requires the Secretary to provide at least a 180-day period for covered entities to comply with modifications to standards and implementation specifications in the HIPAA Rules.

C. Table of Abbreviations/Commonly Used Acronyms in This Document

As used in this preamble, the following terms and abbreviations have the meanings noted below.

Term ................ Meaning
AMA ................ American Medical Association.
BLS ................. Bureau of Labor Statistics.
CDC ................ Centers for Disease Control and Prevention.
DOD ................ Department of Defense.
HHS or Department ... U.S. Department of Health and Human Services.
EHR ................ Electronic Health Record.
E.O. ................ Executive Order.
FTC ................. Federal Trade Commission.
GINA ............... Genetic Information Nondiscrimination Act of 2008.
Health IT .......... Health Information Technology.
HITECH Act ..... Health Information Technology for Economic and Clinical Health Act of 2009.
HIPAA ............. Health Insurance Portability and Accountability Act of 1996.
ICR ................. Information Collection Request.
IIHI ................. Individually Identifiable Health Information.
NCVHS or Committee ... National Committee on Vital and Health Statistics.
NPP ................ Notice of Privacy Practices.
NPRM ............. Notice of Proposed Rulemaking.
OCR ................ Office for Civil Rights.
OMB ................ Office of Management and Budget.
PDF ................. Portable Document Format.
PHI .................. Protected Health Information.
PRA ................. Paperwork Reduction Act of 1995.
PSAO .............. Pharmacy Services Administration Organization.
RFA ................. Regulatory Flexibility Act.
RIA .................. Regulatory Impact Analysis.
SBA ................. Small Business Administration.
SSA ................. Social Security Act of 1935.
UMRA ............. Unfunded Mandates Reform Act of 1995.
VA ................... Department of Veterans Affairs.

II. Statutory Authority and Regulatory History

A. Statutory Authority and History

1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)

In 1996, Congress enacted HIPAA 39 to reform the health care delivery system. In so doing, Congress intended to make health insurance more portable and accessible for consumers, to improve its quality, and to simplify its administration.40 As noted by a leading proponent of the bill during final debate leading up to passage of the law, ‘‘[o]ur objective, then, is to initiate fundamental reforms in access to health care without doing irreversible harm to quality, research and technology.’’ 41 At the time, the health care system was moving from paper-based to electronic medical records. Congress recognized the need to reduce the burden of the transition on health care providers, encourage health care provider adoption of technology by addressing concerns for potential liability for use of new systems, and ensure patient confidentiality of electronic data to foster trust in health care providers and support patient access to health care.42 Congressional statements leading up to HIPAA’s enactment demonstrate Congress’ desire that the law enhance individuals’ trust in health care providers: ‘‘The bill would also establish strict security standards for health information because Americans clearly want to make sure that their health care records can only be used by the medical professionals that treat them. Often we assume that because doctors take an oath of confidentiality that in fact all who touch their records operate by the same standards. Clearly they do not.’’ 43 To address these needs, Congress enacted HIPAA’s Administrative Simplification provisions 44 in subtitle F, sections 261 through 264, which contained requirements for standards to support the electronic exchange of health information. Section 261 states, in part, that ‘‘[i]t is the purpose of this subtitle to improve [ . . . ] the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information [ . . . ].’’ 45 HIPAA protects individuals’ health information in various ways.

Congress prohibited, among other things, the disclosure of ‘‘individually identifiable health information to another person’’ 46 and provided for severe penalties for violations, including prison sentences of up to 10 years and monetary fines of up to $250,000.47 Congress also put in place numerous protections for the privacy of individuals’ health information and directed HHS to promulgate rules, recognizing the importance of standards for security and privacy in the developing electronic environment, when Congress did not enact detailed privacy requirements within a specified period.48 HIPAA’s preemption provisions reflect Congress’ intent to protect individuals’ health care privacy.

39 See HIPAA, supra note 1.

40 See H. Rept. 104–736, 104th Cong. (1996) at 177. See also 142 Cong. Rec. H3038 (daily ed. Mar. 28, 1996), (statement of Rep. McDermott) (speaking about how privacy protection is essential to improving health care quality, one of the purposes of the H.R. 3103, Health Coverage Availability and Affordability Act of 1996, the precursor to HIPAA); 142 Cong. Rec. H9568 (daily ed. Aug. 1, 1996) (statement of Rep. Ganske).

41 See 142 Cong. Rec. S9505 (daily ed. Aug. 2, 1996) (statement of Sen. Roth).

42 See H.Rept. 104–736 at 177 and 264, supra note 40. See also 142 Cong. Rec. H9780 (daily ed., No. 116 Part II, Aug. 1, 1996) (statement of Rep. Sawyer); 142 Cong. Rec. H9792 (daily ed. Aug. 1, 1996) (statement of Rep. McDermott); and 142 Cong. Rec. S9515–16 (daily ed. Aug. 2, 1996) (statement of Sen. Simon).

43 142 Cong. Rec. H9780 (statement of Rep. Sawyer), supra note 42.

44 See HIPAA, supra note 1.

45 42 U.S.C. 1320d note (Statutory Notes and Related Subsidiaries: Purpose). Subtitle F also amended related provisions of the SSA.
The statute provides a ‘‘[g]eneral rule’’ that, with certain exceptions, HIPAA’s provisions ‘‘supersede any contrary provision of State law.’’ 49 One exception to HIPAA’s preemption provisions is for ‘‘state privacy laws that are contrary to and more stringent than the corresponding federal standard, requirement, or implementation specification.’’ 50 ‘‘The effect of these provisions is to let the law that is most protective of privacy control.’’ 51 Thus, HIPAA created privacy standards that safeguard the health information of all Americans, while respecting the ability of states to provide individuals with additional privacy protection. The Conference Report resolving differences in House and Senate bill language provides further evidence that Congress gave great weight to the need for privacy standards that adequately protect individual health information privacy at a Federal level but allow for greater health information privacy protection by states. Congressional references to ‘‘rapidly’’ progressing technological innovation 52 and the need to balance the privacy interests of individuals and the benefits of sharing data in certain circumstances (e.g., sharing IIHI for treatment or aggregated data for research 53) demonstrate that Congress considered that health care reform would require a carefully calibrated and appropriate method for exchanging data.

46 42 U.S.C. 1320d–6(a).

47 42 U.S.C. 1320d–6(b).

48 See, e.g., 42 U.S.C. 1320a–7c(a)(3)(B)(ii) (creating a fraud and abuse control program with measures to protect, among other things, the confidentiality of the information and the privacy of individuals receiving health care services and items.); H.Rept. 104–736 at 242, supra note 40 (explaining that such program ‘‘would ensure the confidentiality of information [ . . . ] as well as the privacy of individuals receiving health care services’’); 42 U.S.C. 1320a–7e(b)(3) (creating a health care fraud and abuse data collection program with procedures to assure the protection of the privacy of individuals receiving health care services.); H.Rept. 104–736 at 252, supra note 40 (explaining that such program would ‘‘protect the privacy of individuals receiving health care services’’); section 264(a) of Public Law 104–191, (codified at 42 U.S.C. 1320d–2 note) (requiring the Secretary of HHS to submit recommendations on privacy standards for individually identifiable health information); section 264(c) of Public Law 104–191, (codified at 42 U.S.C. 1320d–2 note) (requiring the Secretary to issue regulations containing such privacy standards if Congress does not); H.Rept. 104–736 at 265, supra note 40 (recognizing that ‘‘certain uses of individually identifiable information are appropriate, and do not compromise the privacy of an individual[,]’’ such as ‘‘the transfer of information when making referrals from primary care to specialty care’’).

49 42 U.S.C. 1320d–7(a)(1) (providing the general rule that, with limited exceptions, a provision or requirement under HIPAA supersedes any contrary provision of state law.) See also section 264(c)(2) of Public Law 104–191 (codified at 42 U.S.C. 1320d–2 note).

50 65 FR 82580 (the exception applies under section 1178(a)(2)(B) of the SSA and section 264(c)(2) of HIPAA).

51 Id.
Similarly, congressional deliberations demonstrate that Congress viewed individual privacy, confidentiality, and data security as critical for orderly administrative simplification.54 As noted by one Member of Congress, privacy standards would add an additional layer of protection beyond the oath pledged by health care providers to keep information secure and, as described by another Member, would further protect information from being used in a ‘‘malicious or discriminatory manner.’’ 55 Congress applied the Administrative Simplification provisions directly to three types of entities known as ‘‘covered entities’’—health plans, health care clearinghouses, and health care providers who transmit information electronically in connection with a transaction for which HHS has adopted a standard.56 Congress also required the Secretary, no later than 12 months from the date of enactment, to identify ‘‘detailed’’ recommendations for Federal standards to protect the privacy and security of IIHI nationwide addressing, at least, (1) the rights that an individual who is a subject of IIHI should have; (2) the procedures that should be established for the exercise of such rights; and (3) the uses and disclosures of such information that should be authorized or required. Congress further directed the Secretary to promulgate standards to govern the privacy of information no later than 42 months after HIPAA’s enactment if Congress itself had not done so via additional legislation.57 HIPAA section 264(d) required the Secretary to consult with the Department’s National Committee on Vital and Health Statistics (NCVHS) 58 in carrying out the requirements of section 264.59 Like Congress, NCVHS considered the appropriateness of permitting identifiable health information to be used for certain purposes and not others and requiring ‘‘substantive and procedural barriers’’ for still others. For example, NCVHS recommended that ‘‘strong substantive and procedural protections’’ be imposed if health information were to be disclosed to law enforcement, and, where identifiable health information would be made available for non-health purposes, individuals should be afforded assurances that their data would not be used against them.60 Ultimately, NCVHS ‘‘unanimously’’ believed, ‘‘[ . . . ] the Secretary and the Administration [should] assign the highest priority to the development of a strong position on health privacy that provides the highest possible level of protection for the privacy rights of patients.’’ 61 NCVHS further noted that failure to do so would ‘‘undermine public confidence in the health care system, expose patients to continuing invasions of privacy, subject record keepers to potentially significant legal liability, and interfere with the ability of health care providers and others to operate the health care delivery and payment system in an effective and efficient manner,’’ which would undermine what Congress intended when it enacted HIPAA.62 The NCVHS explicitly stated that:

The Committee strongly supports limiting use and disclosure of identifiable information to the minimum amount necessary to accomplish the purpose. The Committee also strongly believes that when identifiable health information is made available for nonhealth uses, patients deserve a strong assurance that the data will not be used to harm them.63

NCVHS acknowledged that secondary uses of individuals’ health information could provide benefits to society but recognized that these uses posed the potential for harm to individuals in certain circumstances. As NCVHS described it, ‘‘[a] restriction prohibiting secondary use against the record subject is an essential part of the ‘bargain’ that allows use of the data for socially beneficial purposes while protecting individual patients.’’ 64 Thus, NCVHS strongly recommended restrictions of the ability of third parties to use information against the individual for purposes unrelated to health, particularly for law enforcement and other governmental purposes. In its recommendations, NCVHS acknowledged that there might be difficulty in distinguishing between categories of users, but it also recognized the importance of doing so.65 NCVHS recommended that ‘‘any rules regulating disclosures of identifiable health information be as clear and as narrow as possible. Each group of users must be required to justify their need for health information and must accept reasonable substantive and procedural limitations on access.’’ 66 This would allow for the disclosures that society deemed necessary and appropriate while providing individuals with clear expectations regarding their health information privacy.

52 See H.Rept. 104–736 at 270, supra note 40. See also South Carolina Med. Ass’n v. Thompson, 327 F.3d 346, 354 (4th Cir. 2003) (‘‘Recognizing the importance of protecting the privacy of health information in the midst of the rapid evolution of health information systems, Congress passed HIPAA in August 1996.’’), cert. denied, 540 U.S. 981 (2003).

53 See H.Rept. 104–736 at 265, supra note 40.

54 On a resolution waiving points of order against the Conference Report to H.R. 3103, members debated an ‘‘erosion of privacy’’ balanced against the administrative simplification provisions. See 142 Cong. Rec. H9777 and H9780, supra note 42.

55 See comment from Rep. Sawyer, supra note 42. See also statement of Sen. Simon, supra note 42.

56 See section 262 of Public Law 104–191, adding section 1172 to the SSA (codified at 42 U.S.C. 1320d–1). See also section 13404 of the American Recovery and Reinvestment Act of 2009, Public Law 111–5, 123 Stat. 115 (Feb. 17, 2009) (codified at 42 U.S.C. 17934) (applying privacy provisions and penalties to business associates of covered entities).

57 See section 264 of Public Law 104–191 (codified at 42 U.S.C. 1320d–2 note). Although the original regulations were enacted in 2001, more than 42 months from HIPAA’s enactment, ‘‘HHS’s delay in promulgating the final Privacy Rule did not deprive the agency of the power to act.’’ Ass’n of Am. Physicians & Surgeons, Inc. v. HHS, 224 F. Supp. 2d 1115, 1127 (S.D. Tex. 2002), aff’d, 67 F. App’x 253 (5th Cir. 2003) (noting that HHS’s delay, ‘‘particularly in the face of huge administrative burdens . . . do[es] not result in the invalidation of HHS’s authority to promulgate the Privacy Rule’’) (citing Regions Hospital v. Shalala, 522 U.S. 448, 459 n.2 (1998); Brock v. Pierce Cnty., 476 U.S. 253, 260 (1986)).

58 See section 264(a) and (d) of Public Law 104–191 (codified at 42 U.S.C. 1320d–2 note). The law also required the Secretary to consult with the U.S. Attorney General.

59 42 U.S.C. 242k(k) established the NCVHS as an 18-member committee within the Office of the Secretary. The statute requires the committee to include persons with expertise in the following fields: health statistics, electronic interchange of health care information, privacy and security of electronic information, population-based public health, purchasing or financing health care services, integrated computerized health information systems, health services research, consumer interests in health information, health data standards, epidemiology, and the provision of health services. NCVHS committee members are appointed to serve four-year terms. NCVHS serves as the statutory public advisory body to the Secretary ‘‘for health data, statistics, privacy, and national health information policy and the Health Insurance Portability and Accountability Act.’’ In addition, the Committee advises the Secretary, ‘‘reports regularly to Congress on HIPAA implementation, and serves as a forum for interaction between HHS and interested private sector groups on a range of health data issues.’’ National Comm. on Vital and Health Statistics, About NCVHS, https://ncvhs.hhs.gov/.

60 Letter from NCVHS Chair Don E. Detmer to HHS Secretary Donna E. Shalala (June 27, 1997) (forwarding NCVHS recommendations), https://ncvhs.hhs.gov/rrp/june-27-1997-letter-to-the-secretary-with-recommendations-on-health-privacy-and-confidentiality/.

61 Id. at Principal Findings and Recommendations.

62 Id.

63 Id. at Executive Summary.

64 Id. at E.

65 Id. at F.

2. The Health Information Technology for Economic and Clinical Health (HITECH) Act

On February 17, 2009, Congress enacted the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) 67 to promote the widespread adoption and standardization of health information technology (health IT). In passing the law, Congress instructed that any new health IT standards take into account the privacy and security requirements of the HIPAA Rules.68 Within the HITECH Act, Congress enacted new HIPAA privacy and security requirements for covered entities and business associates and expanded certain rights of individuals with respect to their PHI.
The HITECH Act affirmed that ‘‘[t]he standards governing the privacy and security of individually identifiable health information promulgated by the Secretary under sections 262(a) and 264’’ of HIPAA ‘‘shall remain in effect to the extent that they are consistent with this subtitle’’ and directed the Secretary to ‘‘amend such Federal regulations as required to make such regulations consistent with this subtitle.’’ 69 The HITECH Act further provided that ‘‘[t]his title may not be construed as having any effect on the authorities of the Secretary under HIPAA privacy and security law,’’ defined to include ‘‘section 264 of the [HIPAA]’’ and ‘‘regulations under [that] provision[ ].’’ 70 Congress understood the relationship between a connected health IT landscape, a necessary and vital component of health care reform,71 and privacy and security standards when it enacted the HITECH Act.

66 Id.

67 Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, Public Law 111–5, 123 Stat. 115 (Feb. 17, 2009) (codified at 42 U.S.C. 201 note).

68 Section 3009(a)(1)(B) of the HITECH Act (codified at 42 U.S.C. 300jj–19(a)(1)) requires that the health IT standards and implementation specifications adopted under section 3004 take into account the requirements of HIPAA privacy and security law.

69 Section 13421(b) of the HITECH Act (codified at 42 U.S.C. 17951).

70 Section 3009(a) of the HITECH Act (codified at 42 U.S.C. 300jj–19(a)), which, as stated above, preserves the Secretary’s authority to modify the privacy regulations under 45 CFR 160.104(a).
The Purpose statement of an accompanying House of Representatives report 72 on the Energy and Commerce Recovery and Reinvestment Act 73 recognizes that ‘‘[i]n addition to costs, concerns about the security and privacy of health information have also been regarded as an obstacle to the adoption of [health IT].’’ The Senate Report for S. 336 74 similarly acknowledges that ‘‘[i]nformation technology systems linked securely and with strong privacy protections can improve the quality and efficiency of health care while producing significant cost savings.’’ 75 As the Department explained in the 2013 regulation referred to as the ‘‘Omnibus Rule’’ 76 and discussed in greater detail below, the HITECH Act’s new HIPAA privacy and security requirements 77 supported Congress’ goal to promote widespread adoption and interoperability of health IT by ‘‘strengthen[ing] the privacy and security protections for health information established by HIPAA.’’ 78

71 C. Stephen Redhead, ‘‘The Health Information Technology for Economic and Clinical Health (HITECH) Act,’’ Congressional Research Service (updated Apr. 27, 2009), https://crsreports.congress.gov/product/pdf/R/R40161/9 (‘‘[Health IT], which generally refers to the use of computer applications in medical practice, is widely viewed as a necessary and vital component of health care reform.’’).

72 H.Rept. 111–7, accompanying H.R. 629, 111th Cong., at 74 (2009).

73 H.R. 629, Energy and Commerce Recovery and Reinvestment Act of 2009, introduced in the House on January 22, 2009, contained nearly identical provisions to subtitle D of the HITECH Act.

74 Congress enacted the American Recovery and Reinvestment Act of 2009, which included the HITECH Act, on February 17, 2009. While it was the House version of the bill, H.R. 1, that was enacted, the Senate version, S. 336, contained nearly identical provisions to subtitle D of the HITECH Act.

75 S.Rept. 111–3, 111th Cong. accompanying S. 336, 111th Cong., at 59 (2009).

76 78 FR 5566.

77 Subtitle D of title XIII of the HITECH Act (codified at 42 U.S.C. 17921, 42 U.S.C. 17931–17941, and 42 U.S.C. 17951–17953).

78 78 FR 5568.

B. Rulemaking Authority and Regulatory History

1. The Department’s Rulemaking Authority Under HIPAA

In passing HIPAA, Congress recognized the importance of privacy for IIHI by requiring the Secretary to issue regulations on privacy in the event that Congress itself did not enact specific privacy legislation.79 That statutory directive complemented the Secretary’s general rulemaking authority to ‘‘make and publish such rules and regulations, not inconsistent with this chapter, as may be necessary to the efficient administration of the functions with which each is charged under this chapter.’’ 80 Congress further contemplated that related rulemaking authorities would not be static. Indeed, in a closely analogous section of the HIPAA Administrative Simplification provisions—related to enabling the electronic exchange of health information—Congress built in a mechanism to adapt such regulations as technology and health care evolve, directing that the Secretary review and modify the Administrative Simplification standards as determined appropriate, but not more frequently than once every 12 months.81 The Department recognized how intertwined these particular Administrative Simplification standards would be with the standards for the privacy of individually identifiable health information, and thus promulgated a regulatory standard that limits modifications to all of the rules promulgated under the Administrative Simplification provisions to no more frequently than once every 12 months.82 The Secretary exercised each of these rulemaking authorities in 2000 to adopt 45 CFR 160.104(a), which reserves the Secretary’s power to modify any ‘‘standard or implementation specification adopted under this subchapter’’ of these regulations, including the Administrative Simplification provisions. The Secretary invoked this modification authority to amend the Privacy Rule in 2002.83 Subsequently, as discussed above, Congress affirmed that the HIPAA Rules—including 45 CFR 160.104(a)—are to remain in effect to the extent that they are consistent with the HITECH Act and directed the Secretary to revise the HIPAA Rules as necessary for consistency with the HITECH Act.84 At the same time, Congress also confirmed that the new law was not intended to have any effect on authorities already granted under HIPAA to the Department, including section 264 of that statute and the regulations issued under that provision. Congress’ affirmation of the Secretary’s rulemaking power, including the authority to modify the Secretary’s own regulations, thus confirms that the Secretary retains the authority to modify the Privacy Rule as often as every 12 months when appropriate, including to strengthen privacy and security protections for IIHI. In fact, after the enactment of the HITECH Act, the Secretary exercised this authority to modify the Privacy Rule again in 2013.85 To properly execute the HIPAA statutory mandate, and in accordance with the regulatory authority granted to it by Congress, the Department regularly evaluates the interaction of the Privacy Rule and state statutes and regulations governing the privacy of health information.

79 See Section 264(c)(1) of Public Law 104–191 (codified at 42 U.S.C. 1320d–2 note).

80 Section 1102 of the SSA (codified at 42 U.S.C. 1302).

81 See Section 1174(b)(1) of Public Law 104–191 (codified at 42 U.S.C. 1320d–3).

82 45 CFR 160.104.

83 See 67 FR 53182 (Aug. 14, 2002).

84 Section 13421(b) of the HITECH Act (codified at 42 U.S.C. 17951).
In keeping with the Department’s practice, this NPRM attempts to accommodate state autonomy to the extent consistent with the need to maintain rules for health information privacy that serve HIPAA’s objectives. The proposed regulation, if finalized, would thus preempt state law only to the extent necessary to achieve the national objectives of HIPAA. The Secretary has delegated authority to administer the HIPAA Rules and to make decisions regarding their implementation, interpretation, and enforcement to the HHS Office for Civil Rights (OCR).86

2. Regulatory History

The 2000 Privacy Rule

As directed by HIPAA, the Department provided a series of recommendations to Congress for a potential new law that would address the confidentiality of individually identifiable health information.87 Congress did not act within its three-year self-imposed deadline. As a result, the Department published a proposed rule setting forth the required standards on November 3, 1999,88 and issued the first final rule establishing “Standards for Privacy of Individually Identifiable Health Information” (“2000 Privacy Rule”) on December 28, 2000.89 The final rule announced “standards to protect the privacy of individually identifiable health information” to “begin to address growing public concerns that advances in electronic technology and evolution in the health care industry are resulting, or may result, in a substantial erosion of the privacy surrounding” health information.90 On the eve of that rule’s issuance, the President issued an Executive order recognizing the importance of protecting patient privacy, explaining that “[p]rotecting the privacy of patients’ protected health information promotes trust in the health care system. It improves the quality of health care by fostering an environment in which patients can feel more comfortable in providing health care professionals with accurate and detailed information about their personal health.”91 Thus, the primary goal of the Privacy Rule was to provide greater protections to individuals’ privacy and to engender a trusting relationship between individuals and health care providers.92 The final rule announced “standards to protect the privacy of individually identifiable health information” to “begin to address growing public concerns that advances in electronic technology and evolution in the health care industry are resulting, or may result, in a substantial erosion of the privacy surrounding” health information.93 Since promulgation, the Privacy Rule has protected PHI94 by limiting the circumstances under which covered entities and their business associates (collectively, “regulated entities”) are permitted or required to use or disclose PHI and by requiring covered entities to have safeguards in place to protect the privacy of PHI.

85 See 78 FR 5566.
86 See U.S. Dep’t of Health and Human Servs., Office of the Secretary, Office for Civil Rights; Statement of Delegation of Authority, 65 FR 82381 (Dec. 28, 2000); U.S. Dep’t of Health and Human Servs., Office of the Secretary, Office for Civil Rights; Delegation of Authority, 74 FR 38630 (Aug. 4, 2009); U.S. Dep’t of Health and Human Servs., Office of the Secretary, Statement of Organization, Functions and Delegations of Authority, 81 FR 95622 (Dec. 28, 2016).
87 See Confidentiality of Individually Identifiable Health Information, U.S. Dep’t of Health and Human Servs., Section I.A. (Sept. 1997), https://aspe.hhs.gov/reports/confidentiality-individually-identifiable-health-information.
88 64 FR 59918.
89 65 FR 82462.
In adopting these regulations, the Department acknowledged the need to balance several competing factors, including existing legal expectations, individuals’ privacy expectations, and societal expectations.95 The Department noted “the large number of comments from individuals and groups representing individuals demonstrate the deep public concern about the need to protect the privacy of individually identifiable health information” and “evidence about the importance of protecting privacy and the potential adverse consequences to individuals and their health if such protections are not extended.”96 The Department struck a balance between the “competing interests—the necessity of protecting privacy and the public interest in using identifiable health information for vital public and private purposes—in a way that is also workable for the varied stakeholders[.]”97 The Department established “general rules” for uses and disclosures of PHI, codified at 45 CFR 164.502, in the 2000 Privacy Rule.98 The 2000 Privacy Rule also specified the circumstances in which a covered entity was required to obtain an individual’s consent,99 authorization,100 or the opportunity for the individual to agree or object.101 Additionally, it established rules for when a covered entity is permitted to use or disclose PHI without an individual’s consent, authorization, or opportunity to agree or object.102 In particular, the Privacy Rule permits certain uses and disclosures of PHI, without the individual’s authorization, for identified activities that benefit the community, such as public health activities, law enforcement purposes, judicial and administrative proceedings, and research. The Privacy Rule also established the rights of individuals with respect to their PHI, including the right to receive adequate notice of a covered entity’s privacy practices, the right to request restrictions of uses and disclosures, the right to access (i.e., to inspect and obtain a copy of) their PHI, the right to request an amendment of their PHI, and the right to receive an accounting of disclosures.103 As part of the final rule, the Department provided that covered entities were to comply with the 2000 Privacy Rule no later than 24 months following its effective date.104

The 2002 Privacy Rule

After publication of the 2000 Privacy Rule, the Department received many inquiries and unsolicited comments about the Rule’s impact and operation. As a result, the Department opened the 2000 Privacy Rule for further comment in March 2001, less than one month before the effective date and 25 months before the compliance date for most covered entities, and issued clarifying guidance on the Rule’s implementation.105 NCVHS’ Subcommittee on Privacy, Confidentiality and Security held public hearings about the 2000 Privacy Rule.

90 65 FR 82462.
91 Executive Order 13181 (Dec. 20, 2000), 65 FR 81321.
92 Id.
93 65 FR 82462.
94 PHI includes individuals’ IIHI transmitted by or maintained in electronic media or any other form or medium, with certain exceptions. See 45 CFR 160.103 (definition of “Protected health information”).
95 See 65 FR 82471.
96 65 FR 82472.
97 Id.
98 65 FR 82462.
99 45 CFR 164.506 was originally titled “Consent for uses or disclosures to carry out treatment, payment, or health care operations.”
100 45 CFR 164.508.
101 45 CFR 164.510.
102 45 CFR 164.512.
103 See 45 CFR 164.520, 164.522, 164.524, 164.526, and 164.528.
104 The effective date of the Privacy Rule was updated to April 14, 2001. A covered entity meeting the definition of a small health plan was given 36 months to comply with the Privacy Rule. The compliance date for most covered entities was April 14, 2003. See 66 FR 12434 (Feb. 26, 2001).
From those hearings, the Department learned more about concerns related to key provisions and their potential unintended consequences on health care quality and access.106 In March 2002, the Department proposed modifications to the 2000 Privacy Rule to clarify the requirements and correct potential problems that could threaten access to, or quality of, health care.107 In response to the comments on the proposed rule, the Department finalized modifications on August 14, 2002 (“2002 Privacy Rule”).108 This final rule clarified HIPAA’s requirements while “maintain[ing] strong protections for the privacy of individually identifiable health information.”109 These modifications addressed certain workability issues, including but not limited to clarifying distinctions between health care operations and marketing; modifying the minimum necessary standard to exclude disclosures authorized by individuals and clarify its operation; clarifying that consent is not required for treatment, payment, or health care operations, and to otherwise clarify the role of consent in the Privacy Rule; and making other modifications and conforming amendments consistent with the proposed rule. The Department also included modifications to the provisions permitting the use or disclosure of PHI for public health activities and for research activities without consent, authorization, or an opportunity to agree or object.

2013 Omnibus Final Rule

Following the enactment of the HITECH Act, the Department issued an NPRM, entitled “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health [HITECH] Act” (“2010 NPRM”),110 to propose implementation of certain HITECH Act requirements. In 2013, the Department issued the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health [HITECH] Act and the Genetic Information Nondiscrimination Act, and Other Modifications to the HIPAA Rules—Final Rule (“2013 Omnibus Rule”),111 which implemented many of the new HITECH Act requirements, including strengthening individuals’ privacy rights as related to their PHI. The Department also finalized regulatory provisions not required by the HITECH Act, but necessary to address the “workability and effectiveness” of the HIPAA Rules and “to increase flexibility for and decrease burden on regulated entities.”112 In the 2010 NPRM, the Department noted that it had not amended the HIPAA Privacy and Security Rules since 2002 and 2003, respectively, other than to amend the Enforcement Rule through a 2009 interim final rule.113 It further explained that information gleaned from contact with the public since that time, enforcement experience, and technical corrections required to eliminate ambiguity provided the impetus for the Department’s actions to make certain regulatory changes.114 For example, the Department modified its prior interpretation of the Privacy Rule requirement at 45 CFR 164.508(c)(1)(iv) that a description of a research purpose must be “study specific.” The Department explained that, under its new interpretation, the research purposes need only be described adequately so that it would be “reasonable for the individual to expect that his or her protected health information could be used or disclosed for such future research.”115 The Department attributed its changed interpretation to the expressed concerns from covered entities, researchers, and other commenters to the 2010 NPRM that the former requirement did not represent current research practices. The Department expressed a similar rationale for the Privacy Rule modifications permitting certain disclosures of student immunization records to schools without an authorization,116 and another provision redefining the definition of PHI to exclude information regarding an individual who has been deceased for more than 50 years.117 For the latter, the Department noted that it was balancing the privacy interests of decedents’ living relatives and other affected individuals against the legitimate needs of public archivists to obtain records. None of the above-described changes were expressly required by the HITECH Act. Rather, the Department determined them to be necessary pursuant to its ongoing general rulemaking authority.118

III. Justification for This Proposed Rulemaking

HIPAA and the HIPAA Rules promote access to health care by establishing standards for the privacy of PHI in order to protect the confidentiality of individuals’ health information. These protections promote the development and maintenance of confidence and trust between individuals and their health care providers and health plans, and help improve the completeness and accuracy of patient records.119 The Privacy Rule, as it has been amended over time, carefully balances the interests of individuals and society in identifiable health information by establishing conditions for when and how such information may be used and disclosed—with and without the individual’s permission.

105 66 FR 12738 (Feb. 28, 2001).
106 67 FR 53183.
107 67 FR 14775 (Mar. 27, 2002).
108 67 FR 53182. See the final rule for changes in the entirety. The 2002 Privacy Rule was issued before the compliance date for the 2000 Privacy Rule. Thus, covered entities never implemented the 2000 Privacy Rule. Instead, they implemented the 2000 Privacy Rule as modified by the 2002 Privacy Rule.
109 67 FR 53182.
110 75 FR 40867 (July 14, 2010).
111 78 FR 5565. In addition to finalizing requirements of the HITECH Act that were proposed in the NPRM, the Department adopted modifications to the Enforcement Rule not previously adopted in an earlier interim final rule, 74 FR 56123 (Oct. 30, 2009), and to the Breach Notification Rule not previously adopted in an interim final rule, 74 FR 42739 (Aug. 24, 2009). The Department also finalized previously proposed Privacy Rule modifications as required by GINA, 74 FR 51698 (Oct. 7, 2009).
112 78 FR 5566. The Department’s general rulemaking authority is codified in HIPAA section 264(c), and OCR conducts rulemaking under HIPAA based on authority granted by the Secretary.
113 See 75 FR 40871. See also 74 FR 56123. The Department issued an interim final rule on October 30, 2009, to implement HITECH Act statutory changes to the HIPAA Enforcement Rule.
114 75 FR 40871.
115 78 FR 5612.
116 Id. at 5616–17. See also 45 CFR 164.512(b)(1).
117 78 FR 5614. See also 45 CFR 164.502(f) and the definition of “Protected health information” at 45 CFR 160.103, excluding IIHI regarding a person who has been deceased for more than 50 years.
118 In addition to the rulemakings discussed here, the Department has modified the HIPAA Privacy Rule for workability purposes and in response to changes in circumstances on two other occasions, and it issued another notice of proposed rulemaking in 2021 for the same reasons. See 79 FR 7289 (Feb. 6, 2014), 81 FR 382 (Jan. 6, 2016), and 86 FR 6446 (Jan. 21, 2021).
119 See 65 FR 82463. See also H. Rept. 104–736 at 177 and 264, supra note 40. See also 142 Cong. Rec. H9780 (statement of Rep. Sawyer), supra note 42; 142 Cong. Rec. H9792 (statement of Rep. McDermott), supra note 42; and 142 Cong. Rec. S9515–16 (statement of Sen. Simon), supra note 42.
The Privacy Rule is balanced to protect an individual’s privacy while allowing the use or disclosure of PHI for certain non-health care purposes, including in certain criminal, civil, and administrative investigations and proceedings. The Privacy Rule permits, but does not require, covered entities to disclose PHI to law enforcement officials, without the individual’s written authorization, under specific circumstances.120 For example, a covered entity is permitted to disclose PHI to law enforcement in compliance with, and as limited by, the relevant requirements of a court order. A covered entity is also permitted to disclose certain limited types of PHI in response to a law enforcement official’s request for such information for the limited purpose of identifying or locating a suspect, fugitive, material witness, or missing person. Such disclosures are also currently permitted, under certain circumstances, for health oversight purposes,121 judicial and administrative proceedings,122 or to coroners and medical examiners.123 Except when required by law, the disclosures summarized above are subject to a minimum necessary determination by the covered entity.124 When reasonable to do so, the covered entity may rely upon the representations of the public health authority, law enforcement official, or other public official as to what information is the minimum necessary for their lawful purpose.125 Moreover, if the law enforcement official making the request for information is not known to the covered entity, the covered entity must verify the identity and authority of such person prior to disclosing the information.126 However, the Department believes that developments in the legal environment have disrupted the balance. On one hand, there is the individual’s interest in the privacy of their health information and that of society in fostering trust between individuals and health care providers to promote public health. 
On the other hand, there is the interest of others in using or disclosing that information to achieve certain public policy goals, in this case, for purposes of criminal, civil, and administrative investigations or proceedings. Those developments have made information related to reproductive health care, which has long been considered highly sensitive,127 more likely to be of interest for punitive non-health care purposes, and thus more likely to be disclosed if sought for a purpose permitted under the Privacy Rule today. The interest in this sensitive health information is likely to remain high, even where the reproductive health care has been provided under circumstances in which it was lawful to do so. The Department believes PHI will be increasingly targeted by those seeking evidence for criminal, civil, or administrative investigations into or proceedings against persons in connection with seeking, obtaining, providing, or facilitating reproductive health care—or identifying persons for such purposes, thereby jeopardizing the relationships between individuals and their health care providers, even when such health care is lawfully obtained. To address these developments, the Department is proposing to protect this sensitive PHI and preserve that balance by establishing a new purpose for which disclosures are prohibited in certain circumstances—that is, the use or disclosure of PHI for the criminal, civil, or administrative investigation of or proceeding against an individual, regulated entity, or other person for seeking, obtaining, providing, or facilitating reproductive health care, as well as the identification of any person for the purpose of initiating such an investigation or proceeding.

120 See 45 CFR 164.512(f).
121 45 CFR 164.512(d).
122 45 CFR 164.512(e).
123 45 CFR 164.512(g)(1).
124 45 CFR 164.502(b) and 164.514(d).
125 45 CFR 164.514(d)(3)(iii)(A).
126 45 CFR 164.514(h).
Such disclosures of PHI would be prohibited when the reproductive health care: (1) is provided outside of the state where the investigation or proceeding is authorized and where such health care is lawfully provided; (2) is protected, required, or authorized by Federal law, regardless of the state in which such health care is provided; or (3) is provided in the state in which the investigation or proceeding is authorized and that is permitted by the law of that state. In these circumstances, the state lacks any substantial interest in seeking the disclosure. Protecting against disclosures of PHI in these circumstances thus directly advances the long-understood purpose of the HIPAA privacy protections without unduly interfering with legitimate state prerogatives. To assist in effectuating this prohibition, the Department proposes to require covered entities in certain circumstances to obtain an attestation from the person requesting the use or disclosure that the use or disclosure is not for a prohibited purpose. Additionally, the Department proposes to clarify the definition of “person” and certain other terms that distinguish between state laws that are contrary to the Privacy Rule and are therefore preempted by it and those that are excepted from preemption. The Department also discusses its view of “child abuse” for the purposes of the Privacy Rule and which persons a covered entity may decline to recognize as an individual’s personal representative under particular circumstances. This NPRM contains proposals for minor technical corrections that reflect the Department’s long-standing interpretation of the Privacy Rule. Lastly, the Department proposes to require modifications to the Notice of Privacy Practices (NPP) to ensure that individuals are aware of and understand the proposed prohibition.

A. HIPAA Encourages Trust by Carefully Balancing Individuals’ Privacy Interests With Others’ Interests in Using or Disclosing PHI

It is well established that a functioning health care system depends in part on patients trusting their health care providers and health care systems.128 According to the American Medical Association (AMA), a key element of patient trust is privacy protection, “a crucial element for honest health discussions.”129 Privacy is the core foundation of the relationship between individuals and their health care providers.130 The original Hippocratic Oath required physicians to pledge to maintain the confidentiality of information they learn about their patients.131 Individuals’ health privacy concerns affect their trust in health care providers, and thus, their willingness to provide complete and accurate information to health care providers.132 Individuals must disclose sensitive information to their health care providers to obtain appropriate health care.133 If individuals do not trust that the sensitive information they disclose to their health care providers will be kept private, they may be deterred from seeking or obtaining needed health care or withhold information from their health care providers, compromising the quality of the health care they receive.134 Similarly, if a health care provider does not trust that the information they include in an individual’s medical records will be kept private, the health care provider might leave gaps or include inaccuracies when preparing medical records, creating a risk that ongoing or future health care would be compromised. Thus, the Privacy Rule promotes access to higher quality health care by protecting the privacy of individuals’ health information in order to engender trust between individuals and health care providers and to help improve the completeness and accuracy of individuals’ medical records. The Federal Government has a strong interest in ensuring that individuals have access to high-quality health care,135 and from its inception, the Privacy Rule has recognized the importance of trust to health care quality. Of course, health information—and PHI in particular—can be useful for purposes other than an individual’s own health care.

127 See Letter from NCVHS, supra note 14.
128 See Jennifer Richmond, Marcella H. Boynton, Sachiko Ozawa, et al., “Development and Validation of the Trust in My Doctor, Trust in Doctors in General, and Trust in the Health Care Team Scales,” Social Science & Medicine (Apr. 2022), https://www.sciencedirect.com/science/article/abs/pii/S0277953622001332?via%3Dihub.
129 See “Patient Perspectives Around Data Privacy,” American Medical Association (2022), https://www.ama-assn.org/system/files/ama-patient-data-privacy-survey-results.pdf.
130 Id.
131 Warren T. Reich, editor, Encyclopedia of Bioethics, Vol. 5 (New York, NY: Macmillan, 1995), Oath of Hippocrates, p. 2632.
132 See “Development and Validation of the Trust in My Doctor, Trust in Doctors in General, and Trust in the Health Care Team Scales,” supra note 128; Bradley E. Iott, Celeste Campos-Castillo, Denise L. Anthony, “Trust and Privacy: How Patient Trust in Providers is Related to Privacy Behaviors and Attitudes,” AMIA Annual Symposium Proceedings (Mar. 2020), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7153104/; Pamela Sankar, Susan Mora, Jon F. Merz, et al., “Patient perspectives of medical confidentiality: a review of the literature,” Journal of General Internal Medicine (Aug. 2003), p. 659–69, https://pubmed.ncbi.nlm.nih.gov/12911650/.
133 See “Recommendations on Privacy and Confidentiality, 2006–2008,” Nat’l Comm. on Vital and Health Stats. (May 2009), p. 4, https://ncvhs.hhs.gov/wp-content/uploads/2014/05/privacyreport0608.pdf; See also Letter from NCVHS (forwarding NCVHS recommendations) (“As a practical matter, it is often essential for individuals to disclose sensitive, even potentially embarrassing, information to a health care provider to obtain appropriate care”), supra note 18.
134 See 64 FR 60019 (In the 1999 Privacy Rule NPRM, the Department discussed confidentiality as an important component of trust between individuals and health care providers and cited a 1994 consumer privacy survey that indicated that a lack of privacy may deter patients from obtaining preventive care and treatment.); “Trust and Privacy: How Patient Trust in Providers is Related to Privacy Behaviors and Attitudes,” supra note 132.
135 See Testimony (transcribed) of Peter R. Orszag, Director, Congressional Budget Office, Hearing on Comparative Clinical Effectiveness before House of Representatives Committee on Ways and Means, Subcommittee on Health, 2007 WL 1686358 (June 12, 2007) (“because federal health insurance programs play a large role in financing medical care and represent a significant expenditure, the federal government itself has an interest in evaluations of the effectiveness of different health care approaches”); Statement of Sen. Durenberger introducing S.1836, American Health Quality Act of 1991 and reading bill text, 137 Cong. Rec. S26720 (Oct. 17, 1991) (“[T]he Federal Government has a demonstrated interest in assessing the quality of care, access to care, and the costs of care through the evaluative activities of several Federal agencies.”).
Indeed, society also benefits when individuals trust their health care providers to keep highly sensitive information private for the same reasons that individuals benefit. After all, it is to society’s benefit that individuals seek out necessary medical care, and that when they do, they receive high-quality health care based on information that is more likely to be complete and accurate when individuals trust their health care providers. Individuals’ lack of trust in health care providers and the health care system can have serious consequences for society.136 There is also significant interest in using PHI to address non-health care concerns, such as for research, law enforcement purposes, judicial and administrative proceedings, health oversight activities, and others. As the Department explained in the 1999 Privacy Rule NPRM, ‘‘The information may be sought well before a trial or hearing, to permit the party to discover the existence or nature of testimony or physical evidence, or in conjunction with the trial or hearing, in order to obtain the presentation of testimony or other evidence. These uses of health information are clearly necessary to allow the smooth functioning of the legal system.’’ 137 For example, in the absence of a permission to use or disclose PHI for judicial and administrative proceedings, a regulated entity would be dependent upon an individual’s authorization to use or disclose PHI to defend itself against a medical malpractice claim brought by the individual, rendering the regulated entity dependent upon the very person bringing the claim against them. 
The Department believes that there is societal benefit to permitting such uses and disclosures where such uses and disclosures do not undermine the public policy goals set by Congress when it passed HIPAA—that is, where they do not undermine the trust of individuals in the health care system and the ability of individuals to receive high-quality health care.138 The Department has long permitted uses and disclosures of PHI for non-health care purposes in such circumstances, subject to certain limitations because of the potential harm they could cause to individuals. As discussed in section II of this preamble, the Privacy Rule represents the Department’s careful balancing of individuals’ interests and the interests of others in a way that engenders individuals’ trust and enables high-quality health care, while also allowing others to use individuals’ PHI for certain public policy purposes. The Department recognized the need for trust between patients and health care providers in the 2000 Privacy Rule, noting that “[t]he provision of high-quality health care requires the exchange of personal, often-sensitive information between an individual and a skilled practitioner. Vital to that interaction is the patient’s ability to trust that the information shared will be protected and kept confidential.”139 Further, if individuals do not trust that the sensitive information they give their health care providers will be kept private, they may be deterred from seeking needed health care.140 And when individuals do seek health care, they may be reluctant to be completely forthcoming with their health care providers, thus compromising the quality of the health care they receive. As the Department also stated, “[h]ealth care professionals who lose the trust of their patients cannot deliver high-quality care.”141 And when the trust of individuals is lost, the public’s health as a whole is jeopardized. Throughout the preamble to the 2000 Privacy Rule and the preambles to the rules revising the Privacy Rule, the Department described and explained its efforts to balance those interests. In the 2002 Privacy Rule, the Department discussed its re-evaluation of the balance established by the 2000 Privacy Rule and revised certain provisions because of concerns that arose as regulated entities prepared to implement its requirements. The Department made certain revisions to protect the privacy interests of individuals by strengthening the requirements for covered entities to inform individuals of their privacy practices through an NPP. These revisions afforded individuals the opportunity to engage in discussions regarding the use and disclosure of their PHI, while protecting the interests of covered entities by allowing activities that are essential to the provision of high-quality health care to occur unimpeded, reducing the burden on such entities.142 The Department made other revisions to “balance an individual’s privacy expectations with a covered entity’s need for information for reimbursement and quality purposes.”143 In that same rulemaking, in addressing comments on still other revisions, the Department clearly stated, “Patient privacy must be balanced against other public goods, such as research and the risk of compromising such research projects if researchers could not continue to use such data.”144 In more recent rulemakings, the Department has continued its efforts to build and maintain individuals’ trust in the health care system by balancing the interests of individuals with those of others as it further revised the Privacy Rule.

136 See Letter from NCVHS, supra note 18.
137 64 FR 59959.
138 See Letter from NCVHS, at Executive Summary, supra note 60 (with forwarded NCVHS recommendations, “The importance of trust in the provider-patient relationship must be preserved. Health records are used to improve the quality of health care [ . . . ] protect the public health, and assure public accountability of the health care system.”).
139 65 FR 82463.
140 See 64 FR 60019 (In the 1999 Privacy Rule NPRM, the Department discussed confidentiality as an important component of trust between individuals and health care providers and cited a 1994 consumer privacy survey that indicated that a lack of privacy may deter patients from obtaining preventive care and treatment.).
141 65 FR 82468.
For example, in explaining revisions made as part of the 2013 Omnibus Rule, the Department stated, “The Privacy Rule, at § 164.512(b), recognizes that covered entities must balance protecting the privacy of health information with sharing health information with those responsible for ensuring public health and safety.”[145] As another example from that same rule, the Department revised the requirements for the distribution of the NPP because “[w]e believe these distribution requirements best balance the right of individuals to be informed of their privacy rights with the burden on health plans to provide the revised [Notice of Privacy Practices].”[146] In the 2014 CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports Final Rule, the Department further balanced the interests of individuals and those of others by providing individuals (or their personal representatives) with the right to access test reports directly from laboratories subject to HIPAA.[147] This rulemaking afforded the Department with the opportunity to demonstrate the supremacy of the individual’s right of access over the potential burden imposed on others, in this case, the laboratory. And still more recently, the primary focus of the 2016 HIPAA Privacy Rule and the National Instant Criminal Background Check System (NICS) Final Rule was to issue a narrowly tailored rule that appropriately balanced public safety goals with individuals’ privacy interests to ensure that individuals are not discouraged from seeking voluntary treatment for mental health needs.[148]

As part of balancing individuals’ interests with those of society, the Department has recognized that it may be necessary to provide certain types of health information with special protection because they are particularly sensitive. For example, while the Department usually applies the same privacy standards to all PHI regardless of the type of health care at issue, it affords “special protections” to psychotherapy notes. These protections are afforded in part because of the “particularly sensitive information” those notes contain and in part because of the unique function of these records, which are by definition maintained separately from an individual’s medical record.[149] As the Department explained when it proposed these protections, “[p]sychotherapy notes are of primary value to the specific provider and the promise of strict confidentiality helps to ensure that the patient will feel comfortable freely and completely disclosing very personal information essential to successful treatment.”[150] The Department elaborated that, “[b]ecause of the sensitive nature of the problems for which individuals consult psychotherapists,” and the “embarrassment or disgrace” engendered by “disclosure of confidential communications made during counseling sessions,” even “the mere possibility of disclosure may impede development of the confidential relationship necessary for successful treatment.”[151] To support the development and maintenance of an individual’s trust and protect the relationship between an individual and their therapist, psychotherapy notes may be disclosed without an individual’s authorization only in limited circumstances, such as to avert a serious and imminent threat to health or safety.

[142] 67 FR 53209.
[143] 67 FR 53216.
[144] 67 FR 53226.
[145] 78 FR 5616.
[146] 78 FR 5625.
[147] 79 FR 7290 (Feb. 6, 2014).
[148] 81 FR 382, 386 (Jan. 6, 2016).
[149] See 45 CFR 164.501 (definition of “Psychotherapy notes”) (explicitly providing that psychotherapy notes are separated from the individual’s medical record).
[150] 64 FR 59941.
[151] Id.
[152] 45 CFR 164.508(a)(2).
Those limited circumstances do not include judicial and administrative proceedings or law enforcement purposes unless the disclosure is “necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.”[152]

Information related to an individual’s reproductive health and associated health care is also especially sensitive and has long been recognized as such. As stated in the AMA’s Principles of Medical Ethics, the “decision to terminate a pregnancy should be made privately within the relationship of trust between patient and physician in keeping with the patient’s unique values and needs and the physician’s best professional judgment.”[153] NCVHS first noted it as an example of a category of health information commonly considered to contain sensitive information in 2008.[154] From 2005–2010, NCVHS held nine hearings that addressed questions about sensitive information in medical records and identified additional categories of sensitive information beyond those addressed in Federal and state law, including “sexuality and reproductive health information,” which NCVHS elaborated on in a 2010 letter to the Secretary:

Some reproductive issues may expose people to political controversy [ . . . ], and public knowledge of an individual’s reproductive history may place [them] at risk of stigmatization. Additionally, individuals may wish to have their reproductive history segmented so that it is not viewed by family members who otherwise have access to their records. Parents may wish to delay telling their offspring about adoption, gamete donation, or the use of other forms of assisted reproduction technology in their conception, and, thus, it may be important to have the capacity to segment these records.[155]

At that time, the general privacy standards promulgated under HIPAA adequately protected information related to reproductive health care. Based on settled Federal constitutional law in 2000, the Department did not see a need to treat uses or disclosures of PHI related to reproductive health care, such as information about a pregnancy termination, differently from other uses or disclosures of PHI related to other categories of health care when establishing the Federal standards for privacy as mandated by HIPAA.[156] HHS knew that individuals generally could legally access reproductive health care nationwide. And because such health care generally was legal and constitutionally protected, HHS was confident that law enforcement or other third parties typically would not seek individuals’ health information for purposes of investigating violations of criminal or civil laws related to highly sensitive types of health care, such as the provision of or access to reproductive health care, except in certain limited circumstances aimed at ensuring the quality and safety of such health care. Therefore, until states’ recent efforts to regulate and criminalize the provision of or access to reproductive health care, effectuating the purposes of HIPAA did not require regulatory provisions that restricted uses and disclosures of PHI related to those activities.

B. Developments in the Legal Environment Are Eroding Individuals’ Trust in the Health Care System

The Supreme Court’s decision in Dobbs on June 24, 2022, created new concerns about the privacy of PHI related to reproductive health care.

[153] Amendment to Opinion 4.2.7, Abortion H–140.823, American Medical Association (2022), https://policysearch.ama-assn.org/policyfinder/detail/%224.2.7%20Abortion%22?uri=%2FAMADoc%2FHOD.xml-H-140.823.xml.
[154] See Letter from NCVHS, supra note 14.
[155] See Letter from NCVHS Chair Justine M. Carr to HHS Secretary Kathleen Sebelius (Nov. 10, 2010) (forwarding NCVHS recommendations).
[156] See 65 FR 82464–70.
In that decision, the Court overruled Roe v. Wade[157] and Planned Parenthood of Southeastern Pennsylvania v. Casey[158] and held that constitutional challenges to state abortion regulations are subject to rational-basis review.[159] But the Court’s decision did not disturb other longstanding constitutional principles, such as those protecting the right of interstate travel or the right to use contraception.[160] Nor did it displace Federal statutes, such as the Emergency Medical Treatment and Active Labor Act[161] (EMTALA), that protect access to reproductive health care in particular circumstances. Following the Supreme Court’s decision, states have taken actions, some tacitly and some explicitly, that could interfere with individuals’ longstanding expectations created by HIPAA and the Privacy Rule with respect to the privacy of their PHI.[162] The Department is aware of reports that persons or authorities have reached or intend to reach beyond their own states’ borders to investigate reproductive health care that has been performed in other states where that health care is legal.[163] These actions present new concerns nationwide for the protection of health information privacy mandated by HIPAA. Because the Privacy Rule currently permits uses and disclosures of PHI for certain purposes,[164] including when another law requires a regulated entity to make the use or disclosure,[165] regulated entities after Dobbs might be compelled to use or disclose PHI to law enforcement or other persons who may use that health information against an individual, a regulated entity, or another person who has sought, obtained, provided, or facilitated reproductive health care, even when such health care is lawful in the circumstances in which the health care is obtained.[166]

One significant consequence of the developments in Federal and state law is the erosion of individuals’ trust in health care providers to protect their health information privacy, creating barriers or disincentives for individuals to obtain health care, including legal reproductive health care, and increasing the potential for health care providers to possess incomplete or inaccurate medical records. A 2023 qualitative study of individuals who obtained abortions after the passage of a law significantly restricting abortion access in Texas highlighted the concerns of such individuals with respect to the privacy of PHI related to reproductive health care they received.[167] In fact, a recently filed complaint details the decision made by the plaintiff’s out-of-state health care provider to describe the plaintiff’s condition as something other than an abortion, even though the abortion was lawful in the state in which it was provided, because the health care provider was concerned about the ramifications of documenting the health care provided as an abortion.[168] Another significant consequence is the risk that individual medical records will not be maintained with completeness and accuracy, including as they relate to legal reproductive health care.

[157] 410 U.S. 113 (1973).
[158] 505 U.S. 833 (1992).
[159] Dobbs, 142 S. Ct. at 2283–2284.
[160] See id. at 2309 (Kavanaugh, J., concurring).
[161] Public Law 99–272, 100 Stat. 164 (Apr. 7, 1986) (codified at 42 U.S.C. 1395dd). For further discussion of a health care provider’s obligations under the EMTALA statute, see https://www.hhs.gov/sites/default/files/emergency-medical-care-letter-to-health-care-providers.pdf.
[162] See, e.g., Kayte Spector-Bagdady, Michelle M. Mello, “Protecting the Privacy of Reproductive Health Information After the Fall of Roe v Wade,” JAMA Network (June 30, 2022), https://jamanetwork.com/journals/jama-health-forum/fullarticle/2794032; Lisa G. Gill, “What does the overturn of Roe v. Wade mean for you?,” Consumer Reports (June 24, 2022), https://www.consumerreports.org/health-privacy/what-does-the-overturn-of-roe-v-wade-mean-for-you-a1957506408/.
[163] See, e.g., Giulia Carbonaro, “Texas bill targeting internet abortion access ‘attacks individual liberty’,” Newsweek (Mar. 3, 2023), https://www.newsweek.com/texas-bill-targeting-internet-abortion-access-attacks-individual-liberty-1785254; Alice Miranda Ollstein and Megan Messerly, “Missouri wants to stop out-of-state abortions. Other states could follow,” Politico (Mar. 19, 2022), https://www.politico.com/news/2022/03/19/travel-abortion-law-missouri-00018539. For pending bills that would impose limitations on the ability of individuals to travel to obtain reproductive health care, see, e.g., H.B. 2012, Missouri 101st General Assembly (2022) (would have permitted a private citizen to sue a person who provides or facilitates an abortion for a Missouri resident, including an out-of-state physician or person who transports an individual across state lines to a health care provider); H.B. No. 787, Texas State Legislature (2023) (prohibiting the receipt of tax incentives by a business entity that assists an employee in obtaining an abortion, including through funding out-of-state travel for the procedure); and H.B. 90 and S.B. 600, Tennessee General Assembly (2023) (prohibiting local governments from spending money to assist “a person in obtaining an abortion,” including through funding out-of-state travel for the procedure).
[164] 45 CFR 164.502(a)(1).
[165] 45 CFR 164.512(a).
[166] See Eleanor Klibanoff, “Lawyers preparing for abortion prosecutions warn about health care, data privacy,” The Texas Tribune (July 25, 2022), https://www.texastribune.org/2022/07/25/abortion-prosecution-data-health-care/ (discussing the fact that the most common way PHI is obtained by law enforcement is through health care provider disclosures).
The developments discussed above have increased uncertainty nationwide for individuals, regulated entities, and other persons about the privacy of an individual’s PHI. Recent state actions now place individuals and health care providers in potential civil or criminal jeopardy when PHI related to an individual’s reproductive health is used and disclosed, regardless of whether the health care services are obtained or performed legally. In the past, some law enforcement officials exercised their authority under general criminal statutes to obtain PHI for use against pregnant individuals on the basis of their pregnancy status or pregnancy outcomes.[169] But more recent developments in law have created an environment in which law enforcement and others are increasingly likely to request PHI from regulated entities for use against individuals,[170] health care providers, and others, solely because such persons sought, obtained, provided, or facilitated lawful reproductive health care.[171] This environment of increased demand for PHI for these purposes is not limited to states in which those legal developments have occurred. Rather, these legal developments have nationwide implications because of the overall effects on the relationship between health care providers and individuals and the flow of health information across state lines. Examples of such cross-state health information flows include disclosures from health care providers to health plans with a multi-state presence or between health care providers in different states to treat individuals as they travel across the country. This reality is in tension with many individuals’ expectation that they have or should have the right to health information privacy, including the right to determine who has access to that information.

[167] Courtney C. Baker, Emma Smith, Mitchell D. Creinin, et al., “Texas Senate Bill 8 and Abortion Experiences in Patients with Fetal Diagnoses: A Qualitative Analysis,” Obstetrics & Gynecology (Mar. 2023), https://pubmed.ncbi.nlm.nih.gov/36735418 (citing a representative statement made by a study participant, “ ‘I would joke around and say, well don’t sue me, but halfway mean it.’ ”).
[168] See Brief for Zurawski at p. 2 (One plaintiff had to travel out of state for an abortion to save the life of one of her twins, and afterwards, fearful of documenting her abortion, her health care provider instead described her condition as “vanishing twin syndrome.”).
[169] See “Self-Care, Criminalized: August 2022 Preliminary Findings,*” supra note 11; “Confronting Pregnancy Criminalization: A Practical Guide for Healthcare Providers, Lawyers, Medical Examiners, Child Welfare Workers, and Policymakers,” Pregnancy Justice (June 2022), https://www.pregnancyjusticeus.org/confronting-pregnancy-criminalization/.
[170] See, e.g., S.C. Code Ann. sec. 44–41–80(b) and NRS 200.220. See also “Self-Care, Criminalized: August 2022 Preliminary Findings,*” supra note 11, p. 2–3 (From 2000 to 2020, out of 54 cases, 74% of the adult cases involved the criminalization of the person for self-managing their own abortion, and 39% of the cases reported to law enforcement were by health care providers.); “Talk of prosecuting women for abortion pills roils antiabortion movement,” supra note 11.
In fact, in its most recent annual survey on patient privacy, the AMA found that, of 1,000 patients surveyed: (1) nearly 75% are concerned about protecting the privacy of their own health information; and (2) 59% of patients worry about health data being used by companies to discriminate against them or their loved ones.[172] In its report on the survey, the AMA opines that a lack of health information privacy raises many questions about circumstances that could put patients and physicians in legal peril, and that the “primary purpose of increasing [health information] privacy is to build public trust, not inhibit data exchange.”[173] The mismatch between privacy expectations and current legal protections for health information privacy undermines trust between individuals and health care providers nationwide, thereby decreasing access to, and effectiveness of, health care for individuals.

[171] The Department believes that those investigating or bringing proceedings against individuals, health care providers, or other persons for seeking, obtaining, providing, or facilitating reproductive health care will increasingly seek to access PHI as part of their investigation or proceeding. See, e.g., Karen Brooks Harper, “Texas abortion foes use legal threats and propose more laws to increase pressure on providers and their allies,” The Texas Tribune (July 18, 2022), https://www.texastribune.org/2022/07/18/texas-abortion-laws-pressure-campaign/; Timothy Bella, “Doctor in 10-year-old rape victim’s abortion faces AG inquiry, threats,” The Washington Post (July 27, 2022), https://www.washingtonpost.com/politics/2022/07/27/abortion-doctor-girl-rape-caitlin-bernard-investigation/; “Doctor says she shouldn’t have to turn over patients’ abortion records,” supra note 13.
[172] See “Patient Perspectives Around Data Privacy,” supra note 129.
[173] Id. at 2.
The present situation also has resulted in ambiguity and confusion for individuals and health care providers, many of whom are uncertain about when health information is protected under the HIPAA Rules given recent legal developments.[174] This confusion undermines access to health care and individual privacy, including for individuals seeking or obtaining health care that is lawful nationwide. For example, the Department is aware that some health care providers, both clinicians and pharmacies, are hesitant to prescribe or fill prescriptions for medications that can result in pregnancy loss, even when those prescriptions are intended to treat individuals for other health matters, because of fear of law enforcement action.[175] As a result, these health care providers are either denying access to prescriptions that affect an individual’s quality of life or requiring additional PHI to justify an individual’s need for such prescriptions for purposes that are permissible under state law.[176] Although most health care providers, including pharmacies, are subject to the HIPAA Rules, and thus, limited in the purposes for which they are permitted to use or disclose such PHI, an individual’s privacy is necessarily reduced as an increasing number of persons have access to an increasing amount of their PHI. Additionally, individuals face an increasing risk to the security of their PHI as the number of information technology systems in which the PHI is stored increases. As the number of persons and information technology systems with access to this PHI increases, this expands the number and types of regulated entities from which law enforcement and others may try to seek disclosure of this highly sensitive information.

[174] See Press Release, American Medical Association, American Pharmacists Association, American Society of Health-System Pharmacists, and National Community Pharmacists Association, “Statement on state laws impacting patient access to necessary medicine” (Sept. 8, 2022), https://www.ama-assn.org/press-center/press-releases/statement-state-laws-impacting-patient-access-necessary-medicine. See also Abigail Higgins, “Abortion rights advocates fear access to birth control could be curtailed,” The Washington Post (June 24, 2022), https://www.washingtonpost.com/nation/2022/06/24/birth-control-access-supreme-court-abortion-ruling/.
[175] See Interview with Donald Miller, PharmD, “Methotrexate access becomes challenging for some patients following Supreme Court decision on abortion,” Pharmacy Times (July 20, 2022), https://www.pharmacytimes.com/view/methotrexate-access-becomes-challenging-for-patients-following-supreme-court-decision-on-abortion; Jamie Ducharme, “Abortion restrictions may be making it harder for patients to get a cancer and arthritis drug,” Time (July 6, 2022), https://time.com/6194179/abortion-restrictions-methotrexate-cancer-arthritis/; Katie Shepherd and Frances Stead Sellers, “Abortion bans complicate access to drugs for cancer, arthritis, even ulcers,” The Washington Post (Aug. 8, 2022), https://www.washingtonpost.com/health/2022/08/08/abortion-bans-methotrexate-mifepristone-rheumatoid-arthritis/.
[176] See, e.g., Jen Christensen, “Women with chronic conditions struggle to find medications after abortion laws limit access,” CNN Health (July 22, 2022), https://www.cnn.com/2022/07/22/health/abortion-law-medications-methotrexate/; Brittni Frederiksen, Matthew Rae, Tatyana Roberts, et al., “Abortion Bans May Limit Essential Medications for Women with Chronic Conditions,” Kaiser Family Foundation (Nov. 17, 2022), https://www.kff.org/womens-health-policy/issue-brief/abortion-bans-may-limit-essential-medications-for-women-with-chronic-conditions/.
Individual trust in regulated entities is eroded when individuals’ access to health care is questioned and their PHI is subject to disclosures that previously were unnecessary. Impingements on health information privacy related to reproductive health care are likely to have a disproportionately greater effect on women, individuals of reproductive age, and individuals from communities that have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage by virtue of their race, disability, social or economic status, geographic location, or environment.[177] Historically underserved and marginalized individuals are also more likely to be the subjects of investigations and proceedings about any suspected interest in, or obtaining of, reproductive health care, even where such health care is lawful under the circumstances in which it is provided.[178] They are also less likely to have adequate access to legal counsel to defend themselves from such actions.[179] Such individuals are thus especially likely to be concerned that information they give to their health care providers regarding their reproductive health care will not remain private. This is particularly true in light of the historic lack of trust that members of marginalized communities have for the health care system;[180] such individuals are more likely to be deterred from seeking or obtaining health care, or from giving their health care providers full information when they do obtain it. The recent legal landscape that increases the potential for disclosures of PHI to impose liability for seeking, obtaining, providing, or facilitating reproductive health care risks eroding health information privacy and trust in health care providers that has long been supported and advanced by the Privacy Rule.

The Department issued guidance in 2022 to clarify its longstanding interpretation of the Privacy Rule’s law enforcement provisions.[181] In the guidance, the Department explained that disclosures for non-health care purposes, such as disclosures to law enforcement officials, are permitted only in narrow circumstances tailored to protect the individual’s privacy and support their access to health care, including abortion care. The guidance specifically reminded regulated entities that they can use and disclose PHI, without an individual’s signed authorization, only as expressly permitted or required by the Privacy Rule. Additionally, the guidance explained the Privacy Rule’s restrictions on disclosures of PHI when required by law, for law enforcement purposes, and to avert a serious threat to health or safety. For example, where state law does not expressly require reporting of suspicions of self-managed reproductive health care, the Privacy Rule would not permit a disclosure by a hospital workforce member of such suspicions to law enforcement under the “required by law” permission. However, many questions remain with respect to the potential for this sensitive PHI to be disclosed and the effects of such disclosure on the individual. Thus, it is incumbent upon the Department to consider whether it should revise the Privacy Rule to ensure the privacy of health information related to an individual’s use of lawful reproductive health care, consistent with Congress’ intent to create standards for the privacy of IIHI that promote trust and support access to high-quality health care.[182]

C. To Protect the Trust Between Individuals and Health Care Providers, the Department Proposes To Restrict Certain Uses and Disclosures of PHI for Non-Health Care Purposes

The Federal Government seeks to ensure that individuals have access to high-quality health care.[183] This proposed rule would further that goal by restricting the use and disclosure of certain PHI for non-health care purposes. The Department acknowledges that the Privacy Rule has not previously conditioned uses and disclosures for certain purposes on the specific type of health care about which the disclosure relates, as it does herein with reproductive health care. However, the primary reasons behind this rulemaking are the risks to privacy, patient trust, and health care quality that occur when it is the very act of obtaining health care that subjects an individual to an investigation or proceeding, potentially disincentivizing the individual from obtaining medically necessary health care. As discussed above, the Department has long provided special protections for psychotherapy notes when they are not included as part of the medical record because of the sensitivity around this information.

[177] See Christine Dehlendorf, Lisa H. Harris, Tracy A. Weitz, “Disparities in Abortion Rates: A Public Health Approach,” American Journal of Public Health (Oct. 2013), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3780732/. See also Kiara Alfonseca, “Why Abortion Restrictions Disproportionately Impact People of Color,” ABC News (June 24, 2022), https://abcnews.go.com/Health/abortion-restrictions-disproportionately-impact-people-color/story?id=84467809; Susan A. Cohen, “Abortion and Women of Color: The Bigger Picture,” Guttmacher Institute (Aug. 6, 2008), https://www.guttmacher.org/gpr/2008/08/abortion-and-women-color-bigger-picture; “The Disproportionate Harm of Abortion Bans: Spotlight on Dobbs v. Jackson Women’s Health,” Center for Reproductive Rights (Nov. 29, 2021), https://reproductiverights.org/supreme-court-case-mississippi-abortion-ban-disproportionate-harm/.
[178] See Brief of Amici Curiae for Organizations Dedicated to the Fight for Reproductive Justice—Mississippi in Action, et al. at *59–60, Dobbs, 142 S. Ct. (discussing the likelihood that those who terminate their pregnancies and anyone who assists them may face criminal investigation or arrest, exacerbating the mass incarceration of marginalized people in Mississippi and Louisiana, particularly in light of the states’ disproportionate rates of incarceration for people of color).
[179] See “Equal access to justice: ensuring meaningful access to counsel in civil cases, including immigration proceedings,” Columbia Law School Human Rights Institute and Northeastern University School of Law Program on Human Rights and the Global Economy (July 2014), https://hri.law.columbia.edu/sites/default/files/publications/equal_access_to_justice_-_cerd_shadow_report.pdf. See also “Report: State Abortion Bans Will Harm Women and Families’ Economic Security Across the U.S.” (Aug. 25, 2022), https://www.americanprogress.org/article/state-abortion-bans-will-harm-women-and-families-economic-security-across-the-us/.
[180] See Leslie Read, Heather Nelson, Leslie Korenda, The Deloitte Ctr. for Health Solutions, “Rebuilding Trust in Health Care: What Do Consumers Want—and Need—Organizations to Do?” (Aug. 5, 2021), p. 3 (With focus groups of 525 individuals in the United States who identify as Black, Hispanic, Asian, or Native American, “Fifty-five percent reported a negative experience where they lost trust in a health care provider.”), https://www2.deloitte.com/us/en/insights/industry/health-care/trust-in-health-care-system.html; Liz Hamel, Lunna Lopes, Cailey Muñana, et al., Kaiser Family Foundation, The Undefeated Survey on Race and Health (Oct. 2020), p. 23 (Percent who say they can trust the health care system to do what is right for them or their community almost all of the time or most of the time: Black adults: 44%; Hispanic adults: 50%; White adults: 55%), https://files.kff.org/attachment/Report-Race-Health-and-COVID-19-The-Views-and-Experiences-of-Black-Americans.pdf; “Issue Brief: Health Insurance Coverage and Access to Care for LGBTQ+ Individuals: Current Trends and Key Challenges,” U.S. Dep’t of Health and Human Servs., Assistant Sec’y for Policy & Evaluation, Office of Health Policy (June 2021), p. 9 (“According to a recent survey, 18 percent of LGBTQ+ individuals reported avoiding going to a doctor or seeking healthcare out of concern that they would face discrimination or be treated poorly because of their sexual orientation or gender identity.”), https://aspe.hhs.gov/sites/default/files/2021-07/lgbt-health-ib.pdf; Abigail A. Sewell, “Disaggregating Ethnoracial Disparities in Physician Trust,” Social Science Research (Nov. 2015), https://pubmed.ncbi.nlm.nih.gov/26463531/; Irena Stepanikova, Stefanie Mollborn, Karen S. Cook, et al., “Patients’ Race, Ethnicity, Language, and Trust in a Physician,” Journal of Health and Social Behavior (Dec. 2006), https://pubmed.ncbi.nlm.nih.gov/17240927/.
[181] See “HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care,” U.S. Dep’t of Health and Human Servs. (June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/.
[182] See FCC v. Fox Television Stations, Inc., 556 U.S. 502, 515 (2009) (holding “[ . . . ] the agency must show that there are good reasons for the new policy. [ . . . ][I]t suffices that the new policy is permissible under the statute, that there are good reasons for it, and that the agency believes it to be better, which the conscious change of course adequately indicates.” (emphasis in original)).
[183] See Testimony (transcribed) of Peter R. Orszag and statement of Sen. Durenberger, supra note 135.
Given the particularly sensitive nature of information related to an individual’s reproductive health, the Department is proposing to create new, special safeguards for this information. However, unlike psychotherapy notes, which by their very nature are easily defined and segregated, reproductive health information is not easily defined or segregated. This is in part because many types of PHI may not initially appear to be related to an individual’s reproductive health but may in fact reveal information about an individual’s reproductive health or reproductive health care an individual has received. For example, in a pregnant individual, a high blood pressure reading may be a sign of preeclampsia, and glucose found in a urine test may indicate gestational diabetes. Additionally, it is the Department’s understanding that today’s clinical documentation and health IT do not provide regulated entities with the ability to segment certain PHI such that regulated entities could afford specific categories of PHI special protections, or at least do so in a manner that is not overly burdensome and cost prohibitive.184 Instead, as is consistent with the Privacy Rule’s overall approach,185 the Department proposes a purpose-based prohibition on certain uses and disclosures to protect individuals’ privacy interests in their PHI. The Department believes that this proposed purpose-based prohibition, in concert with the proposed attestation, will restrict the use and disclosure of PHI that could harm HIPAA’s overall goals of increasing trust in the health care system, improving health care quality, and protecting individual privacy, while continuing to allow PHI uses and disclosures that either provide support for those goals or do not interfere with their achievement. Also, consistent with the Privacy Rule’s approach, the Department proposes a Rule of Applicability for the purpose-based prohibition that recognizes the interests of the Federal Government and states in protecting the privacy of persons who seek, obtain, provide, or facilitate lawful reproductive health care. This Rule of Applicability would limit the new prohibition to certain categories of instances in which the state lacks any substantial interest in seeking the disclosure. The Department believes that the proposals described in greater detail later in this NPRM could benefit health care providers and individuals.

Although many benefits are not quantifiable, the Department believes the proposals would increase the likelihood that individuals would seek lawful health care by improving their confidence in the confidentiality of their PHI; improve access to high quality and continuous health care by increasing the accuracy and completeness of individuals’ medical records; improve population health by encouraging individuals to receive disease screenings; safeguard the mental health of pregnant individuals; prevent increases in maternal mortality and morbidity; enhance support for victims of rape, incest, and sex trafficking; and maintain family economic stability. Similarly, the proposals are expected to increase certainty for, and therefore reduce the burden on, regulated entities implementing the Privacy Rule. The Department’s proposed modifications are consistent with its existing authority to modify the Privacy Rule. As discussed above, Congress expressly authorized the Department to develop standards for the privacy of IIHI.

184 See, e.g., 87 FR 74216, 74221 (Dec. 2, 2022) (noting that 42 CFR part 2 previously resulted in the separation of substance use disorder (SUD) treatment records from other health records, which led to the creation of data “silos” that hampered the integration of SUD treatment records into covered entities’ electronic record systems and billing processes. When considering amendments to the relevant statute, some lawmakers argued that the silos perpetuated negative stereotypes about persons with SUD and inhibited coordination of care during the opioid epidemic. See also “Health Information Technology Advisory Committee (HITAC) Annual Report for Fiscal Year 2019,” Health Information Technology Advisory Committee (Feb. 19, 2020), p. 37, https://www.healthit.gov/sites/default/files/page/2020-03/HITAC%20Annual%20Report%20for%20FY19_508.pdf (“The new certification criteria that support the sharing of data via third-party apps will help advance the use of data segmentation, but adoption of this capability by the industry is not yet widespread.”).

185 See 64 FR 59924, 59939, and 59955.
The Department has consistently exercised its rulemaking authority to establish, implement, and modify the HIPAA Rules pursuant to this statutory authority, including when necessary to maintain their effectiveness, address workability issues for regulated entities including clarifying amendments, and respond to changed circumstances.186 The proposed changes would effectuate HIPAA’s goals of setting standards with respect to the privacy of IIHI, thereby increasing the quality of and access to health care by fostering trust in the health care system and buttressing continuity of health care.187 Moreover, Congress expressly provided in HIPAA that the Department’s regulations in this area “shall supersede any contrary provision of State law,” absent an explicit exception.188 As discussed below, various state laws that might conflict with the rules proposed herein, such as those that require disclosure of PHI for purposes of criminal, civil, or administrative investigations or proceedings based on seeking, obtaining, providing, or facilitating lawful reproductive health care, are not excepted from this general rule of preemption. In accordance with section 264(d) of HIPAA, the Department has consulted with the Attorney General in the formulation of this proposed rule and intends to continue to engage in these consultations before finalizing the rule. The Department invites NCVHS to review this proposed rule and to provide comments to the Department.

IV. Section-by-Section Description of Proposed Amendments to the Privacy Rule

The Department proposes to modify the Privacy Rule to strengthen privacy protections for individuals’ PHI by adding a new category of prohibited uses and disclosures.
This modification would prohibit a regulated entity from using or disclosing an individual’s PHI for the purpose of conducting a criminal, civil, or administrative investigation into or proceeding against the individual, a health care provider, or other person in connection with seeking, obtaining, providing, or facilitating reproductive health care that: (1) is provided outside of the state where the investigation or proceeding is authorized and such health care is lawful in the state in which it is provided; (2) is protected, required, or authorized by Federal law, regardless of the state in which such health care is provided; or (3) is provided in the state in which the investigation or proceeding is authorized and that is permitted by the law of that state. In these three circumstances, the state lacks any substantial interest in seeking the disclosure. To operationalize this proposed modification, the Department also proposes to revise or clarify certain definitions and terms that apply to the Privacy Rule, as well as other HIPAA Rules.

186 See, e.g., 67 FR 53182 (modifying the 2000 Privacy Rule in response to stakeholder implementation concerns and to clarify key provisions), 78 FR 5566 (modifying the HIPAA Rules to address HITECH requirements and improve workability and flexibility for covered entities), 79 FR 7289 (modifying the Privacy Rule to address requirements in the Clinical Laboratory Improvement Amendments of 1988 and to improve patient access), and 81 FR 382 (modifying the Privacy Rule to permit certain disclosures to the National Instant Criminal Background Check System).

187 See section III of this rulemaking for a full discussion of HIPAA and congressional intent.

188 42 U.S.C. 1320d–7 and section 264(c)(2) of Public Law 104–191 (codified at 42 U.S.C. 1320d–2 note).
The NPRM would also prohibit a regulated entity from using or disclosing an individual’s PHI for the purpose of identifying 189 an individual, health care provider, or other person for the purpose of initiating such an investigation or proceeding against the individual, a health care provider, or other person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided. To effectuate these proposals, the Department proposes conforming and clarifying changes to the HIPAA Rules. These proposed changes include, but are not limited to, clarifying the definition of “person” to reflect longstanding statutory language defining the term; adopting new definitions of “public health” surveillance, investigation, or intervention, and “reproductive health care”; clarifying that a regulated entity may not decline to recognize a person as a personal representative for the purposes of the Privacy Rule solely because they provide or facilitate reproductive health care for an individual; a new requirement that, in certain circumstances, regulated entities must first obtain an attestation that a requested use or disclosure is not for a prohibited purpose; and modifications to the NPP for PHI to inform individuals that their PHI may not be used or disclosed for a prohibited purpose. The Department’s proposals are discussed in greater detail below.

189 Section 164.514(h) of 45 CFR requires a covered entity, in most cases, to take reasonable steps to verify the identity and authority of a person requesting PHI before disclosing the PHI, including in the case of public officials. The proposed restriction against using or disclosing PHI in connection with the proposals in this NPRM would not modify 45 CFR 164.514(h) but would address only those circumstances in which a regulated entity would use or disclose PHI to identify an individual for a purpose that would be restricted herein. Further, the Department believes the attestation requirement proposed in this NPRM would provide a regulated entity the assurance it needs to make disclosures for identity purposes that are consistent with the Privacy Rule.

A. Section 160.103—Definitions

1. Clarifying the Definition of “Person”

Current Provision and Issues To Address

HIPAA does not define the term “person.” 190 By regulation, the Department has long defined “person” for purposes of the HIPAA Rules to mean “a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.” 191 This definition was based on the meaning of “person” that Congress adopted in the original Social Security Act of 1935 (SSA), defined as an “individual, a trust or estate, a partnership, or a corporation.” 192 In 2002, Congress enacted 1 U.S.C. 8, which defines “person,” “human being,” “child,” and “individual.” 193 The statute specifies that this definition shall apply when “determining the meaning of any Act of Congress, or of any ruling, regulation, or interpretation of the various administrative bureaus and agencies of the United States.” 194 The Department understands 1 U.S.C. 8 to provide a definition of “person” and “child” that is consistent with the Department’s understanding of that term, as it is used in the SSA, HIPAA, and the HIPAA Rules and does not include a fertilized egg, embryo, or fetus.

Proposal

Thus, the Department proposes to clarify the definition of “natural person” in a manner consistent with 1 U.S.C. 8. In so doing, the Department would make clear that all terms subsumed within the definition of “natural person,” such as “individual,” 195 which refers to a “person” who is the subject of PHI under the HIPAA Rules, are limited to the confines of the term “person.” 196 The Department would also make clear that “natural person,” as used in the definition of “person” under the HIPAA Rules, is limited to the definition at 1 U.S.C. 8. The Department believes it would be beneficial to clarify the definition of “person” to ensure that there is an understanding among stakeholders as to its meaning for Privacy Rule purposes. As such, the Department believes the proposed clarification of the definition of person better explains to regulated entities and other stakeholders the parameters of who is an “individual” whose PHI is protected by the HIPAA Rules.

190 See 42 U.S.C. 1320d–1320d–8.

191 45 CFR 160.103.

192 See section 1101(3) of Public Law 74–271, 49 Stat. 620 (Aug. 14, 1935) (codified at 42 U.S.C. 1301(3)).

193 1 U.S.C. 8(a). The Department is not opining on whether any state law confers a particular legal status upon a fetus. The Department instead cites to this statute to define the scope of the right of privacy that attaches pursuant to HIPAA.

194 Id.

195 45 CFR 160.103 (definition of “Individual”).

196 See The Prenatal Record and the Initial Prenatal Visit, The Global Library of Women’s Medicine (last updated Jan. 2008) (PHI about the fetus is included in the mother’s PHI), https://www.glowm.com/section-view/heading/The%20Prenatal%20Record%20and%20the%20Initial%20Prenatal%20Visit/item/107#.Y7WRKofMKUl.

2. Interpreting Terms Used in Section 1178(b) of the Social Security Act 197

HIPAA includes a rule of construction for certain laws generally concerning “[p]ublic health.” 198 Specifically, section 1178(b) of the SSA provides that nothing in HIPAA “shall be construed to invalidate or limit” laws “providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.” 199 Accordingly, the Privacy Rule permits a regulated entity to use and disclose PHI for certain public health purposes, treating the uses and disclosures covered by section 1178(b) as permitted uses and disclosures to public health authorities or other appropriate government authorities for the listed activities.200 A regulated entity may use or disclose PHI to public health authorities for the full range of activities described above, including reporting of diseases and injuries, reporting of birth and death to vital statistics agencies, and activities covered by the terms public health surveillance, public health investigation, and public health intervention. A “public health authority” means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from, or contract with, such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.201 HIPAA does not define the terms in section 1178(b) that govern the scope of the “public health” exceptions to preemption and the Department declines to do so here. The Department believes it necessary to define only “public health” surveillance, investigation, or intervention and to make clear the Department’s interpretation of key terms used in section 1178(b) to clarify when HIPAA preempts contrary state laws. The Department believes that state laws that require the use or disclosure of highly sensitive PHI for non-public health purposes, such as criminal, civil, or administrative investigations or proceedings based on whether a person sought, obtained, provided, or facilitated reproductive health care, are not exempt from HIPAA’s general rule of preemption.

197 42 U.S.C. 1320d–7(b).

198 Id.

199 Id. The Department incorporated this limitation on Federal preemption of state laws in the HIPAA Rules at 45 CFR 160.203(c).

200 45 CFR 164.512(b). The Privacy Rule addresses its interactions with laws governing excepted public health activities in two sections: 45 CFR 164.512(a), Standard: Uses and disclosures required by law, and 45 CFR 164.512(b), Standard: Uses and disclosures for public health activities.

Reporting of Disease or Injury, Birth, or Death

The Privacy Rule permits regulated entities to use or disclose PHI without authorization for the public health purposes of reporting “disease or injury,” “birth,” or “death.” 202 Similarly, section 1178(b) exempts state laws requiring such reporting from HIPAA’s general preemption provision. The Department recognizes that such public health reporting activities are an important means of identifying threats to the health and safety of the public.
The Department does not propose to define “disease or injury,” “birth,” or “death,” because the Department believes that these terms, when read with the definition of “person” as discussed above and in the broader context of HIPAA as discussed in greater detail below, exclude information about abortion or other reproductive health care. But the Department invites comment on whether it would be beneficial to clarify that these terms exclude information about reproductive health care.

201 See 45 CFR 164.501 (definition of “Public health authority”).

202 See U.S. Dep’t of Health and Human Servs., Office for Civil Rights, Public Health (Dec. 18, 2020), https://www.hhs.gov/hipaa/forprofessionals/special-topics/public-health/index.html.

At the time of HIPAA’s enactment, state laws provided for the reporting of disease or injury, birth, or death by covered health care providers and other persons.203 These state public health reporting systems were well established and involved close collaboration between the state, local, or territorial jurisdiction and the Federal Government.204 Reports generally were made to public health authorities or, in some specific cases, law enforcement (e.g., reporting of gunshot wounds).205 Similar public health reporting systems continue to exist today. Reporting of “disease or injury” commonly refers to diagnosable health conditions reported for limited purposes such as workers’ compensation, tort claims, or health tracking efforts.
All states, territories, and Tribal governments require covered health care providers (e.g., physicians and laboratories) and others to report cases of certain diseases or conditions that affect public health, such as coronavirus disease 2019 (COVID–19), malaria, and foodborne illnesses.206 Such reporting enables public health practitioners to study and explain diseases and their spread, along with determining appropriate actions to prevent and respond to outbreaks.207 States also require health care providers to report incidents of certain types of injuries, such as those caused by gunshots, knives, or burns.208 Various Federal statutes use the phrase “disease or injury” similarly to refer to events such as workplace injuries for purposes of compensation.209

203 The 1996–98 Report of the NCVHS to the Secretary describes various types of activities considered to be public health during the era in which HIPAA was enacted, such as the collection of public health surveillance data on health status and health outcomes and vital statistics information. See Report of “The National Committee on Vital and Health Statistics, 1996–98,” Nat’l Comm. on Vital and Health Stats. (Dec. 1999), https://ncvhs.hhs.gov/wp-content/uploads/2018/03/90727nv-508.pdf.

204 Id.

205 Id.

206 See “Reportable diseases,” in National Institutes of Health, National Library of Medicine, MedlinePlus, https://medlineplus.gov/ency/article/001929.htm (accessed Oct. 19, 2022). See also “What is Case Surveillance?” Centers for Disease Control and Prevention, National Notifiable Diseases Surveillance Sys. (July 20, 2022), https://www.cdc.gov/nndss/about/.

207 See “Reportable diseases,” supra note 206. Such reporting is a type of public health surveillance activity.

208 See Victims Rights Law Center, “Mandatory Reporting of Non-Accidental Injuries: A State-by-State Guide” (May 2014), https://4e5ae7d17e.nxcli.net/wp-content/uploads/2021/01/MandatoryReporting-of-Non-Accidental-Injury-Statutes-byState.pdf.

209 See, e.g., 38 U.S.C. 1110 (referring to an “injury suffered or disease contracted”); 10 U.S.C. 972 (discussing time lost as a result of “disease or injury”); 38 U.S.C. 3500 (providing education for certain children whose parent suffered “a disease or injury” incurred or aggravated in the Armed Forces); see also 5 U.S.C. 8707 (insurance provision discussing compensation as a result of “disease or injury”); 33 U.S.C. 765 (discussing retirement for disability as a result of “disease or injury”); 15 U.S.C. 2607(c) (requiring chemical manufacturers to maintain records of “occupational disease or injury”).

The limited meaning given to the terms “disease” and “injury” is clear from HIPAA’s broader context. For instance, interpreting “injury” to include reporting of any criminal abuse would render the specific exception for “child abuse” superfluous. And interpreting “disease” to include reporting of any disease for any purpose would eviscerate HIPAA’s general provisions protecting PHI. “[D]isease management activities” constitute “health care” under the Privacy Rule, and a broad interpretation of “disease or injury” would make even information about cancer treatment disclosable.210 Consequently, the Department has long understood “disease or injury” to narrowly refer to diagnosable health conditions reported for limited purposes such as workers’ compensation, tort claims, or health tracking efforts.211 With respect to reporting of “births” and “deaths,” such vital statistics are reported by covered health care providers to the vital registration systems operated in various jurisdictions 212 legally responsible for the registration of vital events.213 State laws require birth certificates to be completed for all births, and Federal law mandates the national collection and publication of births and other vital statistics data.214 Tracking and reporting death is a complex and decentralized process with a variety of systems used by more than 6,000 local vital registrars.215 When HIPAA was enacted, the Model State Vital Statistics Act and Regulations, which is followed by most states,216 included distinct categories for “live births,” “fetal deaths,” and “induced terminations of pregnancy,” with instructions that abortions “shall not be reported as fetal deaths.” 217 In light of that common understanding at the time of HIPAA’s enactment, it is clear that the reporting of abortions is not included in the category of reporting of deaths for the purposes of HIPAA and does not fall within the scope of state activities Congress specifically designated as excepted from preemption by HIPAA. More generally, while Congress exempted certain “[p]ublic health” laws from preemption,218 Congress chose not to create a general exception for criminal laws or other laws that address the disclosure of information about similar types of activities outside of the public health context. Thus, the Privacy Rule’s exceptions for reporting of disease or injury, birth, or death do not allow the use or disclosure of PHI for investigating or punishing a person for seeking, obtaining, providing, or facilitating reproductive health care. Similarly, state laws requiring disclosure for such purposes are not exempt under section 1178(b) from HIPAA’s general preemption provision.

210 See 65 FR 82571 (recognizing that “disease management activities” often constitute “health care” under HIPAA); 65 FR 82777 (discussing the importance of privacy for information about cancer, a “disease” that causes an “indisputable” “societal burden”); 65 FR 82778 (discussing the importance of privacy for information about sexually transmitted diseases, including Human Immunodeficiency Virus/Acquired Immunodeficiency Syndrome (HIV/AIDS)); 65 FR 82463–64 (noting that numerous states adopted laws protecting health information relating to certain health conditions such as communicable diseases, cancer, HIV/AIDS, and other stigmatized conditions.); 65 FR 82731 (finding that there are no persuasive reasons to provide information contained within disease registries with special treatment as compared with other information that may be used to make decisions about an individual).

211 See, e.g., 65 FR 82517 (discussing tort litigation as information that could implicate IIHI); 65 FR 82542 (discussing workers’ compensation); 65 FR 82527 (separately addressing disclosures about “abuse, neglect or domestic violence” and limiting such disclosures to only two circumstances, even if expressly authorized by state statute or regulation).

212 See “Health Department Governance,” Centers for Disease Control and Prevention, Public Health Professionals Gateway (Nov. 25, 2022), https://www.cdc.gov/publichealthgateway/sitesgovernance/.

213 See the list of events included in vital events “vital events—births, deaths, marriages, divorces, and fetal deaths,” National Center for Health Statistics, Centers for Disease Control and Prevention, About the National Vital Statistics System (Jan. 4, 2016), https://www.cdc.gov/nchs/nvss/about_nvss.htm.
214 See “Birth Data,” National Center for Health Statistics, Centers for Disease Control and Prevention, National Vital Statistics (Dec. 6, 2022), https://www.cdc.gov/nchs/nvss/births.htm.

215 See “How Tracking Deaths Protects Health,” Centers for Disease Control and Prevention, Public Health and Surveillance Data (July 2018), https://www.cdc.gov/surveillance/pdfs/Tracking-Deathsprotects-healthh.pdf.

216 See “State Definitions and Reporting Requirements: For Live Births, Fetal Deaths, and Induced Terminations of Pregnancy,” Centers for Disease Control and Prevention, National Center for Health Statistics (1997), p. 5, https://www.cdc.gov/nchs/data/misc/itop97.pdf.

217 “Model State Vital Statistics Act and Regulations,” Centers for Disease Control and Prevention, National Center for Health Statistics (1992), p. 8, https://www.cdc.gov/nchs/data/misc/mvsact92b.pdf.

218 42 U.S.C. 1178(b) (codified in HIPAA at 42 U.S.C. 1320d–7).

Public Health Surveillance, Investigation, or Intervention

The Privacy Rule also permits a regulated entity to use or disclose PHI to conduct “public health” surveillance, investigation, or intervention.219 Section 1178(b) similarly exempts state laws providing for “public health” surveillance, investigation, or intervention from HIPAA’s general preemption rule. Neither HIPAA nor the Privacy Rule currently defines these terms. To clarify their meaning, the Department proposes to define public health 220 surveillance, investigation, or intervention to mean population-based activities to prevent disease and promote health of populations.221 The Department also proposes to clarify that such public health activities do not include uses and disclosures for the criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, or to identify any person for the purpose of initiating such an investigation or proceeding.222

Since the time of HIPAA’s enactment, public health activities related to surveillance, investigation, or intervention have been widely understood to refer to activities aimed at improving the health of a population. For example, legal dictionaries define “public health” as “[t]he health of the community at large,” or “[t]he healthful or sanitary condition of the general body of people or the community en masse; esp., the methods of maintaining the health of the community, as by preventive medicine or organized care for the sick.” 223 Stedman’s Medical Dictionary defines “public health” as “the art and science of community health, concerned with statistics, epidemiology, hygiene, and the prevention and eradication of epidemic diseases; an effort organized by society to promote, protect, and restore the people’s health; public health is a social institution, a service, and a practice.” 224 The Centers for Disease Control and Prevention’s (CDC) Agency for Toxic Substances and Disease Registry commonly defines “public health surveillance” as “the ongoing systematic collection, analysis and interpretation of outcome-specific data for use in the planning, implementation, and evaluation of public health practice.” 225 And many states similarly define “public health” to mean population-level activities.226 The Department likewise has used public health in this way since it first adopted the Privacy Rule.227

There is also a widely recognized distinction between public health activities, which primarily focus on improving the health of populations, and criminal investigations, which primarily focus on identifying and imposing liability on persons who have violated the law. States and other local governing authorities maintain criminal codes that are distinct and separate from public health reporting laws,228 although some jurisdictions enforce required reporting through criminal statutes.

219 See 45 CFR 164.512(b)(1)(i); U.S. Dep’t of Health and Human Servs., Office for Civil Rights, Disclosures for Public Health Activities, (accessed Oct. 19, 2022), https://www.hhs.gov/hipaa/forprofessionals/privacy/guidance/disclosures-publichealth-activities/.

220 See “Ten Essential Public Health Services,” Centers for Disease Control and Prevention, Public Health Professionals Gateway (Dec. 1, 2022), https://www.cdc.gov/publichealthgateway/publichealthservices/essentialhealthservices.html and “What is Public Health?” in CDC Foundation, Public Health in Action (2023), https://www.cdcfoundation.org/what-publichealth. See also “HIPAA Privacy Rule and Public Health,” Centers for Disease Control and Prevention, MMWR (Apr. 11, 2003), https://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm.

221 See Report of “The National Committee on Vital and Health Statistics, 1996–98,” supra note 203. These activities are consistent with the definition proposed herein.

222 See Report of “The National Committee on Vital and Health Statistics, 1996–98,” supra note 203, for descriptions of public health activities in 1996–98.

223 “Health,” “public health,” Black’s Law Dictionary (11th ed. 2019).

224 “Public health,” Stedman’s Medical Dictionary 394520.

225 Jonathan Weinstein, “In Re Miguel M.,” 55 N.Y.L. Sch. L. Rev. 389, 390 (2010) (citing Stephen B. Thacker, “Historical Development,” in Principles and Practice of Public Health Surveillance 1 (Steven M. Teutsch & R. Elliott Churchill eds., 2d ed., 2000)), https://digitalcommons.nyls.edu/cgi/viewcontent.cgi?article=1599&context=nyls_law_review.

226 See, e.g., Richard A. Goodman, Judith W. Munson, Kim Dammers, et al., “Forensic Epidemiology: Law at the Intersection of Public Health and Criminal Investigations,” 31 The Journal of Law, Medicine & Ethics 684, 689–90 (2003); La. Rev. Stat. Ann. sec. 40:3.1 (2011) (defining threats to public health as nuisances “including but not limited to communicable, contagious, and infectious diseases, as well as illnesses, diseases, and genetic disorders or abnormalities”); N.C. Gen. Stat. sec. 130A–141.1(a) (2010) (defining public health investigations as the “surveillance of an illness, condition, or symptoms that may indicate the existence of a communicable disease or condition”).

227 See, e.g., 65 FR 82464 (noting that reporting of public health information on communicable diseases is not prevented by individuals’ right to information privacy); id. at 82467 (discussing the importance of accurate medical records in recognizing troubling public health trends and in assessing the effectiveness of public health efforts); id. at 82473 (discussing disclosure to “a department of public health”); id. at 82525 (recognizing that it may be necessary to disclose PHI about communicable diseases when conducting a public health intervention or investigation); id. at 82526 (recognizing that an entity acts as a “public health authority” when, in its role as a component of the public health department, it conducts infectious disease surveillance); “HIPAA Privacy Rule and Public Health,” supra note 220 (describing what traditionally are considered to be “public health activities” that require PHI).
Different governmental bodies are responsible for enforcing these separate codes, and public health officials do not typically investigate criminal activity.229 When states intend for public health information to be shared with law enforcement for criminal investigation purposes, they typically pass specific laws to permit that sharing.230 Other Federal laws also treat public health investigations as distinct from criminal investigations.231 Maintaining a clear distinction between public health investigations and criminal investigations serves HIPAA’s broader purposes, as well, by safeguarding privacy to ensure quality health care.232 228 For example, traditional public health reporting laws grew from colonial requirements that physicians report disease. These requirements transitioned to state regulatory requirements imposed by public health departments on authority granted to them by states. See Public Health Law 101, Disease Reporting and Public Health Surveillance, Centers for Disease Control and Prevention, p. 12 and 14, https://www.cdc.gov/ phlp/docs/phl101/PHL101-Unit-5-16Jan09Secure.pdf. See also, e.g., Code of Georgia 31–12– 2 (2021), authority to require disease reporting. 229 See ‘‘Public Health,’’ supra note 223 (‘‘Many cities have a ‘public health department’ or other agency responsible for maintaining the public health; Federal laws dealing with health are administered by the Department of Health and Human Services.’’); See also ‘‘Forensic Epidemiology: Law at the Intersection of Public Health and Criminal Investigations,’’ supra note 226, at 689. 230 See ‘‘Forensic Epidemiology: Law at the Intersection of Public Health and Criminal Investigations,’’ supra note 226, at 687 (discussing South Dakota Statutes sec. 22–18–31, a law allowing HIV test results to be released to a prosecutor for criminal investigation purposes); id. at 693 (discussing North Carolina General Statute (N.C.G.S.) sec. 
130A–476, a law allowing confidential medical information to be shared with law enforcement in certain circumstances related to communicable diseases or terrorism). 231 See Camara v. Municipal Ct. of City & Cty. of S.F., 387 U.S. 523, 535–37 (1967) (discussing administrative inspections under the Fourth Amendment, such as those aimed at addressing ‘‘conditions which are hazardous to public health and safety,’’ and not ‘‘aimed at the discovery of evidence of crime’’); 42 U.S.C. 241(d)(D) (prohibiting disclosure of private information from research subjects in ‘‘criminal’’ and other proceedings); 42 U.S.C. 290dd–2(c) (prohibiting substance abuse records from being used in criminal proceedings). 232 See ‘‘Forensic Epidemiology: Law at the Intersection of Public Health and Criminal Investigations,’’ supra note 226, at 687 (discussing reasons why ‘‘an association of public health with law enforcement’’ may be ‘‘to the detriment of routine public health practice’’). See also 45 CFR E:\FR\FM\17APP2.SGM Continued 17APP2 23526 Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules lotter on DSK11XQN23PROD with PROPOSALS2 The Department concludes that the Privacy Rule’s permissions to use and disclose PHI for the ‘‘public health’’ activities of surveillance, investigation, or intervention do not include criminal, civil, or administrative investigations into, or proceedings against, any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, nor do they include identifying any person for the purpose of initiating such investigations or proceedings. Such actions are not public health activities. Public health surveillance, investigations, or interventions ensure the health of the community as a whole by addressing population-level issues such as the spread of communicable diseases, even where they involve individual-level interventions. 
Such surveillance systems provide data necessary to examine and potentially develop interventions to improve the public’s health, such as providing education or resources to support individuals’ access to health care and improve health outcomes.233 U.S. states, territories, and Tribal governments participate in bilateral agreements with the Federal Government to share data on conditions that affect public health.234 The CDC’s Division of Reproductive Health presently collects reproductive health data in support of national and statebased population surveillance systems to assess maternal complications, mortality and pregnancy-related disparities, and the numbers and characteristics of individuals who obtain legal induced abortions.235 Importantly, disclosures to public health authorities permitted by the Privacy Rule are limited to the ‘‘minimum necessary’’ to accomplish the public health purpose.236 In many cases, regulated entities need disclose only de-identified data 237 to meet the public health purpose. By contrast, 164.512(b)(1)(i) (including ‘‘public health investigations’’ as an activity carried out by a public health authority that is authorized by law to carry out public health activities). 233 See ‘‘Improving the Role of Health Departments in Activities Related to Abortion,’’ American Public Health Association (Oct. 26, 2021), https://www.apha.org/Policies-and-Advocacy/ Public-Health-Policy-Statements/Policy-Database/ 2022/01/07/Improving-Health-Department-Role-inActivities-Related-to-Abortion. 234 See ‘‘Reportable diseases,’’ supra note 206. See also ‘‘What is Case Surveillance?’’ supra note 206. 235 See ‘‘Reproductive Health,’’ Centers for Disease Control and Prevention (Apr. 20, 2022), https://www.cdc.gov/reproductivehealth/drh/aboutus/index.htm; and ‘‘Reproductive Health—CDCs Abortion Surveillance System FAQs,’’ Centers for Disease Control and Prevention, Reproductive Health (Nov. 
17, 2022), https://www.cdc.gov/ reproductivehealth/data_stats/abortion.htm. 236 See 45 CFR 164.502(b). 237 See 45 CFR 164.514(a). VerDate Sep<11>2014 17:22 Apr 14, 2023 Jkt 259001 criminal, civil, and administrative investigations and proceedings generally target specific persons; they are not designed to address populationlevel health concerns and are not limited to information authorized to be collected by a public health or similar government authority for a public health activity. Thus, the exceptions in section 1178(b) for ‘‘public health’’ investigations, interventions, or surveillance do not limit the Department’s ability to prohibit uses or disclosures of PHI for other purposes, such as judicial and administrative proceedings or law enforcement purposes. While the Department has chosen as a policy matter to permit uses or disclosures of PHI for law enforcement and other purposes in other contexts, it believes, as discussed above, that a different balance is appropriate in the context of highly sensitive information related to reproductive health care. In light of the proposed definition of ‘‘public health’’ in this context, the Department does not propose to additionally define the terms ‘‘investigation,’’ ‘‘intervention,’’ or ‘‘surveillance,’’ because it believes these terms are commonly understood. 
Specifically, the Department believes public health investigation or intervention includes monitoring real-time health status and identifying patterns to develop strategies to address chronic diseases and injuries, as well as using real-time data to identify and respond to acute outbreaks, emergencies, and other health hazards.238 The Department also believes public health surveillance refers to the ongoing, systematic collection, analysis, and interpretation of health-related data essential to planning, implementation, and evaluation of public health practice.239 Nevertheless, the Department invites comment on whether it would be beneficial to specifically define these terms.

Child Abuse Reporting

In accordance with section 1178(b) of HIPAA, the Privacy Rule permits a regulated entity to use or disclose PHI to report known or suspected child abuse or neglect if the report is made to a public health authority or other appropriate government authority that is authorized by law to receive such reports,240 which primarily are state or local child protective services agencies.241 This Privacy Rule provision does not include permission for the covered entity to disclose PHI in response to a request for PHI for a criminal, civil, or administrative investigation into or proceeding against a person based on suspected child abuse. Rather, the Privacy Rule only permits the disclosure of information for the purpose of making a report. We also note that the permission limits such disclosures to the minimum necessary to make the report.242 Any disclosure of PHI in response to a request from an investigator, whether in follow-up to the report made by the covered entity (other than to clarify the PHI provided on the report) or as part of an investigation initiated based on an allegation or report made by a person other than the covered entity, would be required to meet the conditions of disclosures to law enforcement or for other investigations or legal proceedings.243

As discussed above, the Department understands the term ‘‘person’’ as it is used in the SSA, HIPAA, and the HIPAA Rules to be consistent with 1 U.S.C. 8. Congress also defined the term ‘‘child’’ in 1 U.S.C. 8, and the Department similarly understands the term ‘‘child’’ in the Privacy Rule to be consistent with that definition. Further, at the time HIPAA was enacted, ‘‘most, if not all, states had laws that mandated reporting of child abuse or neglect to the appropriate authorities.’’ 244 As such, the Department believes that to the extent its proposal would prohibit a regulated entity from disclosing PHI in order to report ‘‘child abuse’’ where the alleged victim does not meet the definition of ‘‘person,’’ the proposal is consistent with both 1 U.S.C. 8 and 1178(b).

At the time HIPAA was enacted, ‘‘most, if not all, states had laws that mandated reporting of child abuse or neglect to the appropriate authorities.’’ 245 Additionally, when Congress enacted HIPAA, it had already addressed child abuse reporting in other laws, such as the Victims of Child Abuse Act of 1990 246 and the Child Abuse Prevention and Treatment Act.247 For example, 34 U.S.C. 20341(a)(1), a provision of the original Victims of Child Abuse Act of 1990 still in place today, requires certain professionals to report suspected abuse when working on Federal land or in a federally operated (or contracted) facility.248 As used in these statutes, the term ‘‘child abuse’’ does not include activities related to reproductive health care, such as abortion. For the reasons just stated, the Department believes that ‘‘child abuse’’ as used in the Privacy Rule and section 1178(b) is best interpreted to exclude conduct based solely on seeking, obtaining, providing, or facilitating reproductive health care. This interpretation is consistent with the public health aims of improving access to health care, including reproductive health care, for individuals and with congressional intent when HIPAA was enacted. Additionally, as the Department has stated in previous rulemakings, we do not intend to disrupt longstanding state or Federal child abuse reporting requirements that apply to regulated entities.249 Thus, the Department believes this interpretation of ‘‘child abuse’’ supports the protection of children while also serving HIPAA’s objectives of protecting the privacy of PHI to promote individuals’ trust in the health care system and preserving the relationship between individuals and their health care providers.

238 See ‘‘Ten Essential Public Health Services,’’ supra note 220.
239 See ‘‘Introduction to Public Health Surveillance,’’ Centers for Disease Control and Prevention (Nov. 15, 2018), https://www.cdc.gov/training/publichealth101/surveillance.html.
240 See 45 CFR 164.512(b)(1)(ii).
241 State laws require certain persons, such as health care providers, to report known or suspected child abuse or neglect; such persons are often called ‘‘mandatory reporters.’’ See ‘‘Mandatory Reporters of Child Abuse and Neglect,’’ U.S. Dep’t of Health and Human Servs., Administration for Children and Families, Children’s Bureau, Child Welfare Information Gateway (Apr. 2019), https://www.childwelfare.gov/pubPDFs/manda.pdf. See also ‘‘Factsheet: How the Child Welfare System Works,’’ U.S. Dep’t of Health and Human Servs., Administration for Children and Families, Children’s Bureau, Child Welfare Information Gateway (Oct. 2020), https://www.childwelfare.gov/pubPDFs/cpswork.pdf.
242 See 45 CFR 164.502(b) and 164.514(d).
243 See 45 CFR 164.512(e) and (f).
244 65 FR 82527.
The Department requests comment on its interpretation of ‘‘child abuse’’ as that term is used in the Privacy Rule.

3. Adding a Definition of ‘‘Reproductive Health Care’’

The HIPAA Rules define ‘‘health care’’ as ‘‘care, services, or supplies related to the health of an individual.’’ 250 The definition clarifies that the term specifically ‘‘includes but is not limited’’ to certain types of care, services, or supplies related to the health of the individual. These groupings are ‘‘[p]reventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body’’ 251 and ‘‘[the s]ale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.’’ 252 As indicated by ‘‘includes, but is not limited to,’’ this is not an exclusive list of the types of services or supplies that constitute health care for the purposes of the HIPAA Rules. Indeed, ‘‘health care’’ also includes supplies purchased over the counter or furnished to the individual by a person that does not meet the definition of a health care provider under the HIPAA Rules.253

The Department proposes to add and define a new term, ‘‘reproductive health care,’’ that is a subcategory of the existing term ‘‘health care.’’ Specifically, the Department proposes to define ‘‘reproductive health care’’ as ‘‘care, services, or supplies related to the reproductive health of the individual.’’ As with ‘‘health care,’’ ‘‘reproductive health care’’ applies broadly and includes not only reproductive health care and services furnished by a health care provider and supplies furnished in accordance with a prescription, but also care, services, or supplies furnished by other persons and non-prescription supplies purchased in connection with an individual’s reproductive health. The Department proposes defining reproductive health care based on the underlying activities, consistent with its approach to defining ‘‘health care’’ in the 2000 Privacy Rule.254 Under this proposal, such care, services, or supplies would be considered ‘‘reproductive health care’’ to the extent that they meet this functional definition. Elsewhere, Congress and the Department have defined similar terms like ‘‘reproductive health services’’ and ‘‘reproductive health care services’’ to mean ‘‘reproductive health services provided in a hospital, clinic, physician’s office, or other facility, and includes medical, surgical, counselling or referral services relating to the human reproductive system, including services relating to pregnancy or the termination of a pregnancy.’’ 255 The Department proposes to use the term ‘‘reproductive health care’’ rather than ‘‘reproductive health services’’ to ensure that the term is interpreted broadly to capture all health care that could be furnished to address reproductive health, including the provision of supplies such as medications and devices, whether prescription or over-the-counter. The Department also proposes to define ‘‘reproductive health care’’ to include all specified services regardless of where they are provided, rather than only when provided in particular locations, and all types of reproductive health care services, rather than only certain types of services listed within the definition. The Department believes that services meeting the definition of these similar terms would generally be included within the proposed definition of ‘‘reproductive health care.’’ Additionally, the Department believes that basing the proposed term and definition of ‘‘reproductive health care’’ on the existing HIPAA term and definition of ‘‘health care’’ would be easier and less burdensome for regulated entities and other stakeholders to understand and implement.

In keeping with the Department’s intention for ‘‘reproductive health care’’ to be interpreted broadly and inclusive of all types of health care related to an individual’s reproductive system, the Department would interpret ‘‘reproductive health care’’ to include, but not be limited to: contraception, including emergency contraception; pregnancy-related health care; fertility or infertility-related health care; and other types of care, services, or supplies used for the diagnosis and treatment of conditions related to the reproductive system. Pregnancy-related health care includes, but is not limited to, miscarriage management, molar or ectopic pregnancy treatment, pregnancy termination, pregnancy screening, products related to pregnancy, prenatal care, and similar or related care. Other types of care, services, or supplies used for the diagnosis and treatment of conditions related to the reproductive system include health care related to reproductive organs, regardless of whether the health care is related to an individual’s pregnancy or whether the individual is of reproductive age. The Department would interpret fertility or infertility-related health care to include services such as assisted reproductive technology and its components,256 as well as other care, services, or supplies used for the diagnosis and treatment of infertility.

The Department is not proposing a specific definition of ‘‘reproductive health’’ at this time. Various definitions of the term have been included in literature. The Department recognizes that it may be helpful to stakeholders if ‘‘reproductive health’’ were to be defined in the final rule and invites comment on whether including a particular definition of ‘‘reproductive health’’ would be beneficial.

4. Request for Comment

The Department requests comment on the foregoing definitions and proposals, including any benefits, drawbacks, or unintended consequences. The Department also requests comment on the following considerations in particular:
a. Whether the definitions the Department proposes to adopt are appropriate. If not, please provide an alternative definition(s) and support for the definition(s).
b. Whether it is necessary for the Department to define ‘‘reproductive health.’’ If so, please provide a definition and support for the definition.
c. Whether the Department should provide examples of ‘‘reproductive health care’’ in regulatory text, or it is sufficient to provide extensive discussion of the examples in preamble?
d. Whether it would be helpful for the Department to define any additional terms. If so, please propose a definition and support for the definition and rationale.

B. Section 164.502—Uses and Disclosures of Protected Health Information: General Rules

1. Clarifying When PHI May Be Used or Disclosed by Regulated Entities

Section 164.502 of the Privacy Rule contains the general rules governing uses and disclosures of PHI, including that a covered entity or business associate may use or disclose PHI only as permitted or required by the Privacy Rule.257 Section 164.502(a)(1) lists permitted uses and disclosures. In this NPRM, the Department proposes several modifications to the Privacy Rule to prohibit regulated entities from using or disclosing an individual’s PHI for use against any individual, regulated entity, or other person for the purpose of a criminal, civil, or administrative investigation into or proceeding against such person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided.

245 Id.
246 Public Law 101–647, 104 Stat. 4789 (codified at 18 U.S.C. 3509).
247 Public Law 93–247, 88 Stat. (codified at 42 U.S.C. 5101 note).
248 See 34 U.S.C. 20341(a)(1), originally enacted as part of the Victims of Child Abuse Act of 1990 and codified at 42 U.S.C. 13031, which was editorially reclassified as 34 U.S.C. 20341, Crime Control and Law Enforcement. For the purposes of such mandated reporting, see 34 U.S.C. 20341(c)(1) for definition of ‘‘child abuse.’’
249 65 FR 82527.
250 45 CFR 160.103 (definition of ‘‘Health care’’).
251 Id.
252 Id.
253 45 CFR 164.103 (definition of ‘‘Health care provider’’).
254 65 FR 82571.
255 18 U.S.C. 248(e)(5) uses the term ‘‘reproductive health services,’’ while E.O. 14076, 87 FR 42053 (July 8, 2022), and 14079, 87 FR 49505 (Aug. 3, 2022), use the term ‘‘reproductive healthcare services.’’ The definitions are essentially the same, with the only difference being ‘‘health’’ as opposed to ‘‘healthcare.’’
256 See ‘‘What is Assisted Reproductive Technology?’’ Centers for Disease Control and Prevention (Oct. 8, 2019), https://www.cdc.gov/art/whatis.html#:~:text=According%20to%20this%20definition%2C%20ART,donating%20them%20to%20another%20woman.
257 45 CFR 164.502(a)(1).
The Department also proposes to prohibit regulated entities from using or disclosing PHI for identifying an individual, a regulated entity, or other person for the purpose of initiating such an investigation or proceeding. These changes are proposed to continue safeguarding the privacy of PHI to ensure trust in the health care system and to enable individuals’ access to high-quality health care.

The proposed prohibition in 45 CFR 164.502 is threefold: paragraph (a)(5)(iii) outlines the activity the Department proposes to prohibit; paragraph (a)(1)(iv) specifies that an authorization cannot be used to bypass the proposed prohibition in paragraph (a)(5)(iii); and paragraph (a)(1)(vi) clarifies that the permissions at 45 CFR 164.512 cannot be used to circumvent the proposed prohibition.

The Department proposes to modify the general rules in 45 CFR 164.502 by adding a clause to paragraph (a)(1)(iv) and adding a new requirement in paragraph (a)(1)(vi). Existing paragraph (a)(1)(iv) permits disclosures based on a valid authorization and, in a prefatory clause, provides an exception to that general permission such that a health plan cannot use or disclose PHI that is genetic information for underwriting purposes, even with an individual’s authorization. Thus, an authorization that purports to allow a use or disclosure of PHI for that prohibited purpose is not valid under the Privacy Rule. Similarly, the Department proposes to add the new prohibition proposed in 45 CFR 164.502(a)(5)(iii) to the types of uses and disclosures that would not be permitted even with an authorization. By adding an exception to paragraph (a)(1)(iv) for uses and disclosures prohibited by paragraph (a)(5)(iii), the Department seeks to fully protect individuals’ privacy by precluding any possibility that a third party, such as a law enforcement official, could obtain an individual’s PHI for a prohibited purpose by coercing the individual to sign an authorization. In addition, the new proposed requirement in paragraph (a)(5)(iii) would expressly permit certain uses and disclosures made under 45 CFR 164.512 only when an applicable attestation has been obtained pursuant to proposed 45 CFR 164.509, discussed below in section IV.D. For clarity, this proposal would also revise paragraph (a)(5)(vi) to replace the sentence containing the conditions for certain permitted uses and disclosures with a lettered list.

2. Adding a New Category of Prohibited Uses and Disclosures

Issues To Address

Generally, the Privacy Rule prohibits uses or disclosures of PHI except as permitted or required by the Rule. The Privacy Rule explicitly prohibits uses and disclosures of PHI in two circumstances: (1) a health plan generally is prohibited from using or disclosing PHI that is genetic health information for underwriting purposes; 258 and (2) a regulated entity is prohibited from selling PHI except when they have obtained a valid authorization from the individual who is the subject of the PHI.259 As discussed in section III of this preamble, the Department issued its prior iterations of the Privacy Rule at a time when individuals, as a practical matter, generally would not have expected their highly sensitive health care information to be used or disclosed for criminal, civil, or administrative investigations into or proceedings about that health care. The current regulatory and legal environment is in tension with that expectation and threatens to erode the trust that is essential to access to and quality of health care. The Department has received letters from the public, indicating confusion and concern as to the ability of regulated entities to use or disclose PHI for the purposes described above. These sentiments have been echoed by stakeholders in listening sessions and in media reports. Letters sent to the Department by Members of Congress further reinforce that confusion and concern exist about the privacy of individuals’ PHI, in addition to supporting the Department’s position that it has the ongoing authority under HIPAA and the HITECH Act to modify the Privacy Rule to ensure the privacy of PHI.260 These developments and communications bolster the Department’s decision to propose certain regulatory changes and technical corrections that are necessary to eliminate ambiguity and promote trust in the health care system. Therefore, the Department proposes to modify 45 CFR 164.502 by adding a new paragraph (a)(5)(iii) that will protect the privacy of individuals who obtain reproductive health care that is lawful under the circumstances in which it is provided, as well as their health care providers, and others who assist them in obtaining such health care.

258 45 CFR 164.502(a)(5)(i).
259 45 CFR 164.502(a)(5)(ii).
260 See, e.g., Letter from United States Congress Senators Tammy Baldwin, Elizabeth Warren, and Ron Wyden, et al., to HHS Secretary Xavier Becerra (March 7, 2023); Letter from United States Congress Senators Patty Murray, Kirsten Gillibrand, and Martin Heinrich, et al., to HHS Secretary Xavier Becerra (Sept. 13, 2022); Letter from United States Congress House Representatives Earl Blumenauer, Diana DeGette, Barbara Lee, et al., to HHS Secretary Xavier Becerra (Aug. 30, 2022); and Letter from United States Congress Senators Michael F. Bennet and Catherine Cortez Masto to HHS Secretary Xavier Becerra (July 1, 2022).
Proposed Prohibition In keeping with the Privacy Rule’s purpose-based approach to specifying uses or disclosures that are required, permitted, or prohibited, proposed 45 CFR 164.502(a)(5)(iii) would prohibit a regulated entity from using or disclosing PHI where the PHI would be used for a criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care, or identifying any person for the purpose of initiating such an investigation or proceeding, subject to the Rule of Applicability and Rule of Construction set forth in 45 CFR 164.502(a)(5)(iii)(C) and (D). Furthermore, the Department proposes that ‘‘seeking, obtaining, providing, or facilitating’’ would include, but not be limited to, expressing interest in, inducing, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, assisting, or otherwise taking action to engage in reproductive health care, as well as attempting to engage in any of the same. This proposed prohibition addresses efforts to investigate or bring proceedings against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided, or to identify any person for the purpose of initiating such investigation or proceeding. As discussed above, it would be contrary to the Congressional intent of protecting the privacy of an individual’s PHI and access to health care if the Privacy Rule were to permit a regulated entity to use or disclose PHI to investigate and bring proceedings against persons for seeking, obtaining, providing or facilitating reproductive health care, or to identify any person for such purposes, where such health care is lawful under state or Federal law. 
Permitting such uses and disclosures would also be inconsistent with longstanding individual privacy expectations and could especially chill VerDate Sep<11>2014 17:22 Apr 14, 2023 Jkt 259001 access to lawful health care, including by high-risk individuals who may have already experienced a miscarriage, ectopic pregnancy, stillbirth, or infertility. If such uses and disclosures are permitted, individuals may delay obtaining lawful health care or withhold information about their condition or medical history because they may not trust their health care providers to use the information only to provide appropriate health care, rather than report them to law enforcement authorities or others.261 Delaying health care may negatively affect an individual’s health, including increasing the risk of death. In fact, a recent report from the Texas Maternal Mortality and Morbidity Review Committee and Department of State Health Services found that the most common contributing factors to a woman’s pregnancy-related death in Texas were delay or failure to seek care, lack of knowledge regarding importance of treatment or follow-up, and lack of access and financial resources.262 Similarly, if such uses and disclosures are permitted, a health care provider might leave gaps in or include inaccuracies in the individual’s medical records, creating a risk that ongoing or future health care would be compromised, because they may not trust that the information would not be obtained by law enforcement authorities or others.263 Further, even where investigations cannot lawfully result in proceedings against a person, investigations themselves can reduce the health information privacy of the individual whose PHI is sought for the investigation, thereby harming that individual. For example, permitting a 261 See ‘‘In a doctor’s suspicion after a miscarriage, a glimpse of expanding medical mistrust,’’ supra note 13. 
‘‘[A health care provider’s] ability to take care of patients relies on trust, and that will be impossible moving forward [. . .] [abortion restrictions] are really going to put a damper on people seeking care, even in very normal, very legal situations.’’; See also Lucy OgbuNwobodo, Ruth S. Shim, Sarah Y. Vinson, et al., ‘‘Mental Health Implications of Abortion Restrictions for Historically Marginalized Populations,’’ The New England Journal of Medicine (Oct. 27, 2022), https://www.nejm.org/ doi/full/10.1056/NEJMms2211124 (‘‘With the elimination of the right to privacy guaranteed by Roe v. Wade and the criminalization of abortion in many states, the risk of punitive involvement by the criminal legal system as a consequence of reproductive decisions, and potentially even in cases of miscarriage, is likely to be especially high for members of historically marginalized groups with mental illness—a population that is already overrepresented in the criminal legal system.’’). 262 See Texas Maternal Mortality and Morbidity Review Committee and Department of State Health Services Joint Biennial Report 2022, supra note 16, p. 41. 263 See, e.g., Brief for Zurawski. PO 00000 Frm 00025 Fmt 4701 Sfmt 4702 23529 covered entity to disclose a sexual assault survivor’s PHI to law enforcement or others to enable them to investigate that individual for obtaining lawful reproductive health care as a result of the assault compounds the harm experienced by the individual by violating their privacy. Additionally, allowing the disclosure makes that individual and others in similar circumstances less likely to obtain lawful reproductive health care if they believe their privacy will be violated in this manner. 
Thus, the Department proposes to prohibit the use or disclosure of PHI where the purpose of the use or disclosure is for a criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided, or identifying any person for the purpose of initiating such an investigation or proceeding. Importantly, and as further discussed below, this proposal is narrowly tailored to address only uses and disclosures for specified prohibited purposes. It does not otherwise alter a regulated entity’s responsibility to comply with the conditions imposed on the use or disclosure of PHI for other criminal, civil, or administrative investigations or proceedings. For example, the proposed rule would not broadly preempt state or other laws that would require the disclosure of information about an individual’s reproductive health to support claims for criminal or civil liability unrelated to the prohibited purposes, assuming such laws meet the requirements of other provisions of the Privacy Rule, e.g., the permission to use or disclose PHI where required by law.264

264 45 CFR 164.512(a).

Purpose-Based Prohibition

As discussed above and consistent with the general approach and structure of the Privacy Rule, the proposed prohibition focuses on the purpose of the use or disclosure, rather than the type of PHI requested or the type of regulated entity that receives the use or disclosure request. The Department acknowledges that in most cases, information about an individual’s reproductive health care includes the kind of highly sensitive information that could chill patients from obtaining lawful health care if they knew it could be disclosed. However, the Department is not proposing a rule that would provide a blanket protection for this category of information. Enforcing such a blanket protection would require regulated entities to restrict the flow of this category of information, possibly disrupting existing health care delivery models. For example, implementing differing rules for a newly designated category of PHI would require costly updates to electronic record systems to allow for segmenting of certain data elements for extra protection and create barriers for care coordination. Providing routine treatments for conditions such as hormonal imbalances, miscarriage, pregnancy complications, or gynecological emergencies would be problematic for health care providers attempting to navigate a blanket prohibition against disclosure of the category of information related to reproductive health care. Thus, this proposal does not limit the prohibition to the use or disclosure of certain types of PHI or to PHI that is held or maintained by certain types of covered health care providers, such as a gynecologist or endocrinologist. A purpose-based prohibition as proposed by the Department would also permit health plans and many other different types of health care providers to continue to disclose PHI for treatment or payment for reproductive health care or other health care conditions that are affected by or affect an individual’s reproductive health. For example, pregnancy can place a significant strain on the heart of an individual with certain cardiovascular conditions. It is essential that the individual’s cardiologist be informed of and able to monitor the individual’s pregnancy for potential complications without barriers to access that information.
As another example, pregnancy tests are routinely administered before a surgical procedure to ensure that surgeons, anesthesiologists, and individuals are aware of a pregnancy and have the opportunity to discuss the benefits and risks of proceeding or to identify alternative treatment options.265 And an earlier example related to hormonal imbalances illustrates why endocrinologists may require access to reproductive health information. For similar reasons, it is important that a health care provider maintain complete and accurate patient medical records to ensure subsequent health care providers are adequately informed in making diagnoses or recommending courses of treatment. Thus, to avoid the potential for disruption to health care and ensure the provision of appropriate health care, the Department proposes to limit the prohibition’s application to uses and disclosures of PHI where the purpose is to use the information against any person for seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided, or to identify any person for doing so. The Department believes the narrowly crafted prohibition, as proposed, would avoid deterring individuals from obtaining lawful health care or providing full information to their health care providers out of fear that highly sensitive health information could be disclosed in connection with a criminal, civil, or administrative investigation or proceeding.

265 See Trisha Pasricha, ‘‘Pregnancy tests are routine before many surgical procedures. But Dobbs has raised the stakes of a positive result,’’ STAT News (Aug. 16, 2022), https://www.statnews.com/2022/08/16/pregnancy-tests-are-routine-beforemany-surgical-procedures-but-dobbs-has-raisedthe-stakes-of-a-positive-result/#:∼:text=The%20Supreme%20Court’s%20h9568%20decision,making%20testing%20anything%20but%20routine.
At the same time, the proposal would facilitate the ability of health care providers to navigate the new medical-legal landscape in cooperation with their patients. The proposed prohibition also would serve as a disincentive to health care providers considering leaving gaps or including inaccuracies in medical records or taking other action to protect individuals or avoid liability under laws prosecuting provision of reproductive health care. Such disincentives, rooted in the ability to keep PHI private when sought for certain purposes, are properly within the Department’s authority to regulate under HIPAA.

Preemption of State Laws

The Privacy Rule generally preempts contrary provisions of state laws.266 Thus, if this NPRM were to be finalized, provisions of state law that are contrary to these proposals would be preempted. The Department recognizes that the proposal to prohibit uses and disclosures of PHI for a criminal, civil, or administrative investigation into or proceeding against any person, or to identify any person for the purpose of initiating such an investigation or proceeding, may create a conflict between the Privacy Rule and some state laws—though we have carefully crafted the proposed prohibition to apply only in circumstances in which the state lacks any substantial interest in seeking the disclosure. In such cases, regulated entities would be required to comply with the Privacy Rule, if modified as proposed. For example, the Privacy Rule, if modified as proposed, would prohibit the disclosure of PHI to law enforcement in furtherance of a law enforcement investigation of an individual for obtaining reproductive health care that is lawful under the circumstances in which it is provided. It would also prohibit the disclosure of PHI for a law enforcement investigation of a health clinic for providing reproductive health care that is lawful under the circumstances in which it is provided, even in response to a court order, such as a search warrant.267 Such disclosure, despite the court order, would be a violation of the Privacy Rule and would subject the regulated entity to a potential OCR investigation and civil money penalty. Additionally, if a regulated entity chose to comply with the court order in the example above, there would be a presumption that a breach of unsecured PHI had occurred because there was a disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the privacy of the PHI. Thus, breach notification would be required unless the entity could demonstrate that there was a low probability that the PHI had been compromised.268 Where an entity determines that a breach has occurred, the entity would need to provide notification to the affected individual(s), the Secretary, and, when applicable, the media.269

266 42 U.S.C. 1320d–7(a)(1) (providing the general rule that, with limited exceptions, a provision or requirement under HIPAA supersedes any contrary provision of state law).
267 In contrast, the current Privacy Rule would permit such a disclosure based on a court order requiring the disclosure. See 45 CFR 164.512(a); see also 45 CFR 164.103 (definition of ‘‘Required by law’’).
268 45 CFR 164.402 (definition of ‘‘Breach’’).
269 See 45 CFR 164.400 through 164.414. The HIPAA Breach Notification Rule requires covered entities and their business associates to provide certain notifications following a breach of unsecured PHI.

Application of Proposed Prohibition

The Department proposes a Rule of Applicability to apply the prohibition where the relevant criminal, civil, or administrative investigation or proceeding is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care that: (1) is provided outside of the state where the investigation or proceeding is authorized and that is lawful in the state in which such health care is provided; (2) is protected, required, or authorized by Federal law, regardless of the state in which such health care is provided; or (3) is provided in the state in which the investigation or proceeding is authorized and that is permitted by the law of that state. This proposed Rule of Applicability would limit the application of the prohibition to circumstances in which the care is lawful under the circumstances in which such health care is provided. As described above, all three prongs of the proposed Rule of Applicability require the reproductive health care at issue to be provided under circumstances in which the provision of such health care is lawful. Thus, in order to determine whether the proposed rule would permit the use or disclosure of PHI, the regulated entity would need to determine whether the reproductive health care was provided under circumstances in which it was lawful to do so. Where the regulated entity determines that the reproductive health care was provided under circumstances where it was unlawful, the proposed prohibition would not apply, and the regulated entity would be permitted to use or disclose the PHI for a criminal, civil, or administrative investigation into or proceeding against a person in connection with seeking, obtaining, providing, or facilitating reproductive health care.
For example, where the regulated entity determines that reproductive health care was provided in a state where it was unlawful to do so and under circumstances in which Federal law does not protect the provision of such health care, a regulated entity would be permitted to use or disclose PHI for a criminal, civil, or administrative investigation against a health care provider that provided the unlawful reproductive health care. However, the regulated entity would be prohibited from disclosing PHI for the same purpose where it determined that the reproductive health care was provided in a state where it was lawful to do so, subject to the proposed Rule of Construction, discussed below. Under the Constitution, an individual cannot be barred from traveling from one state to another to obtain reproductive health care.270 Accordingly, the Department proposes to prohibit uses and disclosures of PHI where it is sought for use in an investigation into or proceeding against a person for seeking, obtaining, providing or facilitating reproductive health care outside of the state in which the investigation or proceeding is authorized and where such health care is lawful under the circumstances in which it was provided.

270 Dobbs, 142 S. Ct. at 2309 (Kavanaugh, J., concurring) (addressing whether a state can ‘‘bar a resident of that State from traveling to another State to obtain an abortion? [ . . . ] [T]he answer is not based on the constitutional right to interstate travel.’’); see also ‘‘Application of the Comstock Act to the Mailing of Prescription Drugs That Can Be Used for Abortions,’’ Department of Justice, 46 Op. O.L.C. __, at *19 (Dec. 23, 2022), https://www.justice.gov/olc/opinion/file/1560596/download.

The proposal is not limited to circumstances in which the health care has not yet been obtained, provided, or facilitated. It also includes situations where the health care is ongoing or has been completed. For example, under this proposal, a covered entity that provides lawful reproductive health care to an out-of-state resident generally would not be permitted to use or disclose PHI to law enforcement from the individual’s home state for use in an investigation or proceeding in connection with the individual’s receipt of or the covered entity’s provision of that reproductive health care. In addition, a covered health care provider in the state of the individual’s residence that may receive PHI concerning such reproductive health care provided out of state (e.g., a hospital in the home state that receives records from an out-of-state clinic) would be subject to the same restriction. In these circumstances, under the Constitution, administrative, civil, or criminal liability may not be imposed for the receipt or provision of the out-of-state care. The Department also notes that generally, states do not have the ability to permit or limit actors in another state from engaging in certain activities. For example, states determine the requirements for licensure of health care providers that furnish health care within their borders; they do not have the ability to set such requirements for health care providers that furnish health care elsewhere. Thus, it would be inconsistent to permit states to impose liability on health care providers who furnish health care in another state in accordance with the laws of that state. The proposed prohibition would also apply where the use or disclosure of PHI is sought for use in an investigation into or proceeding against a person where the reproductive health care is protected, required, or authorized by Federal law, regardless of the state in which such care is provided.
For example, the proposed prohibition would prohibit the use or disclosure of PHI for use in an investigation into or proceeding against a covered entity that provided reproductive health care in a situation where EMTALA requires offering such health care. Additionally, the Department’s proposal would prohibit the use or disclosure of PHI for use in an investigation into or proceeding against employees of the Department of Veterans Affairs (VA) who provide or facilitate reproductive health care in a manner authorized by Federal law, including VA regulations.271 And it would apply where the investigation or proceeding is against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care—such as contraception—that remains protected by the Constitution after Dobbs.272 In these circumstances, Federal law bars the imposition of administrative, civil, or criminal liability on such care. Finally, the prohibition would apply when the relevant criminal, civil, or administrative investigation or proceeding is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care that is provided in the state in which the investigation or proceeding is authorized and that is permitted by the law of that state. Under this proposal, a regulated entity would not be permitted to use or disclose PHI in response to an investigation or proceeding occurring in a state where the reproductive health care is lawful. The proposal would also prohibit the use or disclosure of PHI where the health care meets the requirements of an exception to a law limiting the provision of reproductive health care (e.g., for pregnancy termination when the pregnancy is the result of rape or incest or because the life of the pregnant individual is endangered). It would also prohibit the use or disclosure of PHI where the health care occurred at a point in pregnancy at which such health care is permitted by state law. If a state has not made the relevant reproductive health care unlawful, it lacks a legitimate interest in conducting a criminal, civil, or administrative investigation or proceeding into such health care where the investigation is centered on the mere fact that reproductive health care was or is being provided.

271 See ‘‘Intergovernmental Immunity for the Department of Veterans Affairs and Its Employees When Providing Certain Abortion Services,’’ Department of Justice, 46 Op. O.L.C. __ (Sept. 21, 2022), https://www.justice.gov/d9/2022-11/2022-0921-va_immunity_for_abortion_services.pdf.
272 See Griswold v. Connecticut, 381 U.S. 479 (1965); Eisenstadt v. Baird, 405 U.S. 438 (1972); Dobbs, 142 S. Ct. at 2309 (Kavanaugh, J., concurring) (Dobbs ‘‘does not threaten or cast doubt on’’ the precedents providing constitutional protection for contraception).

Scope of Proposed Prohibition

The proposed prohibition would apply to any request for PHI to facilitate a criminal, civil, or administrative investigation or proceeding against any person, or to identify any person in order to initiate an investigation or proceeding, where the basis for the investigation, proceeding, or identification is that the person sought, obtained, provided, or facilitated reproductive health care that is lawful under the circumstances in which such health care is provided. As discussed above, the proposal would preempt state or other law requiring a regulated entity to use or disclose PHI in response to a court order or other type of legal process for a purpose prohibited by this proposed rule where the prohibition applies.
It would not preempt laws that require use or disclosure of PHI for other purposes, including public health purposes.273 The proposal also would not prohibit a regulated entity from disclosing an individual’s PHI to law enforcement where the purpose of the disclosure is to investigate a sexual assault committed against the individual, provided the attestation described later in this preamble is obtained, or where such health care is not lawfully obtained in the state in which it is provided. The Department intends ‘‘criminal, civil, or administrative investigation into or proceeding against’’ to encompass any type of legal or administrative investigation or proceeding. This includes, but is not limited to, law enforcement investigations, third party investigations in furtherance of civil proceedings, state licensure proceedings, criminal prosecutions, and family law proceedings. Examples of criminal, civil, or administrative investigations or proceedings for which regulated entities would be prohibited from using or disclosing PHI would also include a civil suit brought by a person exercising a private right of action provided for under state law against an individual or health care provider who obtained, provided, or facilitated a lawful abortion, or a law enforcement investigation into a health care provider for lawfully providing or facilitating the disposal of an embryo at the direction of the individual. The proposal would prohibit a regulated entity from using or disclosing PHI for a criminal, civil, or administrative investigation into or proceeding against ‘‘any person’’ in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided, or for identifying ‘‘any person’’ for the purpose of initiating such an investigation or proceeding. ‘‘Against any person’’ means, based on the HIPAA Rules’ definition of ‘‘person,’’ 274 that the proposed prohibition would not be limited to use or disclosure of PHI for use against the individual; rather, the prohibition would apply to the use or disclosure of PHI against a regulated entity, or any other person, including an individual or entity, who may have obtained, provided, or facilitated lawful reproductive health care.275

273 While this proposal does not affect reporting to a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect as permitted under 45 CFR 164.512(b)(1)(ii), the proposed definitions of ‘‘person’’ and ‘‘child abuse’’ would make clear that seeking, obtaining, providing, or facilitating the provision of an abortion, products related to pregnancy, or fertilized egg or embryo disposal would not constitute child abuse as addressed therein.
274 45 CFR 160.103 (definition of ‘‘Person’’).
275 Note that in section IV.A.1., the Department proposes to modify the definition of ‘‘person,’’ although that proposed modification would not have an effect here.

Rule of Construction

The Department does not intend for this proposed prohibition to prevent a regulated entity from using or disclosing PHI for other permissible purposes under the Privacy Rule where the request is not made primarily for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided, and proposes to clarify that through a Rule of Construction. In so doing, the Department clarifies that it does not intend for the prohibition to prevent certain uses or disclosures of PHI where they are permitted by other provisions of the Privacy Rule as discussed below. For example, just as an individual would be able to obtain their own PHI to initiate a claim against a covered health care provider for professional misconduct or negligence under the Privacy Rule’s right of access,276 the proposed Rule of Construction would make clear that the proposed prohibition does not inhibit the ability of a covered health care provider to use or disclose that same PHI to defend themselves in an investigation or proceeding related to professional misconduct or negligence where the alleged professional misconduct or negligence involved reproductive health care. In such an instance, there would be due process concerns that could ultimately prevent the covered health care provider from being held liable for the professional misconduct or negligence. Thus, the Department proposes to limit the Rule of Construction to apply only in circumstances in which the health care provider would not be using or disclosing such PHI for the purpose of ‘‘investigating or conducting a legal proceeding against a person,’’ but rather for the purpose of defending itself against such an investigation or a proceeding. In addition, such an investigation or proceeding would not be based on the mere act of seeking, obtaining, providing, or facilitating reproductive health care. Instead, the investigation or proceeding would be based on allegations of professional misconduct or negligence in providing reproductive health care. The use or disclosure of PHI would be permitted under such circumstances. The Federal government could similarly use PHI (obtained with an attestation) to defend itself against claims brought by individuals where professional misconduct based on a health care provider’s failure to meet an applicable standard of care, as described herein, may not be the primary focus of the claim, but where the provision of such care is central to the claim. As discussed above, under the Rule of Applicability, the proposed prohibition on the use or disclosure of PHI for the purposes of a criminal, civil, or administrative investigation or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, or the identification of any person for such investigations or proceedings, would apply only when such reproductive health care is provided under circumstances in which it is lawful to do so. When read in isolation, this would seemingly prevent regulated entities from using or disclosing PHI for the purpose of defending themselves or others against allegations that they sought, obtained, provided, or facilitated unlawful care. To address this potential misreading, the proposed Rule of Construction limits the proposed prohibition to circumstances in which the PHI is sought for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. Thus, under the proposal, a regulated entity could not use or disclose PHI as part of an investigation into any person for allegedly seeking, obtaining, providing, or facilitating reproductive health care; in contrast, the regulated entity could use or disclose PHI to defend any person in a criminal, civil, or administrative proceeding where liability could be imposed on that person for providing such health care.

276 45 CFR 164.524.
Additionally, the proposed Rule of Construction would clarify that the proposed prohibition does not prohibit uses or disclosures to a health oversight agency for health oversight activities, such as for the purpose of investigating whether reproductive health care was actually provided or appropriately billed in connection with a claim for such services.277 For example, the proposed Rule of Construction would not prohibit the use or disclosure of PHI where the PHI is sought to investigate or pursue proceedings against a person for knowingly submitting a claim for reproductive health care for payment to the government where the reproductive health care was not provided or improperly billed. In this case, the request would not be made primarily for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; instead, the request would be primarily for the purpose of investigating or imposing liability on a person for, in this particular scenario, an alleged violation of the Federal False Claims Act or a state equivalent.278 As another example, the proposed Rule of Construction also would not prohibit the use or disclosure of PHI to an Inspector General where the PHI is sought to conduct an audit aimed at protecting the integrity of the Medicare or Medicaid program. The proposed Rule of Construction also would make clear that the proposed prohibition does not prevent uses or disclosures for the purpose of investigating alleged violations of Federal nondiscrimination laws or abusive conduct, such as sexual assault, that occur in connection with reproductive health care. The proposed Rule of Construction would also clarify that the proposed prohibition would not prohibit a regulated entity from responding to a request for relevant records in a criminal or civil investigation or proceeding pursuant to 18 U.S.C. 248 regarding freedom of access to clinic entrances. Investigations under this provision are conducted for the purpose of determining whether a person physically obstructed, intimidated, or interfered with persons providing ‘‘reproductive health services,’’ 279 or attempted to do so. They therefore do not involve investigations or proceedings against a person in connection with the mere act of ‘‘seeking, obtaining, providing, or facilitating of reproductive health care’’ under circumstances in which it was lawful to do so.

277 See 45 CFR 164.512(d)(1)(i) through (iv) for health oversight activities for which the Privacy Rule permits uses and disclosures of PHI. The proposal would permit these uses and disclosures of PHI to effectuate Federal agencies’ health oversight activities.
278 31 U.S.C. 3729–3733.
279 18 U.S.C. 248(e)(5) (definition of ‘‘Reproductive health services’’).

Disclosures Required by the Privacy Rule

Regulated entities are expected to continue to comply with and disclose PHI in response to an individual’s request for access to their own PHI,280 or a request from the Secretary to disclose PHI as part of an investigation into a regulated entity’s compliance with the HIPAA Rules. These requirements to disclose PHI at 45 CFR 164.502(a)(2) and (4) are unlikely to come into conflict with the proposed prohibition because neither an individual’s request for their own PHI nor a HIPAA compliance investigation are disclosures sought primarily because a person sought, obtained, provided, or facilitated reproductive health care. The Department also reaffirms that an individual’s right of access to their own PHI cannot be denied based on their intended use of the PHI.281 Thus, an individual would retain their current ability to obtain a copy of their own PHI in a designated record set from a covered entity, as well as to direct a covered entity to transmit to another person (which could be a law enforcement official if the individual so chooses) an electronic copy of their PHI in an electronic health record (EHR). The Department is concerned that a law enforcement official or other person could potentially coerce an individual into exercising their right of access for the purpose of circumventing the prohibition. However, the Department also views the right of access as paramount to an individual’s ability to make decisions regarding their own health care and does not intend to impede an individual’s ability to exercise this right. Therefore, the Department does not propose to modify the right of access to address this specific concern.

280 Under 45 CFR 164.502(a)(2)(i), covered entities are primarily responsible for compliance with the Privacy Rule’s individual right of access provisions. The Privacy Rule imposes narrow direct liability on business associates for compliance with the individual right of access at 45 CFR 164.502(a)(4)(ii). However, it is the Department’s understanding that many covered entities engage business associates, such as release-of-information vendors, to accept and respond to such requests. For additional information on business associates and their obligations under the HIPAA Rules, visit https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html.
281 As explained in the preamble to the 2000 Privacy Rule, covered entities may only deny access for the reasons specifically provided in the rule. 65 FR 82556.

3. Clarifying Personal Representative Status in the Context of Reproductive Health Care

Current Provision and Issues To Address

Section 164.502(g) of the Privacy Rule contains the standard for personal representatives and generally requires a regulated entity to treat an individual’s personal representative as the individual when consistent with state law.282 For example, the Privacy Rule would treat a legal guardian of an individual who has been declared incompetent by a court as the personal representative of that individual, if consistent with applicable law (e.g., state law).283 In this and certain other provisions, the Department seeks to maintain the balance between the interest of a state or others to regulate health and safety and protect vulnerable individuals 284 with the goal of maintaining the privacy protections established in the Privacy Rule.285 The Department is concerned that some regulated entities may interpret the Privacy Rule as providing them with the ability to refuse to recognize as an individual’s personal representative a person who makes reproductive health care decisions, on behalf of the individual, with which the regulated entity disagrees. Under these circumstances, current section 502(g)(5) of the Privacy Rule could be interpreted to permit a regulated entity to assert that, by virtue of the personal representative’s involvement in the reproductive health care of the individual, the regulated entity believes that the personal representative is subjecting the individual to abuse. Further, in the absence of clarification as proposed in this NPRM, this regulated entity could exercise professional judgment to decide that it is in the best interest of the individual not to recognize the personal representative’s authority to make medical decisions for that individual.

282 See 45 CFR 164.502(g)(1).
283 See 45 CFR 164.502(g)(3)(i). See also ‘‘Personal Representatives,’’ U.S. Dep’t of Health and Human Servs., Office for Civil Rights, https://www.hhs.gov/hipaa/for-individuals/personalrepresentatives/.
284 See, e.g., 45 CFR 164.510(b)(3) and 164.512(j)(1)(i)(A).
285 See 65 FR 82471.

Proposal

To protect the balance of interests struck by the Privacy Rule, the Department proposes to modify 45 CFR 164.502 by adding a new paragraph (g)(5)(iii). Proposed 45 CFR 164.502(g)(5)(iii) would ensure that a regulated entity could not deny personal representative status to a person, where such status would otherwise be consistent with state and other applicable law, primarily because that person facilitates or facilitated or provided reproductive health care for an individual. The Department believes this proposal is narrowly tailored and respects the interests of states and the Department by not unduly interfering with the ability of states to define the nature of the relationship between an individual and another person, including between a minor and a parent, upon whom the state deems it appropriate to bestow personal representative status. This proposal would, however, maintain the existing HIPAA standard by ensuring personal representative status, when otherwise consistent with state law, is not affected by the type of underlying health care sought.

4. Request for Comment

The Department requests comment on the foregoing proposals, including any benefits, drawbacks, or unintended consequences. The Department also requests comment on the following considerations in particular:

e. Whether the proposed prohibition in section IV.B.2. is sufficiently narrow so as to limit harmful uses or disclosures (such as for investigating individuals who have obtained, or health care providers who have provided, lawful health care primarily because they obtained or provided the lawful health care) and to permit beneficial uses or disclosures (such as for conducting investigations into health care fraud or audits examining general compliance with claims billing requirements). If not, please explain and provide examples.
f. The effects of individuals’ concerns about the potential disclosure of their PHI to law enforcement or others on their willingness to confide in their health care providers.
g. The effects of individuals’ withholding information about their health from their health care providers.
h. The effects of health care providers’ concerns about potential criminal, civil, or administrative investigations into or proceedings against them or their patients in connection with the provision of lawful reproductive health care on the completeness and accuracy of medical records and continuity of care.
i. Whether it would be beneficial to further clarify or provide additional examples of instances in which the use or disclosure of PHI would be permitted under the proposal, such as examples of types of investigations or proceedings that are focused on health care fraud and for which PHI is necessary.
j. Whether the Department should permit the use and disclosure of an individual’s PHI for the purpose described in section IV.B.2. with a valid authorization from the individual.
  i. If so, please provide recommendations for how the Department could ensure that individuals are adequately protected from coercive tactics to provide such authorization. For example, should the Department permit such use or disclosure based on an authorization only if a regulated entity also obtains some form of attestation or assurance from the recipient of the PHI?
  ii.
Whether third parties might circumvent the prohibition by coercing individuals to exercise their right to direct a covered entity to transmit to a third party an electronic copy of their PHI in an EHR. If so, please suggest ways the Department could address this problem without curtailing an individual’s right of access or increasing the burden on regulated entities. k. Whether the Department should apply the proposed prohibition broadly to any health care, rather than limiting it to reproductive health care. Please explain. l. Whether the Department should prohibit or limit uses or disclosures of ‘‘highly sensitive PHI’’ for certain purposes. If so: i. How should the Department define ‘‘highly sensitive PHI’’? Please explain and provide reference materials to support any suggested definition. ii. What additional protections should ‘‘highly sensitive PHI’’ be accorded? iii. Do regulated entities have the technical ability to differentiate between types of PHI in their electronic record systems and apply special protections to a new category of ‘‘highly sensitive PHI’’? iv. What would be the estimated burden on regulated entities of providing additional protections for ‘‘highly sensitive PHI’’? m. Whether in addition to, or instead of, the proposed prohibition, the Department should: i. Require a regulated entity to obtain an individual’s authorization for certain uses and disclosures of PHI that currently are permitted without an authorization. ii. Require a regulated entity to obtain an individual’s authorization for any uses and disclosures of a defined category of PHI (e.g., ‘‘highly sensitive PHI’’). iii. Require a regulated entity to accept and comply with an individual’s PO 00000 Frm 00030 Fmt 4701 Sfmt 4702 request for restrictions of uses and disclosures of ‘‘highly sensitive PHI.’’ iv. Eliminate or narrow any existing permissions to use or disclose ‘‘highly sensitive PHI’’ (e.g., permissions to report crime on the premises or report crime in emergencies). 
n. What are the practices and procedures that a regulated entity currently uses to determine what actions it will take when faced with a conflict of state and Federal laws regarding uses and disclosures of PHI?
o. Whether the scope of the proposed rule of applicability will be sufficiently clear to individuals and covered entities, and whether the provision should be made more specific or otherwise modified to ensure individuals and covered entities know when disclosures of PHI will be permitted.
p. Whether the proposed Rule of Construction is sufficient, or whether the Rule of Construction should be expanded, narrowed, or otherwise modified. Please explain and provide support for this response.
q. Whether the proposed clarification to personal representative status in the context of reproductive health care is sufficient to clarify that personal representatives who provide or facilitate reproductive health care have not committed an act of “child abuse.” Please explain and provide support for this response.

C. Section 164.509—Uses and Disclosures for Which an Attestation Is Required (Proposed Heading)

1. Current Provision and Issues To Address

The Privacy Rule currently separates uses and disclosures into three categories: required, permitted, and prohibited. Permitted uses and disclosures are further subdivided into those to carry out treatment, payment, or health care operations;286 those for which an individual’s authorization is required;287 those requiring an opportunity for the individual to agree or object;288 and those for which an authorization or opportunity to agree or object is not required.289 For an individual’s authorization to be valid, the Privacy Rule requires that it contain certain specific information to ensure that an individual authorizing a regulated entity to use or disclose their PHI to another person knows and understands to what it is they are agreeing.290

Pursuant to proposals in this NPRM, a regulated entity presented with a request for PHI that is potentially related to reproductive health care would need to discern whether using or disclosing PHI in response to the request would be prohibited by the proposed 45 CFR 164.502(a)(5)(iii). Without a mechanism for assisting regulated entities in determining the purpose of a use or disclosure request from certain persons, the Department believes it would be difficult for regulated entities to distinguish between use and disclosure requests for permitted and prohibited purposes, potentially leading regulated entities to deny use or disclosure requests for permitted purposes. Additionally, absent an enforcement mechanism, the Department believes requesters of PHI could seek to use existing Privacy Rule permissions for purposes that would be prohibited under 45 CFR 164.502(a)(5)(iii).

2. Proposal

To facilitate compliance with the proposed prohibition while also providing a pathway to disclose PHI for permitted purposes for which authorization is not required and an opportunity to agree or object is not required, the Department proposes to add a requirement to obtain an attestation from the person requesting the use and disclosure as a condition for certain permitted uses and disclosures.

286 45 CFR 164.506.
287 45 CFR 164.508.
288 45 CFR 164.510.
289 45 CFR 164.512.
Specifically, the Department proposes to add a new section 45 CFR 164.509: “Uses and disclosures for which an attestation is required.” This proposed condition would require a regulated entity to obtain assurances from the person requesting the PHI, in the form of a signed and dated written statement attesting that the use or disclosure would not be for a purpose prohibited under 45 CFR 164.502(a)(5)(iii), where the person is making the request under the Privacy Rule permissions at 45 CFR 164.512(d) (disclosures for health oversight activities), (e) (disclosures for judicial and administrative proceedings), (f) (disclosures for law enforcement purposes), or (g)(1) (disclosures about decedents to coroners and medical examiners). This proposed condition would apply when the request is for PHI that is potentially related to reproductive health care, as defined in proposed 45 CFR 160.103. Thus, an attestation would not be required when the person making the request does not seek PHI potentially related to reproductive health care. If, however, the request would require a regulated entity to disclose PHI potentially related to reproductive health care, a regulated entity would have to first obtain an attestation from the person making the request to ensure that the PHI would not be used or disclosed for a prohibited purpose. Additionally, where one of these permissions applies, the attestation must include a statement that the use or disclosure is not prohibited as described at 45 CFR 164.502(a)(5)(iii).

290 45 CFR 164.508(b).
Thus, the Department proposes to limit the attestation requirement to the Privacy Rule provisions that have the greatest potential to result in use or disclosure of an individual’s PHI for a criminal, civil, or administrative investigation into or proceeding against any person for seeking, obtaining, providing, or facilitating reproductive health care, or to identify any person for the purpose of initiating such an investigation or proceeding. The attestation proposal is intended both to ensure that the existing Privacy Rule permissions could not be used to circumvent the new proposed prohibition at 45 CFR 164.502(a)(5)(iii) and to continue permitting essential disclosures. The proposed attestation requirement also would limit the additional burden on the regulated entity receiving requests for such uses and disclosures by providing a standard mechanism by which the regulated entity would ascertain whether a requested use or disclosure would be prohibited under the proposal.

The Department’s attestation proposal is modeled after the authorization requirement at 45 CFR 164.508.291 Modeling the proposed attestation provision after the authorization provision would ensure that a person requesting the PHI provides a regulated entity with the information needed to ascertain whether the request is for a prohibited purpose, because the proposed attestation requirement would require the person requesting the disclosure to confirm the types of PHI that they are requesting; to clearly identify the name of the individual whose PHI is being requested, if practicable, or if not practicable, the class of individuals whose PHI is being requested; and to confirm, in writing, that the use or disclosure is not for a purpose prohibited under 45 CFR 164.502(a)(5)(iii). For purposes of the “class of individuals” described in 45 CFR 164.509(c)(1)(i)(B), the requesting entity may describe such a class in general terms—for example, as all individuals who were treated by a certain health care provider or for whom a certain health care provider submitted claims, all individuals who received a certain procedure, or all individuals with given health insurance coverage.

Similar to the authorization provision, the proposed attestation provision would also include the general requirements for a valid attestation, and the defects that make an attestation invalid. The provision would also include the attestation’s content requirements and would apply to both uses and disclosures for the specified purposes.292 In addition, the attestation must be written in plain language.293

The proposed attestation provision would also include a prohibition on compound attestations. Specifically, the proposal would prohibit the attestation from being “combined with” any other document. The Department intends this prohibition to mean that an attestation must be clearly labeled and distinct from any surrounding text. For example, an attestation would not be impermissibly “combined with” a subpoena if it is attached to it, provided that the attestation is clearly labeled as such. As another example, an electronic attestation would not be impermissibly “combined with” another document where the attestation is on the same screen as the other document, provided that the attestation is clearly and distinctly labeled as such.

291 Section 164.508 of title 45 CFR details the general rules for authorizations, such as the rules specific to types of PHI or purposes for disclosure, compound authorizations, the elements required for a valid authorization, and how authorizations may be revoked.
Further, the attestation proposal would explicitly permit the attestation document to be in electronic format, as well as electronically signed by the person requesting the disclosure.294 At this time, the Department declines to propose mandating a specific electronic format for the attestation. The attestation would be facially valid when the document meets the required elements of the attestation proposal and includes an electronic signature that is valid under applicable Federal and state law.295

Unlike the authorization provision, the proposed attestation would be limited to the specific use or disclosure. Generally, when a regulated entity receives a valid authorization, it may continue to use or disclose PHI to such requestor pursuant to that authorization after the initial disclosure, provided that such subsequent uses and disclosures are valid and related to that authorization. Under the proposal, the Department anticipates that each use or disclosure request would require a new attestation.

The Department is explicitly declining to propose a new exception to the minimum necessary standard for uses and disclosures made pursuant to an attestation under 45 CFR 164.509.296 Thus, a regulated entity would have to limit a use or disclosure to the minimum necessary when provided in response to a request that would be subject to the proposed attestation requirement. Where the person requesting the PHI is also a regulated entity, that person would also need to make reasonable efforts to limit their request to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.297

The Department does not propose to require a regulated entity to investigate the validity of an attestation provided by a person requesting a use or disclosure of PHI; rather, a regulated entity would be able to rely on the attestation provided that it is objectively reasonable under the circumstances for the regulated entity to believe the statement required by 45 CFR 164.509(c)(1)(iv) that the requested disclosure of PHI is not for a purpose prohibited by 45 CFR 164.502(a)(5)(iii).298 If such reliance is not objectively reasonable, then the regulated entity may not rely on the attestation. Under the proposal, it would not be objectively reasonable for a regulated entity to rely on a requester’s representation as to whether the reproductive health care was provided under circumstances in which it was lawful to provide such care. This is because the regulated entity, and not the requester, has the information about the provision of such care that is necessary to make this determination. Therefore, this determination would need to be made by the regulated entity prior to using or disclosing PHI in response to a request for a use or disclosure of PHI that would require an attestation under the proposal.

The proposed attestation also would require a regulated entity to cease use or disclosure of PHI if the regulated entity developed reason to believe, during the course of the use or disclosure, that the representations contained within the attestation were materially false, leading to uses or disclosures for a prohibited purpose.299 The Department notes that pursuant to HIPAA, a person who knowingly and in violation of the Administrative Simplification provisions obtains or discloses IIHI relating to another individual or discloses IIHI to another person would be subject to criminal liability.300 Thus, a requester who knowingly falsifies an attestation (e.g., makes material misrepresentations as to the intended uses of the PHI requested) to obtain (or cause to be disclosed) an individual’s IIHI would be in violation of HIPAA and could be subject to criminal penalties as outlined in the statute.301 Additionally, the Department notes that a disclosure made based on an attestation that contains material misrepresentations, after the regulated entity becomes aware of such misrepresentations, would constitute an impermissible disclosure, which may require notifications of a breach to the individual, the Secretary, and in some cases, the media.302

The proposed attestation does not replace the requirements of the Privacy Rule’s permissions for a regulated entity to disclose PHI in response to a subpoena, discovery request, or other lawful process303 or administrative request;304 instead, it is designed to work with these permissions and their requirements. Under this proposal, for PHI to be disclosed pursuant to 45 CFR 164.512(e)(1)(ii) and (f)(1)(ii)(C), a regulated entity would need to verify that the requirements of each provision are met and also satisfy the requirements of the new attestation provision under the proposed 45 CFR 164.509. In addition, the requirements of 45 CFR 164.528, the right to an accounting of disclosures of PHI made by a covered entity, would not be affected by the proposed attestation. Therefore, disclosures made pursuant to a permission under 45 CFR 164.512(d), (e), (f), or (g) must be included in the accounting, including when they are made pursuant to an attestation.305

To reduce the burden on regulated entities implementing this proposed attestation, the Department is considering developing a model attestation that a regulated entity may use when developing its own attestation templates. The Department does not anticipate requiring regulated entities to use the model attestation at this time, thereby leaving a regulated entity free to draft an attestation that meets the specific needs of its organization.

292 Pursuant to 45 CFR 164.530(j), regulated entities would be required to maintain a written or electronic copy of the attestation.
293 The Federal plain language guidelines under the Plain Writing Act of 2010 only apply to Federal agencies, but they serve as a helpful resource. See .
294 Proposed 45 CFR 164.509(b)(1)(iv) and (c)(1)(v).
295 While not explicitly stated in the Privacy Rule, the Department previously issued guidance clarifying that authorizations are permitted to be submitted and signed electronically. See HIPAA FAQ #475, and HIPAA FAQ #554, https://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/.
296 See 45 CFR 164.502(b). The minimum necessary standard of the Privacy Rule applies to all uses and disclosures where a request does not meet one of the specified exceptions in paragraph (b)(2).
297 45 CFR 164.502(b)(1).
298 This approach is consistent with 45 CFR 164.514(h)(2)(iii), which permits a covered entity to rely on certain statements or requests to meet the requirement to verify the legal authority of a public official or a person acting on behalf of the public official if such reliance is reasonable under the circumstances.
299 Proposed 45 CFR 164.509(d).
300 See 42 U.S.C. 1320d–6(a).
301 See 42 U.S.C. 1320d–6(b).
302 45 CFR 164.400 et seq. The HIPAA Breach Notification Rule, 45 CFR 164.400–414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI.
303 45 CFR 164.512(e)(1)(ii).
304 45 CFR 164.512(f)(1)(ii)(C).
However, we do note that under the proposal, an attestation would be defective if it contained anything beyond the elements and statements required by paragraph (c)(1) of § 164.509.

3. Request for Comment

The Department requests comment on the foregoing proposals, including any benefits, drawbacks, or unintended consequences. The Department also requests comment on the following considerations in particular:

r. Whether the proposed attestation requirement in section IV.C. would address all relevant types of permitted uses and disclosures under the Privacy Rule. That is, should the proposed requirement apply as a condition of any additional permitted uses and disclosures that could be used to request uses and disclosures of PHI for a prohibited purpose?
  i. Conversely, would the proposed requirement be overinclusive, placing unreasonable barriers to disclosures for beneficial purposes such that the Department should narrow the scope of the proposed requirement?
  ii. The Department requests comment on specific examples of unreasonable barriers and recommended alternatives.
s. Whether requesters of PHI should be required to name the individuals whose PHI they are requesting, or if describing a class of individuals whose PHI is requested is sufficient. Please explain how the Department can further protect the privacy of individuals from requests for large amounts of PHI ostensibly sought for a non-prohibited purpose if requesters of PHI are permitted to describe a class of individuals whose PHI is requested.
t. How the Department should interpret the terms “practicable” and “class of individuals.”
u. Whether a model attestation would be useful for regulated entities.
  i. If so, what other information should be included within such model attestation to improve regulated entities’ understanding of the proposed attestation requirements, if adopted?
  ii. What should be the format of a model attestation?
v. Whether the Department should require a particular attestation format, rather than providing a model attestation.
w. How the Department should interpret “combined with” at proposed 45 CFR 164.509(b)(3) with respect to both paper and electronic attestations to minimize the burden on regulated entities of understanding and responding to requests that require an attestation.
x. Whether the Department should consider permitting the attestation to be combined with other types of documents.
  i. If so, which types of documents should regulated entities be permitted to combine with the attestation?
  ii. What potential negative impacts could this have on the clarity of the attestation?
y. Whether the Department should require the attestation to include a signed declaration made under penalty of perjury that the requester is not making the request for a purpose prohibited by this proposal, and any ramifications, positive or negative, of such a requirement.
z. Whether there are any other elements that should be included within the proposed attestation that are not currently listed.
aa. Whether the Department should consider it a material misrepresentation if a person who signs an attestation does not have an objectively reasonable basis to suspect that the reproductive health care was provided under circumstances in which it was unlawful. If so, what should the Department consider a reasonable basis for suspicion?
bb. How the proposed attestation requirement would affect a regulated entity’s process for responding to regular or routine requests from certain requestors, such as government agencies that request PHI for purposes of health oversight activities. For such requests, what information should such requestors provide to reduce regulated entities’ compliance burden associated with the proposed attestation requirements?
cc. Whether there is alternative documentation that a requestor could provide, instead of an attestation, to assist a regulated entity in complying with 45 CFR 164.502(a)(5)(iii). For example, would a notice from a health oversight agency that identifies the objective of an audit, the information sought, and the requesting agency provide sufficient information to assure the regulated entity that the audit is not subject to the prohibition at proposed 45 CFR 164.502(a)(5)(iii)? Please provide examples of documentation that may be helpful.

305 See also 45 CFR 164.528(a)(2) regarding when the covered entity must temporarily suspend an individual’s right to receive an accounting of disclosures to a health oversight agency or law enforcement official.

D. Section 164.512—Uses and Disclosures for Which an Authorization or Opportunity To Agree or Object Is Not Required

1. Applying the Proposed Prohibition and Attestation Requirement to Certain Permitted Uses and Disclosures

Current Provision and Issues To Address

Section 164.512 of the Privacy Rule contains the standards for uses and disclosures for which an authorization or opportunity to agree or object is not required.
Many of the uses and disclosures addressed by 45 CFR 164.512 relate to government or administrative functions,306 or as described in the 2000 Privacy Rule preamble, “national priority purposes.”307 These permissions for uses and disclosures were not required by HIPAA but instead represented the Secretary’s previous balancing of the privacy interests and expectations of individuals and the interests of communities in making certain information available for community purposes, such as for certain public health, health care oversight, and research purposes.308 As discussed previously, the regulations implementing HIPAA have sought to ensure that individuals do not forgo health care when needed—or withhold important information from their health care providers that may affect the quality of health care they receive—out of a fear that their sensitive information would be revealed outside of their relationships with their health care providers.

306 See, e.g., 45 CFR 164.512(a), Uses and disclosures required by law; 45 CFR 164.512(b), Uses and disclosures for public health activities; 45 CFR 164.512(c), Disclosures about victims of abuse, neglect or domestic violence; 45 CFR 164.512(d), Uses and disclosures for health oversight activities; 45 CFR 164.512(e), Disclosures for judicial and administrative proceedings; 45 CFR 164.512(f), Disclosures for law enforcement purposes; 45 CFR 164.512(g), Uses and disclosures about decedents; 45 CFR 164.512(h), Uses and disclosures for cadaveric organ, eye or tissue donation purposes; 45 CFR 164.512(i), Uses and disclosures for research purposes; 45 CFR 164.512(j), Uses and disclosures to avert a serious threat to health or safety; 45 CFR 164.512(k), Uses and disclosures for specialized government functions; and 45 CFR 164.512(l), Disclosures for workers’ compensation.
307 65 FR 82524.
308 See 65 FR 82471.
The changes proposed in this NPRM attempt to address the need to ensure that PHI continues to be used and disclosed only in a manner consistent with the standard established in the Privacy Rule, given recent developments in Federal and state law that may undermine the privacy protections for PHI. As discussed above, the proposed 45 CFR 164.502(a)(5)(iii) may prohibit uses and disclosures of PHI in some circumstances that are currently permitted. To clarify that this proposal is inclusive of purposes currently permitted under 45 CFR 164.512, the Department believes it is necessary to modify the general rule for such permitted uses and disclosures. In addition, the Department believes it is necessary to modify the general rule to reflect the new condition that would be imposed upon certain uses and disclosures permitted under 45 CFR 164.512 through the proposed attestation requirement at 45 CFR 164.509.

Proposal

The Department proposes to modify the introductory text of 45 CFR 164.512 by citing the proposed prohibition at the beginning of the first sentence and conditioning certain disclosures on the receipt of the attestation proposed at 45 CFR 164.509. The proposed modification would add the clause “Except as provided by 45 CFR 164.502(a)(5)(iii), [ . . . ]” and “and 45 CFR 164.509” to “subject to the applicable requirements of this section.” As discussed above, the proposed change would create a new requirement to obtain an attestation from the person requesting the use and disclosure of PHI potentially related to reproductive health care as a condition for certain types of permitted uses and disclosures of PHI. For example, the Privacy Rule currently permits uses and disclosures for health care oversight,309 judicial and administrative proceedings,310 law enforcement purposes,311 and coroners and medical examiners,312 provided specified conditions are met. If paragraph (a)(5)(iii) of 45 CFR 164.502 is finalized, uses and disclosures of PHI for these purposes would be subject to an additional condition; that is, such uses and disclosures would be prohibited unless a regulated entity first obtained an attestation from the person requesting the use and disclosure under proposed 45 CFR 164.509.

The Department assumes that there would be instances in which a state or other law requires a regulated entity to use or disclose PHI for health care oversight, judicial and administrative proceedings, law enforcement purposes, or coroners and medical examiners for a purpose not related to one of the prohibited purposes in proposed 45 CFR 164.502(a)(5)(iii). The Department believes that a regulated entity would be able to comply with such laws, as well as with the proposed attestation requirement if the PHI is potentially related to reproductive health care. For example, a regulated entity may continue to disclose PHI without an authorization to a state medical board, a prosecutor, or a coroner, in accordance with the Privacy Rule, when the request is for PHI that is not potentially related to reproductive health care or when the request is accompanied by the required attestation. As a result, a regulated entity may continue to assist the state in carrying out its health care oversight, judicial and administrative functions, law enforcement, and coroner duties with the use or disclosure of PHI that is potentially related to reproductive health care once a facially valid attestation has been provided to the regulated entity from whom PHI is sought, except in matters involving restrictions on seeking, obtaining, providing, or facilitating reproductive health care.

309 45 CFR 164.512(d).
310 45 CFR 164.512(e).
311 45 CFR 164.512(f).
312 45 CFR 164.512(g)(1).
In such cases, the state would need to obtain information about an individual’s reproductive health or reproductive health care received by the individual from an entity not regulated under the Privacy Rule. As a reminder, the Privacy Rule only applies to PHI, which is IIHI that is maintained or transmitted by, for, or on behalf of a covered entity. Thus, it does not apply to individuals’ health information when it is in the possession of a person that is not a covered entity or business associate, such as a friend or family member, or when it is stored on a personal cellular telephone or tablet.313 Additionally, for clarity, the Department proposes to change the word ‘‘orally’’ at the end of the introductory paragraph to ‘‘verbally.’’ No substantive change is intended.

313 See Guidance on ‘‘Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet,’’ U.S. Dep’t of Health and Human Servs. (June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/.

2. Making a Technical Correction to the Heading of 45 CFR 164.512(c) and Clarifying That Providing or Facilitating Reproductive Health Care Is Not Abuse, Neglect, or Domestic Violence

Current Provisions and Issues to Address

Paragraph (c) of 45 CFR 164.512 permits disclosures of PHI about victims of abuse, neglect, or domestic violence under specified conditions. While the regulatory text includes the serial comma, clearly indicating that the provision addresses victims of three different types of crimes, the standard heading is less clear. This section permits a regulated entity to disclose an individual’s PHI under certain conditions to an authorized government agency where the regulated entity reasonably believes the individual to be a victim of abuse, neglect, or domestic violence.
The Department is concerned that recent state actions may lead regulated entities to think that they are permitted to make such disclosures of PHI when they believe that persons who provide or facilitate access to reproductive health care are perpetrators of such crimes. Thus, the Department believes it is necessary to clarify that providing or facilitating access to appropriate reproductive health care is not abuse, neglect, or domestic violence.

Proposals

For grammatical clarity, the Department proposes to add the serial comma after the word ‘‘neglect’’ in the heading of the standard contained at 45 CFR 164.512(c), so it would read ‘‘Standard: Disclosures about victims of abuse, neglect, or domestic violence.’’ The Department also proposes to add a new paragraph (c)(3) to 45 CFR 164.512(c), with the heading ‘‘Rules of construction,’’ that would read, ‘‘Nothing in this section shall be construed to permit uses or disclosures prohibited by § 164.502(a)(5)(iii).’’ This new paragraph would clarify that the permission to use or disclose PHI in reports of abuse, neglect, or domestic violence does not permit uses or disclosures based primarily on the provision or facilitation of reproductive health care to the individual. The proposed provision is intended to safeguard the privacy of individuals’ PHI against claims that uses and disclosures of that PHI are warranted because the provision or facilitation of reproductive health care, in and of itself, may constitute abuse, neglect, or domestic violence. Similar to the discussion above in section IV.D.1, the Department also does not intend for this proposal to obstruct oversight related to professional conduct or similar legal proceedings for which PHI related to reproductive health care is needed.

3. Clarifying the Permission for Disclosures Based on Administrative Processes

Current Provision and Issues To Address

Under 45 CFR 164.512(f)(1), a regulated entity may disclose PHI pursuant to an administrative request, provided that: (1) the information sought is relevant and material to a legitimate law enforcement inquiry; (2) the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and (3) de-identified information could not reasonably be used.314 Examples of administrative requests include an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law.315 The examples of administrative requests provided in the existing regulatory text include only those requests that are enforceable in a court of law, and the catchall ‘‘or similar process authorized by law’’ similarly is intended to include only requests that, by law, require a response. This interpretation is consistent with the Privacy Rule’s definition of ‘‘required by law,’’ which enumerates these and other examples of administrative requests that constitute ‘‘a mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law.’’ 316 However, the Department has become aware that some regulated entities may be interpreting this provision in a manner that is inconsistent with the Department’s intent. Therefore, the Department is taking this opportunity to clarify the types of administrative processes that this provision was intended to address.

Proposal

Specifically, the Department proposes to insert language to clarify that the administrative processes that give rise to a permitted disclosure include only those that, by law, require a regulated entity to respond. Accordingly, the proposal would specify that PHI may be disclosed pursuant to an administrative request ‘‘for which a response is required by law.’’ This is not intended to be a substantive change, as the proposal is consistent with preamble discussion on this topic in the 2000 Privacy Rule.317

314 45 CFR 164.512(f)(1)(ii)(C).
315 Id.
316 See 45 CFR 164.103. The Privacy Rule’s definition of ‘‘Required by law’’ includes administrative requests and lists the examples of processes that are enumerated under 45 CFR 164.512(f)(1)(ii)(C).
317 See 65 FR 82531.

4. Request for Comment

The Department requests comment on the foregoing proposals, including any benefits, drawbacks, or unintended consequences. The Department also requests comment on the following considerations in particular:

dd. The way in which regulated entities currently receive and address requests for PHI when requested pursuant to the Privacy Rule permissions at 45 CFR 164.512(d) (uses and disclosures for health oversight activities), (e) (disclosures for judicial and administrative proceedings), (f) (disclosures for law enforcement purposes), or (g)(1) (uses and disclosures about decedents to coroners and medical examiners). Specifically:
  i. How are such requests currently submitted (e.g., hard copy letter, electronically via email, an online form)?
  ii. For requests under 45 CFR 164.512(e)(1)(ii) and (f)(1)(ii)(C):
    i. When using or disclosing information after receiving the required assurances,318 does the entity choose to obtain assurances for every subsequent related request, or does the entity continue to disclose PHI to such entity after receiving the initial assurance, provided that subsequent requests are related to the initial request in which the initial assurance was received?
    ii. How do regulated entities accept assurances (e.g., hard copy letter, electronically via email, uploading to an online portal)?
ee. Examples, if any, of uses or disclosures of PHI that are required by law and are not for prohibited purposes but may no longer be permitted under this proposal.
ff. The effect expanding the scope of the proposed prohibition to include any health care would have on the proposed attestation requirement and the ability of regulated entities to implement it.
gg. Whether the phrase ‘‘based primarily’’ is sufficient to clarify that the proposed rule of construction is only intended to address situations where the purpose is to investigate or impose liability because reproductive health care was provided, rather than, for example, the quality of the health care provided or whether claims submitted for that health care were appropriate.
hh. Whether there are disclosures currently made under Federal agencies’ interpretations of the Privacy Act that would not be permitted under the proposal. If so, what would they be, and should the Department permit them?

318 See 45 CFR 164.512(e)(1)(iii) and (f)(1)(ii)(C).

E. Section 164.520—Notice of Privacy Practices for Protected Health Information

1. Current Provision and Issues To Address

The Privacy Rule generally requires that a covered entity provide individuals with an NPP to ensure that they understand how a covered entity may use and disclose their PHI, as well as their rights and the covered entity’s legal duties with respect to PHI.319 Section 164.520(b)(1)(ii) of the Privacy Rule describes the required contents of the NPP, including descriptions of the types of permitted uses and disclosures of their PHI. It does not, however, currently require a covered entity to provide information about prohibited uses and disclosures of PHI. The Department is concerned that the current NPP requirements might not provide individuals with adequate assurances that a revised Privacy Rule would prohibit the use or disclosure of their PHI in certain circumstances.
Without such assurances, the Department is concerned that individuals may avoid accessing crucial health care.

2. Proposal

The Department proposes to modify 45 CFR 164.520(b)(1)(ii) to require that a covered entity add two types of uses and disclosures to those already described in the NPP, putting individuals on notice about how their PHI may or may not be used. Specifically, the Department proposes at 45 CFR 164.520(b)(1)(ii)(F) to add to the NPP’s list of required elements two that address the proposed use and disclosure prohibition at 45 CFR 164.502(a)(5)(iii). Under this proposal, a covered entity must separately describe each type of use or disclosure prohibited by 45 CFR 164.502(a)(5)(iii) and must do so in sufficient detail for an individual to understand this prohibition and the proposed attestation requirement. By modifying the NPP, a covered entity would continue to provide an individual with information the individual needs to make decisions about their health care, as well as information about how the covered entity will treat PHI the individual chooses to disclose to the covered entity, and about how to exercise their rights of access 320 and to request restrictions.321 The modification would also enable the covered entity to provide the individual with reassurance about their privacy rights and their ability to discuss their reproductive health and related care with any health care provider without fear of harm because it would inform an individual that their PHI may not be used or disclosed for the purposes the Department proposes to prohibit.

319 45 CFR 164.520. Unlike many provisions of the Privacy Rule, 45 CFR 164.520 applies only to covered entities, as opposed to both covered entities and their business associates.
320 With certain exceptions, an individual has a right of access to inspect and obtain a copy of PHI about the individual in a designated record set for as long as the PHI is maintained in the designated record set. See 45 CFR 164.524.
321 A covered entity must permit an individual to request that the covered entity restrict uses or disclosures of PHI for certain purposes. While the covered entity is not required to agree to the restriction, they may not use or disclose PHI if they agree to do so, except in limited circumstances. Additionally, a covered health care provider must permit an individual to request and must accommodate a reasonable request by an individual to receive communications of PHI from the covered entity by alternative means or at alternative locations. A health plan must do the same in certain circumstances. See 45 CFR 164.522.

3. Request for Comment

The Department requests comment on the foregoing proposals, including any benefits, drawbacks, or unintended consequences. The Department also requests comment on the following considerations in particular:

ii. Whether it would benefit individuals for the Department to require that covered entities include a statement in the NPP explaining that when PHI is disclosed for a permitted purpose to an entity other than a covered entity (e.g., disclosed to a noncovered health care provider for treatment purposes), the recipient of the PHI would not be bound by the proposed prohibition because the Privacy Rule would no longer apply.

V. Executive Order 12866 and Related Executive Orders on Regulatory Review

A. Regulatory Impact Analysis

The Department of Health and Human Services (HHS or Department) has examined the effects of the proposed rule under Executive Order (E.O.) 12866, Regulatory Planning and Review,322 E.O. 13563, Improving Regulation and Regulatory Review,323 the Regulatory Flexibility Act 324 (RFA), and the Unfunded Mandates Reform Act of 1995 325 (UMRA).

322 58 FR 51735 (Oct. 4, 1993).
323 76 FR 3821 (Jan. 21, 2011).
E.O.s 12866 and 13563 direct the Department to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety, and other advantages; distributive effects; and equity). This proposed rule is significant under section 3(f)(1) of E.O. 12866. The RFA requires us to analyze regulatory options that would minimize any significant effect of a rule on small entities. As discussed in greater detail below, this analysis concludes, and the Secretary proposes to certify, that the proposed rule, if finalized, would not result in a significant economic effect on a substantial number of small entities. The UMRA (section 202(a)) generally requires us to prepare a written statement, which includes an assessment of anticipated costs and benefits, before proposing ‘‘any rule that includes any Federal mandate that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100,000,000 or more (adjusted annually for inflation) in any one year.’’ The current threshold after adjustment for inflation is $165 million, using the most current (2021) Implicit Price Deflator for the Gross Domestic Product. UMRA does not address the total cost of a rule. Rather, it focuses on certain categories of cost, mainly Federal mandate costs resulting from imposing enforceable duties on state, local, or Tribal governments, or on the private sector; or increasing the stringency of conditions in, or decreasing the funding of, state, local, or Tribal governments under entitlement programs. This proposed rule would impose mandates that would result in the expenditure by state, local, and Tribal governments, in the aggregate, or by the private sector, of more than $165 million in any one year. 
The impact analysis in this proposed rule addresses those impacts both qualitatively and quantitatively. In general, each regulated entity, including government entities such as state Medicaid agencies that meet the definition of covered entity, would be required to ensure it adopts new policies and procedures for handling requests for PHI for which an attestation is required and train its workforce members on the new requirements. Additionally, although the Department has not quantified the costs, state, local, and Tribal investigative agencies would need to analyze requests that they initiate for PHI and provide regulated entities with an attestation that the request is not for a prohibited purpose where the request is for PHI that is potentially related to reproductive health care. One-time costs for all regulated entities to make these policy changes would result in costs over the UMRA threshold in one year. The Department has initially estimated that ongoing expenses for the new attestation requirement would not rise significantly; however, it seeks additional data to inform its estimates. Although Medicaid has funds available for states for certain administrative costs, these are limited to costs specific to operating the Medicaid program. There are no Federal funds directed at HIPAA compliance activities. The Summary of Major Proposals and Need for Rulemaking sections at the beginning of this preamble contain a summary of this proposed rule and describe the reasons it is needed. The Department presents a detailed analysis below.

1. Summary of Costs and Benefits

The Department has identified six general categories of quantifiable costs arising from these proposals: (1) creating an attestation form and handling requests for disclosures for which an attestation is required; (2) revising business associate agreements; (3) updating the Notice of Privacy Practices (NPP) and posting it online; (4) developing new or modified policies and procedures; (5) revising training programs for workforce members; and (6) requesting an exception from preemption of state law. The first five categories apply primarily to covered entities such as health care providers and health plans, while the sixth category applies to states and other interested persons. The Department estimates that the first-year costs attributable to the proposed rule would total approximately $612 million. These costs are associated with covered entities creating an attestation form and responding to requests for protected health information (PHI) that may require an attestation; revising business associate agreements; revising policies and procedures; updating, posting, and mailing the NPP; and revising training programs for workforce members, and with states or other persons requesting exceptions from preemption. These costs also include increased estimates for wages, postage, and the number of NPPs distributed by health plans. For years two through five, estimated annual costs of approximately $68 million are attributable to ongoing costs related to the proposed attestation requirement. Table 1 reports the present value and annualized estimates of the costs of the proposed rule covering a 5-year time horizon. Using a 7% discount rate, the Department estimates the proposed rule would result in annualized costs of $192 million; and using a 3% discount rate, these annualized costs are $183 million.
TABLE 1—ACCOUNTING TABLE, COSTS OF THE PROPOSED RULE, $ MILLIONS

Costs          Discount rate   Primary estimate   Year dollars   Period covered
Present Value  Undiscounted    $883.4             2021           2023–2027
Present Value  7%              786.8              2021           2023–2027
Present Value  3%              839.1              2021           2023–2027
Annualized     7%              191.9              2021           2023–2027
Annualized     3%              183.2              2021           2023–2027

The proposed changes to the Privacy Rule would likely result in important benefits that the Department is unable to fully quantify at this time. As explained further below, unquantified benefits include improved trust between individuals and health care providers; enhanced privacy and improved access to reproductive health care and information, which may prevent increases in maternal mortality and morbidity; increased accuracy and completeness in patient medical records, which may prevent poor health outcomes; enhanced support for victims of rape, incest, and sex trafficking; and maintenance of family economic stability. Additionally, the Department believes that allowing regulated entities to accept an attestation from a requester of PHI that is potentially related to reproductive health care will reduce potential liability for regulated entities by providing some assurance that the requested disclosure is not prohibited.

324 Public Law 96–354, 94 Stat. 1164 (codified at 5 U.S.C. 601–612).
325 Public Law 104–4, 109 Stat. 48 (codified at 2 U.S.C. 1501).

TABLE 2—POTENTIAL NON-QUANTIFIED BENEFITS FOR COVERED ENTITIES AND INDIVIDUALS

Benefits
• Improve access to complete information about lawful reproductive health care options for individuals who are pregnant or considering a pregnancy (i.e., health literacy).
• Maintain or reduce levels of maternal mortality and morbidity by ensuring that individuals and their clinicians can freely communicate and have access to complete information needed for quality health care, including coordination of care.
• Decrease barriers to accessing prenatal health care by maintaining privacy for individuals who seek a complete range of reproductive health care options.
• Enhance mental health and emotional well-being of pregnant individuals by reducing fear of prosecution based on potential disclosures of their PHI.
• Improve or maintain trust between individuals and health care providers by reducing the potential for health care providers reporting PHI in a manner that could harm the individuals’ interests.
• Prevent or reduce re-victimization of pregnant individuals who have survived rape or incest by protecting their PHI from undue scrutiny.
• Improve or maintain families’ economic well-being by not exposing individuals to costly criminal, civil, or administrative investigations or proceedings for engaging in lawful activities if their PHI or a family member’s PHI is disclosed.
• Maintain the economic well-being of regulated entities by not exposing regulated entities or workforce members to costly civil litigation, investigation, or prosecution for engaging in lawful activities.
• Ensure individuals’ ability to obtain full and complete information and make lawful decisions concerning fertility- or infertility-related health care that may include selection or disposal of embryos without risk of criminal, civil, or administrative investigation or proceedings based on the disclosure of their PHI.

2. Baseline Conditions

The Privacy Rule, in conjunction with the Security and Breach Notification Rules, protects the privacy and security of individuals’ PHI, that is, individually identifiable health information (IIHI) transmitted by or maintained in electronic media or any other form or medium, with certain exceptions. It limits the circumstances under which regulated entities are permitted or required to use or disclose PHI and requires covered entities to have safeguards in place to protect the privacy of PHI. The Privacy Rule also establishes certain rights for individuals with respect to their PHI. The Rule requires appropriate safeguards to protect the privacy of PHI and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization. As explained in the preamble, the Department has the authority under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to modify the Privacy Rule to prohibit the use or disclosure of PHI for a criminal, civil, or administrative investigation into or proceeding against any person in connection with obtaining, providing, or facilitating reproductive health care, as well as to identify any person for the purpose of initiating such an investigation or proceeding. The Privacy Rule has been modified several times since it was first issued in 2000 to address statutory requirements, changed circumstances, and concerns and issues raised by stakeholders regarding the effects of the Privacy Rule on regulated entities, individuals, and others.
Recently, as the preamble discusses, changed circumstances resulting from new inconsistencies in the regulation of reproductive health care nationwide and the negative effects on individuals’ expectations for privacy and their relationships with their health care providers, as well as the additional burdens imposed on regulated entities, necessitate consideration of additional modifications. For purposes of this Regulatory Impact Analysis (RIA), the proposed rule adopts the list of covered entities and cost assumptions identified in the Department’s 2019 Information Collection Request (ICR).326 The Department also relies on certain estimates and assumptions from the 1999 Privacy Rule NPRM 327 that remain relevant, and the 2013 Omnibus Rule,328 as referenced in the analysis that follows. The Department quantitatively analyzes and monetizes the effect that this proposed rule may have on regulated entities’ actions to: revise business associate agreements between covered entities and their business associates, including release-of-information contractors; create new forms; respond to certain types of requests for PHI that is potentially related to reproductive health care; update their NPP; adopt policies and procedures to implement the legal requirements of this proposed rule, and train their employees on the updated policies and procedures. The Department analyzes the remaining benefits and burdens qualitatively because of the uncertainty inherent in predicting other concrete actions that such a diverse scope of regulated entities might take in response to this proposed rule.

326 84 FR 34905 (July 19, 2019).
327 64 FR 59918 (Nov. 3, 1999).
328 78 FR 5566 (Jan. 25, 2013).

Analytic Assumptions

The Department bases its assumptions for calculating estimated costs and benefits on a number of publicly available datasets, including data from the U.S.
Department of Labor, Bureau of Labor Statistics (BLS), Centers for Medicare & Medicaid Services, and the Agency for Healthcare Research and Quality. Implementing the proposed regulatory changes likely would require covered entities to engage workforce members or consultants for certain activities. The Department assumes that an attorney would draft or review the new attestation form, revisions to business associate agreements, revisions to the NPP, and required changes to HIPAA policies and procedures. The Department expects that a training specialist would revise the necessary HIPAA training and a web designer would post the updated NPP. The Department further anticipates that a workforce member at the pay level of general health care practitioner would confirm receipt of required attestations. To the extent that these assumptions would affect the Department’s estimate of costs, the Department welcomes comment on its assumptions, particularly those in which the Department identifies the level of workforce member (i.e., clerical staff, professional) that would be engaged in activities, and the amount of time that particular types of workforce members spend conducting activities related to this NPRM as further described below. Table 3 also lists pay rates for occupations referenced in the explanation of estimated information collection burdens in section F of this RIA and related tables.
For changes in time use for on-the-job activities considered in this analysis, the Department adopts an hourly value of time based on the cost of labor, including wages and benefits, and also indirect costs, which ‘‘reflect resources necessary for the administrative oversight of employees and generally include time spent on administrative personnel issues (e.g., human resources activities such as hiring, performance reviews, personnel transfers, affirmative action programs), writing administrative guidance documents, office expenses (e.g., space rental, utilities, equipment costs), and outreach and general training (e.g., employee development).’’ 329 For each occupation performing activities as a result of the proposed rule, the Department identifies a pre-tax hourly wage using a database maintained by the BLS.330 For the purposes of this analysis, the Department assumes that benefits plus indirect costs equal approximately 100 percent of pre-tax wages, and adjusts the hourly wage rates by multiplying by two, for a fully loaded hourly wage rate. The Department adopts this as the estimate of the hourly value of time for changes in time use for on-the-job activities.

TABLE 3—OCCUPATIONAL PAY RATES

Occupation code and title                                            Mean hourly wage   Fully loaded hourly wage
00–0000 All Occupations                                              $28.01             $56.02
43–3021 Billing and Posting Clerks                                   20.55              41.10
29–0000 Healthcare Practitioners and Technical Occupations           43.80              87.60
29–9021 Health Information Technologists and Medical Registrars      29.53              59.06
29–9099 Healthcare Practitioners and Technical Workers, All Other    31.19              62.38
15–1212 Information Security Analysts                                54.46              108.92
23–1011 Lawyers                                                      71.17              142.34
13–1111 Management Analysts                                          48.33              96.66
11–9111 Medical and Health Services Manager                          57.61              115.22
29–2072 Medical Records Specialist                                   23.23              46.46
43–0000 Office and Administrative Support Occupations                20.88              41.76
11–2030 Public Relations and Fundraising Managers                    63.85              127.70
13–1151 Training and Development Specialist                          32.51              65.02
43–4171 Receptionists and Information Clerks                         15.82              31.64
15–1255 Web and Digital Interface Designers                          45.90              91.80
Composite Wage for Breach Notice                                     38.33              76.66

329 See ‘‘Valuing Time in U.S. Department of Health and Human Services Regulatory Impact Analyses: Conceptual Framework and Best Practices,’’ U.S. Dep’t of Health and Human Servs., Office of the Assistant Secretary for Planning and Evaluation (2017), p. v, https://aspe.hhs.gov/reports/valuing-time-us-department-health-human-services-regulatory-impact-analyses-conceptual-framework.
330 See ‘‘Occupational Employment and Wages,’’ Bureau of Labor Statistics, U.S. Dep’t of Labor (May 2021), https://www.bls.gov/oes/current/oes_nat.htm.

The Department assumes that the vast majority of covered entities would be able to incorporate changes to their workforce training into existing HIPAA training programs because the total time frame for compliance from date of finalization would be 240 days.331

331 This includes 60 days from publication of a final rule to the effective date and an additional 180 days until the compliance date.

Covered Entities Affected

This proposed rule would apply to HIPAA covered entities, including health care providers 332 that conduct covered electronic transactions, health plans, and in certain circumstances, health care clearinghouses.333 The Department estimates that there are 774,331 business establishments that meet the definition of a covered entity (see Table 4). By calculating costs for establishments, rather than firms (which may be an umbrella organization over multiple establishments), there is a tendency toward overestimating some burdens, because certain costs would be borne by a parent organization rather than each separate facility. However, the level of an organization that is financially responsible for covering costs to implement Privacy Rule requirements may vary across the health care industry. The Department requests data on the extent to which certain burdens of the proposed rule would be borne by each facility versus an umbrella organization. Unless otherwise indicated, the Department relies on data about the number of firms and establishments from the U.S. Census.334 The Department expects that the proposed rule will have varying effects on different covered entities and would have the most direct effect on covered health care providers and health plans. However, all affected covered entities would at least need to adopt or change some policies and procedures and retrain some employees. Affected covered entities would include many Federal, state, local, Tribal, and private sector health care providers.

332 The Department notes that pharmacies, discussed later in the preamble, are a type of health care provider under HIPAA. HIPAA defines the term health care provider for the purposes of the Administrative Simplification provisions at section 262: ‘‘The term ‘health care provider’ includes a provider of services (as defined in section 1861(u)), a provider of medical or other health services (as defined in section 1861(s)), and any other person furnishing health care services or supplies.’’
333 Only certain provisions of the Privacy Rule apply to clearinghouses as covered entities. In addition, certain provisions apply to clearinghouses in their role as business associates of other covered entities. See 45 CFR 164.500(b) and (c). Because the provisions addressed in this proposed rule generally do not apply directly to clearinghouses, the Department does not anticipate that these entities would experience costs associated with this proposed rule.
334 See ‘‘2015 Statistics of U.S. Businesses (SUSB) Annual Data Tables by Establishment Industry’’ (Jan. 2018), https://www.census.gov/data/tables/2015/econ/susb/2015-susb-annual.html.

Census data for businesses in the category of Third Party Administration of Insurance and Pension Funds does not separately enumerate those that service health and medical insurance. However, the Department is able to extrapolate from data about insurance carriers the percentage of businesses that service health and medical insurance. According to Census data, there are 880 Direct Health and Medical Insurance Carrier firms compared to 5,350 Insurance Carrier firms, such that health and medical insurance firms make up 16.4% of insurance firms. Thus, the Department assumes for purposes of this analysis that 16.4% of Third Party Administration of Insurance and Pension Funds firms and establishments service health and medical insurance. Applying this percentage to the 2,773 firms and 4,772 establishments in the category Third Party Administration of Insurance and Pension Funds, the Department estimates that 455 of these firms and 783 establishments are affected by this proposed rule.335 See Table 4 below. Covered pharmacies would also be affected by the proposed rule. There were 67,753 community pharmacies (including 19,500 pharmacy and drug store firms and 44,130 establishments identified in U.S. Census data) operating in the U.S.
in 2015.336 Small pharmacies largely use pharmacy services administration organizations (PSAOs) to provide administrative services, such as negotiations, on their behalf.337 A 2013 study identified 22 PSAOs and notes there may be more in operation.338 Based on information received from industry, the Department adjusts this number upward and estimates that the proposed rule would affect 40 PSAOs. The Department assumes that costs affecting pharmacies are incurred at each pharmacy and drug store establishment and each PSAO. The Department has not separately calculated the effect of the proposed rule on business associates because the primary effect is on the covered entities for which they provide services. To the extent that covered entities engage business associates to perform activities under the proposed rule, the Department assumes that any additional costs will be borne by the covered entities through their contractual agreements with business associates. The Department’s estimate that each revised business associate agreement would require no more than 1 hour of a lawyer’s labor assumes that the hourly burden could be split between the 23543 covered entity and the business associate. Thus, the Department has calculated estimated costs based on the potential number of business associate agreements that are revised rather than the number of covered entities or business associates with revised agreements. The Department requests data on the number of business associates (which may include health care clearinghouses acting in their role as business associates of other covered entities) that would be affected by the proposed rule and the extent to which they may experience costs or other burdens not already accounted for in the estimates of burdens for revising business associate agreements. The Department also requests comment on the number of business associate agreements that would need to be revised, if any. 
The Department requests public comment on these estimates, including those for third party administrators and pharmacies where the Department has provided additional explanation. The Department additionally requests detailed comment on any situations in which covered entities other than those identified here would be affected by this rulemaking. TABLE 4—ESTIMATED NUMBER AND TYPE OF COVERED ENTITIES Covered Entities NAICS code Type of entity 524114 ....................................................... 524292 ....................................................... 622 ............................................................. 44611 ......................................................... 6211–6213 ................................................. 6215 ........................................................... 6214 ........................................................... 6219 ........................................................... 623 ............................................................. 6216 ........................................................... 532291 ....................................................... Health and Medical Insurance Carriers ..................................... Third Party Administrators ......................................................... Hospitals .................................................................................... Pharmacies ................................................................................ Office of Drs. & Other Professionals ......................................... Medical Diagnostic & Imaging ................................................... Outpatient Care ......................................................................... Other Ambulatory Care .............................................................. Skilled Nursing & Residential Facilities ..................................... Home Health Agencies .............................................................. 
Home Health Equipment Rental ................................................ 880 456 3,293 19,540 433,267 7,863 16,896 6,623 38,455 21,829 611 5,379 783 7,012 a 67,753 505,863 17,265 39,387 10,059 86,653 30,980 3,197 Total ................................................... .................................................................................................... 549,713 774,331 a Number Establishments of pharmacy establishments is taken from industry statistics. The Department believes that the population of individuals potentially affected by the proposed rule is approximately 74 million overall,339 representing nearly one-fourth of the U.S. population, including approximately 6 million pregnant women and girls annually and an unknown number of individuals facing a potential pregnancy or pregnancy risk due to sexual activity, contraceptive avoidance or failure, rape (including statutory rape), and incest. According to Federal data, 78 percent of sexually active females received reproductive health care in 2015–2017.340 × .164 = 454.7; 4,772 × .164 = 782.6]. Dima Mazen Qato, Shannon Zenk, Jocelyn Wilder, et al., ‘‘The availability of pharmacies in the United States: 2007–2015,’’ PLOS ONE (Aug. 2017), https://doi.org/10.1371/journal.pone.0183172. 337 Discussing generally that small and independent pharmacies often lack internal resources to support these services. See ‘‘Prescription Drugs: The Number, Role, and Ownership of Pharmacy Services Administrative Organizations,’’ U.S. Government Accountability Office, GAO–13–176 (Jan. 29, 2013), https:// www.gao.gov/products/GAO-13-176. 338 Id. 339 See females aged 10–44, American Community Survey S0101 AGE AND SEX 2020: ACS 5-Year Estimates Subject Tables, https:// data.census.gov/cedsci/table?q=United%20States %20females&t=Populations%20and%20People& g=0100000US&tid=ACSST5Y2020.S0101. 
340 See Sexually active females who received reproductive health services (FP–7.1), Healthypeople.gov, https://wayback.archive-it.org/ 5774/20220415172039/https:/www.healthy people.gov/2020/leading-health-indicators/2020lhi-topics/Reproductive-and-Sexual-Health/data. Individuals Affected lotter on DSK11XQN23PROD with PROPOSALS2 Firms 335 [2,773 336 See VerDate Sep<11>2014 17:22 Apr 14, 2023 Jkt 259001 PO 00000 Frm 00039 Fmt 4701 Sfmt 4702 E:\FR\FM\17APP2.SGM 17APP2 23544 Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Proposed Rules TABLE 5—ESTIMATED NUMBER OF INDIVIDUALS AFFECTED Population estimate Females of potentially childbearing age Females Aged 10—14 342 .................................................................................................................................. Females 15—44 343 ........................................................................................................................................... 10,310,162 64,130,037 4,460 5,575,150 Total ............................................................................................................................................................ 74,440,199 5,579,610 3. Costs of the Proposed Rule Below, the Department provides the basis for its estimated quantifiable costs resulting from the proposed changes to specific provisions of the Privacy Rule and invites comments on the Department’s assumptions, data, and calculations, as well as any additional considerations that the Department has not identified here. Many of the estimates are based on assumptions formed through the Office for Civil Rights’ (OCR’s) experience in its compliance and enforcement program and accounts from stakeholders received at outreach events. The Department has not quantified recurring burdens for the proposed rule beyond that of obtaining a required attestation from the requester for health oversight, legal proceedings, law enforcement, and coroners or medical examiners. 
The Department welcomes information or data points from commenters to further refine its estimates and assumptions. a. Costs Associated With Requests for Exception From Preemption The Department anticipates that states that restrict access to reproductive health care are likely to seek an exception to the proposed requirements of this rule that would preempt state law. Given the fast-developing status of state laws governing access to reproductive health care, the Department estimates a potential increase of 26 states344 incurring costs lotter on DSK11XQN23PROD with PROPOSALS2 Number of 2017 Pregnancies 341 341 See Isaac Maddow-Zimet and Kathryn Kost, ‘‘Pregnancies, Births and Abortions in the United States, 1973–2017: National and State Trends by Age Appendix Tables,’’ Guttmacher Institute, https://www.guttmacher.org/sites/default/files/ report_downloads/pregnancies-births-abortions-us1973-2017-appendix-tables.pdf. 342 See American Community Survey S0101 AGE AND SEX 2020: ACS 5-Year Estimates Subject Tables, https://data.census.gov/cedsci/table?q= United%20States%20females&t= Populations%20and%20People&g=0100000 US&tid=ACSST5Y2020.S0101. 343 Id. 344 See Elizabeth Nash, Lauren Cross, ‘‘26 States Are Certain or Likely to Ban Abortion Without Roe: Here’s Which Ones and Why,’’ Guttmacher Institute (published Oct. 28, 2021; updated Apr. 19, 2022; an updated analysis was published on Jan. 10, 2023), https://www.guttmacher.org/article/2021/10/26states-are-certain-or-likely-ban-abortion-withoutroe-heres-which-ones-and-why. The number of VerDate Sep<11>2014 17:22 Apr 14, 2023 Jkt 259001 to develop an exception request to submit to the Secretary. Based on existing burden estimates for this activity,345 the Department estimates that each exception request would require approximately 16 hours of labor at the rate of a general health care practitioner and that approximately 26 states would make such requests. 
Thus, the Department estimates that states will spend a total of 416 hours requesting exception from preemption and monetize this as a one-time cost of $36,442 [= 16 × 26 × $87.60]. b. Estimated Costs From Adding a Requirement for an Attestation for Disclosures for Certain Purposes The Department analyzed the costs of the proposed attestation requirement in comparison to the estimated costs of complying with the existing authorization requirement because both activities involve reviewing requests for disclosures and required documentation. The Department estimates that the annual costs of implementing a requirement to obtain an attestation that certain types of requests for PHI that is potentially related to reproductive health care are not for a prohibited purpose would be similar to the costs associated with uses and disclosures for which an authorization is required because the number of attestation-based requests likely would be lower even if the handling of such requests were more burdensome. For purposes of this analysis, the Department adopts the cost estimates already approved for documenting disclosures based on an authorization because those estimates provide an established baseline. The Department draws this estimate from its approved ICR for 45 CFR 164.508, which allows for one burden hour per covered entity based on the hourly wage of a general health care practitioner.346 states identified dropped to 24 in 2023; however, due to the pace of change in this area the Department relies on the higher number as a basis for its cost estimates. 345 Information Collection, Process for Requesting Exception Determinations (states or persons), https://www.reginfo.gov/public/do/PRAViewIC?ref_ nbr=201909-0945-001&icID=10428. 346 See Section F. of this RIA, Paperwork Reduction Act of 1995. PO 00000 Frm 00040 Fmt 4701 Sfmt 4702 For 774,331 covered entities, this would amount to a total annual cost of $67,831,396 [= 774,331 × 1 × $87.60]. 
The quantified burden is associated with the requirement to keep records of attestations received. The Department anticipates an increase in time needed by regulated entities to process each request for PHI under 45 CFR 164.512(d), (e), (f), or (g)(1) that is not accompanied by an attestation. The Department believes that the regulated entity would likely need to determine whether the requested PHI includes PHI potentially related to reproductive health care. However, the Department lacks sufficient information to estimate the amount such a burden would vary from the burden of processing requests for PHI with an authorization. Additionally, the Department believes that regulated entities may need to evaluate whether the reproductive health care encompassed within the scope of a request under 45 CFR 164.512(d) through (f) and (g)(1) was lawful under the circumstances in which it was provided, and solicits comments on data about the associated costs of such reviews.

In addition to the recurring costs of responding to requests for PHI under the proposed revisions, the Department estimates that covered entities would incur a one-time cost for creating a new attestation form for a total of $55,109,137 [= 774,331 × (30/60) × $142.34]. This would be based on 30 minutes of labor by a lawyer using the Department’s sample form.

c. Costs Arising From Revised Business Associate Agreements

The Department anticipates that a certain percentage of business associate agreements would likely need to be updated to reflect a determination made by covered entities and business associates that, where the business associate receives requests for disclosures of PHI under proposed 45 CFR 164.512(d), (e), (f), or (g)(1), the covered entity will bear the burden of determining whether a requested disclosure would include PHI that is potentially related to reproductive health care. Based on estimates in previous HIPAA rulemaking, the Department estimates that each new or significantly modified contract between a business associate and its subcontractors would require, at most, one hour of labor by a lawyer at the wage reported in Table 3. We believe that approximately 35 percent of 1 million business associates, or 350,000 entities, would decide to create or significantly modify subcontracts, resulting in total costs of $49,819,000 [= 350,000 × $142.34]. The Department invites comments on these assumptions and the number of business associate agreements likely to be revised due to the proposed regulatory changes.

d. Costs Arising From Changes to the Notice of Privacy Practices

The Department proposes to modify the NPP to notify individuals that covered entities cannot use or disclose PHI for certain purposes and that in certain circumstances, covered entities must obtain an attestation from the person requesting the use or disclosure affirming that the request is not for a prohibited purpose, and where applicable, that the use or disclosure is primarily for a purpose described at 45 CFR 164.502(a)(5)(iii)(C). The Department believes the burden associated with revising the NPP consists of costs related to developing and drafting the revised NPP for covered entities. The Department estimates that the proposal to update and revise the language in the NPP would require 30 minutes of professional legal services at the wage reported in Table 3. Across all covered entities, the Department estimates a cost of $55,109,137 [= 774,331 × (30/60) × $142.34]. The Department does not anticipate any new costs for health care providers associated with distribution of the revised notice other than posting it on the entity’s website (if it has one) because health care providers have an ongoing obligation to provide the notice to first-time patients that is already accounted for in cost estimates for the HIPAA Rules.

Health plans that post their NPP online would incur minimal costs by posting the updated notice, and then, including the updated NPP in the next annual mailing to subscribers.347 Health plans that do not provide an annual mailing would potentially incur an additional $12,743,700 in capital expenses for mailing the revised NPP to an estimated 10 percent of the 150,000,000 health plan subscribers who receive a mailed, paper copy of the notice, as well as the labor expense for an administrative support staff member at the rate shown in Table 3 to complete the mailing, for approximately $2,610,000 [= 62,500 hours × $41.76]. The Department further estimates the cost of posting the revised NPP on the covered entity’s website would be 15 minutes of a web designer’s time at the wage reported in Table 3. Across all covered entities, the Department estimates a cost of online posting as $17,770,896 [= 774,331 × (15/60) × $91.80].

e. Estimated Costs for Developing New or Modified Policies and Procedures

The Department anticipates that covered entities would need to develop new or modified policies and procedures related to new requirements for attestations, prohibited uses and disclosures, certain uses and disclosures permitted under 45 CFR 164.512, and clarification of personal representative qualifications. The Department estimates that the costs associated with developing policies and procedures would be the labor of a lawyer for 2.5 hours and that this expense would represent the largest area of cost for compliance with the rule once finalized, for a total of $275,545,686 [= 774,331 × 2.5 × $142.34].

f. Costs Associated With Training Workforce Members

The Department anticipates that covered entities would be able to incorporate new content into existing HIPAA training requirements and that the costs associated with doing so would be attributed to the labor of a training specialist for an estimated 90 minutes for a total of $75,543,732 [= 774,331 × (90/60) × $65.04].
The Department invites comments on all aspects of its estimates and assumptions, including the time spent on the identified activities and the occupations or professions of persons designated to perform those tasks.

g. Total Quantifiable Costs

The Department summarizes in Table 6 the estimated nonrecurring costs that covered entities and states would experience in the first year of implementing the proposed regulatory changes. The Department anticipates that these costs would be for requesting exceptions from preemption of state law, implementing the attestation requirement, revising business associate agreements, revising the NPP, mailing it, and posting it online, revising policies and procedures, and updating HIPAA training programs.

TABLE 6—NEW NONRECURRING COSTS OF COMPLIANCE WITH THE PROPOSED RULE

Nonrecurring costs                             Burden hours/action × hourly wage   Respondents                 Total costs (millions)
Exception Requests                             16 × $87.60                         26 States                   $0.04
Attestations, New Form                         30/60 × $142.34                     774,331 Covered entities    55
BAAs, Revising                                 1 × $142.34                         350,000 BAAs                50
NPP, Updating                                  30/60 × $142.34                     774,331 Covered entities    55
NPP, Mailing                                   0.25/60 × $41.76                    15,000,000 Subscribers      3
NPP, Posting Online                            15/60 × $91.80                      774,331 Covered entities    18
Policies & Procedures                          150/60 × $142.34                    774,331 Covered entities    276
Training                                       90/60 × $65.04                      774,331 Covered entities    76
Capital Expenses, Mailing NPPs—Health Plans    $.85/NPP                            15,000,000 Subscribers      13
Total Nonrecurring Burden                                                                                      a 544

a Totals may not add up due to rounding.

Table 7 summarizes the recurring costs that the Department anticipates covered entities would incur annually as a result of the proposed regulatory changes. These new costs would be based on responding to requests for disclosures for which an attestation is required.

347 45 CFR 164.520(c)(1)(v)(A).

TABLE 7—RECURRING ANNUAL COSTS OF COMPLIANCE WITH THE PROPOSED RULE a

Recurring costs                                     Burden hours/CE × wage   Respondents                 Total annual cost
Disclosures for which an attestation is required    1 × $87.60               774,331 Covered entities    $67,831,396
Total Recurring Annual Burden                                                                            67,831,396

a Totals may not add up due to rounding.

Costs Borne by the Department

The covered entities that are operated by the Department would be affected by the proposed changes in a similar manner to other covered entities, and those costs have been factored into the estimates above. The Department expects that it would incur costs related to drafting and disseminating information about the proposed regulatory changes to covered entities, including health care providers and health plans. In addition, the Department anticipates that it may incur a 26-fold increase in the number of requests for exceptions from state law preemption in the first year after a final rule becomes effective, at an estimated total cost of approximately $146,319 to analyze and develop responses for an average cost of $7,410 per request. This increase is based on the number of states that have or are likely to pass more restrictive abortion laws348 and may seek to use or disclose individuals’ PHI to enforce those laws. This estimate assumes that the Department receives and reviews exception requests from each of those 26 states, that half of those require a more complex analysis, and that all requests result in a written response within one year of the final rule’s publication.

348 See Elizabeth Nash, Lauren Cross, "26 States Are Certain or Likely to Ban Abortion Without Roe: Here’s Which Ones and Why," Guttmacher Institute (published Oct. 28, 2021; updated Apr. 19, 2022 and Jan. 10, 2023), https://www.guttmacher.org/article/2021/10/26-states-are-certain-or-likely-ban-abortion-without-roe-heres-which-ones-and-why. In January 2023, the number of projected states dropped to 24.

Benefits of the Proposed Rule

The benefits of the proposed rule to individuals and families are likely substantial, and yet are not fully quantifiable because the area of health care the proposed rule addresses is among the most sensitive and life-altering if privacy is violated. Additionally, the value of privacy, which cannot be recovered once lost, and trust that privacy will be protected by others, is difficult to quantify fully. Notably, matters of reproductive health may include circumstances resulting in a pregnancy, considerations concerning maternal and fetal health, family genetic conditions, information concerning sexually transmitted infections, and the relationship between prospective parents (including victimization due to rape, incest, or sex trafficking). Involuntary or poorly-timed disclosures can irreparably harm relationships and reputations, and even result in job loss or other negative consequences in the workplace,349 as well as investigation, civil litigation or proceedings, and prosecution for lawful activities.350 Additionally, fear of potential penalties or liability that may result from disclosing information to a health care provider related to accessing abortion or other reproductive health care may cast a long shadow, decreasing trust between individuals and health care providers, discouraging and deterring access to other valuable and necessary health care, or compromising ongoing or subsequent care if patient medical records are not accurate or complete.351 The proposed rule would prevent or reduce the harms discussed here, resulting in non-quantifiable benefits to individuals and their families, friends, and health care providers. In particular, the role of trust in the health care system and its importance to the provision of high-quality health care is discussed extensively in section III of this preamble.

The Department believes the proposed rule would increase health literacy by improving access to complete information about health care options for individuals.352 For example, the proposal to prohibit use and disclosure of PHI for purposes of prosecuting an individual, a person assisting them, or their health care provider would enable health care providers to obtain and provide complete and accurate medical information about reproductive health care without undue fear of serious and costly repercussions. The Department believes that the proposed rule would also contribute to increased access to prenatal health care at the critical early stages of pregnancy by affording individuals the assurance that they may obtain reproductive health care without fearing that records related to that care would be subject to disclosure. For example, if a sexually active individual fears they or their health care providers could be subject to prosecution as a result of disclosure of their PHI, the individual may avoid informing health care providers about symptoms or asking questions of medical experts and may consequently fail to receive the support and health care they need to obtain a pregnancy diagnosis and receive appropriate, lawful health care.353 Similarly, the proposed rule would likely contribute to decreasing the rate of maternal mortality and morbidity by improving access to information about health services.354

The Department believes that the proposed rule would contribute to enhancing the mental health and emotional well-being of individuals seeking or obtaining reproductive health care by reducing fear that their PHI would be disclosed for an investigation of or proceeding against, or prosecution of the individual, their health care provider, or any persons facilitating the individual’s access to reproductive health care. This is especially important for individuals who need access to reproductive health care because they are survivors of rape, incest, or sex trafficking.

349 See Danielle Keats Citron and Daniel J. Solove, "Privacy Harms," GWU Legal Studies Research Paper No. 2021–11, GWU Law School Public Law Research Paper No. 2021–11, 102 Boston University Law Review 793, 830–861 (Feb. 9, 2021), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3782222.
350 See "Lawyers preparing for abortion prosecutions warn about health care, data privacy," supra note 166.
351 See "Women with chronic conditions struggle to find medications after abortion laws limit access," Centers for Disease Control and Prevention, Division of Reproductive Health, National Center for Chronic Disease Prevention and Health Promotion (Jan. 4, 2023), https://www.cdc.gov/teenpregnancy/health-care-providers/index.htm; and "Abortion Bans May Limit Essential Medications for Women with Chronic Conditions," supra note 176.
352 See Lynn M. Yee, Robert Silver, David M. Haas, et al., "Association of Health Literacy Among Nulliparous Individuals and Maternal and Neonatal Outcomes," JAMA Network Open (Sept. 1, 2021), https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2783674.
353 See Texas Maternal Mortality and Morbidity Review Committee and Department of State Health Services Joint Biennial Report 2022, supra note 16.
354 See Helen Levy, Alex Janke, "Health Literacy and Access to Care," Journal of Health Communication (2016), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4924568/; see also Brief for Zurawski.
For at least some such individuals, certain types of reproductive health care, including abortion, generally remain legal even if the option to terminate a pregnancy is no longer available to the broader population under state laws. The proposed rule is projected to prevent or reduce re-victimization of pregnant individuals who have been subject to rape, incest, or sex trafficking by protecting their PHI from disclosure. Investigations and prosecutions that rely on that information may be costly to defend against and thus financially draining for the target of the investigation or prosecution and for persons who are not the target of the investigation or prosecution but whose information may be used as evidence against others. Witnesses or targets of an investigation or prosecution may lose time from work and incur steep legal bills that create unmanageable debt or otherwise harm the economic stability of the individual, their family, and their health care provider. In the absence of the proposal, much of those costs may be for defending against the disclosure or use of PHI. Thus, the Department expects that the proposed rule would contribute to families’ economic wellbeing by reducing the risk of exposure to costly investigation or prosecution for lawful activities as a result of disclosures of PHI. The Department believes that the proposed rule would also contribute to improved continuity of care and ongoing and subsequent health care for individuals, thereby improving health outcomes. If a health care provider believes that the patient’s PHI is likely to be disclosed without the patient’s or the health care provider’s knowledge or consent, possibly to initiate or be used in criminal or civil proceedings against the patient, their health care provider, or others, the health care provider is more likely to omit information about a patient’s medical history or condition, or leave gaps or include inaccuracies, when preparing patient medical records. 
And if an individual’s medical records lack complete information about the individual’s health history, a subsequent health care provider may not be able to conduct an appropriate health assessment to reach a sound diagnosis and recommend the best course of action for the individual. Alternatively, health care providers may withhold from the individual full and complete information about their treatment options because of liability concerns stemming from fears about the privacy of an individual’s PHI.355 Heightened confidentiality and privacy protections enable a health care provider to feel confident maintaining full and complete patient records. Without complete patient records, an individual is less likely to receive appropriate ongoing or future health care, including correct diagnoses, and will be impeded in making informed treatment decisions.

Comparison of Benefits and Costs

The Department expects the totality of the benefits of the proposed rule to outweigh the costs because the rule would create a net benefit to society, particularly for the significant number of individuals who could become pregnant (nearly one-fourth of the population of the U.S.) and who need access to lawful health care without the risk of their PHI being used or disclosed in furtherance of criminal, civil, or administrative investigations or proceedings. The Department expects covered entities and individuals to benefit from covered entities’ increased flexibility and confidence to be able to provide health care according to professional standards.
The Department’s benefit-cost analysis asserts that the proposed regulatory changes would help support individuals’ right to access health care and information about their health care options free of government intrusion, enhance the relationship between health care professionals and individuals, strengthen maternal well-being and family stability, and support victims of rape, incest, and sex trafficking. The regulatory proposals would also aid health care providers in developing and maintaining a high level of trust between health care professionals and individuals and maintaining complete and accurate patient medical records to aid ongoing and subsequent health care. Greater levels of trust would further enable individuals to develop and maintain relationships with health care professionals, which would enhance continuity of health care for all individuals receiving care from the health care provider, not only those in need of reproductive health care. The financial costs of the proposed rule would accrue primarily to covered entities, particularly health care providers and health plans in the first year after implementation of a final rule, with recurring costs accruing annually at a lower rate.

355 See Brief for Zurawski at p. 10.

4. Request for Comment

jj. The Department requests comment on all the estimates, assumptions, and analyses within the cost-benefit analysis, including the costs to regulated entities and individuals.

kk. The Department also requests comments on any relevant information or data that would inform a quantitative analysis of proposed reforms that the Department qualitatively addresses in this RIA. Specifically, the Department requests comment on the following:

i. Whether this proposed rule would affect other activities of regulated entities, including their ability to comply with other laws, and, if so, how.

ii. Whether the proposed prohibition on the use or disclosure of PHI for a criminal, civil, or administrative investigation or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided would affect the disclosure of PHI between health care providers or between health care providers and health plans for treatment purposes.

iii. Whether the proposed prohibition on the use or disclosure of PHI for a criminal, civil, or administrative investigation or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided would affect the provision of access to individuals who request copies of their own PHI.

iv. Data about the costs to regulated entities of determining whether reproductive health care revealed in PHI that is the subject of a request under 45 CFR 164.512(d) through (f) and (g)(1) was lawful under the circumstances in which it was provided.

v. Data about the costs to regulated entities of determining whether a request for the use or disclosure of PHI is for a prohibited purpose where an attestation is not provided.

vi. Whether the ongoing cost associated with the burden of responding to requests for PHI with an authorization is an appropriate comparator for the ongoing cost associated with the burden of responding to requests for PHI that may require an attestation.

vii. The number of requests regulated entities receive annually for uses and disclosures under 45 CFR 164.512(d) through (f) and (g)(1), and the number of individuals’ records encompassed by those requests.

viii. Data about the costs and any other burdens for regulated entities associated with determining that a request is for PHI that is potentially related to reproductive health care.

ix. Whether the lack of an attestation for some requests received under 45 CFR 164.512(d) through (f) and (g)(1) would increase the time needed to process each request.

ll. The Department also requests comments on whether there may be other indirect costs and benefits resulting from the changes in the proposed rule and welcomes additional information that may help quantify those costs and benefits.

B. Regulatory Alternatives to the Proposed Rule

The Department welcomes public comment on any benefits or drawbacks of the following alternatives it considered, but did not propose, while developing this proposed rule. The Department also requests comment on whether the Department should reconsider any of the alternatives considered, and if so, why.

No Regulatory Changes

The Department carefully considered several alternatives to issuing this NPRM, including the option of not pursuing any regulatory changes, but rejected that approach for several reasons. Recent developments in state law that impose greater restrictions on access to reproductive health care are generating significant confusion for individuals, health care providers, and family, friends, and caregivers regarding their ability to privately seek, obtain, provide, or facilitate lawful reproductive health care. In light of these developments, there is significant confusion about the extent to which reproductive health care information is protected by the Privacy Rule.
Perhaps most importantly, the current regulatory environment is diminishing the ability of individuals to receive medically appropriate health care that remains legal under the circumstances in which it is provided—including in a wide range of contexts beyond reproductive care—thus putting their health at increased risk.356 The Department believes that the Privacy Rule should be modified to protect the privacy of PHI to better support the provision of appropriate, timely, and lawful reproductive health care and other health care for pregnant individuals in the current environment. The proposed regulatory changes would further Congressional intent to protect the privacy of IIHI and bolster patient-provider confidentiality. Revising the Privacy Rule would clarify covered entities’ obligations and flexibilities, protect the privacy of individuals’ PHI, and improve the quality of individuals’ health care.

356 See ‘‘Methotrexate access becomes challenging for some patients following Supreme Court decision on abortion,’’ ‘‘Abortion restrictions may be making it harder for patients to get a cancer and arthritis drug,’’ ‘‘Abortion bans complicate access to drugs for cancer, arthritis, even ulcers,’’ supra note 175. See also, e.g., ‘‘Women with chronic conditions struggle to find medications after abortion laws limit access,’’ ‘‘Abortion Bans May Limit Essential Medications for Women with Chronic Conditions,’’ supra note 176.

Modify Privacy Rule Without Preempting State Law

The Department also considered whether to remove the Privacy Rule permissions for a covered entity to comply with certain other legal requirements to use or disclose PHI, such as the terms of a court order or other judicial or administrative process, without preempting statutes or regulations that specifically require regulated entities to make uses and disclosures of PHI about an individual’s reproductive health.
The Department believes that this approach would not protect an individual from having their PHI disclosed and used against them when another law requires the disclosure. As discussed in the preamble, the Department believes that this result would undermine trust in the health care system and thereby decrease access to quality health care, as well as interfere with continuity of care by compromising the accuracy and completeness of patient medical records, contrary to Congress’ intent in enacting HIPAA. The Department believes that these harms outweigh the states’ interests in this context. The Department therefore proposes to preempt state law that would require use or disclosure of PHI about an individual’s reproductive health for prohibited purposes, as discussed herein.

Modify the Privacy Rule To Align With 42 CFR Part 2 for Uses and Disclosures of PHI for Certain Criminal and Noncriminal Proceedings Against an Individual

The Department also considered proposing to apply requirements equivalent to 42 CFR part 2 (referred to as ‘‘part 2’’) for uses and disclosures of PHI for certain criminal and noncriminal proceedings against an individual based on their alleged decision to obtain, or attempt to obtain, reproductive health care. However, the Department believes this approach also would not protect an individual from having their PHI disclosed and potentially used against them pursuant to a court order, and thus it also would not prevent regulated entities from disclosing an individual’s PHI for purposes of imposing criminal or civil liability on an individual, health care provider, or other person, for obtaining, providing, or facilitating lawful reproductive health care. Part 2 affords some discretion to courts to order disclosures of part 2 records in certain circumstances; however, part 2 also expressly prohibits further use or disclosure of those records by any recipient for a proceeding against a patient.
The Privacy Rule only regulates uses and disclosures by regulated entities; the Privacy Rule cannot limit further uses or disclosures by other persons who receive an individual’s health information from a regulated entity. Therefore, an approach similar to part 2 would not sufficiently strengthen privacy protections with respect to the purposes for which this proposal would prohibit the use or disclosure of PHI.

Require a Valid Authorization Before Using or Disclosing PHI for Certain Purposes

As an alternative to prohibiting certain uses and disclosures as proposed in this NPRM, the Department considered proposing to permit regulated entities to make such uses or disclosures of PHI only after obtaining a valid authorization. However, the Department has concerns regarding the potential for coercion or harassment of individuals to pressure them into providing authorization for access to their PHI by persons requesting the disclosure, such as law enforcement. In such a scenario, covered entities would be forced to choose between their obligations under state law and their Privacy Rule compliance responsibilities in the event that an individual declined to provide an authorization, undermining health information privacy protections for individuals. As a result, the Department’s current view is that an authorization approach would not adequately ensure trust in the relationship between health care professionals and individuals.

Require Covered Entities To Agree to Requests for Restrictions on Disclosures of PHI for Treatment, Payment, and Health Care Operations

Concerns have arisen that some states may attempt to criminalize or otherwise penalize individuals for traveling out of state to obtain reproductive health care, or other persons for assisting individuals who do, notwithstanding relevant constitutional protections.
The Department thus considered including a proposal that would have required regulated entities to agree to requests from individuals to restrict disclosures of PHI related to reproductive health care for treatment, payment, or health care operations. This may lower the risk of PHI being disclosed to covered entities in states that may seek to obtain it pursuant to a criminal, civil, or administrative investigation or proceeding related to the receipt or facilitation of reproductive health care. However, the Department has concerns about the ability of regulated entities to operationalize such a requirement. Further, the requirement would likely be overly restrictive for regulated entities and may not improve the quality of health care. Additionally, this approach would be dependent on individuals’ awareness of their right to make a request for restrictions and confidence that such requests would be granted. The Privacy Rule permits regulated entities to accept requests for restrictions from individuals, although they are only mandated to accept such requests to prevent disclosures to an individual’s health plan for health care that has been paid in full by the individual.

Prohibit Uses and Disclosures of PHI Related to Reproductive Health Care

The Department considered limiting the prohibition to uses and disclosures of PHI related to reproductive health care for certain purposes. However, as discussed in the preamble, this would have required the Department to define what constitutes ‘‘related to’’ reproductive health care. Given the connection between reproductive health care and other types of health care, the Department believes that it would not be possible to create such a definition at this time without being both under- and over-inclusive. The difficulty of defining this category could make it impossible for electronic health records to reliably segregate the information.
In addition, requiring regulated entities to take actions that necessitate treating one category of PHI differently than other PHI (e.g., imposing conditions on uses and disclosures that would require such entities to label or segment certain PHI within medical records) would hinder coordinated care and potentially result in negative health outcomes if treating clinicians are unaware of an individual’s complete medical history. As a result, the Department believes that this approach would not enhance access to quality health care.

Under the current proposal, regulated entities would be required to obtain an attestation from persons requesting PHI that is ‘‘potentially related to reproductive health care’’ when the request is made pursuant to the use and disclosure permissions at 45 CFR 164.512(d) through (f) or (g)(1). While the language itself is similar, the Department believes using it in this instance would not create the same operational challenges described above. For example, because the proposed attestation requirement would apply only to certain permissions that are not used by covered health care providers to disclose PHI to other health care providers for treatment purposes, care coordination would not be hindered. Additionally, we do not believe that this approach would implicate the segmentation concerns described above because ‘‘potentially related to reproductive health care’’ is broader than ‘‘related to reproductive health care.’’ This would require regulated entities to consider the full scope and context of the PHI requested to determine whether it could reveal information about the individual’s reproductive health.
Prohibit the Uses and Disclosures of PHI Proposed in This Rule Without the Rule of Applicability

The Department considered prohibiting the use or disclosure of PHI for the purpose of investigating or conducting a proceeding against any person for seeking, obtaining, providing, or facilitating reproductive care, regardless of whether the care was lawful under state or Federal law. However, the Department is concerned that this uniform approach would have placed significant burdens on states’ abilities to enforce their laws. The Department has therefore proposed the more tailored approach in this proposed rule.

Require Attestations for Requests for Any PHI Under 45 CFR 164.512(d) Through (f) and (g)(1)

The Department considered requiring that regulated entities obtain an attestation before using or disclosing any PHI under 45 CFR 164.512(d) through (f) and (g)(1). However, this could have placed an unnecessary burden on regulated entities and persons requesting PHI by requiring attestations even under circumstances in which the requested disclosure would be unlikely to implicate the prohibition. Thus, the Department has taken a narrower approach to the proposed attestation requirement.

Require Attestations To Include Names of Individuals Whose PHI Is Being Sought for All Requests

The Department considered requiring that an attestation include the name of any individual whose PHI is being requested, without providing an option for the requestor to identify a class of individuals if it is not practicable to provide the individuals’ names. However, this could have impeded investigations of health care fraud, for example, where health oversight agencies and law enforcement authorities know the name of a suspected health care provider, but may not know the names of individuals before the request is made.
Therefore, where providing the names of individuals is not practicable, the Department has proposed an option for identifying a class of individuals.

C. Regulatory Flexibility Act—Small Entity Analysis

The Department has examined the economic implications of this proposed rule as required by the RFA. This analysis, as well as other sections in this RIA, serves as the Initial Regulatory Flexibility Analysis, as required under the RFA. For purposes of the RFA, small entities include small businesses, nonprofit organizations, and small governmental jurisdictions. The Act defines ‘‘small entities’’ as (1) a proprietary firm meeting the size standards of the Small Business Administration (SBA), (2) a nonprofit organization that is not dominant in its field, and (3) a small government jurisdiction of less than 50,000 population. Because 90 percent or more of all health care providers meet the SBA size standard for a small business or are a nonprofit organization, the Department generally treats all health care providers as small entities for purposes of performing a regulatory flexibility analysis. The SBA size standard for health care providers ranges between a maximum of $8 million and $41.5 million in annual receipts, depending upon the type of entity.357 With respect to health insurers, the SBA size standard is a maximum of $41.5 million in annual receipts, and for third party administrators it is $40 million.358 While some insurers are classified as nonprofit, it is possible they are dominant in their market.

357 See ‘‘Table of Small Business Size Standards,’’ U.S. Small Business Administration (July 14, 2022), https://www.sba.gov/sites/default/files/2022-07/Table%20of%20Size%20Standards_Effective%20July%2014%202022_Final-508.pdf.

358 Id.
For example, a number of Blue Cross/Blue Shield insurers are organized as nonprofit entities; yet they dominate the health insurance market in the states where they are licensed. For the reasons stated below, it is not expected that the cost of compliance would be significant for small entities. Nor is it expected that the cost of compliance would fall disproportionately on small entities. Although many of the covered entities affected by the proposed rule are small entities, they would not bear a disproportionate cost burden compared to the other entities subject to the proposed rule. The projected total costs are discussed in detail in the RIA. The Department does not view this as a burden because the result of the changes would be annualized costs per covered entity of approximately $236 [= $183 million359 / 774,331 covered entities]. Thus, this analysis concludes, and the Secretary proposes to certify, that the proposed rule, if finalized, would not result in a significant economic effect on a substantial number of small entities.

D. Executive Order 13132—Federalism

As required by E.O. 13132 on Federalism, the Department has examined the effects of provisions in the proposed regulation on the relationship between the Federal Government and the states. In the Department’s view, this proposed regulation would have federalism implications because it would have direct effects on the states, the relationship between the National Government and states, and on the distribution of power and responsibilities among various levels of government relating to the disclosure of PHI. Any federalism implications of the rule, however, flow from and are consistent with the underlying statute—and the proposed Rule of Applicability would limit the proposed regulation to those circumstances in which the state lacks any substantial interest in seeking the disclosure.
The statute allows the Department to preempt state or local rules that provide less stringent privacy protection requirements than Federal law.360 Section 3(b) of E.O. 13132 recognizes that national action limiting the policymaking discretion of states will be imposed only where there is constitutional and statutory authority for the action and the national activity is appropriate in light of the presence of a problem of national significance. The privacy of PHI is of national concern by virtue of the scope of interstate health commerce. As described in the preamble, recent state actions on reproductive health care have undermined the longstanding expectation among individuals in all states that their highly sensitive reproductive health information will remain private. These state actions thus directly threaten the trust that is essential to ensuring access to, and quality of, lawful health care. HIPAA’s provisions reflect this position by authorizing the Secretary to promulgate regulations to implement the Privacy Rule. Section 4(a) of E.O. 13132 expressly contemplates preemption when there is a conflict between exercising state and Federal authority under a Federal statute. Section 4(b) of the E.O. authorizes preemption of state law in the Federal rulemaking context when ‘‘the exercise of State authority directly conflicts with the exercise of Federal authority under the Federal statute.’’ The approach in this regulation is consistent with these standards in the Executive order in superseding state authority only when such authority is inconsistent with standards established pursuant to the grant of Federal authority under the statute.

359 This figure represents annualized costs discounted at a 3% rate.

360 42 U.S.C. 1320d–7(a)(1).
State and local laws that impose less stringent requirements for the protection of reproductive health information undermine Congress’ intent to ensure that all individuals who receive health care are assured a minimum level of privacy for their PHI. Both the personal and public interest is served by protecting PHI so as not to undermine an individual’s access to and quality of health care services and their trust in the health care system. Section 6(b) of E.O. 13132 includes some qualitative discussion of substantial direct compliance costs that state and local governments would incur as a result of a proposed regulation. The Department anticipates that the most significant direct costs on state and local governments would be the cost for state and local government-operated covered entities to revise business associate agreements, revise policies and procedures, create a new form for attestations, update the NPP, update training programs, and process requests for disclosures for which an attestation is required. In addition, the Department anticipates that approximately half of the states may choose to file a request for an exception to preemption. The longstanding regulatory provisions that govern preemption exception requests under the HIPAA Rules would remain undisturbed by this proposed rule.361 However, based on the legal developments in some states that are described elsewhere in this preamble, the Department believes it is likely that, in the first year of implementation of a final rule, more states will submit requests for exceptions from preemption than have done so in the past. The RIA above addresses these costs in detail.
The Department requests comment from local and state governments on provisions in the proposed rule that would preempt state and local laws and on whether state and local governments are likely to incur additional costs, such as those associated with the effects of the prohibited disclosures on law enforcement’s access to information.

E. Assessment of Federal Regulation and Policies on Families

Section 654 of the Treasury and General Government Appropriations Act of 1999362 requires Federal departments and agencies to determine whether a proposed policy or regulation could affect family well-being. If the determination is affirmative, then the Department or agency must prepare an impact assessment to address criteria specified in the law. The proposed rule would strengthen the stability of the family and marital commitment because it enables individuals and families to have access to the full range of reproductive health care information and access to options for consideration when making sensitive decisions about family planning. The proposed rule may be carried out only by the Federal Government because it would modify Federal health privacy law, ensuring that American families have access to reproductive health care information and can freely discuss their reproductive health, regardless of the state where they are located when health care is accessed. Access to reproductive health care and information about the full range of reproductive health care is vital for individuals who may become pregnant or who are capable of becoming pregnant.

F. Paperwork Reduction Act of 1995

Under the Paperwork Reduction Act of 1995363 (PRA), agencies are required to submit to the Office of Management and Budget (OMB) for review and approval any reporting or recordkeeping requirements inherent in a proposed or final rule, and are required to publish such proposed requirements for public comment. The PRA requires agencies to provide a 60-day notice in the Federal Register and solicit public comment on a proposed collection of information before it is submitted to OMB for review and approval. To fairly evaluate whether an information collection should be approved by the OMB, section 3506(c)(2)(A) of the PRA requires that the Department solicit comment on the following issues:

1. Whether the information collection is necessary and useful to carry out the proper functions of the agency;
2. The accuracy of the agency’s estimate of the information collection burden;
3. The quality, utility, and clarity of the information to be collected; and
4. Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

The PRA requires consideration of the time, effort, and financial resources necessary to meet the information collection requirements referenced in this section. The Department explicitly seeks, and will consider, public comment on its assumptions as they relate to the PRA requirements summarized in this section. To comment on the collection of information or to obtain copies of the supporting statements and any related forms for the proposed paperwork collections referenced in this section, email your comment or request, including your address and phone number, to Sherrette.Funn@hhs.gov, or call the Reports Clearance Office at (202) 690–6162. Written comments and recommendations for the proposed information collections must be directed to the OS Paperwork Clearance Officer at the above email address within 60 days.

361 45 CFR 160.201 through 160.205.

362 Public Law 105–277, 112 Stat. 2681 (Oct. 21, 1998).

363 Public Law 104–13, 109 Stat. 163 (May 22, 1995).
In this NPRM, the Department is revising certain information collection requirements and, as such, is revising the information collection last prepared in 2019 and previously approved under OMB control # 0945–0003. The revised information collection describes all new and adjusted information collection requirements for covered entities pursuant to the implementing regulation for HIPAA at 45 CFR parts 160 and 164, the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules. The estimated annual labor burden presented by the proposed regulatory modifications in the first year of implementation, including nonrecurring and recurring burdens, is 5,189,569 burden hours at a cost of $596,728,985364 and $67,831,396 of estimated annual labor costs in years two through five. The overall total burden for respondents to comply with the information collection requirements of all of the HIPAA Privacy, Security, and Breach Notification Rules, including nonrecurring and recurring burdens presented by proposed program changes, is 955,098,062 burden hours at a cost of $101,685,085,101, plus $188,873,438 in capital costs for a total estimated annual burden of $101,873,958,539 in the first year following the effective date of the final rule, assuming all changes are adopted as proposed. Details describing the burden analysis for the proposals associated with this NPRM are presented below.

1. Explanation of Estimated Annualized Burden Hours

Below is a summary of the significant program changes and adjustments made since the 2019 information collection. These program changes and adjustments form the bases for the burden estimates presented in the information collection request associated with this NPRM.
Adjusted Estimated Annual Burdens of Compliance (1) Increasing the number of covered entities from 700,000 to 774,331 based on program change; (2) Increasing the number of respondents requesting exceptions to state law preemption from 1 to 27 based on an expected reaction by states that have enacted restrictions on reproductive health care access; (3) Increasing the burden hours by a factor of two for responding to individuals’ requests for restrictions on disclosures of their PHI under 45 CFR 164.522 to represent a doubling of the expected requests; and (4) Increasing the total number of NPPs distributed by health plans by 50% to total 300,000,000 due to the increase in number of Americans with health coverage. New Burdens Resulting From Program Changes In addition to these changes, the Department added new annual burdens as a result of program changes: (1) A nonrecurring burden of 30 minutes per covered entity to create a new attestation form using the sample provided by the Department; (2) A recurring burden of 1 hour per covered entity for uses and disclosures 364 This includes an increase of 416 burden hours and $36,442 in costs added to the existing information collection for requesting exemption determinations under 45 CFR 160.204. 
PO 00000 Frm 00047 Fmt 4701 Sfmt 4702 23551 for which an attestation must be obtained from the person requesting the use and disclosure; (3) A nonrecurring burden of 1 hour per business associate agreement that is revised as a result of the proposed changes to handling requests under 45 CFR 164.512(d), (e), (f), and (g)(1), to allocate responsibilities between covered entities and their release-ofinformation contractors; (4) A nonrecurring burden of 30 minutes per covered entity to update the required content of its NPP; (5) A nonrecurring burden of 15 minutes per covered entity for posting an updated NPP online; (6) A nonrecurring burden of 2.5 hours for each covered entity to update its policies and procedures; and (7) A nonrecurring burden of 90 minutes for each covered entity to update the content of its HIPAA training program. VI. Request for Comment In addition to the questions posed above, the Department also seeks comment on the following questions: mm. Whether individuals who are members of historically underserved and minority communities are more likely to be subjects of investigations into or proceedings against persons in connection with obtaining, providing, or facilitating lawful reproductive health care. If so, please explain the relationship to and effects on the health information privacy of community members, including data and citations to relevant literature. nn. Whether individuals who are members of historically underserved and minority communities are less likely to have access to legal counsel when facing investigations into or proceedings against persons in connection with obtaining, providing, or facilitating lawful reproductive health care. If so, please explain the relationship to and effects on the health information privacy of community members, including data and citations to relevant literature. oo. With respect to an individual’s right to restrict uses and disclosures of their PHI under 45 CFR 164.522(a)(1): i. 
Whether individuals are generally aware of this right.
    ii. Whether covered entities have experienced an increase in requests from individuals to exercise this right.
    iii. Whether regulated entities have been or are more likely to grant individuals such requests considering the recent developments in the legal environment.

VII. Public Participation

    The Department seeks comment on all issues raised by the proposed regulation, including any unintended adverse consequences. Because of the large number of public comments normally received on Federal Register documents, the Department is not able to acknowledge or respond to them individually. In developing the final rule, the Department will consider the public comments that are received by the date and time specified in the DATES section of the Preamble, in accordance with the agency practices described in the section labeled ADDRESSES.

List of Subjects

45 CFR Part 160

    Administrative practice and procedure, Computer technology, Electronic information system, Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health professions, Health records, Hospitals, Investigations, Medicaid, Medical research, Medicare, Penalties, Preemption, Privacy, Public health, Reporting and recordkeeping requirements, Reproductive health care, Security.

45 CFR Part 164

    Administrative practice and procedure, Computer technology, Drug abuse, Electronic information system, Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health professions, Health records, Hospitals, Medicaid, Medical research, Privacy, Public health, Reporting and recordkeeping requirements, Reproductive health care, Security.

Proposed Rule

    For the reasons stated in the preamble, the Department of Health and Human Services proposes to amend 45 CFR subtitle A, subchapter C, parts 160 and 164 as set forth below:

PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS

■ 1. The authority citation for part 160 continues to read as follows:

    Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d–1320d–9; sec. 264, Pub. L. 104–191, 110 Stat. 2033–2034 (42 U.S.C. 1320d–2 (note)); 5 U.S.C. 552; secs. 13400–13424, Pub. L. 111–5, 123 Stat. 258–279; and sec. 1104 of Pub. L. 111–148, 124 Stat. 146–154.

■ 2. Amend § 160.103 by:
■ a. Revising the definition of ‘‘Person’’; and
■ b. Adding in alphabetical order the definitions of ‘‘Public health’’ and ‘‘Reproductive health care’’.
    The revision and additions read as follows:

§ 160.103 Definitions.

* * * * *
    Person means a natural person (meaning a human being who is born alive), trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.
* * * * *
    Public health, as used in the terms ‘‘public health surveillance,’’ ‘‘public health investigation,’’ and ‘‘public health intervention,’’ means population-level activities to prevent disease and promote health of populations. Such activities do not include uses and disclosures for the criminal, civil, or administrative investigation into or proceeding against a person in connection with obtaining, providing, or facilitating reproductive health care, or for the identification of any person in connection with a criminal, civil, or administrative investigation into or proceeding against a person in connection with obtaining, providing, or facilitating reproductive health care.
    Reproductive health care means care, services, or supplies related to the reproductive health of the individual.
* * * * *

PART 164—SECURITY AND PRIVACY

■ 3. The authority citation for part 164 continues to read as follows:

    Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d–1320d–9; sec. 264, Pub. L. 104–191, 110 Stat. 2033–2034 (42 U.S.C. 1320d–2(note)); and secs. 13400–13424, Pub. L. 111–5, 123 Stat. 258–279.

■ 4. Amend § 164.502 by revising paragraphs (a)(1)(iv) and (vi) and adding paragraphs (a)(5)(iii) and (g)(5)(iii) to read as follows:

§ 164.502 Uses and disclosures of protected health information: General rules.

    (a) * * *
    (1) * * *
    (iv) Except for uses and disclosures prohibited under paragraph (a)(5)(i) or (iii) of this section, pursuant to and in compliance with a valid authorization under § 164.508;
* * * * *
    (vi) As permitted by and in compliance with any of the following:
    (A) This section.
    (B) Section 164.512 and, where applicable, § 164.509.
    (C) Section 164.514(e).
    (D) Section 164.514(f).
    (E) Section 164.514(g).
* * * * *
    (5) * * *
    (iii) Reproductive health care—(A) Prohibition. Subject to paragraphs (a)(5)(iii)(C) and (D) of this section, a covered entity or business associate may not use or disclose protected health information for either of the following purposes.
    (1) Where the use or disclosure is for a criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care.
    (2) To identify any person for the purpose of initiating an activity described at paragraph (a)(5)(iii)(A)(1) of this section.
    (B) Scope of prohibition. For the purposes of this subpart, seeking, obtaining, providing, or facilitating reproductive health care includes, but is not limited to, any of the following: expressing interest in, inducing, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, assisting, or otherwise taking action to engage in reproductive health care; or attempting any of the same.
    (C) Rule of applicability.
The prohibition at paragraph (a)(5)(iii) of this section applies where one or more of the following conditions exists.
    (1) The relevant criminal, civil, or administrative investigation or proceeding is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care outside of the state where the investigation or proceeding is authorized and where such health care is lawful in the state in which it is provided.
    (2) The relevant criminal, civil, or administrative investigation or proceeding is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care that is protected, required, or authorized by Federal law, regardless of the state in which such health care is provided.
    (3) The relevant criminal, civil, or administrative investigation or proceeding is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care that is provided in the state in which the investigation or proceeding is authorized and that is permitted by the law of that state.
    (D) Rule of construction. Nothing in this section shall be construed to prohibit a use or disclosure of protected health information otherwise permitted by this subpart unless such use or disclosure is primarily for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
* * * * *
    (g) * * *
    (5) * * *
    (iii) Paragraph (g)(5) of this section does not apply where the primary basis for the covered entity’s belief is the facilitation or provision of reproductive health care by such person for and at the request of the individual.
* * * * *
■ 5. Add § 164.509 to read as follows:

§ 164.509 Uses and disclosures for which an attestation is required.
    (a) Standard: Attestations for certain uses and disclosures of protected health information to persons other than covered entities. A covered entity may not use or disclose protected health information potentially related to reproductive health care for purposes specified in § 164.512(d), (e), (f), or (g)(1), without obtaining an attestation that is valid under this section from the person requesting the use or disclosure.
    (b) Implementation specifications: General requirements—(1) Valid attestations. (i) A valid attestation is a document that meets the requirements of paragraph (c)(1) of this section.
    (ii) A valid attestation verifies that the use or disclosure is not otherwise prohibited by § 164.502(a)(5)(iii).
    (iii) A valid attestation may be electronic, provided that it meets the requirements in paragraph (c)(1) of this section, as applicable.
    (2) Defective attestations. An attestation is not valid if the document submitted has any of the following defects:
    (i) The attestation lacks an element or statement required by paragraph (c) of this section.
    (ii) The attestation contains an element or statement not required by paragraph (c) of this section.
    (iii) The attestation violates paragraph (b)(3) of this section.
    (iv) The covered entity has actual knowledge that material information in the attestation is false.
    (v) It is objectively unreasonable for the covered entity to believe that the attestation is true with respect to the requirement at paragraph (c)(1)(iv) of this section.
    (3) Compound attestation. An attestation may not be combined with any other document.
    (c) Implementation specifications: Content requirements and other obligations—(1) Required elements.
A valid attestation under this section must contain the following elements:
    (i) A description of the information requested that identifies the information in a specific fashion, including one of the following:
    (A) The name of any individual(s) whose protected health information is sought, if practicable.
    (B) If including the name(s) of any individual(s) whose protected health information is sought is not practicable, a description of the class of individuals whose protected health information is sought.
    (ii) The name or other specific identification of the person(s), or class of persons, who are requested to make the use or disclosure.
    (iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity is to make the requested use or disclosure.
    (iv) A clear statement that the use or disclosure is not for a purpose prohibited under § 164.502(a)(5)(iii).
    (v) Signature of the person requesting the protected health information, which may be an electronic signature, and date. If the attestation is signed by a representative of the person requesting the information, a description of such representative’s authority to act for the person must also be provided.
    (2) Plain language requirement. The attestation must be written in plain language.
    (d) Material misrepresentations. If, during the course of using or disclosing protected health information in reasonable reliance on a facially valid attestation, a covered entity discovers information reasonably showing that the representations in the attestation were materially false, leading to uses or disclosures for a prohibited purpose, the covered entity must cease such use or disclosure.
■ 6. Amend § 164.512 by:
■ a. Revising the introductory text and the heading of paragraph (c);
■ b. Adding paragraph (c)(3); and
■ c. Revising paragraph (f)(1)(ii)(C) introductory text.
    The revisions and addition read as follows:

§ 164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required.

    Except as provided by § 164.502(a)(5)(iii), a covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section and § 164.509. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section, the covered entity’s information and the individual’s agreement may be given verbally.
* * * * *
    (c) Standard: Disclosures about victims of abuse, neglect, or domestic violence. * * *
    (3) Rule of construction. Nothing in this section shall be construed to permit disclosures prohibited by § 164.502(a)(5)(iii) when the report of abuse, neglect, or domestic violence is based primarily on the provision of reproductive health care.
* * * * *
    (f) * * *
    (1) * * *
    (ii) * * *
    (C) An administrative request for which response is required by law, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:
* * * * *
■ 7. Amend § 164.520 by adding paragraphs (b)(1)(ii)(F) and (G) to read as follows:

§ 164.520 Notice of privacy practices for protected health information.

* * * * *
    (b) * * *
    (1) * * *
    (ii) * * *
    (F) A description, including at least one example, of the types of uses and disclosures prohibited under § 164.502(a)(5)(iii) in sufficient detail for an individual to understand the prohibition.
    (G) A description, including at least one example, of the types of uses and disclosures for which an attestation is required under § 164.509.
* * * * *
    Dated: April 5, 2023.
Xavier Becerra,
Secretary, Department of Health and Human Services.
[FR Doc. 2023–07517 Filed 4–12–23; 8:45 am]
BILLING CODE 4153–01–P

[Federal Register Volume 88, Number 73 (Monday, April 17, 2023)]
[Proposed Rules]
[Pages 23506-23553]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-07517]



[[Page 23505]]

Vol. 88, No. 73

Monday, April 17, 2023

Part II

Department of Health and Human Services

-----------------------------------------------------------------------

45 CFR Part 160 and 164

HIPAA Privacy Rule To Support Reproductive Health Care Privacy; 
Proposed Rule

Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / 
Proposed Rules

[[Page 23506]]

-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0945-AA20


HIPAA Privacy Rule To Support Reproductive Health Care Privacy

AGENCY: Office for Civil Rights (OCR), Office of the Secretary, 
Department of Health and Human Services.

ACTION: Notice of proposed rulemaking; notice of Tribal consultation.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services (HHS or 
``Department'') is issuing this notice of proposed rulemaking (NPRM) to 
solicit comment on its proposal to modify the Standards for Privacy of 
Individually Identifiable Health Information (``Privacy Rule'') under 
the Health Insurance Portability and Accountability Act of 1996 (HIPAA) 
and the Health Information Technology for Economic and Clinical Health 
Act of 2009 (HITECH Act). The proposal would modify existing standards 
permitting uses and disclosures of protected health information (PHI) 
by limiting uses and disclosures of PHI for certain purposes where the 
use or disclosure of information is about reproductive health care that 
is lawful under the circumstances in which such health care is 
provided. The proposal would modify existing standards by prohibiting 
uses and disclosures of PHI for criminal, civil, or administrative 
investigations or proceedings against individuals, covered entities or 
their business associates (collectively, ``regulated entities''), or 
other persons for seeking, obtaining, providing, or facilitating 
reproductive health care that is lawful under the circumstances in 
which it is provided.

DATES: 
    Comments: Submit comments on or before June 16, 2023.
    Meeting: Pursuant to Executive Order 13175, Consultation and 
Coordination with Indian Tribal Governments, the Department of Health 
and Human Services' Tribal Consultation Policy, and the Department's 
Plan for Implementing Executive Order 13175, the Office for Civil 
Rights solicits input from Tribal officials as the Department develops 
the modifications to the HIPAA Privacy Rule at 45 CFR parts 160 and 
164, subparts A and E. The Tribal consultation meeting will be held on 
May 17, 2023, at 2 p.m. to 3:30 p.m. EDT.

ADDRESSES: You may submit comments, identified by RIN Number 0945-AA20, 
by any of the following methods. Please do not submit duplicate 
comments.
    To participate in the Tribal consultation meeting, you must 
register in advance at https://www.zoomgov.com/meeting/register/vJItf-2hqD8jHfdtmYaUoWidy9odBZMYQ4Q.
     Federal eRulemaking Portal: You may submit electronic 
comments at https://www.regulations.gov by searching for the Docket ID 
number HHS-OCR-0945-AA20. Follow the instructions at https://www.regulations.gov for submitting electronic comments. Attachments 
should be in Microsoft Word or Portable Document Format (PDF).
     Regular, Express, or Overnight Mail: You may mail written 
comments to the following address only: U.S. Department of Health and 
Human Services, Office for Civil Rights, Attention: HIPAA and 
Reproductive Health Care Privacy NPRM, Hubert H. Humphrey Building, 
Room 509F, 200 Independence Avenue SW, Washington, DC 20201. Please 
allow sufficient time for mailed comments to be timely received in the 
event of delivery or security delays.
    Please note that comments submitted by fax or email and those 
submitted after the comment period will not be accepted.
    Inspection of Public Comments: All comments received by the 
accepted methods and due date specified above may be posted without 
change to content to https://www.regulations.gov, which may include 
personal information provided about the commenter, and such posting may 
occur after the closing of the comment period. However, the Department 
may redact certain non-substantive content from comments or attachments 
to comments before posting, including: threats, hate speech, profanity, 
sensitive health information, graphic images, promotional materials, 
copyrighted materials, or individually identifiable information about a 
third-party individual other than the commenter. In addition, comments 
or material designated as confidential or not to be disclosed to the 
public will not be accepted. Comments may be redacted or rejected as 
described above without notice to the commenter, and the Department 
will not consider in rulemaking any redacted or rejected content that 
would not be made available to the public as part of the administrative 
record.
    Docket: For complete access to background documents or posted 
comments, go to https://www.regulations.gov and search for Docket ID 
number HHS-OCR-0945-AA20.

FOR FURTHER INFORMATION CONTACT: Lester Coffer at (202) 240-3110 or 
(800) 537-7697 (TDD).

SUPPLEMENTARY INFORMATION: The discussion below includes an Executive 
Summary, a description of relevant statutory and regulatory authority 
and history, the justification for this proposed regulation, a section-
by-section description of the proposed modifications, and a regulatory 
impact analysis and other required regulatory analyses. The Department 
solicits public comment on all aspects of the proposed rule. The 
Department requests that persons commenting on the provisions of the 
proposed rule label their discussion of any particular provision or 
topic with a citation to the section of the proposed rule being 
addressed and identify the particular request for comment being 
addressed, if applicable.

I. Executive Summary
    A. Overview
    B. Applicability
    C. Table of Abbreviations/Commonly Used Acronyms in This 
Document
II. Statutory Authority and Regulatory History
    A. Statutory Authority and History
    1. Health Insurance Portability and Accountability Act of 1996 
(HIPAA)
    2. The Health Information Technology for Economic and Clinical 
Health (HITECH) Act
    B. Rulemaking Authority and Regulatory History
    1. The Department's Rulemaking Authority Under HIPAA
    2. Regulatory History
III. Justification for This Proposed Rulemaking
    A. HIPAA Encourages Trust by Carefully Balancing Individuals' 
Privacy Interests With Others' Interests in Using or Disclosing PHI
    B. Developments in the Legal Environment are Eroding 
Individuals' Trust in the Health Care System
    C. To Protect the Trust Between Individuals and Health Care 
Providers, the Department Proposes To Restrict Certain Uses and 
Disclosures of PHI for Non-Health Care Purposes
IV. Section-by-Section Description of Proposed Amendments to the 
Privacy Rule
    A. Section 160.103--Definitions
    1. Clarifying the Definition of ``Person''
    2. Interpreting Terms Used in Section 1178(b) of the Social 
Security Act
    3. Adding a Definition of ``Reproductive Health Care''
    4. Request for Comment
    B. Section 164.502--Uses and Disclosures of Protected Health 
Information: General Rules
    1. Clarifying When PHI May Be Used or Disclosed by Regulated 
Entities
    2. Adding a New Category of Prohibited Uses and Disclosures

[[Page 23507]]

    3. Clarifying Personal Representative Status in the Context of 
Reproductive Health Care
    4. Request for Comment
    C. Section 164.509--Uses and Disclosures for Which an 
Attestation Is Required (Proposed Heading)
    1. Current Provision and Issues To Address
    2. Proposal
    3. Request for Comment
    D. Section 164.512--Uses and Disclosures for Which an 
Authorization or Opportunity To Agree or Object Is Not Required
    1. Applying the Proposed Prohibition and Attestation Requirement 
to Certain Permitted Uses and Disclosures
    2. Making a Technical Correction to the Heading of 45 CFR 
164.512(c) and Clarifying That Providing or Facilitating 
Reproductive Health Care Is Not Abuse, Neglect, or Domestic Violence
    3. Clarifying the Permission for Disclosures Based on 
Administrative Processes
    4. Request for Comment
    E. Section 164.520--Notice of Privacy Practices for Protected 
Health Information
    1. Current Provision and Issues To Address
    2. Proposal
    3. Request for Comment
V. Executive Order 12866 and Related Executive Orders on Regulatory 
Review
    A. Regulatory Impact Analysis
    1. Summary of Costs and Benefits
    2. Baseline Conditions
    3. Costs of the Proposed Rule
    4. Request for Comment
    B. Regulatory Alternatives to the Proposed Rule
    C. Regulatory Flexibility Act--Small Entity Analysis
    D. Executive Order 13132--Federalism
    E. Assessment of Federal Regulation and Policies on Families
    F. Paperwork Reduction Act of 1995
    1. Explanation of Estimated Annualized Burden Hours
VI. Request for Comment
VII. Public Participation

I. Executive Summary

A. Overview

    In this notice of proposed rulemaking (NPRM), the Department of 
Health and Human Services (HHS or ``Department'') proposes 
modifications to the Standards for Privacy of Individually Identifiable 
Health Information (``Privacy Rule''), issued pursuant to section 264 
of the Administrative Simplification provisions of title II, subtitle 
F, of the Health Insurance Portability and Accountability Act of 1996 
(HIPAA).\1\ The Privacy Rule \2\ is one of several rules, collectively 
known as the HIPAA Rules,\3\ that protect the privacy and security of 
individuals' protected health information \4\ (PHI), which is 
individually identifiable health information \5\ (IIHI) transmitted by 
or maintained in electronic media or any other form or medium, with 
certain exceptions.\6\
---------------------------------------------------------------------------

    \1\ Subtitle F of title II of HIPAA (Pub. L. 104-191, 110 Stat. 
1936 (Aug. 21, 1996)) added a new part C to title XI of the Social 
Security Act (SSA), Public Law 74-271, 49 Stat. 620 (Aug. 14, 1935), 
(see sections 1171-1179 of the SSA (codified at 42 U.S.C. 1320d-
1320d-8)), as well as promulgating section 264 of HIPAA (codified at 
42 U.S.C. 1320d-2 note), which authorizes the Secretary to 
promulgate regulations with respect to the privacy of individually 
identifiable health information. The Privacy Rule has subsequently 
been amended pursuant to the Genetic Information Nondiscrimination 
Act of 2008 (GINA), title I, section 105, Public Law 110-233, 122 
Stat. 881 (May 21, 2008) (codified at 42 U.S.C. 2000ff), and the 
Health Information Technology for Economic and Clinical Health 
(HITECH) Act of 2009, Public Law 111-5, 123 Stat. 226 (Feb. 17, 
2009) (codified at 42 U.S.C. 139w-4(0)(2)).
    \2\ 45 CFR parts 160 and 164, subparts A and E. For a history of 
the Privacy Rule, see Section II.B.2., ``Regulatory History,'' 
below.
    \3\ See also the HIPAA Security Rule, 45 CFR parts 160 and 164, 
subparts A and C; the HIPAA Breach Notification Rule, 45 CFR part 
164, subpart D; and the HIPAA Enforcement Rule, 45 CFR part 160, 
subparts C, D, and E.
    \4\ 45 CFR 160.103 (definition of ``Protected health 
information'').
    \5\ 42 U.S.C. 1320d. See also 45 CFR 160.103 (definition of 
``Individually identifiable health information'').
    \6\ At times throughout this NPRM, the Department uses the terms 
``health information'' or ``individuals' health information'' to 
refer generically to health information pertaining to an individual 
or individuals. In contrast, the Department's use of the term 
``IIHI'' refers to a category of health information defined in 
HIPAA, and ``PHI'' is used to refer specifically to a category of 
IIHI that is defined by and subject to the privacy and security 
standards promulgated in the HIPAA Rules.
---------------------------------------------------------------------------

    Under its statutory authority to administer and enforce the HIPAA 
Rules, the Department modifies the HIPAA Rules as needed, but not more 
than once every 12 months.\7\ The Department makes the determination 
that such modifications may be needed using information it receives on 
an ongoing basis--from the public, regulated entities, media reports, 
and its own analysis of the state of privacy for IIHI. Based on 
information the Department has received in recent months, we believe it 
may be necessary to modify the Privacy Rule to avoid the circumstance 
where an existing provision of the Privacy Rule is used to request the 
use or disclosure of an individual's PHI as a pretext for obtaining PHI 
related to reproductive health care for a non-health care purpose where 
such use or disclosure would be detrimental to any person. The 
proposals in this NPRM would amend provisions of the Privacy Rule to 
strengthen privacy protections for individuals' PHI related to 
reproductive health care.
---------------------------------------------------------------------------

    \7\ 45 CFR 160.104.
---------------------------------------------------------------------------

    The Supreme Court's decision in Dobbs v. Jackson Women's Health 
Organization \8\ (Dobbs) makes it more likely than before that 
individuals' PHI may be disclosed in ways that cause harm to the 
interests that HIPAA seeks to protect but that are not adequately 
addressed in this context,\9\ such as criminal, civil, or 
administrative investigations or proceedings that chill access to 
lawful health care and full communication between individuals and 
health care providers. These developments in the legal environment 
increase the potential for uses or disclosures about an individual's 
reproductive health to undermine access to and the quality of health 
care generally. Some states have already imposed criminal, civil, or 
administrative liability for, or created private rights of action 
against, individuals who obtain certain reproductive health care, 
including pregnancy termination; the health care providers who furnish 
such reproductive health care; or other persons who facilitate the 
furnishing or receipt of certain reproductive health care.\10\ Other 
states may follow suit in the future. And in yet other states, law 
enforcement agencies may attempt to use general criminal laws to 
prosecute individuals for seeking or obtaining such reproductive health 
care.\11\
---------------------------------------------------------------------------

    \8\ 597 U.S. __, 142 S. Ct. 2228 (2022) (No. 19-1392) (June 24, 
2022).
    \9\ See National Committee on Vital and Health Statistics (NCVHS 
or ``Committee'') discussion below, section II.A.1., expressing 
concern for harm caused by disclosing identifiable health 
information for non-health care purposes.
    \10\ See, e.g., S.C. Code Ann. sec. 44-41-80(b), NRS 200.220, 
Tex. Health & Safety Code Ann. sec. 171.208 (2021); 63 OK Stat sec. 
1-745.34-35 (2022). See also Abortion Policy Tracker, Kaiser Family 
Foundation (Jan. 20, 2023), https://www.kff.org/other/state-indicator/abortion-policy-tracker/?currentTimeframe=0&sortModel=%7B%22colId%22:%22Location%22,%22sort%22:%22asc%22%7D.
    \11\ See Laura Huss, Farah Diaz-Tello, Goleen Samari, ``Self-
Care, Criminalized: August 2022 Preliminary Findings,*'' If/When/
How: Lawyering for Reproductive Justice (2022), https://www.ifwhenhow.org/resources/self-care-criminalized-preliminary-findings/; Caroline Kitchener and Ellen Francis, ``Talk of 
prosecuting women for abortion pills roils antiabortion movement,'' 
The Washington Post (Jan. 11, 2023), https://www.washingtonpost.com/nation/2023/01/11/alabama-abortion-pills-prosecution/.
---------------------------------------------------------------------------

    After Dobbs, the Department has heard concerns that civil, 
criminal, or administrative investigations or proceedings have been 
instituted or threatened on the basis of reproductive health care that 
is lawful under the circumstances in which it is provided. The threat 
that PHI will be obtained and used in such an investigation or 
proceeding is likely to chill individuals' willingness to seek lawful 
treatment or to provide full information to their

[[Page 23508]]

health care providers when obtaining that treatment.
    A positive, trusting relationship between individuals and their 
health care providers is essential to an individual's health and well-
being.\12\ The prospect of releasing highly sensitive PHI can result in 
medical mistrust and the deterioration of the confidential, safe 
environment that is necessary to quality health care, a functional 
health care system, and the public's health generally.\13\ That is even 
more true in the context of reproductive health care, given the 
potential for stigmatization and other adverse consequences to 
individuals resulting from disclosures they do not want or expect.\14\
---------------------------------------------------------------------------

    \12\ See Fallon E. Chipidza, Rachel S. Wallwork, Theodore A. 
Stern, ``Impact of the Doctor-Patient Relationship,'' The Primary 
Care Companion for CNS Disorders (Oct. 2015), https://www.psychiatrist.com/pcc/delivery/patient-physician-communication/impact-doctor-patient-relationship/.
    \13\ See, e.g., Kim Bellware, ``Doctor says she shouldn't have 
to turn over patients' abortion records,'' The Washington Post (Nov. 
19, 2022), https://www.washingtonpost.com/politics/2022/11/19/caitlin-bernard-rokita-lawsuit/ (citing the testimony of pediatric 
bioethics expert Kyle Brothers about the potential negative effects 
requests for this type of sensitive medical record could have on 
individuals: ``This kind of disclosure, especially for a minor, is 
just heartbreaking.''). See also Eric Boodman, ``In a doctor's 
suspicion after a miscarriage, a glimpse of expanding medical 
mistrust,'' STAT News (June 29, 2022), https://www.statnews.com/2022/06/29/doctor-suspicion-after-miscarriage-glimpse-of-expanding-medical-mistrust/ (Sarah Prager, professor of obstetrics and 
gynecology at the University of Washington said that it's a bad 
precedent if clinical spaces become unsafe for patients because, 
``[a health care provider's] ability to take care of patients relies 
on trust, and that will be impossible moving forward.'').
    \14\ See Letter from NCVHS Chair Simon P. Cohn to HHS Secretary 
Michael O. Leavitt (Feb. 20, 2008) (listing categories of health 
information that are commonly considered to contain sensitive 
information), p. 5, https://ncvhs.hhs.gov/wp-content/uploads/2014/05/080220lt.pdf.
---------------------------------------------------------------------------

    Experience shows that medical mistrust--especially in vulnerable 
communities that have been negatively affected by historical and 
current health care disparities \15\--can create damaging and chilling 
effects on individuals' willingness to seek appropriate and lawful care 
for medical conditions that can worsen without treatment.\16\ If 
individuals believe that their PHI may be disclosed without their 
knowledge or consent to initiate criminal, civil, or administrative 
investigations or proceedings against them or others based primarily 
upon their receipt of lawful reproductive health care, they are likely 
to be less open, honest, or forthcoming about their symptoms and 
medical history. As a result, individuals may refrain from sharing 
critical information with their health care providers, regardless of 
whether they are seeking reproductive health care that is lawful under 
the circumstances in which it is provided. For instance, an individual 
who has obtained a lawful abortion in one state may fear receiving 
emergency care in a state where abortion is unlawful because providing 
information to a health care provider in such a state could place them 
into legal jeopardy, even if that information is relevant to the 
immediate health emergency. If an individual believes they cannot be 
honest about their health history, the health care provider cannot 
conduct an appropriate health assessment to reach a sound diagnosis and 
recommend the best course of action for that individual. Heightened 
confidentiality and privacy protections enable an individual to develop 
a trust-based relationship with their health care provider and to be 
open and honest with their health care provider. That health care 
provider is then more likely to provide a correct diagnosis and aid the 
individual in making informed treatment decisions.
---------------------------------------------------------------------------

    \15\ See Lisa P. Oakley, Marie Harvey, Daniel F. Lopez-Cevallos, 
``Racial and Ethnic Discrimination, Medical Mistrust, and 
Satisfaction with Birth Control Services among Young Adult 
Latinas,'' Women's Health Issues (July-August 2018), p. 313, https://www.sciencedirect.com/science/article/abs/pii/S1049386717305443; 
and Cynthia Prather, Taleria R. Fuller, Khiya J. Marshall, et al., 
``The Impact of Racism on the Sexual and Reproductive Health of 
African American Women,'' Journal of Women's Health (July 2016), p. 
664, https://www.liebertpub.com/doi/abs/10.1089/jwh.2015.5637.
    \16\ See Texas Maternal Mortality and Morbidity Review Committee 
and Department of State Health Services Joint Biennial Report 2022, 
Texas Department of State Health Services (Dec. 2022), p. 41, 
https://www.dshs.texas.gov/sites/default/files/legislative/2022-Reports/Joint-Biennial-MMMRC-Report-2022.pdf.
---------------------------------------------------------------------------

    Similarly, if a health care provider believes that an individual's 
highly sensitive PHI is likely to be disclosed without the individual's 
or the health care provider's knowledge or consent in connection with a 
criminal, civil, or administrative investigation or proceeding against 
the individual, their health care provider, or others primarily because 
of the type of health care the individual received or sought, the 
health care provider is more likely to omit information about an 
individual's medical history or condition, leave gaps, or include 
inaccuracies when preparing the individual's medical records. And if an 
individual's medical records lack complete information about the 
individual's health history, a subsequent health care provider may not 
be able to conduct an appropriate health assessment to reach a sound 
diagnosis and recommend the best course of action for the individual. 
Alternatively, a health care provider may even withhold from an 
individual full and complete information about their treatment options 
because of liability fears stemming from concerns about the level of 
privacy afforded to PHI.\17\ Heightened confidentiality and privacy 
protections enable a health care provider to feel confident maintaining 
full and complete medical records. With complete medical records, an 
individual is more likely to receive appropriate ongoing or future 
health care, including correct diagnoses, and obtain appropriate 
guidance, empowering the individual in making informed treatment 
decisions. This further enables the individual to access lawful health 
care--and health care providers to practice medicine--in an environment 
that promotes social, environmental, mental, and physical wellness.
---------------------------------------------------------------------------

    \17\ See Brief for Zurawski at p. 10, Zurawski v. State of Texas 
(No. D-1-GN-23-000968) (W.D. Tex. 2023) (stating that ``[i]n every 
interaction with their medical team in Texas, Lauren M. and her 
husband felt confused and frustrated and could not get direct 
answers,'' and that ``[i]t was apparent that their doctors, nurses, 
and counselors were all fearful of speaking directly and openly 
about abortion for fear of liability under Texas's abortion 
bans.'').
---------------------------------------------------------------------------

    Furthermore, an individual's lack of trust in their health care 
provider to maintain the confidentiality of the individual's most 
sensitive medical information, and a lack of trust in the medical system 
more generally, may have significant repercussions for the public's 
health as a whole. Individuals who are not candid with their health 
care providers about their reproductive health care may also withhold 
information about other matters that have public health implications, 
such as sexually transmitted infections or vaccinations.\18\
---------------------------------------------------------------------------

    \18\ See Letter from NCVHS Chair Simon P. Cohn to HHS Secretary 
Michael O. Leavitt (June 22, 2006), p. 2 (with forwarded NCVHS 
recommendations, ``Individual trust in the privacy and 
confidentiality of their personal health information also promotes 
public health, because individuals with potentially contagious or 
communicable diseases are not inhibited from seeking treatment.''), 
https://ncvhs.hhs.gov/rrp/june-22-2006-letter-to-the-secretary-recommendations-regarding-privacy-and-confidentiality-in-the-nationwide-health-information-network/.
---------------------------------------------------------------------------

    When proposing the initial Privacy Rule, the Department described 
its policy choices as being motivated to develop and maintain a 
relationship of trust between individuals and health care providers. 
``A fundamental assumption of this regulation is that the greatest 
benefits of improved privacy protection will be realized in the future 
as patients gain increasing trust in health care practitioner's ability 
to

[[Page 23509]]

maintain the confidentiality of their health information.'' \19\ The 
Department also described the benefits of increasing individuals' 
access to their own health care information in the development and 
maintenance of that trust. Providing individuals with ``[o]pen access 
to [their] health information can benefit both the individuals and the 
covered entities. [ . . . ] It can increase communication, thereby 
enhancing individuals' trust in their health care providers and 
increasing compliance with the providers' instructions.'' \20\ The 
Department reiterated this need for trust between individuals and 
health care providers in the 2000 Privacy Rule, noting that ``[t]he 
provision of high-quality health care requires the exchange of 
personal, often-sensitive information between an individual and a 
skilled practitioner. Vital to that interaction is the patient's 
ability to trust that the information shared will be protected and kept 
confidential.'' \21\ As the Department also stated, ``[h]ealth care 
professionals who lose the trust of their patients cannot deliver high-
quality care.'' \22\
---------------------------------------------------------------------------

    \19\ See 64 FR 59918, 60006 (Nov. 3, 1999).
    \20\ See 64 FR 59980.
    \21\ See 65 FR 82462, 82463 (Dec. 28, 2000).
    \22\ See 65 FR 82468.
---------------------------------------------------------------------------

    However, the Department also noted that the policy choices it made 
when issuing the 2000 Privacy Rule were a result of balancing the 
interests of the individual in the privacy of their PHI with the 
interests of society in disclosures of PHI for non-health care 
purposes. Thus, the 2000 Privacy Rule included permissions for 
regulated entities to disclose PHI under certain conditions for 
judicial and administrative proceedings and law enforcement purposes. 
As the Department explained at that time, ``Individuals' right to 
privacy in information about themselves is not absolute. It does not, 
for instance, prevent reporting of public health information on 
communicable diseases or stop law enforcement from getting information 
when due process has been observed.'' \23\
---------------------------------------------------------------------------

    \23\ 65 FR 82464.
---------------------------------------------------------------------------

    The proposed modifications to the Privacy Rule in this NPRM 
directly advance the purposes of HIPAA. From their inception, the 
Department's regulations implementing the statute have sought to ensure 
that individuals do not forgo lawful health care when needed--or 
withhold important information from their health care providers that 
may affect the quality of health care they receive--out of a fear that 
their sensitive information would be revealed outside of their 
relationships with their health care providers. In the past, the 
Department generally has applied the same privacy standards to nearly 
all PHI, regardless of the type of health care at issue. But the 
Department has also recognized that some forms of PHI may be 
particularly sensitive and thus may warrant heightened protections. For 
example, the Department has accorded ``special protections'' to 
psychotherapy notes under the Privacy Rule, owing in part to the 
``particularly sensitive information'' those notes contain.\24\
---------------------------------------------------------------------------

    \24\ The special protections for psychotherapy notes and the 
Department's rationale for them are discussed at greater length in 
section III of this preamble.
---------------------------------------------------------------------------

    Many individuals regard information about their reproductive health 
as highly private and personal. That information is likely to come up 
in a wide variety of encounters between individuals and their health 
care providers, including routine physicals, gynecological 
examinations, and a range of other encounters that do not involve an 
individual's effort to obtain health care, such as an abortion, that is 
illegal under some post-Dobbs state laws. However, if individuals do 
not trust that their health care providers will keep their sensitive 
information private, they may withhold important health information 
from their health care providers, leading to incomplete and inaccurate 
medical records and potentially substandard health care. Some 
individuals may refrain from or defer obtaining necessary health care, 
which could lead to worse health outcomes and exacerbate health 
disparities.\25\ Others may withhold aspects of their medical history 
from their health care providers, which could impede the ability of 
health care professionals to make fully informed medical judgments and 
provide full and complete information about treatment options. 
Similarly, health care providers may omit information about an 
individual's medical history or condition, or leave gaps or include 
inaccuracies, when preparing medical records, out of fear that the 
individual's PHI is likely to be disclosed without the individual's or 
the health care provider's knowledge or consent for use in criminal or 
civil proceedings against the individual, their health care provider, 
or others. In so doing, they increase the risk that the individual will 
receive substandard ongoing or future health care. Regardless of how it 
occurs, the result is substandard health care and worse health 
outcomes.
---------------------------------------------------------------------------

    \25\ See Jessica Winter, ``The Dobbs Decision Has Unleashed 
Legal Chaos for Doctors and Patients,'' The New Yorker (July 2, 
2022) (Chloe Akers, a criminal defense attorney in Tennessee, 
discussing agencies authorized to investigate offenses related to 
abortion ``[t]hat leads to a serious concern about privacy at ob-gyn 
offices and for other health-care providers.''), https://www.newyorker.com/news/news-desk/the-dobbs-decision-has-unleashed-legal-chaos-for-doctors-and-patients.
---------------------------------------------------------------------------

    Such deferrals or avoidance of lawful health care are not only 
problematic for individuals' health, but they are also problematic for 
public health. As discussed in greater detail below, the objective of 
public health is to protect and improve the health of people and their 
communities. Barriers that undermine the willingness of individuals to 
seek lawful health care in a timely manner or to provide complete and 
accurate health information to their health care providers undermine 
the overall objective of public health. Thus, based on the longstanding 
purposes of HIPAA, there is a compelling need to provide additional 
protections to this especially sensitive category of information.
    Following the Dobbs decision in 2022, laws enacted or effective in 
a number of states \26\ raised the prospect that highly sensitive PHI 
would be disclosed under circumstances that did not exist before the 
Supreme Court's decision, generating significant confusion for 
individuals, health care providers, family, friends, and caregivers 
regarding their ability to privately seek, obtain, provide, or 
facilitate health care. The Department has received questions from 
regulated entities, Members of Congress, and others about the state of 
privacy protections, particularly for information about an individual's 
reproductive health or about reproductive health care an individual may 
have received. While the Department has already taken steps to address 
some of the confusion,\27\ we have received additional inquiries and 
reports that indicate further clarification is needed to resolve this 
confusion and strengthen privacy protections. In light of this 
confusion, the Department believes that there is a need to reaffirm and 
clarify that maintaining the privacy of an individual's PHI is 
important to providing high-quality health care. To do so, the 
Department believes it is

[[Page 23510]]

necessary to provide heightened protections for another especially 
sensitive category of health information--PHI sought for the purposes 
of conducting a criminal, civil, or administrative investigation into 
or proceeding against any person in connection with seeking, obtaining, 
providing, or facilitating reproductive health care that is lawful 
under the circumstances in which it is provided. These proposed 
modifications would provide heightened protections for individuals' 
health information privacy under the defined circumstances; foster an 
open and honest exchange of information between the individual and 
health care provider, who--with that information--could employ 
evidence-based clinical practice guidelines; and increase access to 
high-quality, lawful health care.
---------------------------------------------------------------------------

    \26\ See ``After Roe Fell: Abortion Laws by State,'' Center for 
Reproductive Rights (updated in real time) (describing actions taken 
by states, including that ``some states and territories never 
repealed their pre-Roe abortion bans'' that have now gone into 
effect.), https://reproductiverights.org/maps/abortion-laws-by-state/.
    \27\ See Press Release, ``HHS Issues Guidance to Protect Patient 
Privacy in Wake of Supreme Court Decision on Roe,'' U.S. Dep't of 
Health and Human Servs. (June 29, 2022), https://www.hhs.gov/about/news/2022/06/29/hhs-issues-guidance-to-protect-patient-privacy-in-wake-of-supreme-court-decision-on-roe.html.
---------------------------------------------------------------------------

    The Department has determined, in accordance with other Federal 
agencies, that information about reproductive health care is 
particularly sensitive and requires heightened protections. For example, 
the Federal Trade Commission (FTC) has recognized that information 
related to personal reproductive matters is ``particularly sensitive.'' 
\28\ In business guidance, FTC staff explained that ``[t]he exposure of 
health information and medical conditions, especially data related to 
sexual activity or reproductive health, may subject people to 
discrimination, stigma, mental anguish, or other serious harms.'' \29\ 
As a result, the FTC has committed to using the full scope of its 
authorities to protect consumers' privacy, including the privacy of 
their health information and other sensitive data.\30\
---------------------------------------------------------------------------

    \28\ Kristin Cohen, ``Location, health, and other sensitive 
information: FTC committed to fully enforcing the law against 
illegal use and sharing of highly sensitive data,'' Federal Trade 
Commission Business Blog (July 11, 2022), https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal (last 
accessed Nov. 15, 2022).
    \29\ Id.
    \30\ Id.
---------------------------------------------------------------------------

    The Department of Defense (DOD) has also recognized such privacy 
concerns. In a memorandum to DOD leaders, the Secretary of Defense 
directed the DOD to ``[e]stablish additional privacy protections for 
reproductive health care information'' for service members and 
``[d]isseminate guidance that directs Department of Defense health care 
providers that they may not notify or disclose reproductive health 
information to commanders unless this presumption is overcome by 
specific exceptions set forth in policy.'' \31\ The guidance repeatedly 
emphasizes not only the importance of privacy for such highly sensitive 
information but also the importance of privacy in making highly 
sensitive reproductive health care decisions.\32\
---------------------------------------------------------------------------

    \31\ Memorandum Re: Ensuring Access to Reproductive Health Care, 
Dep't of Defense (Oct. 20, 2022), p. 1, (emphasis in original), 
https://media.defense.gov/2022/Oct/20/2003099747/-1/-1/1/MEMORANDUM-ENSURING-ACCESS-TO-REPRODUCTIVE-HEALTH-CARE.PDF.
    \32\ Id.
---------------------------------------------------------------------------

    The Department recognizes that the need for heightened protections 
for highly sensitive PHI is now more acute than it was before, given 
the actions taken by states to regulate, and even criminalize, 
reproductive health care.\33\ Before the Supreme Court's decision, the 
range of circumstances in which persons attempted to seek or use highly 
sensitive PHI in criminal, civil, and administrative investigations or 
proceedings in connection with the provision of reproductive health 
care was much narrower. The general HIPAA privacy protections provided 
the necessary trust to promote access to and receipt of high-quality 
and lawful health care in that environment. As states take steps to 
more broadly regulate reproductive health care, some individuals and 
their health care providers are at greater risk and have increased fear 
that especially sensitive PHI detailing the individual's need for, or 
receipt of, lawful reproductive health care will be used or disclosed 
without their knowledge or consent.\34\
---------------------------------------------------------------------------

    \33\ See ``Talk of prosecuting women for abortion pills roils 
antiabortion movement,'' supra note 11.
    \34\ Id.
---------------------------------------------------------------------------

    The Department carefully analyzed state prohibitions or 
restrictions on an individual's ability to obtain health care and the 
effects on health information privacy, access to high-quality health 
care, and the relationships between individuals and their health care 
providers after Dobbs; and conducted a thorough review of the history 
and text of HIPAA and the Privacy Rule. The Department has also engaged 
in extensive discussions with HHS agencies and other Federal 
departments, including the Department of Justice; examined media 
reports on state activity affecting privacy protections for 
reproductive health information; held listening sessions with and 
reviewed correspondence from stakeholders, including covered entities, 
requesting technical assistance from the Department and urging the 
Department to clarify and strengthen privacy protections for PHI; and 
reviewed correspondence to HHS from Members of Congress who have urged 
the same. The proposals contained within this NPRM are the result of 
this work.

B. Applicability

    The effective date of a final rule would be 60 days after 
publication.\35\ Regulated entities would have until the ``compliance 
date'' to establish and implement policies and practices to achieve 
compliance with any new or modified standards. Except as otherwise 
provided, 45 CFR 160.105 provides that regulated entities must comply 
with the applicable new or modified standards or implementation 
specifications no later than 180 days from the effective date of any 
such change. The Department has previously noted that the 180-day 
general compliance period for new or modified standards would not apply 
where a different compliance period is provided in the regulation for 
one or more provisions.\36\ However, the compliance period cannot be 
less than the statutory minimum of 180 days.\37\
---------------------------------------------------------------------------

    \35\ See Office of the Federal Register, A Guide to the 
Rulemaking Process (2011), p. 8, https://www.federalregister.gov/uploads/2011/01/the_rulemaking_process.pdf.
    \36\ See 78 FR 5566, 5569 (Jan. 25, 2013).
    \37\ See 42 U.S.C. 1320d-4(b)(2).
---------------------------------------------------------------------------

    The Department does not believe that the proposed rule would pose 
unique implementation challenges that would justify an extended 
compliance period (i.e., a period longer than the standard 180 days 
provided in 45 CFR 160.105). Further, the Department believes that 
adherence to the standard compliance period is necessary to timely 
address the circumstances described in this NPRM. Thus, the Department 
proposes to apply the standard compliance date of 180 days after the 
effective date of a final rule.\38\ The Department seeks comment on 
this time frame for compliance.
---------------------------------------------------------------------------

    \38\ See 45 CFR 160.104(c)(1), which requires the Secretary to 
provide at least a 180-day period for covered entities to comply 
with modifications to standards and implementation specifications in 
the HIPAA Rules.
---------------------------------------------------------------------------

    If any provision in this rulemaking is held to be invalid or 
unenforceable facially, or as applied to any person, plaintiff, or 
circumstance, the provision shall be severable from the remainder of 
this rulemaking, and shall not affect the remainder thereof, and the 
invalidation of any specific application of a provision shall not 
affect the application of the provision to other persons or 
circumstances.

C. Table of Abbreviations/Commonly Used Acronyms in This Document

    As used in this preamble, the following terms and abbreviations 
have the meanings noted below.

[[Page 23511]]



------------------------------------------------------------------------
                  Term                               Meaning
------------------------------------------------------------------------
AMA....................................  American Medical Association.
BLS....................................  Bureau of Labor Statistics.
CDC....................................  Centers for Disease Control and
                                          Prevention.
DOD....................................  Department of Defense.
HHS or Department......................  U.S. Department of Health and
                                          Human Services.
EHR....................................  Electronic Health Record.
E.O....................................  Executive Order.
FTC....................................  Federal Trade Commission.
GINA...................................  Genetic Information
                                          Nondiscrimination Act of 2008.
Health IT..............................  Health Information Technology.
HITECH Act.............................  Health Information Technology
                                          for Economic and Clinical
                                          Health Act of 2009.
HIPAA..................................  Health Insurance Portability
                                          and Accountability Act of
                                          1996.
ICR....................................  Information Collection Request.
IIHI...................................  Individually Identifiable
                                          Health Information.
NCVHS or Committee.....................  National Committee on Vital and
                                          Health Statistics.
NPP....................................  Notice of Privacy Practices.
NPRM...................................  Notice of Proposed Rulemaking.
OCR....................................  Office for Civil Rights.
OMB....................................  Office of Management and
                                          Budget.
PDF....................................  Portable Document Format.
PHI....................................  Protected Health Information.
PRA....................................  Paperwork Reduction Act of
                                          1995.
PSAO...................................  Pharmacy Services
                                          Administration Organization.
RFA....................................  Regulatory Flexibility Act.
RIA....................................  Regulatory Impact Analysis.
SBA....................................  Small Business Administration.
SSA....................................  Social Security Act of 1935.
UMRA...................................  Unfunded Mandates Reform Act of
                                          1995.
VA.....................................  Department of Veterans Affairs.
------------------------------------------------------------------------

II. Statutory Authority and Regulatory History

A. Statutory Authority and History

1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    In 1996, Congress enacted HIPAA \39\ to reform the health care 
delivery system. In so doing, Congress intended to make health 
insurance more portable and accessible for consumers, to improve its 
quality, and to simplify its administration.\40\ As noted by a leading 
proponent of the bill during final debate leading up to passage of the 
law, ``[o]ur objective, then, is to initiate fundamental reforms in 
access to health care without doing irreversible harm to quality, 
research and technology.'' \41\
---------------------------------------------------------------------------

    \39\ See HIPAA, supra note 1.
    \40\ See H.Rept. 104-736, 104th Cong. (1996) at 177. See also 
142 Cong. Rec. H3038 (daily ed. Mar. 28, 1996), (statement of Rep. 
McDermott) (speaking about how privacy protection is essential to 
improving health care quality, one of the purposes of the H.R. 3103, 
Health Coverage Availability and Affordability Act of 1996, the 
precursor to HIPAA); 142 Cong. Rec. H9568 (daily ed. Aug. 1, 1996) 
(statement of Rep. Ganske).
    \41\ See 142 Cong. Rec. S9505 (daily ed. Aug. 2, 1996) 
(statement of Sen. Roth).
---------------------------------------------------------------------------

    At the time, the health care system was moving from paper-based to 
electronic medical records. Congress recognized the need to reduce the 
burden of the transition on health care providers, encourage health 
care provider adoption of technology by addressing concerns for 
potential liability for use of new systems, and ensure patient 
confidentiality of electronic data to foster trust in health care 
providers and support patient access to health care.\42\ Congressional 
statements leading up to HIPAA's enactment demonstrate Congress' desire 
that the law enhance individuals' trust in health care providers: ``The 
bill would also establish strict security standards for health 
information because Americans clearly want to make sure that their 
health care records can only be used by the medical professionals that 
treat them. Often we assume that because doctors take an oath of 
confidentiality that in fact all who touch their records operate by the 
same standards. Clearly they do not.'' \43\
---------------------------------------------------------------------------

    \42\ See H.Rept. 104-736 at 177 and 264, supra note 40. See also 
142 Cong. Rec. H9780 (daily ed., No. 116 Part II, Aug. 1, 1996) 
(statement of Rep. Sawyer); 142 Cong. Rec. H9792 (daily ed. Aug. 1, 
1996) (statement of Rep. McDermott); and 142 Cong. Rec. S9515-16 
(daily ed. Aug. 2, 1996) (statement of Sen. Simon).
    \43\ 142 Cong. Rec. H9780 (statement of Rep. Sawyer), supra note 
42.
---------------------------------------------------------------------------

    To address these needs, Congress enacted HIPAA's Administrative 
Simplification provisions \44\ in subtitle F, sections 261 through 264, 
which contained requirements for standards to support the electronic 
exchange of health information. Section 261 states, in part, that 
``[i]t is the purpose of this subtitle to improve [ . . . ] the 
efficiency and effectiveness of the health care system, by encouraging 
the development of a health information system through the 
establishment of standards and requirements for the electronic 
transmission of certain health information [ . . . ].'' \45\
---------------------------------------------------------------------------

    \44\ See HIPAA, supra note 1.
    \45\ 42 U.S.C. 1320d note (Statutory Notes and Related 
Subsidiaries: Purpose). Subtitle F also amended related provisions 
of the SSA.
---------------------------------------------------------------------------

    HIPAA protects individuals' health information in various ways. 
Congress prohibited, among other things, the disclosure of 
``individually identifiable health information to another person'' \46\ 
and provided for severe penalties for violations, including prison 
sentences of up to 10 years and monetary fines of up to $250,000.\47\ 
Congress also put in place numerous protections for the privacy of 
individuals' health information and directed HHS to promulgate rules, 
recognizing the importance of standards for security and privacy in the 
developing electronic environment, when Congress did not enact detailed 
privacy requirements within a specified period.\48\
---------------------------------------------------------------------------

    \46\ 42 U.S.C. 1320d-6(a).
    \47\ 42 U.S.C. 1320d-6(b).
    \48\ See, e.g., 42 U.S.C. 1320a-7c(a)(3)(B)(ii) (creating a 
fraud and abuse control program with measures to protect, among 
other things, the confidentiality of the information and the privacy 
of individuals receiving health care services and items); H.Rept. 
104-736 at 242, supra note 40 (explaining that such program ``would 
ensure the confidentiality of information [ . . . ] as well as the 
privacy of individuals receiving health care services''); 42 U.S.C. 
1320a-7e(b)(3) (creating a health care fraud and abuse data 
collection program with procedures to assure the protection of the 
privacy of individuals receiving health care services); H.Rept. 
104-736 at 252, supra note 40 (explaining that such program would 
``protect the privacy of individuals receiving health care 
services''); section 264(a) of Public Law 104-191 (codified at 42 
U.S.C. 1320d-2 note) (requiring the Secretary of HHS to submit 
recommendations on privacy standards for individually identifiable 
health information); section 264(c) of Public Law 104-191 (codified 
at 42 U.S.C. 1320d-2 note) (requiring the Secretary to issue 
regulations containing such privacy standards if Congress does not); 
H.Rept. 104-736 at 265, supra note 40 (recognizing that ``certain 
uses of individually identifiable information are appropriate, and 
do not compromise the privacy of an individual[,]'' such as ``the 
transfer of information when making referrals from primary care to 
specialty care'').
---------------------------------------------------------------------------

    HIPAA's preemption provisions reflect Congress' intent to protect 
individuals' health care privacy. The statute provides a ``[g]eneral 
rule'' that, with certain exceptions, HIPAA's provisions ``supersede 
any contrary provision of State law.'' \49\ One exception to HIPAA's 
preemption provisions is for ``state privacy laws that are contrary to 
and more stringent than the corresponding federal standard, 
requirement, or implementation specification.'' \50\ ``The effect of 
these provisions is to let the law that is most protective of privacy 
control.'' \51\ Thus, HIPAA created privacy standards that safeguard 
the health information of all Americans, while respecting the ability

[[Page 23512]]

of states to provide individuals with additional privacy protection.
---------------------------------------------------------------------------

    \49\ 42 U.S.C. 1320d-7(a)(1) (providing the general rule that, 
with limited exceptions, a provision or requirement under HIPAA 
supersedes any contrary provision of state law). See also section 
264(c)(2) of Public Law 104-191 (codified at 42 U.S.C. 1320d-2 
note).
    \50\ 65 FR 82580 (the exception applies under section 
1178(a)(2)(B) of the SSA and section 264(c)(2) of HIPAA).
    \51\ Id.
---------------------------------------------------------------------------

    The Conference Report resolving differences in House and Senate 
bill language provides further evidence that Congress gave great weight 
to the need for privacy standards that adequately protect individual 
health information privacy at a Federal level but allow for greater 
health information privacy protection by states. Congressional 
references to ``rapidly'' progressing technological innovation \52\ and 
the need to balance the privacy interests of individuals and the 
benefits of sharing data in certain circumstances (e.g., sharing IIHI 
for treatment or aggregated data for research \53\) demonstrate that 
Congress considered that health care reform would require a carefully 
calibrated and appropriate method for exchanging data. Similarly, 
congressional deliberations demonstrate that Congress viewed individual 
privacy, confidentiality, and data security as critical for orderly 
administrative simplification.\54\ As noted by one Member of Congress, 
privacy standards would add an additional layer of protection beyond 
the oath pledged by health care providers to keep information secure 
and, as described by another Member, would further protect information 
from being used in a ``malicious or discriminatory manner.'' \55\
---------------------------------------------------------------------------

    \52\ See H.Rept. 104-736 at 270, supra note 40. See also South 
Carolina Med. Ass'n v. Thompson, 327 F.3d 346, 354 (4th Cir. 2003) 
(``Recognizing the importance of protecting the privacy of health 
information in the midst of the rapid evolution of health 
information systems, Congress passed HIPAA in August 1996.''), cert. 
denied, 540 U.S. 981 (2003).
    \53\ See H.Rept. 104-736 at 265, supra note 40.
    \54\ On a resolution waiving points of order against the 
Conference Report to H.R. 3103, members debated an ``erosion of 
privacy'' balanced against the administrative simplification 
provisions. See 142 Cong. Rec. H9777 and H9780, supra note 42.
    \55\ See comment from Rep. Sawyer, supra note 42. See also 
statement of Sen. Simon, supra note 42.
---------------------------------------------------------------------------

    Congress applied the Administrative Simplification provisions 
directly to three types of entities known as ``covered entities''--
health plans, health care clearinghouses, and health care providers who 
transmit information electronically in connection with a transaction 
for which HHS has adopted a standard.\56\ Congress also required the 
Secretary, no later than 12 months from the date of enactment, to 
identify ``detailed'' recommendations for Federal standards to protect 
the privacy and security of IIHI nationwide addressing, at least, (1) 
the rights that an individual who is a subject of IIHI should have; (2) 
the procedures that should be established for the exercise of such 
rights; and (3) the uses and disclosures of such information that 
should be authorized or required. Congress further directed the 
Secretary to promulgate standards to govern the privacy of information 
no later than 42 months after HIPAA's enactment if Congress itself had 
not done so via additional legislation.\57\
---------------------------------------------------------------------------

    \56\ See section 262 of Public Law 104-191, adding section 1172 
to the SSA (codified at 42 U.S.C. 1320d-1). See also section 13404 
of the American Recovery and Reinvestment Act of 2009, Public Law 
111-5, 123 Stat. 115 (Feb. 17, 2009) (codified at 42 U.S.C. 17934) 
(applying privacy provisions and penalties to business associates of 
covered entities).
    \57\ See section 264 of Public Law 104-191 (codified at 42 
U.S.C. 1320d-2 note). Although the original regulations were enacted 
in 2001, more than 42 months from HIPAA's enactment, ``HHS's delay 
in promulgating the final Privacy Rule did not deprive the agency of 
the power to act.'' Ass'n of Am. Physicians & Surgeons, Inc. v. HHS, 
224 F. Supp. 2d 1115, 1127 (S.D. Tex. 2002), aff'd, 67 F. App'x 253 
(5th Cir. 2003) (noting that HHS's delay, ``particularly in the face 
of huge administrative burdens . . . do[es] not result in the 
invalidation of HHS's authority to promulgate the Privacy Rule'') 
(citing Regions Hospital v. Shalala, 522 U.S. 448, 459 n.2 (1998); 
Brock v. Pierce Cnty., 476 U.S. 253, 260 (1986)).
---------------------------------------------------------------------------

    HIPAA section 264(d) required the Secretary to consult with the 
Department's National Committee on Vital and Health Statistics (NCVHS) 
\58\ in carrying out the requirements of section 264.\59\ Like 
Congress, NCVHS considered the appropriateness of permitting 
identifiable health information to be used for certain purposes and not 
others and requiring ``substantive and procedural barriers'' for still 
others. For example, NCVHS recommended that ``strong substantive and 
procedural protections'' be imposed if health information were to be 
disclosed to law enforcement, and, where identifiable health 
information would be made available for non-health purposes, 
individuals should be afforded assurances that their data would not be 
used against them.\60\ Ultimately, NCVHS ``unanimously'' believed, ``[ 
. . . ] the Secretary and the Administration [should] assign the 
highest priority to the development of a strong position on health 
privacy that provides the highest possible level of protection for the 
privacy rights of patients.'' \61\ NCVHS further noted that failure to 
do so would ``undermine public confidence in the health care system, 
expose patients to continuing invasions of privacy, subject record 
keepers to potentially significant legal liability, and interfere with 
the ability of health care providers and others to operate the health 
care delivery and payment system in an effective and efficient 
manner,'' which would undermine what Congress intended when it enacted 
HIPAA.\62\
---------------------------------------------------------------------------

    \58\ See section 264(a) and (d) of Public Law 104-191 (codified 
at 42 U.S.C. 1320d-2 note). The law also required the Secretary to 
consult with the U.S. Attorney General.
    \59\ 42 U.S.C. 242k(k) established the NCVHS as an 18-member 
committee within the Office of the Secretary. The statute requires 
the committee to include persons with expertise in the following 
fields: health statistics, electronic interchange of health care 
information, privacy and security of electronic information, 
population-based public health, purchasing or financing health care 
services, integrated computerized health information systems, health 
services research, consumer interests in health information, health 
data standards, epidemiology, and the provision of health services. 
NCVHS committee members are appointed to serve four-year terms. 
NCVHS serves as the statutory public advisory body to the Secretary 
``for health data, statistics, privacy, and national health 
information policy and the Health Insurance Portability and 
Accountability Act.'' In addition, the Committee advises the 
Secretary, ``reports regularly to Congress on HIPAA implementation, 
and serves as a forum for interaction between HHS and interested 
private sector groups on a range of health data issues.'' National 
Comm. on Vital and Health Statistics, About NCVHS, https://ncvhs.hhs.gov/.
    \60\ Letter from NCVHS Chair Don E. Detmer to HHS Secretary 
Donna E. Shalala (June 27, 1997) (forwarding NCVHS recommendations), 
https://ncvhs.hhs.gov/rrp/june-27-1997-letter-to-the-secretary-with-recommendations-on-health-privacy-and-confidentiality/.
    \61\ Id. at Principal Findings and Recommendations.
    \62\ Id.
---------------------------------------------------------------------------

    The NCVHS explicitly stated that:

    The Committee strongly supports limiting use and disclosure of 
identifiable information to the minimum amount necessary to 
accomplish the purpose. The Committee also strongly believes that 
when identifiable health information is made available for non-
health uses, patients deserve a strong assurance that the data will 
not be used to harm them.\63\
---------------------------------------------------------------------------

    \63\ Id. at Executive Summary.

    NCVHS acknowledged that secondary uses of individuals' health 
information could provide benefits to society but recognized that these 
uses posed the potential for harm to individuals in certain 
circumstances. As NCVHS described it, ``[a] restriction prohibiting 
secondary use against the record subject is an essential part of the 
`bargain' that allows use of the data for socially beneficial purposes 
while protecting individual patients.'' \64\ Thus, NCVHS strongly 
recommended restrictions of the ability of third parties to use 
information against the individual for purposes unrelated to health, 
particularly for law enforcement and other governmental purposes.
---------------------------------------------------------------------------

    \64\ Id. at E.
---------------------------------------------------------------------------

    In its recommendations, NCVHS acknowledged that there might be 
difficulty in distinguishing between categories of users, but it also 
recognized the importance of doing so.\65\ NCVHS recommended that ``any 
rules

[[Page 23513]]

regulating disclosures of identifiable health information be as clear 
and as narrow as possible. Each group of users must be required to 
justify their need for health information and must accept reasonable 
substantive and procedural limitations on access.'' \66\ This would 
allow for the disclosures that society deemed necessary and appropriate 
while providing individuals with clear expectations regarding their 
health information privacy.
---------------------------------------------------------------------------

    \65\ Id. at F.
    \66\ Id.
---------------------------------------------------------------------------

2. The Health Information Technology for Economic and Clinical Health 
(HITECH) Act
    On February 17, 2009, Congress enacted the Health Information 
Technology for Economic and Clinical Health Act of 2009 (HITECH Act) 
\67\ to promote the widespread adoption and standardization of health 
information technology (health IT). In passing the law, Congress 
instructed that any new health IT standards take into account the 
privacy and security requirements of the HIPAA Rules.\68\
---------------------------------------------------------------------------

    \67\ Title XIII of Division A and Title IV of Division B of the 
American Recovery and Reinvestment Act of 2009, Public Law 111-5, 
123 Stat. 115 (Feb. 17, 2009) (codified at 42 U.S.C. 201 note).
    \68\ Section 3009(a)(1)(B) of the HITECH Act (codified at 42 
U.S.C. 300jj-19(a)(1)) requires that the health IT standards and 
implementation specifications adopted under section 3004 take into 
account the requirements of HIPAA privacy and security law.
---------------------------------------------------------------------------

    Within the HITECH Act, Congress enacted new HIPAA privacy and 
security requirements for covered entities and business associates and 
expanded certain rights of individuals with respect to their PHI. The 
HITECH Act affirmed that ``[t]he standards governing the privacy and 
security of individually identifiable health information promulgated by 
the Secretary under sections 262(a) and 264'' of HIPAA ``shall remain 
in effect to the extent that they are consistent with this subtitle'' 
and directed the Secretary to ``amend such Federal regulations as 
required to make such regulations consistent with this subtitle.'' \69\ 
The HITECH Act further provided that ``[t]his title may not be 
construed as having any effect on the authorities of the Secretary 
under HIPAA privacy and security law,'' defined to include ``section 
264 of the [HIPAA]'' and ``regulations under [that] provision[ ].'' 
\70\
---------------------------------------------------------------------------

    \69\ Section 13421(b) of the HITECH Act (codified at 42 U.S.C. 
17951).
    \70\ Section 3009(a) of the HITECH Act (codified at 42 U.S.C. 
300jj-19(a)), which, as stated above, preserves the Secretary's 
authority to modify the privacy regulations under 45 CFR 160.104(a).
---------------------------------------------------------------------------

    Congress understood the relationship between a connected health IT 
landscape, a necessary and vital component of health care reform,\71\ 
and privacy and security standards when it enacted the HITECH Act. The 
Purpose statement of an accompanying House of Representatives report 
\72\ on the Energy and Commerce Recovery and Reinvestment Act \73\ 
recognizes that ``[i]n addition to costs, concerns about the security 
and privacy of health information have also been regarded as an 
obstacle to the adoption of [health IT].'' The Senate Report for S. 336 
\74\ similarly acknowledges that ``[i]nformation technology systems 
linked securely and with strong privacy protections can improve the 
quality and efficiency of health care while producing significant cost 
savings.'' \75\ As the Department explained in the 2013 regulation 
referred to as the ``Omnibus Rule'' \76\ and discussed in greater 
detail below, the HITECH Act's new HIPAA privacy and security 
requirements \77\ supported Congress' goal to promote widespread 
adoption and interoperability of health IT by ``strengthen[ing] the 
privacy and security protections for health information established by 
HIPAA.'' \78\
---------------------------------------------------------------------------

    \71\ C. Stephen Redhead, ``The Health Information Technology for 
Economic and Clinical Health (HITECH) Act,'' Congressional Research 
Service (updated Apr. 27, 2009), https://crsreports.congress.gov/product/pdf/R/R40161/9 (``[Health IT], which generally refers to the 
use of computer applications in medical practice, is widely viewed 
as a necessary and vital component of health care reform.'').
    \72\ H.Rept. 111-7, accompanying H.R. 629, 111th Cong., at 74 
(2009).
    \73\ H.R. 629, Energy and Commerce Recovery and Reinvestment Act 
of 2009, introduced in the House on January 22, 2009, contained 
nearly identical provisions to subtitle D of the HITECH Act.
    \74\ Congress enacted the American Recovery and Reinvestment Act 
of 2009, which included the HITECH Act, on February 17, 2009. While 
it was the House version of the bill, H.R. 1, that was enacted, the 
Senate version, S. 336, contained nearly identical provisions to 
subtitle D of the HITECH Act.
    \75\ S.Rept. 111-3, 111th Cong. accompanying S. 336, 111th 
Cong., at 59 (2009).
    \76\ 78 FR 5566.
    \77\ Subtitle D of title XIII of the HITECH Act (codified at 42 
U.S.C. 17921, 42 U.S.C. 17931-17941, and 42 U.S.C. 17951-17953).
    \78\ 78 FR 5568.
---------------------------------------------------------------------------

B. Rulemaking Authority and Regulatory History

1. The Department's Rulemaking Authority Under HIPAA
    In passing HIPAA, Congress recognized the importance of privacy for 
IIHI by requiring the Secretary to issue regulations on privacy in the 
event that Congress itself did not enact specific privacy 
legislation.\79\ That statutory directive complemented the Secretary's 
general rulemaking authority to ``make and publish such rules and 
regulations, not inconsistent with this chapter, as may be necessary to 
the efficient administration of the functions with which each is 
charged under this chapter.'' \80\
---------------------------------------------------------------------------

    \79\ See Section 264(c)(1) of Public Law 104-191 (codified at 42 
U.S.C. 1320d-2 note).
    \80\ Section 1102 of the SSA (codified at 42 U.S.C. 1302).
---------------------------------------------------------------------------

    Congress further contemplated that related rulemaking authorities 
would not be static. Indeed, in a closely analogous section of the 
HIPAA Administrative Simplification provisions--related to enabling the 
electronic exchange of health information--Congress built in a 
mechanism to adapt such regulations as technology and health care 
evolve, directing that the Secretary review and modify the 
Administrative Simplification standards as determined appropriate, but 
not more frequently than once every 12 months.\81\ The Department 
recognized how intertwined these particular Administrative 
Simplification standards would be with the standards for the privacy of 
individually identifiable health information, and thus promulgated a 
regulatory standard that limits modifications to all of the rules 
promulgated under the Administrative Simplification provisions to no 
more frequently than once every 12 months.\82\
---------------------------------------------------------------------------

    \81\ See Section 1174(b)(1) of Public Law 104-191 (codified at 
42 U.S.C. 1320d-3).
    \82\ 45 CFR 160.104.
---------------------------------------------------------------------------

    The Secretary exercised each of these rulemaking authorities in 
2000 to adopt 45 CFR 160.104(a), which reserves the Secretary's power 
to modify any ``standard or implementation specification adopted under 
this subchapter'' of these regulations, including the Administrative 
Simplification provisions. The Secretary invoked this modification 
authority to amend the Privacy Rule in 2002.\83\
---------------------------------------------------------------------------

    \83\ See 67 FR 53182 (Aug. 14, 2002).
---------------------------------------------------------------------------

    Subsequently, as discussed above, Congress affirmed that the HIPAA 
Rules--including 45 CFR 160.104(a)--are to remain in effect to the 
extent that they are consistent with the HITECH Act and directed the 
Secretary to revise the HIPAA Rules as necessary for consistency with 
the HITECH Act.\84\ At the same time, Congress also confirmed that the 
new law was not intended to have any effect on authorities already 
granted under HIPAA to the Department, including section 264 of that 
statute and the regulations issued under that provision. Congress' 
affirmation of the Secretary's rulemaking power, including the

[[Page 23514]]

authority to modify the Secretary's own regulations, thus confirms that 
the Secretary retains the authority to modify the Privacy Rule as often 
as every 12 months when appropriate, including to strengthen privacy 
and security protections for IIHI. In fact, after the enactment of the 
HITECH Act, the Secretary exercised this authority to modify the 
Privacy Rule again in 2013.\85\
---------------------------------------------------------------------------

    \84\ Section 13421(b) of the HITECH Act (codified at 42 U.S.C. 
17951).
    \85\ See 78 FR 5566.
---------------------------------------------------------------------------

    To properly execute the HIPAA statutory mandate, and in accordance 
with the regulatory authority granted to it by Congress, the Department 
regularly evaluates the interaction of the Privacy Rule and state 
statutes and regulations governing the privacy of health information. 
In keeping with the Department's practice, this NPRM attempts to 
accommodate state autonomy to the extent consistent with the need to 
maintain rules for health information privacy that serve HIPAA's 
objectives. The proposed regulation, if finalized, would thus preempt 
state law only to the extent necessary to achieve the national 
objectives of HIPAA.
    The Secretary has delegated authority to administer the HIPAA Rules 
and to make decisions regarding their implementation, interpretation, 
and enforcement to the HHS Office for Civil Rights (OCR).\86\
---------------------------------------------------------------------------

    \86\ See U.S. Dep't of Health and Human Servs., Office of the 
Secretary, Office for Civil Rights; Statement of Delegation of 
Authority, 65 FR 82381 (Dec. 28, 2000); U.S. Dep't of Health and 
Human Servs., Office of the Secretary, Office for Civil Rights; 
Delegation of Authority, 74 FR 38630 (Aug. 4, 2009); U.S. Dep't of 
Health and Human Servs., Office of the Secretary, Statement of 
Organization, Functions and Delegations of Authority, 81 FR 95622 
(Dec. 28, 2016).
---------------------------------------------------------------------------

2. Regulatory History
The 2000 Privacy Rule
    As directed by HIPAA, the Department provided a series of 
recommendations to Congress for a potential new law that would address 
the confidentiality of individually identifiable health 
information.\87\ Congress did not act within its three-year self-
imposed deadline. As a result, the Department published a proposed rule 
setting forth the required standards on November 3, 1999,\88\ and 
issued the first final rule establishing ``Standards for Privacy of 
Individually Identifiable Health Information'' (``2000 Privacy Rule'') 
on December 28, 2000.\89\
---------------------------------------------------------------------------

    \87\ See Confidentiality of Individually Identifiable Health 
Information, U.S. Dep't of Health and Human Servs., Section I.A. 
(Sept. 1997), https://aspe.hhs.gov/reports/confidentiality-individually-identifiable-health-information.
    \88\ 64 FR 59918.
    \89\ 65 FR 82462.
---------------------------------------------------------------------------

    The final rule announced ``standards to protect the privacy of 
individually identifiable health information'' to ``begin to address 
growing public concerns that advances in electronic technology and 
evolution in the health care industry are resulting, or may result, in 
a substantial erosion of the privacy surrounding'' health 
information.\90\ On the eve of that rule's issuance, the President 
issued an Executive order recognizing the importance of protecting 
patient privacy, explaining that ``[p]rotecting the privacy of 
patients' protected health information promotes trust in the health 
care system. It improves the quality of health care by fostering an 
environment in which patients can feel more comfortable in providing 
health care professionals with accurate and detailed information about 
their personal health.'' \91\ Thus, the primary goal of the Privacy 
Rule was to provide greater protections to individuals' privacy and to 
engender a trusting relationship between individuals and health care 
providers.\92\
---------------------------------------------------------------------------

    \90\ 65 FR 82462.
    \91\ Executive Order 13181 (Dec. 20, 2000), 65 FR 81321.
    \92\ Id.
---------------------------------------------------------------------------

    Since promulgation, the Privacy Rule has protected PHI \94\ by 
limiting the circumstances under which covered entities and their 
business associates (collectively, ``regulated entities'') are 
permitted or required to use or disclose PHI and by requiring covered 
entities to have safeguards in place to protect the privacy of PHI. In 
adopting these regulations, the Department acknowledged the need to 
balance several competing factors, including existing legal 
expectations, individuals' privacy expectations, and societal 
expectations.\95\ The Department noted ``the large number of comments 
from individuals and groups representing individuals demonstrate the 
deep public concern about the need to protect the privacy of 
individually identifiable health information'' and ``evidence about the 
importance of protecting privacy and the potential adverse consequences 
to individuals and their health if such protections are not extended.'' 
\96\ The Department struck a balance between the ``competing 
interests--the necessity of protecting privacy and the public interest 
in using identifiable health information for vital public and private 
purposes--in a way that is also workable for the varied 
stakeholders[.]'' \97\
---------------------------------------------------------------------------

    \94\ PHI includes individuals' IIHI transmitted by or maintained 
in electronic media or any other form or medium, with certain 
exceptions. See 45 CFR 160.103 (definition of ``Protected health 
information'').
    \95\ See 65 FR 82471.
    \96\ 65 FR 82472.
    \97\ Id.
---------------------------------------------------------------------------

    The Department established ``general rules'' for uses and 
disclosures of PHI, codified at 45 CFR 164.502, in the 2000 Privacy 
Rule.\98\ The 2000 Privacy Rule also specified the circumstances in 
which a covered entity was required to obtain an individual's 
consent,\99\ authorization,\100\ or the opportunity for the individual 
to agree or object.\101\ Additionally, it established rules for when a 
covered entity is permitted to use or disclose PHI without an 
individual's consent, authorization, or opportunity to agree or 
object.\102\ In particular, the Privacy Rule permits certain uses and 
disclosures of PHI, without the individual's authorization, for 
identified activities that benefit the community, such as public health 
activities, law enforcement purposes, judicial and administrative 
proceedings, and research.
---------------------------------------------------------------------------

    \98\ 65 FR 82462.
    \99\ 45 CFR 164.506 was originally titled ``Consent for uses or 
disclosures to carry out treatment, payment, or health care 
operations.''
    \100\ 45 CFR 164.508.
    \101\ 45 CFR 164.510.
    \102\ 45 CFR 164.512.
---------------------------------------------------------------------------

    The Privacy Rule also established the rights of individuals with 
respect to their PHI, including the right to receive adequate notice of 
a covered entity's privacy practices, the right to request restrictions 
of uses and disclosures, the right to access (i.e., to inspect and 
obtain a copy of) their PHI, the right to request an amendment of their 
PHI, and the right to receive an accounting of disclosures.\103\
---------------------------------------------------------------------------

    \103\ See 45 CFR 164.520, 164.522, 164.524, 164.526, and 
164.528.
---------------------------------------------------------------------------

    As part of the final rule, the Department provided that covered 
entities were to comply with the 2000 Privacy Rule no later than 24 
months following its effective date.\104\
---------------------------------------------------------------------------

    \104\ The effective date of the Privacy Rule was updated to 
April 14, 2001. A covered entity meeting the definition of a small 
health plan was given 36 months to comply with the Privacy Rule. The 
compliance date for most covered entities was April 14, 2003. See 66 
FR 12434 (Feb. 26, 2001).
---------------------------------------------------------------------------

The 2002 Privacy Rule
    After publication of the 2000 Privacy Rule, the Department received 
many

[[Page 23515]]

inquiries and unsolicited comments about the Rule's impact and 
operation. As a result, the Department opened the 2000 Privacy Rule for 
further comment in March 2001, less than one month before the effective 
date and 25 months before the compliance date for most covered 
entities, and issued clarifying guidance on the Rule's 
implementation.\105\ NCVHS' Subcommittee on Privacy, Confidentiality 
and Security held public hearings about the 2000 Privacy Rule. From 
those hearings, the Department learned more about concerns related to 
key provisions and their potential unintended consequences on health 
care quality and access.\106\ In March 2002, the Department proposed 
modifications to the 2000 Privacy Rule to clarify the requirements and 
correct potential problems that could threaten access to, or quality 
of, health care.\107\
---------------------------------------------------------------------------

    \105\ 66 FR 12738 (Feb. 28, 2001).
    \106\ 67 FR 53183.
    \107\ 67 FR 14775 (Mar. 27, 2002).
---------------------------------------------------------------------------

    In response to the comments on the proposed rule, the Department 
finalized modifications on August 14, 2002 (``2002 Privacy 
Rule'').\108\ This final rule clarified HIPAA's requirements while 
``maintain[ing] strong protections for the privacy of individually 
identifiable health information.'' \109\ These modifications addressed 
certain workability issues, including but not limited to clarifying 
distinctions between health care operations and marketing; modifying 
the minimum necessary standard to exclude disclosures authorized by 
individuals and clarify its operation; clarifying that consent is not 
required for treatment, payment, or health care operations, and to 
otherwise clarify the role of consent in the Privacy Rule; and making 
other modifications and conforming amendments consistent with the 
proposed rule. The Department also included modifications to the 
provisions permitting the use or disclosure of PHI for public health 
activities and for research activities without consent, authorization, 
or an opportunity to agree or object.
---------------------------------------------------------------------------

    \108\ 67 FR 53182. See the final rule for changes in the 
entirety. The 2002 Privacy Rule was issued before the compliance 
date for the 2000 Privacy Rule. Thus, covered entities never 
implemented the 2000 Privacy Rule. Instead, they implemented the 
2000 Privacy Rule as modified by the 2002 Privacy Rule.
    \109\ 67 FR 53182.
---------------------------------------------------------------------------

2013 Omnibus Final Rule
    Following the enactment of the HITECH Act, the Department issued an 
NPRM, entitled ``Modifications to the HIPAA Privacy, Security, and 
Enforcement Rules Under the Health Information Technology for Economic 
and Clinical Health [HITECH] Act'' (``2010 NPRM''),\110\ to propose 
implementation of certain HITECH Act requirements. In 2013, the 
Department issued the Modifications to the HIPAA Privacy, Security, 
Enforcement, and Breach Notification Rules Under the Health Information 
Technology for Economic and Clinical Health [HITECH] Act and the 
Genetic Information Nondiscrimination Act, and Other Modifications to 
the HIPAA Rules--Final Rule (``2013 Omnibus Rule''),\111\ which 
implemented many of the new HITECH Act requirements, including 
strengthening individuals' privacy rights as related to their PHI.
---------------------------------------------------------------------------

    \110\ 75 FR 40867 (July 14, 2010).
    \111\ 78 FR 5565. In addition to finalizing requirements of the 
HITECH Act that were proposed in the NPRM, the Department adopted 
modifications to the Enforcement Rule not previously adopted in an 
earlier interim final rule, 74 FR 56123 (Oct. 30, 2009), and to the 
Breach Notification Rule not previously adopted in an interim final 
rule, 74 FR 42739 (Aug. 24, 2009). The Department also finalized 
previously proposed Privacy Rule modifications as required by GINA, 
74 FR 51698 (Oct. 7, 2009).
---------------------------------------------------------------------------

    The Department also finalized regulatory provisions not required by 
the HITECH Act, but necessary to address the ``workability and 
effectiveness'' of the HIPAA Rules and ``to increase flexibility for 
and decrease burden on regulated entities.'' \112\ In the 2010 NPRM, 
the Department noted that it had not amended the HIPAA Privacy and 
Security Rules since 2002 and 2003, respectively, other than to amend 
the Enforcement Rule through a 2009 interim final rule.\113\ It further 
explained that information gleaned from contact with the public since 
that time, enforcement experience, and technical corrections required 
to eliminate ambiguity provided the impetus for the Department's 
actions to make certain regulatory changes.\114\
---------------------------------------------------------------------------

    \112\ 78 FR 5566. The Department's general rulemaking authority 
is codified in HIPAA section 264(c), and OCR conducts rulemaking 
under HIPAA based on authority granted by the Secretary.
    \113\ See 75 FR 40871. See also 74 FR 56123. The Department 
issued an interim final rule on October 30, 2009, to implement 
HITECH Act statutory changes to the HIPAA Enforcement Rule.
    \114\ 75 FR 40871.
---------------------------------------------------------------------------

    For example, the Department modified its prior interpretation of 
the Privacy Rule requirement at 45 CFR 164.508(c)(1)(iv) that a 
description of a research purpose must be ``study specific.'' The 
Department explained that, under its new interpretation, the research 
purposes need only be described adequately so that it would be 
``reasonable for the individual to expect that his or her protected 
health information could be used or disclosed for such future 
research.'' \115\ The Department attributed its changed interpretation 
to the expressed concerns from covered entities, researchers, and other 
commenters to the 2010 NPRM that the former requirement did not 
represent current research practices. The Department expressed a 
similar rationale for the Privacy Rule modifications permitting certain 
disclosures of student immunization records to schools without an 
authorization,\116\ and another provision revising the definition of 
PHI to exclude information regarding an individual who has been 
deceased for more than 50 years.\117\ For the latter, the Department 
noted that it was balancing the privacy interests of decedents' living 
relatives and other affected individuals against the legitimate needs 
of public archivists to obtain records.
---------------------------------------------------------------------------

    \115\ 78 FR 5612.
    \116\ Id. at 5616-17. See also 45 CFR 164.512(b)(1).
    \117\ 78 FR 5614. See also 45 CFR 164.502(f) and the definition 
of ``Protected health information'' at 45 CFR 160.103, excluding 
IIHI regarding a person who has been deceased for more than 50 
years.
---------------------------------------------------------------------------

    None of the above-described changes were expressly required by the 
HITECH Act. Rather, the Department determined them to be necessary 
pursuant to its ongoing general rulemaking authority.\118\
---------------------------------------------------------------------------

    \118\ In addition to the rulemakings discussed here, the 
Department has modified the HIPAA Privacy Rule for workability 
purposes and in response to changes in circumstances on two other 
occasions, and it issued another notice of proposed rulemaking in 
2021 for the same reasons. See 79 FR 7289 (Feb. 6, 2014), 81 FR 382 
(Jan. 6, 2016), and 86 FR 6446 (Jan. 21, 2021).
---------------------------------------------------------------------------

III. Justification for This Proposed Rulemaking

    HIPAA and the HIPAA Rules promote access to health care by 
establishing standards for the privacy of PHI in order to protect the 
confidentiality of individuals' health information. These protections 
promote the development and maintenance of confidence and trust between 
individuals and their health care providers and health plans, and help 
improve the completeness and accuracy of patient records.\119\ The 
Privacy Rule, as it has been amended over time, carefully balances the 
interests of individuals and society in identifiable health information 
by establishing conditions for when and how such information may be 
used and

[[Page 23516]]

disclosed--with and without the individual's permission.
---------------------------------------------------------------------------

    \119\ See 65 FR 82463. See also H. Rept. 104-736 at 177 and 264, 
supra note 40. See also 142 Cong. Rec. H9780 (statement of Rep. 
Sawyer), supra note 42; 142 Cong. Rec. H9792 (statement of Rep. 
McDermott), supra note 42; and 142 Cong. Rec. S9515-16 (statement of 
Sen. Simon), supra note 42.
---------------------------------------------------------------------------

    The Privacy Rule is balanced to protect an individual's privacy 
while allowing the use or disclosure of PHI for certain non-health care 
purposes, including in certain criminal, civil, and administrative 
investigations and proceedings. The Privacy Rule permits, but does not 
require, covered entities to disclose PHI to law enforcement officials, 
without the individual's written authorization, under specific 
circumstances.\120\ For example, a covered entity is permitted to 
disclose PHI to law enforcement in compliance with, and as limited by, 
the relevant requirements of a court order. A covered entity is also 
permitted to disclose certain limited types of PHI in response to a law 
enforcement official's request for such information for the limited 
purpose of identifying or locating a suspect, fugitive, material 
witness, or missing person. Such disclosures are also currently 
permitted, under certain circumstances, for health oversight 
purposes,\121\ judicial and administrative proceedings,\122\ or to 
coroners and medical examiners.\123\ Except when required by law, the 
disclosures summarized above are subject to a minimum necessary 
determination by the covered entity.\124\ When reasonable to do so, the 
covered entity may rely upon the representations of the public health 
authority, law enforcement official, or other public official as to 
what information is the minimum necessary for their lawful 
purpose.\125\ Moreover, if the law enforcement official making the 
request for information is not known to the covered entity, the covered 
entity must verify the identity and authority of such person prior to 
disclosing the information.\126\
---------------------------------------------------------------------------

    \120\ See 45 CFR 164.512(f).
    \121\ 45 CFR 164.512(d).
    \122\ 45 CFR 164.512(e).
    \123\ 45 CFR 164.512(g)(1).
    \124\ 45 CFR 164.502(b) and 164.514(d).
    \125\ 45 CFR 164.514(d)(3)(iii)(A).
    \126\ 45 CFR 164.514(h).
---------------------------------------------------------------------------

    However, the Department believes that developments in the legal 
environment have disrupted the balance. On one hand, there is the 
individual's interest in the privacy of their health information and 
that of society in fostering trust between individuals and health care 
providers to promote public health. On the other hand, there is the 
interest of others in using or disclosing that information to achieve 
certain public policy goals, in this case, for purposes of criminal, 
civil, and administrative investigations or proceedings. Those 
developments have made information related to reproductive health care, 
which has long been considered highly sensitive,\127\ more likely to be 
of interest for punitive non-health care purposes, and thus more likely 
to be disclosed if sought for a purpose permitted under the Privacy 
Rule today. The interest in this sensitive health information is likely 
to remain high, even where the reproductive health care has been 
provided under circumstances in which it was lawful to do so. The 
Department believes PHI will be increasingly targeted by those seeking 
evidence for criminal, civil, or administrative investigations into or 
proceedings against persons in connection with seeking, obtaining, 
providing, or facilitating reproductive health care--or identifying 
persons for such purposes, thereby jeopardizing the relationships 
between individuals and their health care providers, even when such 
health care is lawfully obtained.
---------------------------------------------------------------------------

    \127\ See Letter from NCVHS, supra note 14.
---------------------------------------------------------------------------

    To address these developments, the Department is proposing to 
protect this sensitive PHI and preserve that balance by establishing a 
new purpose for which disclosures are prohibited in certain 
circumstances--that is, the use or disclosure of PHI for the criminal, 
civil, or administrative investigation of or proceeding against an 
individual, regulated entity, or other person for seeking, obtaining, 
providing, or facilitating reproductive health care, as well as the 
identification of any person for the purpose of initiating such an 
investigation or proceeding. Such disclosures of PHI would be 
prohibited when the reproductive health care: (1) is provided outside 
of the state where the investigation or proceeding is authorized and 
where such health care is lawfully provided; (2) is protected, 
required, or authorized by Federal law, regardless of the state in 
which such health care is provided; or (3) is provided in the state in 
which the investigation or proceeding is authorized and that is 
permitted by the law of that state. In these circumstances, the state 
lacks any substantial interest in seeking the disclosure. Protecting 
against disclosures of PHI in these circumstances thus directly 
advances the long-understood purpose of the HIPAA privacy protections 
without unduly interfering with legitimate state prerogatives.
    To assist in effectuating this prohibition, the Department proposes 
to require covered entities in certain circumstances to obtain an 
attestation from the person requesting the use or disclosure that the 
use or disclosure is not for a prohibited purpose. Additionally, the 
Department proposes to clarify the definition of ``person'' and certain 
other terms that distinguish between state laws that are contrary to 
the Privacy Rule and are therefore preempted by it and those that are 
excepted from preemption. The Department also discusses its view of 
``child abuse'' for the purposes of the Privacy Rule and which persons 
a covered entity may decline to recognize as an individual's personal 
representative under particular circumstances. This NPRM contains 
proposals for minor technical corrections that reflect the Department's 
long-standing interpretation of the Privacy Rule. Lastly, the 
Department proposes to require modifications to the Notice of Privacy 
Practices (NPP) to ensure that individuals are aware of and understand 
the proposed prohibition.

A. HIPAA Encourages Trust by Carefully Balancing Individuals' Privacy 
Interests With Others' Interests in Using or Disclosing PHI

    It is well established that a functioning health care system 
depends in part on patients trusting their health care providers and 
health care systems.\128\ According to the American Medical Association 
(AMA), a key element of patient trust is privacy protection, ``a 
crucial element for honest health discussions.'' \129\ Privacy is the 
core foundation of the relationship between individuals and their 
health care providers.\130\ The original Hippocratic Oath required 
physicians to pledge to maintain the confidentiality of information 
they learn about their patients.\131\ Individuals' health privacy 
concerns affect their trust in health care providers, and thus, their 
willingness to provide complete and accurate information to health care 
providers.\132\

[[Page 23517]]

Individuals must disclose sensitive information to their health care 
providers to obtain appropriate health care.\133\ If individuals do not 
trust that the sensitive information they disclose to their health care 
providers will be kept private, they may be deterred from seeking or 
obtaining needed health care or withhold information from their health 
care providers, compromising the quality of the health care they 
receive.\134\ Similarly, if a health care provider does not trust that 
the information they include in an individual's medical records will 
be kept private, the health care provider might leave gaps or 
include inaccuracies when preparing medical records, creating a risk 
that ongoing or future health care would be compromised. Thus, the 
Privacy Rule promotes access to higher quality health care by 
protecting the privacy of individuals' health information in order to 
engender trust between individuals and health care providers and to 
help improve the completeness and accuracy of individuals' medical 
records. The Federal Government has a strong interest in ensuring that 
individuals have access to high-quality health care,\135\ and from its 
inception, the Privacy Rule has recognized the importance of trust to 
health care quality.
---------------------------------------------------------------------------

    \128\ See Jennifer Richmond, Marcella H. Boynton, Sachiko Ozawa, 
et al., ``Development and Validation of the Trust in My Doctor, 
Trust in Doctors in General, and Trust in the Health Care Team 
Scales,'' Social Science & Medicine (Apr. 2022), https://www.sciencedirect.com/science/article/abs/pii/S0277953622001332?via%3Dihub.
    \129\ See ``Patient Perspectives Around Data Privacy,'' American 
Medical Association (2022), https://www.ama-assn.org/system/files/ama-patient-data-privacy-survey-results.pdf.
    \130\ Id.
    \131\ Warren T. Reich, editor. Vol. 5. Macmillan; New York, NY: 
1995. Oath of Hippocrates; p. 2632. (Encyclopedia of Bioethics).
    \132\ See ``Development and Validation of the Trust in My 
Doctor, Trust in Doctors in General, and Trust in the Health Care 
Team Scales,'' supra note 128; Bradley E. Iott, Celeste Campos-
Castillo, Denise L. Anthony, ``Trust and Privacy: How Patient Trust 
in Providers is Related to Privacy Behaviors and Attitudes,'' AMIA 
Annual Symposium Proceedings (Mar. 2020), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7153104/; Pamela Sankar, Susan 
Mora, Jon F. Merz, et al., ``Patient perspectives of medical 
confidentiality: a review of the literature,'' Journal of General 
Internal Medicine (Aug. 2003), p. 659-69, https://pubmed.ncbi.nlm.nih.gov/12911650/.
    \133\ See ``Recommendations on Privacy and Confidentiality, 
2006-2008,'' Nat'l Comm. on Vital and Health Stats. (May 2009), p. 
4, https://ncvhs.hhs.gov/wp-content/uploads/2014/05/privacyreport0608.pdf; See also Letter from NCVHS (forwarding NCVHS 
recommendations) (``As a practical matter, it is often essential for 
individuals to disclose sensitive, even potentially embarrassing, 
information to a health care provider to obtain appropriate care''), 
supra note 18.
    \134\ See 64 FR 60019 (In the 1999 Privacy Rule NPRM, the 
Department discussed confidentiality as an important component of 
trust between individuals and health care providers and cited a 1994 
consumer privacy survey that indicated that a lack of privacy may 
deter patients from obtaining preventive care and treatment.); 
``Trust and Privacy: How Patient Trust in Providers is Related to 
Privacy Behaviors and Attitudes,'' supra note 132.
    \135\ See Testimony (transcribed) of Peter R. Orszag, Director, 
Congressional Budget Office, Hearing on Comparative Clinical 
Effectiveness before House of Representatives Committee on Ways and 
Means, Subcommittee on Health, 2007 WL 1686358 (June 12, 2007) 
(``because federal health insurance programs play a large role in 
financing medical care and represent a significant expenditure, the 
federal government itself has an interest in evaluations of the 
effectiveness of different health care approaches''); Statement of 
Sen. Durenberger introducing S.1836, American Health Quality Act of 
1991 and reading bill text, 137 Cong. Rec. S26720 (Oct. 17, 1991) 
(``[T]he Federal Government has a demonstrated interest in assessing 
the quality of care, access to care, and the costs of care through 
the evaluative activities of several Federal agencies.'').
---------------------------------------------------------------------------

    Of course, health information--and PHI in particular--can be useful 
for purposes other than an individual's own health care. Indeed, 
society also benefits when individuals trust their health care 
providers to keep highly sensitive information private for the same 
reasons that individuals benefit. After all, it is to society's benefit 
that individuals seek out necessary medical care, and that when they 
do, they receive high-quality health care based on information that is 
more likely to be complete and accurate when individuals trust their 
health care providers. Individuals' lack of trust in health care 
providers and the health care system can have serious consequences for 
society.\136\
---------------------------------------------------------------------------

    \136\ See Letter from NCVHS, supra note 18.
---------------------------------------------------------------------------

    There is also significant interest in using PHI to address non-
health care concerns, such as for research, law enforcement purposes, 
judicial and administrative proceedings, health oversight activities, 
and others. As the Department explained in the 1999 Privacy Rule NPRM, 
``The information may be sought well before a trial or hearing, to 
permit the party to discover the existence or nature of testimony or 
physical evidence, or in conjunction with the trial or hearing, in 
order to obtain the presentation of testimony or other evidence. These 
uses of health information are clearly necessary to allow the smooth 
functioning of the legal system.'' \137\ For example, in the absence of 
a permission to use or disclose PHI for judicial and administrative 
proceedings, a regulated entity would be dependent upon an individual's 
authorization to use or disclose PHI to defend itself against a medical 
malpractice claim brought by the individual, rendering the regulated 
entity dependent upon the very person bringing the claim against them. 
The Department believes that there is societal benefit to permitting 
such uses and disclosures where such uses and disclosures do not 
undermine the public policy goals set by Congress when it passed 
HIPAA--that is, where they do not undermine the trust of individuals in 
the health care system and the ability of individuals to receive high-
quality health care.\138\ The Department has long permitted uses and 
disclosures of PHI for non-health care purposes in such circumstances, 
subject to certain limitations because of the potential harm they could 
cause to individuals.
---------------------------------------------------------------------------

    \137\ 64 FR 59959.
    \138\ See Letter from NCVHS, at Executive Summary, supra note 60 
(with forwarded NCVHS recommendations, ``The importance of trust in 
the provider-patient relationship must be preserved. Health records 
are used to improve the quality of health care [ . . . ] protect the 
public health, and assure public accountability of the health care 
system.'').
---------------------------------------------------------------------------

    As discussed in section II of this preamble, the Privacy Rule 
represents the Department's careful balancing of individuals' interests 
and the interests of others in a way that engenders individuals' trust 
and enables high-quality health care, while also allowing others to use 
individuals' PHI for certain public policy purposes. The Department 
recognized the need for trust between patients and health care 
providers in the 2000 Privacy Rule, noting that ``[t]he provision of 
high-quality health care requires the exchange of personal, often-
sensitive information between an individual and a skilled practitioner. 
Vital to that interaction is the patient's ability to trust that the 
information shared will be protected and kept confidential.'' \139\ 
Further, if individuals do not trust that the sensitive information 
they give their health care providers will be kept private, they may be 
deterred from seeking needed health care.\140\ And when individuals do 
seek health care, they may be reluctant to be completely forthcoming 
with their health care providers, thus compromising the quality of the 
health care they receive. As the Department also stated, ``[h]ealth 
care professionals who lose the trust of their patients cannot deliver 
high-quality care.'' \141\ And when the trust of individuals is lost, 
the public's health as a whole is jeopardized.
---------------------------------------------------------------------------

    \139\ 65 FR 82463.
    \140\ See 64 FR 60019 (In the 1999 Privacy Rule NPRM, the 
Department discussed confidentiality as an important component of 
trust between individuals and health care providers and cited a 1994 
consumer privacy survey that indicated that a lack of privacy may 
deter patients from obtaining preventive care and treatment.).
    \141\ 65 FR 82468.
---------------------------------------------------------------------------

    Throughout the preamble to the 2000 Privacy Rule and the preambles 
to the rules revising the Privacy Rule, the Department described and 
explained its efforts to balance those interests. In the 2002 Privacy 
Rule, the Department discussed its re-evaluation of the balance 
established by the 2000 Privacy Rule and revised certain provisions 
because of concerns that arose as regulated entities prepared to 
implement its requirements. The Department made certain revisions to 
protect the privacy interests of individuals by strengthening the 
requirements for covered entities to inform individuals of their 
privacy practices through an NPP. These revisions afforded individuals 
the opportunity to engage in discussions

[[Page 23518]]

regarding the use and disclosure of their PHI, while protecting the 
interests of covered entities by allowing activities that are essential 
to the provision of high-quality health care to occur unimpeded, 
reducing the burden on such entities.\142\ The Department made other 
revisions to ``balance an individual's privacy expectations with a 
covered entity's need for information for reimbursement and quality 
purposes.'' \143\ In that same rulemaking, in addressing comments on 
still other revisions, the Department clearly stated, ``Patient privacy 
must be balanced against other public goods, such as research and the 
risk of compromising such research projects if researchers could not 
continue to use such data.'' \144\
---------------------------------------------------------------------------

    \142\ 67 FR 53209.
    \143\ 67 FR 53216.
    \144\ 67 FR 53226.
---------------------------------------------------------------------------

    In more recent rulemakings, the Department has continued its 
efforts to build and maintain individuals' trust in the health care 
system by balancing the interests of individuals with those of others 
as it further revised the Privacy Rule. For example, in explaining 
revisions made as part of the 2013 Omnibus Rule, the Department stated, 
``The Privacy Rule, at Sec. 164.512(b), recognizes that covered 
entities must balance protecting the privacy of health information with 
sharing health information with those responsible for ensuring public 
health and safety.'' \145\ As another example from that same rule, the 
Department revised the requirements for the distribution of the NPP 
because ``[w]e believe these distribution requirements best balance the 
right of individuals to be informed of their privacy rights with the 
burden on health plans to provide the revised [Notice of Privacy 
Practices].'' \146\ In the 2014 CLIA Program and HIPAA Privacy Rule; 
Patients' Access to Test Reports Final Rule, the Department further 
balanced the interests of individuals and those of others by providing 
individuals (or their personal representatives) with the right to 
access test reports directly from laboratories subject to HIPAA.\147\ 
This rulemaking afforded the Department the opportunity to 
demonstrate the supremacy of the individual's right of access over the 
potential burden imposed on others, in this case, the laboratory. And 
still more recently, the primary focus of the 2016 HIPAA Privacy Rule 
and the National Instant Criminal Background Check System (NICS) Final 
Rule was to issue a narrowly tailored rule that appropriately balanced 
public safety goals with individuals' privacy interests to ensure that 
individuals are not discouraged from seeking voluntary treatment for 
mental health needs.\148\
---------------------------------------------------------------------------

    \145\ 78 FR 5616.
    \146\ 78 FR 5625.
    \147\ 79 FR 7290 (Feb. 6, 2014).
    \148\ 81 FR 382, 386 (Jan. 6, 2016).
---------------------------------------------------------------------------

    As part of balancing individuals' interests with those of society, 
the Department has recognized that it may be necessary to provide 
certain types of health information with special protection because 
they are particularly sensitive. For example, while the Department 
usually applies the same privacy standards to all PHI regardless of the 
type of health care at issue, it affords ``special protections'' to 
psychotherapy notes. These protections are afforded in part because of 
the ``particularly sensitive information'' those notes contain and in 
part because of the unique function of these records, which are by 
definition maintained separately from an individual's medical 
record.\149\ As the Department explained when it proposed these 
protections, ``[p]sychotherapy notes are of primary value to the 
specific provider and the promise of strict confidentiality helps to 
ensure that the patient will feel comfortable freely and completely 
disclosing very personal information essential to successful 
treatment.'' \150\ The Department elaborated that, ``[b]ecause of the 
sensitive nature of the problems for which individuals consult 
psychotherapists,'' and the ``embarrassment or disgrace'' engendered by 
``disclosure of confidential communications made during counseling 
sessions,'' even ``the mere possibility of disclosure may impede 
development of the confidential relationship necessary for successful 
treatment.'' \151\ To support the development and maintenance of an 
individual's trust and protect the relationship between an individual 
and their therapist, psychotherapy notes may be disclosed without an 
individual's authorization only in limited circumstances, such as to 
avert a serious and imminent threat to health or safety. Those limited 
circumstances do not include judicial and administrative proceedings or 
law enforcement purposes unless the disclosure is ``necessary to 
prevent or lessen a serious and imminent threat to the health or safety 
of a person or the public.'' \152\
---------------------------------------------------------------------------

    \149\ See 45 CFR 164.501 (definition of ``Psychotherapy notes'') 
(explicitly providing that psychotherapy notes are separated from 
the individual's medical record).
    \150\ 64 FR 59941.
    \151\ Id.
    \152\ 45 CFR 164.508(a)(2).
---------------------------------------------------------------------------

    Information related to an individual's reproductive health and 
associated health care is also especially sensitive and has long been 
recognized as such. As stated in the AMA's Principles of Medical 
Ethics, the ``decision to terminate a pregnancy should be made 
privately within the relationship of trust between patient and 
physician in keeping with the patient's unique values and needs and the 
physician's best professional judgment.'' \153\ NCVHS first noted it as an 
example of a category of health information commonly considered to 
contain sensitive information in 2008.\154\ From 2005-2010, NCVHS held 
nine hearings that addressed questions about sensitive information in 
medical records and identified additional categories of sensitive 
information beyond those addressed in Federal and state law, including 
``sexuality and reproductive health information,'' which NCVHS 
elaborated on in a 2010 letter to the Secretary:
---------------------------------------------------------------------------

    \153\ Amendment to Opinion 4.2.7, Abortion H-140.823, American 
Medical Association (2022), https://policysearch.amaassn.org/policyfinder/detail/%224.2.7%20Abortion%22?uri=%2FAMADoc%2FHOD.xml-H-140.823.xml.
    \154\ See Letter from NCVHS, supra note 14.

    Some reproductive issues may expose people to political 
controversy [ . . . ], and public knowledge of an individual's 
reproductive history may place [them] at risk of stigmatization. 
Additionally, individuals may wish to have their reproductive 
history segmented so that it is not viewed by family members who 
otherwise have access to their records. Parents may wish to delay 
telling their offspring about adoption, gamete donation, or the use 
of other forms of assisted reproduction technology in their 
conception, and, thus, it may be important to have the capacity to 
segment these records.\155\
---------------------------------------------------------------------------

    \155\ See Letter from NCVHS Chair Justine M. Carr to HHS 
Secretary Kathleen Sebelius (Nov. 10, 2010) (forwarding NCVHS 
recommendations).

    At that time, the general privacy standards promulgated under HIPAA 
adequately protected information related to reproductive health care. 
Based on settled Federal constitutional law in 2000, the Department did 
not see a need to treat uses or disclosures of PHI related to 
reproductive health care, such as information about a pregnancy 
termination, differently from other uses or disclosures of PHI related 
to other categories of health care when establishing the Federal 
standards for privacy as mandated by HIPAA.\156\ HHS knew that 
individuals generally could legally access reproductive health care 
nationwide. And because such health care generally was legal and 
constitutionally protected, HHS was confident that law enforcement or 
other

[[Page 23519]]

third parties typically would not seek individuals' health information 
for purposes of investigating violations of criminal or civil laws 
related to highly sensitive types of health care, such as the provision 
of or access to reproductive health care, except in certain limited 
circumstances aimed at ensuring the quality and safety of such health 
care. Therefore, until states' recent efforts to regulate and 
criminalize the provision of or access to reproductive health care, 
effectuating the purposes of HIPAA did not require regulatory 
provisions that restricted uses and disclosures of PHI related to those 
activities.
---------------------------------------------------------------------------

    \156\ See 65 FR 82464-70.
---------------------------------------------------------------------------

B. Developments in the Legal Environment Are Eroding Individuals' Trust 
in the Health Care System

    The Supreme Court's decision in Dobbs on June 24, 2022, created new 
concerns about the privacy of PHI related to reproductive health care. 
In that decision, the Court overruled Roe v. Wade \157\ and Planned 
Parenthood of Southeastern Pennsylvania v. Casey \158\ and held that 
constitutional challenges to state abortion regulations are subject to 
rational-basis review.\159\ But the Court's decision did not disturb 
other longstanding constitutional principles, such as those protecting 
the right of interstate travel or the right to use contraception.\160\ 
Nor did it displace Federal statutes, such as the Emergency Medical 
Treatment and Active Labor Act \161\ (EMTALA), that protect access to 
reproductive health care in particular circumstances.
---------------------------------------------------------------------------

    \157\ 410 U.S. 113 (1973).
    \158\ 505 U.S. 833 (1992).
    \159\ Dobbs, 142 S. Ct. at 2283-2284.
    \160\ See id. at 2309 (Kavanaugh, J., concurring).
    \161\ Public Law 99-272, 100 Stat. 164 (Apr. 7, 1986) (codified 
at 42 U.S.C. 1395dd). For further discussion of a health care 
provider's obligations under the EMTALA statute, see https://www.hhs.gov/sites/default/files/emergency-medical-care-letter-to-health-care-providers.pdf.
---------------------------------------------------------------------------

    Following the Supreme Court's decision, states have taken actions, 
some tacitly and some explicitly, that could interfere with 
individuals' longstanding expectations created by HIPAA and the Privacy 
Rule with respect to the privacy of their PHI.\162\ The Department is 
aware of reports that persons or authorities have reached or intend to 
reach beyond their own states' borders to investigate reproductive 
health care that has been performed in other states where that health 
care is legal.\163\ These actions present new concerns nationwide for 
the protection of health information privacy mandated by HIPAA. Because 
the Privacy Rule currently permits uses and disclosures of PHI for 
certain purposes,\164\ including when another law requires a regulated 
entity to make the use or disclosure,\165\ regulated entities after 
Dobbs might be compelled to use or disclose PHI to law enforcement or 
other persons who may use that health information against an 
individual, a regulated entity, or another person who has sought, 
obtained, provided, or facilitated reproductive health care, even when 
such health care is lawful in the circumstances in which the health 
care is obtained.\166\
---------------------------------------------------------------------------

    \162\ See, e.g., Kayte Spector-Bagdady, Michelle M. Mello, 
``Protecting the Privacy of Reproductive Health Information After 
the Fall of Roe v Wade,'' JAMA Network (June 30, 2022), https://jamanetwork.com/journals/jama-health-forum/fullarticle/2794032; Lisa 
G. Gill, ``What does the overturn of Roe v. Wade mean for you?,'' 
Consumer Reports (June 24, 2022), https://www.consumerreports.org/health-privacy/what-does-the-overturn-of-roe-v-wade-mean-for-you-a1957506408/.
    \163\ See, e.g., Giulia Carbonaro, ``Texas bill targeting 
internet abortion access `attacks individual liberty','' Newsweek 
(Mar. 3, 2023), https://www.newsweek.com/texas-bill-targeting-internet-abortion-access-attacks-individual-liberty-1785254; Alice 
Miranda Ollstein and Megan Messerly, ``Missouri wants to stop out-
of-state abortions. Other states could follow,'' Politico (Mar. 19, 
2022), https://www.politico.com/news/2022/03/19/travel-abortion-law-missouri-00018539. For pending bills that would impose limitations 
on the ability of individuals to travel to obtain reproductive 
health care, see, e.g., H.B. 2012, Missouri 101st General Assembly 
(2022) (would have permitted a private citizen to sue a person who 
provides or facilitates an abortion for a Missouri resident, 
including an out-of-state physician or person who transports an 
individual across state lines to a health care provider); H.B. No. 
787, Texas State Legislature (2023) (prohibiting the receipt of tax 
incentives by a business entity that assists an employee in 
obtaining an abortion, including through funding out-of-state travel 
for the procedure); and H.B. 90 and S.B. 600, Tennessee General 
Assembly (2023) (prohibiting local governments from spending money 
to assist ``a person in obtaining an abortion,'' including through 
funding out-of-state travel for the procedure).
    \164\ 45 CFR 164.502(a)(1).
    \165\ 45 CFR 164.512(a).
    \166\ See Eleanor Klibanoff, ``Lawyers preparing for abortion 
prosecutions warn about health care, data privacy,'' The Texas 
Tribune (July 25, 2022), https://www.texastribune.org/2022/07/25/abortion-prosecution-data-health-care/ (discussing the fact that the 
most common way PHI is obtained by law enforcement is through health 
care provider disclosures).
---------------------------------------------------------------------------

    One significant consequence of the developments in Federal and 
state law is the erosion of individuals' trust in health care providers 
to protect their health information privacy, creating barriers or 
disincentives for individuals to obtain health care, including legal 
reproductive health care, and increasing the potential for health care 
providers to possess incomplete or inaccurate medical records. A 2023 
qualitative study of individuals who obtained abortions after the 
passage of a law significantly restricting abortion access in Texas 
highlighted the concerns of such individuals with respect to the 
privacy of PHI related to reproductive health care they received.\167\ 
In fact, a recently filed complaint details the decision by the 
plaintiff's out-of-state health care provider to describe the 
plaintiff's condition as something other than an abortion, even though 
the abortion was lawful in the state in which it was provided, because 
the health care provider was concerned about the ramifications of 
documenting the health care provided as an abortion.\168\ Another 
significant consequence is the risk that individual medical records 
will not be maintained with completeness and accuracy, including as 
they relate to legal reproductive health care. The developments 
discussed above have increased uncertainty nationwide for individuals, 
regulated entities, and other persons about the privacy of an 
individual's PHI. Recent state actions now place individuals and health 
care providers in potential civil or criminal jeopardy when PHI related 
to an individual's reproductive health is used and disclosed, 
regardless of whether the health care services are obtained or 
performed legally.
---------------------------------------------------------------------------

    \167\ Courtney C. Baker, Emma Smith, Mitchell D. Creinin, et 
al., ``Texas Senate Bill 8 and Abortion Experiences in Patients with 
Fetal Diagnoses: A Qualitative Analysis,'' Obstetrics & Gynecology 
(Mar. 2023), https://pubmed.ncbi.nlm.nih.gov/36735418 (citing a 
representative statement made by a study participant, `` `I would 
joke around and say, well don't sue me, but halfway mean it.' '').
    \168\ See Brief for Zurawski at p. 2 (One plaintiff had to 
travel out of state for an abortion to save the life of one of her 
twins, and afterwards, fearful of documenting her abortion, her 
health care provider instead described her condition as ``vanishing 
twin syndrome.'').
---------------------------------------------------------------------------

    In the past, some law enforcement officials exercised their 
authority under general criminal statutes to obtain PHI for use against 
pregnant individuals on the basis of their pregnancy status or 
pregnancy outcomes.\169\ But more recent developments in law have 
created an environment in which law enforcement and others are 
increasingly likely to request PHI from regulated entities for use 
against individuals,\170\ health care

[[Page 23520]]

providers, and others, solely because such persons sought, obtained, 
provided, or facilitated lawful reproductive health care.\171\ This 
environment of increased demand for PHI for these purposes is not 
limited to states in which those legal developments have occurred. 
Rather, these legal developments have nationwide implications because 
of the overall effects on the relationship between health care 
providers and individuals and the flow of health information across 
state lines. Examples of such cross-state health information flows 
include disclosures from health care providers to health plans with a 
multi-state presence or between health care providers in different 
states to treat individuals as they travel across the country.
---------------------------------------------------------------------------

    \169\ See ``Self-Care, Criminalized: August 2022 Preliminary 
Findings,*'' supra note 11; ``Confronting Pregnancy Criminalization: 
A Practical Guide for Healthcare Providers, Lawyers, Medical 
Examiners, Child Welfare Workers, and Policymakers,'' Pregnancy 
Justice (June 2022), https://www.pregnancyjusticeus.org/confronting-pregnancy-criminalization/.
    \170\ See, e.g., S.C. Code Ann. sec. 44-41-80(b) and NRS 
200.220. See also ``Self-Care, Criminalized: August 2022 Preliminary 
Findings,*'' supra note 11, p. 2-3 (From 2000 to 2020, out of 54 
cases, 74% of the adult cases involved the criminalization of the 
person for self-managing their own abortion, and 39% of the cases 
reported to law enforcement were by health care providers.); ``Talk 
of prosecuting women for abortion pills roils antiabortion 
movement,'' supra note 11.
    \171\ The Department believes that those investigating or 
bringing proceedings against individuals, health care providers, or 
other persons for seeking, obtaining, providing, or facilitating 
reproductive health care will increasingly seek to access PHI as 
part of their investigation or proceeding. See, e.g., Karen Brooks 
Harper, ``Texas abortion foes use legal threats and propose more 
laws to increase pressure on providers and their allies,'' The Texas 
Tribune (July 18, 2022), https://www.texastribune.org/2022/07/18/texas-abortion-laws-pressure-campaign/; Timothy Bella, ``Doctor in 
10-year-old rape victim's abortion faces AG inquiry, threats,'' The 
Washington Post (July 27, 2022), https://www.washingtonpost.com/politics/2022/07/27/abortion-doctor-girl-rape-caitlin-bernard-investigation/; ``Doctor says she shouldn't have to turn over 
patients' abortion records,'' supra note 13.
---------------------------------------------------------------------------

    This reality is in tension with many individuals' expectation that 
they have or should have the right to health information privacy, 
including the right to determine who has access to that information. In 
fact, in its most recent annual survey on patient privacy, the AMA 
found that, of 1,000 patients surveyed: (1) nearly 75% are concerned 
about protecting the privacy of their own health information; and (2) 
59% of patients worry about health data being used by companies to 
discriminate against them or their loved ones.\172\ In its report on 
the survey, the AMA opines that a lack of health information privacy 
raises many questions about circumstances that could put patients and 
physicians in legal peril, and that the ``primary purpose of increasing 
[health information] privacy is to build public trust, not inhibit data 
exchange.'' \173\ The mismatch between privacy expectations and current 
legal protections for health information privacy undermines trust 
between individuals and health care providers nationwide, thereby 
decreasing access to, and effectiveness of, health care for 
individuals.
---------------------------------------------------------------------------

    \172\ See ``Patient Perspectives Around Data Privacy,'' supra 
note 129.
    \173\ Id. at 2.
---------------------------------------------------------------------------

    The present situation also has resulted in ambiguity and confusion 
for individuals and health care providers, many of whom are uncertain 
about when health information is protected under the HIPAA Rules given 
recent legal developments.\174\ This confusion undermines access to 
health care and individual privacy--including for individuals seeking 
or obtaining health care that is lawful nationwide. For example, the 
Department is aware that some health care providers, both clinicians 
and pharmacies, are hesitant to prescribe or fill prescriptions for 
medications that can result in pregnancy loss, even when those 
prescriptions are intended to treat individuals for other health 
matters, because of fear of law enforcement action.\175\ As a result, 
these health care providers are either denying access to prescriptions 
that affect an individual's quality of life or requiring additional PHI 
to justify an individual's need for such prescriptions for purposes 
that are permissible under state law.\176\ Although most health care 
providers, including pharmacies, are subject to the HIPAA Rules, and 
thus limited in the purposes for which they are permitted to use or 
disclose such PHI, an individual's privacy is necessarily reduced as an 
increasing number of persons have access to an increasing amount of 
their PHI. Additionally, individuals face an increasing risk to the 
security of their PHI as the number of information technology systems 
in which the PHI is stored increases. As the number of persons and 
information technology systems with access to this PHI increases, this 
expands the number and types of regulated entities from which law 
enforcement and others may try to seek disclosure of this highly 
sensitive information. Individual trust in regulated entities is eroded 
when individuals' access to health care is questioned and their PHI is 
subject to disclosures that previously were unnecessary.
---------------------------------------------------------------------------

    \174\ See Press Release, American Medical Association, American 
Pharmacists Association, American Society of Health-System 
Pharmacists, and National Community Pharmacists Association, 
``Statement on state laws impacting patient access to necessary 
medicine'' (Sept. 8, 2022), https://www.ama-assn.org/press-center/press-releases/statement-state-laws-impacting-patient-access-necessary-medicine. See also Abigail Higgins, ``Abortion rights 
advocates fear access to birth control could be curtailed,'' The 
Washington Post (June 24, 2022), https://www.washingtonpost.com/nation/2022/06/24/birth-control-access-supreme-court-abortion-ruling/.
    \175\ See Interview with Donald Miller, PharmD, ``Methotrexate 
access becomes challenging for some patients following Supreme Court 
decision on abortion,'' Pharmacy Times (July 20, 2022), https://www.pharmacytimes.com/view/methotrexate-access-becomes-challenging-for-patients-following-supreme-court-decision-on-abortion; Jamie 
Ducharme, ``Abortion restrictions may be making it harder for 
patients to get a cancer and arthritis drug,'' Time (July 6, 2022), 
https://time.com/6194179/abortion-restrictions-methotrexate-cancer-arthritis/; Katie Shepherd and Frances Stead Sellers, ``Abortion 
bans complicate access to drugs for cancer, arthritis, even 
ulcers,'' The Washington Post (Aug. 8, 2022), https://www.washingtonpost.com/health/2022/08/08/abortion-bans-methotrexate-mifepristone-rheumatoid-arthritis/.
    \176\ See, e.g., Jen Christensen, ``Women with chronic 
conditions struggle to find medications after abortion laws limit 
access,'' CNN Health (July 22, 2022), https://www.cnn.com/2022/07/22/health/abortion-law-medications-methotrexate/; Brittni 
Frederiksen, Matthew Rae, Tatyana Roberts, et al., ``Abortion Bans 
May Limit Essential Medications for Women with Chronic Conditions,'' 
Kaiser Family Foundation (Nov. 17, 2022), https://www.kff.org/womens-health-policy/issue-brief/abortion-bans-may-limit-essential-medications-for-women-with-chronic-conditions/.
---------------------------------------------------------------------------

    Impingements on health information privacy related to reproductive 
health care are likely to have a disproportionately greater effect on 
women, individuals of reproductive age, and individuals from 
communities that have been historically underserved, marginalized, or 
subject to discrimination or systemic disadvantage by virtue of their 
race, disability, social or economic status, geographic location, or 
environment.\177\ Historically underserved and marginalized individuals 
are also more likely to be the subjects of investigations and 
proceedings about any suspected interest in, or obtaining of, 
reproductive health care, even where such health care is lawful under 
the circumstances in which it is provided.\178\ They are also less 
likely to have adequate access to legal counsel to defend themselves 
from

[[Page 23521]]

such actions.\179\ Such individuals are thus especially likely to be 
concerned that information they give to their health care providers 
regarding their reproductive health care will not remain private. This 
is particularly true in light of the historic lack of trust that 
members of marginalized communities have for the health care system; 
\180\ such individuals are more likely to be deterred from seeking or 
obtaining health care--or from giving their health care providers full 
information when they do obtain it.
---------------------------------------------------------------------------

    \177\ See Christine Dehlendorf, Lisa H. Harris, Tracy A. Weitz, 
``Disparities in Abortion Rates: A Public Health Approach,'' 
American Journal of Public Health (Oct. 2013), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3780732/. See also Kiara 
Alfonseca, ``Why Abortion Restrictions Disproportionately Impact 
People of Color,'' ABC News (June 24, 2022), https://abcnews.go.com/Health/abortion-restrictions-disproportionately-impact-people-color/story?id=84467809; Susan A. Cohen, ``Abortion and Women of Color: 
The Bigger Picture,'' Guttmacher Institute (Aug. 6, 2008), https://www.guttmacher.org/gpr/2008/08/abortion-and-women-color-bigger-picture; ``The Disproportionate Harm of Abortion Bans: Spotlight on 
Dobbs v. Jackson Women's Health,'' Center for Reproductive Rights 
(Nov. 29, 2021), https://reproductiverights.org/supreme-court-case-mississippi-abortion-ban-disproportionate-harm/.
    \178\ See Brief of Amici Curiae for Organizations Dedicated to 
the Fight for Reproductive Justice--Mississippi in Action, et al. at 
*59-60, Dobbs, 142 S. Ct. (discussing the likelihood that those who 
terminate their pregnancies and anyone who assists them may face 
criminal investigation or arrest, exacerbating the mass 
incarceration of marginalized people in Mississippi and Louisiana, 
particularly in light of the states' disproportionate rates of 
incarceration for people of color).
    \179\ See ``Equal access to justice: ensuring meaningful access 
to counsel in civil cases, including immigration proceedings,'' 
Columbia Law School Human Rights Institute and Northeastern 
University School of Law Program on Human Rights and the Global 
Economy (July 2014), https://hri.law.columbia.edu/sites/default/files/publications/equal_access_to_justice_-_cerd_shadow_report.pdf. 
See also ``Report: State Abortion Bans Will Harm Women and Families' 
Economic Security Across the U.S.'' (Aug. 25, 2022), https://www.americanprogress.org/article/state-abortion-bans-will-harm-women-and-families-economic-security-across-the-us/.
    \180\ See Leslie Read, Heather Nelson, Leslie Korenda, The 
Deloitte Ctr. for Health Solutions, ``Rebuilding Trust in Health 
Care: What Do Consumers Want--and Need--Organizations to Do?'' (Aug. 
5, 2021), p. 3 (With focus groups of 525 individuals in the United 
States who identify as Black, Hispanic, Asian, or Native American, 
``Fifty-five percent reported a negative experience where they lost 
trust in a health care provider.''), https://www2.deloitte.com/us/en/insights/industry/health-care/trust-in-health-care-system.html; 
Liz Hamel, Lunna Lopes, Cailey Muñana, et al., Kaiser Family 
Foundation, The Undefeated Survey on Race and Health (Oct. 2020), p. 
23, (Percent who say they can trust the health care system to do 
what is right for them or their community almost all of the time or 
most of the time: Black adults: 44%; Hispanic adults: 50%; White 
adults: 55%), https://files.kff.org/attachment/Report-Race-Health-and-COVID-19-The-Views-and-Experiences-of-Black-Americans.pdf; 
``Issue Brief: Health Insurance Coverage and Access to Care for 
LGBTQ+ Individuals: Current Trends and Key Challenges,'' U.S. Dep't 
of Health and Human Servs., Assistant Sec'y for Policy & Evaluation, 
Office of Health Policy (June 2021), p. 9 (``According to a recent 
survey, 18 percent of LGBTQ+ individuals reported avoiding going to 
a doctor or seeking healthcare out of concern that they would face 
discrimination or be treated poorly because of their sexual 
orientation or gender identity.''), https://aspe.hhs.gov/sites/default/files/2021-07/lgbt-health-ib.pdf; Abigail A. Sewell, 
``Disaggregating Ethnoracial Disparities in Physician Trust,'' 
Social Science Research (Nov. 2015), https://pubmed.ncbi.nlm.nih.gov/26463531/; Irena Stepanikova, Stefanie 
Mollborn, Karen S. Cook, et al., ``Patients' Race, Ethnicity, 
Language, and Trust in a Physician,'' Journal of Health and Social 
Behavior (Dec. 2006), https://pubmed.ncbi.nlm.nih.gov/17240927/.
---------------------------------------------------------------------------

    The recent legal landscape that increases the potential for 
disclosures of PHI to impose liability for seeking, obtaining, 
providing, or facilitating reproductive health care risks eroding 
health information privacy and trust in health care providers that has 
long been supported and advanced by the Privacy Rule. The Department 
issued guidance in 2022 to clarify its longstanding interpretation of 
the Privacy Rule's law enforcement provisions.\181\ In the guidance, 
the Department explained that disclosures for non-health care purposes, 
such as disclosures to law enforcement officials, are permitted only in 
narrow circumstances tailored to protect the individual's privacy and 
support their access to health care, including abortion care. The 
guidance specifically reminded regulated entities that they can use and 
disclose PHI, without an individual's signed authorization, only as 
expressly permitted or required by the Privacy Rule. Additionally, the 
guidance explained the Privacy Rule's restrictions on disclosures of 
PHI when required by law, for law enforcement purposes, and to avert a 
serious threat to health or safety. For example, where state law does 
not expressly require reporting of suspicions of self-managed 
reproductive health care, the Privacy Rule would not permit a 
disclosure by a hospital workforce member of such suspicions to law 
enforcement under the ``required by law'' permission.
---------------------------------------------------------------------------

    \181\ See ``HIPAA Privacy Rule and Disclosures of Information 
Relating to Reproductive Health Care,'' U.S. Dep't of Health and 
Human Servs. (June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/.
---------------------------------------------------------------------------

    However, many questions remain with respect to the potential for 
this sensitive PHI to be disclosed and the effects of such disclosure 
on the individual. Thus, it is incumbent upon the Department to 
consider whether it should revise the Privacy Rule to ensure the 
privacy of health information related to an individual's use of lawful 
reproductive health care, consistent with Congress' intent to create 
standards for the privacy of IIHI that promote trust and support access 
to high-quality health care.\182\
---------------------------------------------------------------------------

    \182\ See FCC v. Fox Television Stations, Inc., 556 U.S. 502, 
515 (2009) (holding ``[ . . . ] the agency must show that there are 
good reasons for the new policy. [ . . . ][I]t suffices that the new 
policy is permissible under the statute, that there are good reasons 
for it, and that the agency believes it to be better, which the 
conscious change of course adequately indicates.'' (emphasis in 
original)).
---------------------------------------------------------------------------

C. To Protect the Trust Between Individuals and Health Care Providers, 
the Department Proposes To Restrict Certain Uses and Disclosures of PHI 
for Non-Health Care Purposes

    The Federal Government seeks to ensure that individuals have access 
to high-quality health care.\183\ This proposed rule would further that 
goal by restricting the use and disclosure of certain PHI for non-
health care purposes.
---------------------------------------------------------------------------

    \183\ See Testimony (transcribed) of Peter R. Orszag and 
statement of Sen. Durenberger, supra note 135.
---------------------------------------------------------------------------

    The Department acknowledges that the Privacy Rule has not 
previously conditioned uses and disclosures for certain purposes on the 
specific type of health care about which the disclosure relates, as it 
does herein with reproductive health care. However, the primary reasons 
behind this rulemaking are the risks to privacy, patient trust, and 
health care quality that occur when it is the very act of obtaining 
health care that subjects an individual to an investigation or 
proceeding, potentially disincentivizing the individual from obtaining 
medically necessary health care.
    As discussed above, the Department has long provided special 
protections for psychotherapy notes when they are not included as part 
of the medical record because of the sensitivity around this 
information. Given the particularly sensitive nature of information 
related to an individual's reproductive health, the Department is 
proposing to create new, special safeguards for this information. 
However, unlike psychotherapy notes, which by their very nature are 
easily defined and segregated, reproductive health information is not 
easily defined or segregated. This is in part because many types of PHI 
may not initially appear to be related to an individual's reproductive 
health but may in fact reveal information about an individual's 
reproductive health or reproductive health care an individual has 
received. For example, in a pregnant individual, a high blood pressure 
reading may be a sign of preeclampsia, and glucose found in a urine 
test may indicate gestational diabetes. Additionally, it is the 
Department's understanding that today's clinical documentation and 
health IT do not provide regulated entities with the ability to segment 
certain PHI such that regulated entities could afford specific 
categories of PHI special protections, or at least do so in a manner 
that is not overly burdensome and cost prohibitive.\184\ Instead, as is 
consistent

[[Page 23522]]

with the Privacy Rule's overall approach,\185\ the Department proposes 
a purpose-based prohibition on certain uses and disclosures to protect 
individuals' privacy interests in their PHI. The Department believes 
that this proposed purpose-based prohibition, in concert with the 
proposed attestation, will restrict the use and disclosure of PHI that 
could harm HIPAA's overall goals of increasing trust in the health care 
system, improving health care quality, and protecting individual 
privacy, while continuing to allow PHI uses and disclosures that either 
provide support for those goals or do not interfere with their 
achievement.
---------------------------------------------------------------------------

    \184\ See, e.g., 87 FR 74216, 74221 (Dec. 2, 2022) (noting that 
42 CFR part 2 previously resulted in the separation of substance use 
disorder (SUD) treatment records from other health records, 
which led to the creation of data ``silos'' that hampered the 
integration of SUD treatment records into covered entities' 
electronic record systems and billing processes. When considering 
amendments to the relevant statute, some lawmakers argued that the 
silos perpetuated negative stereotypes about persons with SUD and 
inhibited coordination of care during the opioid epidemic. See also 
``Health Information Technology Advisory Committee (HITAC) Annual 
Report for Fiscal Year 2019,'' Health Information Technology 
Advisory Committee (Feb. 19, 2020), p. 37, https://www.healthit.gov/sites/default/files/page/2020-03/HITAC%20Annual%20Report%20for%20FY19_508.pdf (``The new 
certification criteria that support the sharing of data via third-
party apps will help advance the use of data segmentation, but 
adoption of this capability by the industry is not yet 
widespread.'').
    \185\ See 64 FR 59924, 59939, and 59955.
---------------------------------------------------------------------------

    Also, consistent with the Privacy Rule's approach, the Department 
proposes a Rule of Applicability for the purpose-based prohibition that 
recognizes the interests of the Federal Government and states in 
protecting the privacy of persons who seek, obtain, provide, or 
facilitate lawful reproductive health care. This Rule of Applicability 
would limit the new prohibition to certain categories of instances in 
which the state lacks any substantial interest in seeking the 
disclosure. The Department believes that the proposals described in 
greater detail later in this NPRM could benefit health care providers 
and individuals. Although many benefits are not quantifiable, the 
Department believes the proposals would increase the likelihood that 
individuals would seek lawful health care by improving their confidence 
in the confidentiality of their PHI; improve access to high quality and 
continuous health care by increasing the accuracy and completeness of 
individuals' medical records; improve population health by encouraging 
individuals to receive disease screenings; safeguard the mental health 
of pregnant individuals; prevent increases in maternal mortality and 
morbidity; enhance support for victims of rape, incest, and sex 
trafficking; and maintain family economic stability. Similarly, the 
proposals are expected to increase certainty for, and therefore reduce 
the burden on, regulated entities implementing the Privacy Rule.
    The Department's proposed modifications are consistent with its 
existing authority to modify the Privacy Rule. As discussed above, 
Congress expressly authorized the Department to develop standards for 
the privacy of IIHI. The Department has consistently exercised its 
rulemaking authority to establish, implement, and modify the HIPAA 
Rules pursuant to this statutory authority, including when necessary to 
maintain their effectiveness, address workability issues for regulated 
entities including clarifying amendments, and respond to changed 
circumstances.\186\ The proposed changes would effectuate HIPAA's goals 
of setting standards with respect to the privacy of IIHI, thereby 
increasing the quality of and access to health care by fostering trust 
in the health care system and buttressing continuity of health 
care.\187\ Moreover, Congress expressly provided in HIPAA that the 
Department's regulations in this area ``shall supersede any contrary 
provision of State law,'' absent an explicit exception.\188\ As 
discussed below, various state laws that might conflict with the rules 
proposed herein, such as those that require disclosure of PHI for 
purposes of criminal, civil, or administrative investigations or 
proceedings based on seeking, obtaining, providing, or facilitating 
lawful reproductive health care, are not excepted from this general 
rule of preemption.
---------------------------------------------------------------------------

    \186\ See, e.g., 67 FR 53182 (modifying the 2000 Privacy Rule in 
response to stakeholder implementation concerns and to clarify key 
provisions), 78 FR 5566 (modifying the HIPAA Rules to address HITECH 
requirements and improve workability and flexibility for covered 
entities), 79 FR 7289 (modifying the Privacy Rule to address 
requirements in the Clinical Laboratory Improvement Amendments of 
1988 and to improve patient access), and 81 FR 382 (modifying the 
Privacy Rule to permit certain disclosures to the National Instant 
Criminal Background Check System).
    \187\ See section III of this rulemaking for a full discussion 
of HIPAA and congressional intent.
    \188\ 42 U.S.C. 1320d-7 and section 264(c)(2) of Public Law 104-
191 (codified at 42 U.S.C. 1320d-2 note).
---------------------------------------------------------------------------

    In accordance with section 264(d) of HIPAA, the Department has 
consulted with the Attorney General in the formulation of this proposed 
rule and intends to continue to engage in these consultations before 
finalizing the rule. The Department invites NCVHS to review this 
proposed rule and to provide comments to the Department.

IV. Section-by-Section Description of Proposed Amendments to the 
Privacy Rule

    The Department proposes to modify the Privacy Rule to strengthen 
privacy protections for individuals' PHI by adding a new category of 
prohibited uses and disclosures. This modification would prohibit a 
regulated entity from using or disclosing an individual's PHI for the 
purpose of conducting a criminal, civil, or administrative 
investigation into or proceeding against the individual, a health care 
provider, or other person in connection with seeking, obtaining, 
providing, or facilitating reproductive health care that: (1) is 
provided outside of the state where the investigation or proceeding is 
authorized and such health care is lawful in the state in which it is 
provided; (2) is protected, required, or authorized by Federal law, 
regardless of the state in which such health care is provided; or (3) 
is provided in the state in which the investigation or proceeding is 
authorized and that is permitted by the law of that state. In these 
three circumstances, the state lacks any substantial interest in 
seeking the disclosure. To operationalize this proposed modification, 
the Department also proposes to revise or clarify certain definitions 
and terms that apply to the Privacy Rule, as well as other HIPAA Rules. 
The NPRM would also prohibit a regulated entity from using or 
disclosing an individual's PHI for the purpose of identifying \189\ an 
individual, health care provider, or other person for the purpose of 
initiating such an investigation or proceeding against the individual, 
a health care provider, or other person in connection with seeking, 
obtaining, providing, or facilitating reproductive health care that is 
lawful under the circumstances in which it is provided.
---------------------------------------------------------------------------

    \189\ Section 164.514(h) of 45 CFR requires a covered entity, in 
most cases, to take reasonable steps to verify the identity and 
authority of a person requesting PHI before disclosing the PHI, 
including in the case of public officials. The proposed restriction 
against using or disclosing PHI in connection with the proposals in 
this NPRM would not modify 45 CFR 164.514(h) but would address only 
those circumstances in which a regulated entity would use or 
disclose PHI to identify an individual for a purpose that would be 
restricted herein. Further, the Department believes the attestation 
requirement proposed in this NPRM would provide a regulated entity 
the assurance it needs to make disclosures for identity purposes 
that are consistent with the Privacy Rule.
---------------------------------------------------------------------------

    To effectuate these proposals, the Department proposes conforming 
and clarifying changes to the HIPAA Rules. These proposed changes 
include, but are not limited to, clarifying the definition of 
``person'' to reflect long-standing statutory language defining the 
term; adopting new definitions of ``public health'' surveillance, 
investigation, or intervention, and ``reproductive health care''; 
clarifying that a regulated entity may not decline to recognize a 
person as a personal representative for the purposes of the Privacy 
Rule solely because they provide or facilitate reproductive health care 
for an individual; a new requirement that, in certain

[[Page 23523]]

circumstances, regulated entities must first obtain an attestation that 
a requested use or disclosure is not for a prohibited purpose; and 
modifications to the NPP for PHI to inform individuals that their PHI 
may not be used or disclosed for a prohibited purpose.
    The Department's proposals are discussed in greater detail below.

A. Section 160.103--Definitions

1. Clarifying the Definition of ``Person''
Current Provision and Issues To Address
    HIPAA does not define the term ``person.'' \190\ By regulation, the 
Department has long defined ``person'' for purposes of the HIPAA Rules 
to mean ``a natural person, trust or estate, partnership, corporation, 
professional association or corporation, or other entity, public or 
private.'' \191\ This definition was based on the meaning of ``person'' 
that Congress adopted in the original Social Security Act of 1935 
(SSA), defined as an ``individual, a trust or estate, a partnership, or 
a corporation.'' \192\
---------------------------------------------------------------------------

    \190\ See 42 U.S.C. 1320d-1320d-8.
    \191\ 45 CFR 160.103.
    \192\ See section 1101(3) of Public Law 74-271, 49 Stat. 620 
(Aug. 14, 1935) (codified at 42 U.S.C. 1301(3)).
---------------------------------------------------------------------------

    In 2002, Congress enacted 1 U.S.C. 8, which defines ``person,'' 
``human being,'' ``child,'' and ``individual.'' \193\ The statute 
specifies that this definition shall apply when ``determining the 
meaning of any Act of Congress, or of any ruling, regulation, or 
interpretation of the various administrative bureaus and agencies of 
the United States.'' \194\ The Department understands 1 U.S.C. 8 to 
provide a definition of ``person'' and ``child'' that is consistent 
with the Department's understanding of that term, as it is used in the 
SSA, HIPAA, and the HIPAA Rules and does not include a fertilized egg, 
embryo, or fetus.
---------------------------------------------------------------------------

    \193\ 1 U.S.C. 8(a). The Department is not opining on whether 
any state law confers a particular legal status upon a fetus. The 
Department instead cites to this statute to define the scope of the 
right of privacy that attaches pursuant to HIPAA.
    \194\ Id.
---------------------------------------------------------------------------

Proposal
    Thus, the Department proposes to clarify the definition of 
``natural person'' in a manner consistent with 1 U.S.C. 8. In so doing, 
the Department would make clear that all terms subsumed within the 
definition of ``natural person,'' such as ``individual,'' \195\ which 
refers to a ``person'' who is the subject of PHI under the HIPAA Rules, 
are limited to the confines of the term ``person.'' \196\ The Department 
would also make clear that ``natural person,'' as used in the 
definition of ``person'' under the HIPAA Rules, is limited to the 
definition at 1 U.S.C. 8.
---------------------------------------------------------------------------

    \195\ 45 CFR 160.103 (definition of ``Individual'').
    \196\ See The Prenatal Record and the Initial Prenatal Visit, 
The Global Library of Women's Medicine (last updated Jan. 2008) (PHI 
about the fetus is included in the mother's PHI), https://www.glowm.com/section-view/heading/The%20Prenatal%20Record%20and%20the%20Initial%20Prenatal%20Visit/item/107#.Y7WRKofMKUl.
---------------------------------------------------------------------------

    The Department believes it would be beneficial to clarify the 
definition of ``person'' to ensure that there is an understanding among 
stakeholders as to its meaning for Privacy Rule purposes. As such, the 
Department believes the proposed clarification of the definition of 
person better explains to regulated entities and other stakeholders the 
parameters of who is an ``individual'' whose PHI is protected by the 
HIPAA Rules.
2. Interpreting Terms Used in Section 1178(b) of the Social Security 
Act \197\
---------------------------------------------------------------------------

    \197\ 42 U.S.C. 1320d-7(b).
---------------------------------------------------------------------------

    HIPAA includes a rule of construction for certain laws generally 
concerning ``[p]ublic health.'' \198\ Specifically, section 1178(b) of 
the SSA provides that nothing in HIPAA ``shall be construed to 
invalidate or limit'' laws ``providing for the reporting of disease or 
injury, child abuse, birth, or death, public health surveillance, or 
public health investigation or intervention.'' \199\ Accordingly, the 
Privacy Rule permits a regulated entity to use and disclose PHI for 
certain public health purposes, treating the uses and disclosures 
covered by section 1178(b) as permitted uses and disclosures to public 
health authorities or other appropriate government authorities for the 
listed activities.\200\
---------------------------------------------------------------------------

    \198\ Id.
    \199\ Id. The Department incorporated this limitation on Federal 
preemption of state laws in the HIPAA Rules at 45 CFR 160.203(c).
    \200\ 45 CFR 164.512(b). The Privacy Rule addresses its 
interactions with laws governing excepted public health activities 
in two sections: 45 CFR 164.512(a), Standard: Uses and disclosures 
required by law, and 45 CFR 164.512(b), Standard: Uses and 
disclosures for public health activities.
---------------------------------------------------------------------------

    A regulated entity may use or disclose PHI to public health 
authorities for the full range of activities described above, including 
reporting of diseases and injuries, reporting of birth and death to 
vital statistics agencies, and activities covered by the terms public 
health surveillance, public health investigation, and public health 
intervention. A ``public health authority'' means an agency or 
authority of the United States, a State, a territory, a political 
subdivision of a State or territory, or an Indian tribe, or a person or 
entity acting under a grant of authority from, or contract with, such 
public agency, including the employees or agents of such public agency 
or its contractors or persons or entities to whom it has granted 
authority, that is responsible for public health matters as part of its 
official mandate.\201\
---------------------------------------------------------------------------

    \201\ See 45 CFR 164.501 (definition of ``Public health 
authority'').
---------------------------------------------------------------------------

    HIPAA does not define the terms in section 1178(b) that govern the 
scope of the ``public health'' exceptions to preemption and the 
Department declines to do so here. The Department believes it necessary 
to define only ``public health'' surveillance, investigation, or 
intervention and to make clear the Department's interpretation of key 
terms used in section 1178(b) to clarify when HIPAA preempts contrary 
state laws. The Department believes that state laws that require the 
use or disclosure of highly sensitive PHI for non-public health 
purposes, such as criminal, civil, or administrative investigations or 
proceedings based on whether a person sought, obtained, provided, or 
facilitated reproductive health care, are not exempt from HIPAA's 
general rule of preemption.
Reporting of Disease or Injury, Birth, or Death
    The Privacy Rule permits regulated entities to use or disclose PHI 
without authorization for the public health purposes of reporting 
``disease or injury,'' ``birth,'' or ``death.'' \202\ Similarly, 
section 1178(b) exempts state laws requiring such reporting from 
HIPAA's general preemption provision. The Department recognizes that 
such public health reporting activities are an important means of 
identifying threats to the health and safety of the public. The 
Department does not propose to define ``disease or injury,'' ``birth,'' 
or ``death,'' because the Department believes that these terms, when 
read with the definition of ``person'' as discussed above and in the 
broader context of HIPAA as discussed in greater detail below, exclude 
information about abortion or other reproductive health care. But the 
Department invites comment on whether it would be beneficial to clarify 
that these terms exclude information about reproductive health care.
---------------------------------------------------------------------------

    \202\ See U.S. Dep't of Health and Human Servs., Office for 
Civil Rights, Public Health (Dec. 18, 2020), https://www.hhs.gov/hipaa/for-professionals/special-topics/public-health/.
---------------------------------------------------------------------------

[[Page 23524]]

    At the time of HIPAA's enactment, state laws provided for the 
reporting of disease or injury, birth, or death by covered health care 
providers and other persons.\203\ These state public health reporting 
systems were well established and involved close collaboration between 
the state, local, or territorial jurisdiction and the Federal 
Government.\204\ Reports generally were made to public health 
authorities or, in some specific cases, law enforcement (e.g., 
reporting of gunshot wounds).\205\ Similar public health reporting 
systems continue to exist today.
---------------------------------------------------------------------------

    \203\ The 1996-98 Report of the NCVHS to the Secretary describes 
various types of activities considered to be public health during 
the era in which HIPAA was enacted, such as the collection of public 
health surveillance data on health status and health outcomes and 
vital statistics information. See Report of ``The National Committee 
on Vital and Health Statistics, 1996-98,'' Nat'l Comm. on Vital and 
Health Stats. (Dec. 1999), https://ncvhs.hhs.gov/wp-content/uploads/2018/03/90727nv-508.pdf.
    \204\ Id.
    \205\ Id.
---------------------------------------------------------------------------

    Reporting of ``disease or injury'' commonly refers to diagnosable 
health conditions reported for limited purposes such as workers' 
compensation, tort claims, or health tracking efforts. All states, 
territories, and Tribal governments require covered health care 
providers (e.g., physicians and laboratories) and others to report 
cases of certain diseases or conditions that affect public health, such 
as coronavirus disease 2019 (COVID-19), malaria, and foodborne 
illnesses.\206\ Such reporting enables public health practitioners to 
study and explain diseases and their spread, along with determining 
appropriate actions to prevent and respond to outbreaks.\207\ States 
also require health care providers to report incidents of certain types 
of injuries, such as those caused by gunshots, knives, or burns.\208\ 
Various Federal statutes use the phrase ``disease or injury'' similarly 
to refer to events such as workplace injuries for purposes of 
compensation.\209\
---------------------------------------------------------------------------

    \206\ See ``Reportable diseases,'' in National Institutes of 
Health, National Library of Medicine, MedlinePlus, https://medlineplus.gov/ency/article/001929.htm (accessed Oct. 19, 2022). 
See also ``What is Case Surveillance?'' Centers for Disease Control 
and Prevention, National Notifiable Diseases Surveillance Sys. (July 
20, 2022), https://www.cdc.gov/nndss/about/.
    \207\ See ``Reportable diseases,'' supra note 206. Such 
reporting is a type of public health surveillance activity.
    \208\ See Victims Rights Law Center, ``Mandatory Reporting of 
Non-Accidental Injuries: A State-by-State Guide'' (May 2014), https://4e5ae7d17e.nxcli.net/wp-content/uploads/2021/01/Mandatory-Reporting-of-Non-Accidental-Injury-Statutes-by-State.pdf.
    \209\ See, e.g., 38 U.S.C. 1110 (referring to an ``injury 
suffered or disease contracted''); 10 U.S.C. 972 (discussing time 
lost as a result of ``disease or injury''); 38 U.S.C. 3500 
(providing education for certain children whose parent suffered ``a 
disease or injury'' incurred or aggravated in the Armed Forces); see 
also 5 U.S.C. 8707 (insurance provision discussing compensation as a 
result of ``disease or injury''); 33 U.S.C. 765 (discussing 
retirement for disability as a result of ``disease or injury''); 15 
U.S.C. 2607(c) (requiring chemical manufacturers to maintain records 
of ``occupational disease or injury'').
---------------------------------------------------------------------------

    The limited meaning given to the terms ``disease'' and ``injury'' 
is clear from HIPAA's broader context. For instance, interpreting 
``injury'' to include reporting of any criminal abuse would render the 
specific exception for ``child abuse'' superfluous. And interpreting 
``disease'' to include reporting of any disease for any purpose would 
eviscerate HIPAA's general provisions protecting PHI. ``[D]isease 
management activities'' constitute ``health care'' under the Privacy 
Rule, and a broad interpretation of ``disease or injury'' would make 
even information about cancer treatment disclosable.\210\ Consequently, 
the Department has long understood ``disease or injury'' to narrowly 
refer to diagnosable health conditions reported for limited purposes 
such as workers' compensation, tort claims, or health tracking 
efforts.\211\
---------------------------------------------------------------------------

    \210\ See 65 FR 82571 (recognizing that ``disease management 
activities'' often constitute ``health care'' under HIPAA); 65 FR 
82777 (discussing the importance of privacy for information about 
cancer, a ``disease'' that causes an ``indisputable'' ``societal 
burden''); 65 FR 82778 (discussing the importance of privacy for 
information about sexually transmitted diseases, including Human 
Immunodeficiency Virus/Acquired Immunodeficiency Syndrome (HIV/
AIDS)); 65 FR 82463-64 (noting that numerous states adopted laws 
protecting health information relating to certain health conditions 
such as communicable diseases, cancer, HIV/AIDS, and other 
stigmatized conditions.); 65 FR 82731 (finding that there are no 
persuasive reasons to provide information contained within disease 
registries with special treatment as compared with other information 
that may be used to make decisions about an individual).
    \211\ See, e.g., 65 FR 82517 (discussing tort litigation as 
information that could implicate IIHI); 65 FR 82542 (discussing 
workers' compensation); 65 FR 82527 (separately addressing 
disclosures about ``abuse, neglect or domestic violence'' and 
limiting such disclosures to only two circumstances, even if 
expressly authorized by state statute or regulation).
---------------------------------------------------------------------------

    With respect to reporting of ``births'' and ``deaths,'' such vital 
statistics are reported by covered health care providers to the vital 
registration systems operated in various jurisdictions \212\ legally 
responsible for the registration of vital events.\213\ State laws 
require birth certificates to be completed for all births, and Federal 
law mandates the national collection and publication of births and 
other vital statistics data.\214\ Tracking and reporting death is a 
complex and decentralized process with a variety of systems used by 
more than 6,000 local vital registrars.\215\ When HIPAA was enacted, 
the Model State Vital Statistics Act and Regulations, which is followed 
by most states,\216\ included distinct categories for ``live births,'' 
``fetal deaths,'' and ``induced terminations of pregnancy,'' with 
instructions that abortions ``shall not be reported as fetal deaths.'' 
\217\ In light of that common understanding at the time of HIPAA's 
enactment, it is clear that the reporting of abortions is not included 
in the category of reporting of deaths for the purposes of HIPAA and 
does not fall within the scope of state activities Congress 
specifically designated as excepted from preemption by HIPAA.
---------------------------------------------------------------------------

    \212\ See ``Health Department Governance,'' Centers for Disease 
Control and Prevention, Public Health Professionals Gateway (Nov. 
25, 2022), https://www.cdc.gov/publichealthgateway/sitesgovernance/.
    \213\ See the list of events included in vital events ``vital 
events--births, deaths, marriages, divorces, and fetal deaths,'' 
National Center for Health Statistics, Centers for Disease Control 
and Prevention, About the National Vital Statistics System (Jan. 4, 
2016), https://www.cdc.gov/nchs/nvss/about_nvss.htm.
    \214\ See ``Birth Data,'' National Center for Health Statistics, 
Centers for Disease Control and Prevention, National Vital 
Statistics (Dec. 6, 2022), https://www.cdc.gov/nchs/nvss/births.htm.
    \215\ See ``How Tracking Deaths Protects Health,'' Centers for 
Disease Control and Prevention, Public Health and Surveillance Data 
(July 2018), https://www.cdc.gov/surveillance/pdfs/Tracking-Deaths-protects-healthh.pdf.
    \216\ See ``State Definitions and Reporting Requirements: For 
Live Births, Fetal Deaths, and Induced Terminations of Pregnancy,'' 
Centers for Disease Control and Prevention, National Center for 
Health Statistics (1997), p. 5, https://www.cdc.gov/nchs/data/misc/itop97.pdf.
    \217\ ``Model State Vital Statistics Act and Regulations,'' 
Centers for Disease Control and Prevention, National Center for 
Health Statistics (1992), p. 8, https://www.cdc.gov/nchs/data/misc/mvsact92b.pdf.
---------------------------------------------------------------------------

    More generally, while Congress exempted certain ``[p]ublic health'' 
laws from preemption,\218\ Congress chose not to create a general 
exception for criminal laws or other laws that address the disclosure 
of information about similar types of activities outside of the public 
health context. Thus, the Privacy Rule's exceptions for reporting of 
disease or injury, birth, or death do not allow the use or disclosure 
of PHI for investigating or punishing a person for seeking, obtaining, 
providing, or facilitating reproductive health care. Similarly, state 
laws requiring disclosure for such purposes are not exempt under 
section 1178(b) from HIPAA's general preemption provision.
---------------------------------------------------------------------------

    \218\ 42 U.S.C. 1178(b) (codified in HIPAA at 42 U.S.C. 1320d-
7).
---------------------------------------------------------------------------

[[Page 23525]]

Public Health Surveillance, Investigation, or Intervention
    The Privacy Rule also permits a regulated entity to use or disclose 
PHI to conduct ``public health'' surveillance, investigation, or 
intervention.\219\ Section 1178(b) similarly exempts state laws 
providing for ``public health'' surveillance, investigation, or 
intervention from HIPAA's general preemption rule. Neither HIPAA nor 
the Privacy Rule currently defines these terms. To clarify their 
meaning, the Department proposes to define public health \220\ 
surveillance, investigation, or intervention to mean population-based 
activities to prevent disease and promote health of populations.\221\ 
The Department also proposes to clarify that such public health 
activities do not include uses and disclosures for the criminal, civil, 
or administrative investigation into or proceeding against any person 
in connection with seeking, obtaining, providing, or facilitating 
reproductive health care, or to identify any person for the purpose of 
initiating such an investigation or proceeding.\222\
---------------------------------------------------------------------------

    \219\ See 45 CFR 164.512(b)(1)(i); U.S. Dep't of Health and 
Human Servs., Office for Civil Rights, Disclosures for Public Health 
Activities, (accessed Oct. 19, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-public-health-activities/.
    \220\ See ``Ten Essential Public Health Services,'' Centers for 
Disease Control and Prevention, Public Health Professionals Gateway 
(Dec. 1, 2022), https://www.cdc.gov/publichealthgateway/publichealthservices/essentialhealthservices.html and ``What is 
Public Health?'' in CDC Foundation, Public Health in Action (2023), 
https://www.cdcfoundation.org/what-public-health?gclid=Cj0KCQjw_viWBhD8ARIsAH1mCd7ME0r94gapt8Qh48LjdQO3Sto101snekpI94auuahRs7LizEkh7OwaAiKxEALw_wcB. See also ``HIPAA Privacy Rule 
and Public Health,'' Centers for Disease Control and Prevention, 
MMWR (Apr. 11, 2003), https://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm.
    \221\ See Report of ``The National Committee on Vital and Health 
Statistics, 1996-98,'' supra note 203. These activities are 
consistent with the definition proposed herein.
    \222\ See Report of ``The National Committee on Vital and Health 
Statistics, 1996-98,'' supra note 203, for descriptions of public 
health activities in 1996-98.
---------------------------------------------------------------------------

    Since the time of HIPAA's enactment, public health activities 
related to surveillance, investigation, or intervention have been 
widely understood to refer to activities aimed at improving the health 
of a population. For example, legal dictionaries define ``public 
health'' as ``[t]he health of the community at large,'' or ``[t]he 
healthful or sanitary condition of the general body of people or the 
community en masse; esp., the methods of maintaining the health of the 
community, as by preventive medicine or organized care for the sick.'' 
\223\ Stedman's Medical Dictionary defines ``public health'' as ``the 
art and science of community health, concerned with statistics, 
epidemiology, hygiene, and the prevention and eradication of epidemic 
diseases; an effort organized by society to promote, protect, and 
restore the people's health; public health is a social institution, a 
service, and a practice.'' \224\ The Centers for Disease Control and 
Prevention's (CDC) Agency for Toxic Substances and Disease Registry 
commonly defines ``public health surveillance'' as ``the ongoing 
systematic collection, analysis and interpretation of outcome-specific 
data for use in the planning, implementation, and evaluation of public 
health practice.'' \225\ And many states similarly define ``public 
health'' to mean population-level activities.\226\ The Department 
likewise has used public health in this way since it first adopted the 
Privacy Rule.\227\
---------------------------------------------------------------------------

    \223\ ``Health,'' ``public health,'' Black's Law Dictionary 
(11th ed. 2019).
    \224\ ``Public health,'' Stedman's Medical Dictionary 394520.
    \225\ Jonathan Weinstein, ``In Re Miguel M.,'' 55 N.Y.L. Sch. L. 
Rev. 389, 390 (2010) (citing Stephen B. Thacker, ``Historical 
Development,'' in Principles and Practice of Public Health 
Surveillance 1 (Steven M. Teutsch & R. Elliott Churchill eds., 2d 
ed., 2000)), https://digitalcommons.nyls.edu/cgi/viewcontent.cgi?article=1599&context=nyls_law_review.
    \226\ See, e.g., Richard A. Goodman, Judith W. Munson, Kim 
Dammers, et al., ``Forensic Epidemiology: Law at the Intersection of 
Public Health and Criminal Investigations,'' 31 The Journal of Law, 
Medicine & Ethics 684, 689-90 (2003); La. Rev. Stat. Ann. sec. 
40:3.1 (2011) (defining threats to public health as nuisances 
``including but not limited to communicable, contagious, and 
infectious diseases, as well as illnesses, diseases, and genetic 
disorders or abnormalities''); N.C. Gen. Stat. sec. 130A-141.1(a) 
(2010) (defining public health investigations as the ``surveillance 
of an illness, condition, or symptoms that may indicate the 
existence of a communicable disease or condition'').
    \227\ See, e.g., 65 FR 82464 (noting that reporting of public 
health information on communicable diseases is not prevented by 
individuals' right to information privacy); id. at 82467 (discussing 
the importance of accurate medical records in recognizing troubling 
public health trends and in assessing the effectiveness of public 
health efforts); id. at 82473 (discussing disclosure to ``a 
department of public health''); id. at 82525 (recognizing that it 
may be necessary to disclose PHI about communicable diseases when 
conducting a public health intervention or investigation); id. at 
82526 (recognizing that an entity acts as a ``public health 
authority'' when, in its role as a component of the public health 
department, it conducts infectious disease surveillance); ``HIPAA 
Privacy Rule and Public Health,'' supra note 220 (describing what 
traditionally are considered to be ``public health activities'' that 
require PHI).
---------------------------------------------------------------------------

    There is also a widely recognized distinction between public health 
activities, which primarily focus on improving the health of 
populations, and criminal investigations, which primarily focus on 
identifying and imposing liability on persons who have violated the 
law. States and other local governing authorities maintain criminal 
codes that are distinct and separate from public health reporting 
laws,\228\ although some jurisdictions enforce required reporting 
through criminal statutes. Different governmental bodies are 
responsible for enforcing these separate codes, and public health 
officials do not typically investigate criminal activity.\229\ When 
states intend for public health information to be shared with law 
enforcement for criminal investigation purposes, they typically pass 
specific laws to permit that sharing.\230\ Other Federal laws also 
treat public health investigations as distinct from criminal 
investigations.\231\ Maintaining a clear distinction between public 
health investigations and criminal investigations serves HIPAA's 
broader purposes, as well, by safeguarding privacy to ensure quality 
health care.\232\
---------------------------------------------------------------------------

    \228\ For example, traditional public health reporting laws grew 
from colonial requirements that physicians report disease. These 
requirements transitioned to state regulatory requirements imposed 
by public health departments on authority granted to them by states. 
See Public Health Law 101, Disease Reporting and Public Health 
Surveillance, Centers for Disease Control and Prevention, p. 12 and 
14, https://www.cdc.gov/phlp/docs/phl101/PHL101-Unit-5-16Jan09-Secure.pdf. See also, e.g., Code of Georgia 31-12-2 (2021), 
authority to require disease reporting.
    \229\ See ``Public Health,'' supra note 223 (``Many cities have 
a `public health department' or other agency responsible for 
maintaining the public health; Federal laws dealing with health are 
administered by the Department of Health and Human Services.''); see 
also ``Forensic Epidemiology: Law at the Intersection of Public 
Health and Criminal Investigations,'' supra note 226, at 689.
    \230\ See ``Forensic Epidemiology: Law at the Intersection of 
Public Health and Criminal Investigations,'' supra note 226, at 687 
(discussing South Dakota Statutes sec. 22-18-31, a law allowing HIV 
test results to be released to a prosecutor for criminal 
investigation purposes); id. at 693 (discussing North Carolina 
General Statute (N.C.G.S.) sec. 130A-476, a law allowing 
confidential medical information to be shared with law enforcement 
in certain circumstances related to communicable diseases or 
terrorism).
    \231\ See Camara v. Municipal Ct. of City & Cty. of S.F., 387 
U.S. 523, 535-37 (1967) (discussing administrative inspections under 
the Fourth Amendment, such as those aimed at addressing ``conditions 
which are hazardous to public health and safety,'' and not ``aimed 
at the discovery of evidence of crime''); 42 U.S.C. 241(d)(D) 
(prohibiting disclosure of private information from research 
subjects in ``criminal'' and other proceedings); 42 U.S.C. 290dd-
2(c) (prohibiting substance abuse records from being used in 
criminal proceedings).
    \232\ See ``Forensic Epidemiology: Law at the Intersection of 
Public Health and Criminal Investigations,'' supra note 226, at 687 
(discussing reasons why ``an association of public health with law 
enforcement'' may be ``to the detriment of routine public health 
practice''). See also 45 CFR 164.512(b)(1)(i) (including ``public 
health investigations'' as an activity carried out by a public 
health authority that is authorized by law to carry out public 
health activities).
---------------------------------------------------------------------------

    The Department concludes that the Privacy Rule's permissions to use 
and disclose PHI for the ``public health'' activities of surveillance, 
investigation, or intervention do not include criminal, civil, or 
administrative investigations into, or proceedings against, any person 
in connection with seeking, obtaining, providing, or facilitating 
reproductive health care, nor do they include identifying any person 
for the purpose of initiating such investigations or proceedings. Such 
actions are not public health activities. Public health surveillance, 
investigations, or interventions ensure the health of the community as 
a whole by addressing population-level issues such as the spread of 
communicable diseases, even where they involve individual-level 
interventions. Such surveillance systems provide data necessary to 
examine and potentially develop interventions to improve the public's 
health, such as providing education or resources to support 
individuals' access to health care and improve health outcomes.\233\ 
U.S. states, territories, and Tribal governments participate in 
bilateral agreements with the Federal Government to share data on 
conditions that affect public health.\234\ The CDC's Division of 
Reproductive Health presently collects reproductive health data in 
support of national and state-based population surveillance systems to 
assess maternal complications, mortality and pregnancy-related 
disparities, and the numbers and characteristics of individuals who 
obtain legal induced abortions.\235\ Importantly, disclosures to public 
health authorities permitted by the Privacy Rule are limited to the 
``minimum necessary'' to accomplish the public health purpose.\236\ In 
many cases, regulated entities need disclose only de-identified data 
\237\ to meet the public health purpose. By contrast, criminal, civil, 
and administrative investigations and proceedings generally target 
specific persons; they are not designed to address population-level 
health concerns and are not limited to information authorized to be 
collected by a public health or similar government authority for a 
public health activity. Thus, the exceptions in section 1178(b) for 
``public health'' investigations, interventions, or surveillance do not 
limit the Department's ability to prohibit uses or disclosures of PHI 
for other purposes, such as judicial and administrative proceedings or 
law enforcement purposes. While the Department has chosen as a policy 
matter to permit uses or disclosures of PHI for law enforcement and 
other purposes in other contexts, it believes, as discussed above, that 
a different balance is appropriate in the context of highly sensitive 
information related to reproductive health care.
---------------------------------------------------------------------------

    \233\ See ``Improving the Role of Health Departments in 
Activities Related to Abortion,'' American Public Health Association 
(Oct. 26, 2021), https://www.apha.org/Policies-and-Advocacy/Public-Health-Policy-Statements/Policy-Database/2022/01/07/Improving-Health-Department-Role-in-Activities-Related-to-Abortion.
    \234\ See ``Reportable diseases,'' supra note 206. See also 
``What is Case Surveillance?'' supra note 206.
    \235\ See ``Reproductive Health,'' Centers for Disease Control 
and Prevention (Apr. 20, 2022), https://www.cdc.gov/reproductivehealth/drh/about-us/index.htm; and ``Reproductive 
Health--CDCs Abortion Surveillance System FAQs,'' Centers for 
Disease Control and Prevention, Reproductive Health (Nov. 17, 2022), 
https://www.cdc.gov/reproductivehealth/data_stats/abortion.htm.
    \236\ See 45 CFR 164.502(b).
    \237\ See 45 CFR 164.514(a).
---------------------------------------------------------------------------

    In light of the proposed definition of ``public health'' in this 
context, the Department does not propose to additionally define the 
terms ``investigation,'' ``intervention,'' or ``surveillance,'' because 
it believes these terms are commonly understood. Specifically, the 
Department believes public health investigation or intervention 
includes monitoring real-time health status and identifying patterns to 
develop strategies to address chronic diseases and injuries, as well as 
using real-time data to identify and respond to acute outbreaks, 
emergencies, and other health hazards.\238\ The Department also 
believes public health surveillance refers to the ongoing, systematic 
collection, analysis, and interpretation of health-related data 
essential to planning, implementation, and evaluation of public health 
practice.\239\ Nevertheless, the Department invites comment on whether 
it would be beneficial to specifically define these terms.
---------------------------------------------------------------------------

    \238\ See ``Ten Essential Public Health Services,'' supra note 
220.
    \239\ See ``Introduction to Public Health Surveillance,'' 
Centers for Disease Control and Prevention (Nov. 15, 2018), https://www.cdc.gov/training/publichealth101/surveillance.html.
---------------------------------------------------------------------------

Child Abuse Reporting
    In accordance with section 1178(b) of HIPAA, the Privacy Rule 
permits a regulated entity to use or disclose PHI to report known or 
suspected child abuse or neglect if the report is made to a public 
health authority or other appropriate government authority that is 
authorized by law to receive such reports,\240\ which primarily are 
state or local child protective services agencies.\241\ This Privacy 
Rule provision does not include permission for the covered entity to 
disclose PHI in response to a request for PHI for a criminal, civil, or 
administrative investigation into or proceeding against a person based 
on suspected child abuse. Rather, the Privacy Rule only permits the 
disclosure of information for the purpose of making a report. We also 
note that the permission limits such disclosures to the minimum 
necessary to make the report.\242\ Any disclosure of PHI in response to 
a request from an investigator, whether in follow up to the report made 
by the covered entity (other than to clarify the PHI provided on the 
report) or as part of an investigation initiated based on an allegation 
or report made by a person other than the covered entity, would be 
required to meet the conditions of disclosures to law enforcement or 
for other investigations or legal proceedings.\243\
---------------------------------------------------------------------------

    \240\ See 45 CFR 164.512(b)(1)(ii).
    \241\ State laws require certain persons, such as health care 
providers, to report known or suspected child abuse or neglect; such 
persons are often called ``mandatory reporters.'' See ``Mandatory 
Reporters of Child Abuse and Neglect,'' U.S. Dep't of Health and 
Human Servs., Administration for Children and Families, Children's 
Bureau, Child Welfare Information Gateway (Apr. 2019), https://www.childwelfare.gov/pubPDFs/manda.pdf. See also ``Factsheet: How 
the Child Welfare System Works,'' U.S. Dep't of Health and Human 
Servs., Administration for Children and Families, Children's Bureau, 
Child Welfare Information Gateway (Oct. 2020), https://www.childwelfare.gov/pubPDFs/cpswork.pdf.
    \242\ See 45 CFR 164.502(b) and 164.514(d).
    \243\ See 45 CFR 164.512(e) and (f).
---------------------------------------------------------------------------

    As discussed above, the Department understands the term ``person'' 
as it is used in the SSA, HIPAA, and the HIPAA Rules to be consistent 
with 1 U.S.C. 8. Congress also defined the term ``child'' in 1 U.S.C. 
8, and the Department similarly understands the term ``child'' in the 
Privacy Rule to be consistent with that definition. Further, at the 
time HIPAA was enacted, ``most, if not all, states had laws that 
mandated reporting of child abuse or neglect to the appropriate 
authorities.'' \244\ As such, the Department believes that to the 
extent its proposal would prohibit a regulated entity from disclosing 
PHI in order to report ``child abuse'' where the alleged victim does 
not meet the definition of ``person,'' the proposal is consistent with 
both 1 U.S.C. 8 and 1178(b).
---------------------------------------------------------------------------

    \244\ 65 FR 82527.
---------------------------------------------------------------------------

    At the time HIPAA was enacted, ``most, if not all, states had laws 
that mandated reporting of child abuse or neglect to the appropriate 
authorities.'' \245\ Additionally, when Congress enacted HIPAA, it had 
already addressed child abuse reporting in other laws, such as the 
Victims of Child Abuse Act of 1990 \246\ and the Child Abuse Prevention 
and Treatment Act.\247\ For example, 34 U.S.C. 20341(a)(1), a provision 
of the original Victims of Child Abuse Act of 1990 still in place 
today, requires certain professionals to report suspected abuse when 
working on Federal land or in a federally operated (or contracted) 
facility.\248\ As used in these statutes, the term ``child abuse'' does 
not include activities related to reproductive health care, such as 
abortion.
---------------------------------------------------------------------------

    \245\ Id.
    \246\ Public Law 101-647, 104 Stat. 4789 (codified at 18 U.S.C. 
3509).
    \247\ Public Law 93-247, 88 Stat. (codified at 42 U.S.C. 5101 
note).
    \248\ See 34 U.S.C. 20341(a)(1), originally enacted as part of 
the Victims of Child Abuse Act of 1990 and codified at 42 U.S.C. 
13031, which was editorially reclassified as 34 U.S.C. 20341, Crime 
Control and Law Enforcement. For the purposes of such mandated 
reporting, see 34 U.S.C. 20341(c)(1) for definition of ``child 
abuse.''
---------------------------------------------------------------------------

    For the reasons just stated, the Department believes that ``child 
abuse'' as used in the Privacy Rule and section 1178(b) is best 
interpreted to exclude conduct based solely on seeking, obtaining, 
providing, or facilitating reproductive health care. This 
interpretation is consistent with the public health aims of improving 
access to health care, including reproductive health care, for 
individuals and with congressional intent when HIPAA was enacted. 
Additionally, as the Department has stated in previous rulemakings, we 
do not intend to disrupt longstanding state or Federal child abuse 
reporting requirements that apply to regulated entities.\249\ Thus, the 
Department believes this interpretation of ``child abuse'' supports the 
protection of children while also serving HIPAA's objectives of 
protecting the privacy of PHI to promote individuals' trust in the 
health care system and preserving the relationship between individuals 
and their health care providers. The Department requests comment on its 
interpretation of ``child abuse'' as that term is used in the Privacy 
Rule.
---------------------------------------------------------------------------

    \249\ 65 FR 82527.
---------------------------------------------------------------------------

3. Adding a Definition of ``Reproductive Health Care''
    The HIPAA Rules define ``health care'' as ``care, services, or 
supplies related to the health of an individual.'' \250\ The definition 
clarifies that the term specifically ``includes but is not limited'' to 
certain types of care, services, or supplies related to the health of 
the individual. These groupings are ``[p]reventive, diagnostic, 
therapeutic, rehabilitative, maintenance, or palliative care, and 
counseling, service, assessment, or procedure with respect to the 
physical or mental condition, or functional status, of an individual or 
that affects the structure or function of the body'' \251\ and ``[the 
s]ale or dispensing of a drug, device, equipment, or other item in 
accordance with a prescription.'' \252\ As indicated by ``includes, but 
is not limited to,'' this is not an exclusive list of the types of 
services or supplies that constitute health care for the purposes of 
the HIPAA Rules. Indeed, ``health care'' also includes supplies 
purchased over the counter or furnished to the individual by a person 
that does not meet the definition of a health care provider under the 
HIPAA Rules.\253\
---------------------------------------------------------------------------

    \250\ 45 CFR 160.103 (definition of ``Health care'').
    \251\ Id.
    \252\ Id.
    \253\ 45 CFR 164.103 (definition of ``Health care provider'').
---------------------------------------------------------------------------

    The Department proposes to add and define a new term, 
``reproductive health care,'' that is a subcategory of the existing 
term ``health care.'' Specifically, the Department proposes to define 
``reproductive health care'' as ``care, services, or supplies related 
to the reproductive health of the individual.'' As with ``health 
care,'' ``reproductive health care'' applies broadly and includes not 
only reproductive health care and services furnished by a health care 
provider and supplies furnished in accordance with a prescription, but 
also care, services, or supplies furnished by other persons and non-
prescription supplies purchased in connection with an individual's 
reproductive health. The Department proposes defining reproductive 
health care based on the underlying activities, consistent with its 
approach to defining ``health care'' in the 2000 Privacy Rule.\254\ 
Under this proposal, such care, services, or supplies would be 
considered ``reproductive health care'' to the extent that they meet 
this functional definition.
---------------------------------------------------------------------------

    \254\ 65 FR 82571.
---------------------------------------------------------------------------

    Elsewhere, Congress and the Department have defined similar terms 
like ``reproductive health services'' and ``reproductive health care 
services'' to mean ``reproductive health services provided in a 
hospital, clinic, physician's office, or other facility, and includes 
medical, surgical, counselling or referral services relating to the 
human reproductive system, including services relating to pregnancy or 
the termination of a pregnancy.'' \255\ The Department proposes to use 
the term ``reproductive health care'' rather than ``reproductive health 
services'' to ensure that the term is interpreted broadly to capture 
all health care that could be furnished to address reproductive health, 
including the provision of supplies such as medications and devices, 
whether prescription or over-the-counter. The Department also proposes 
to define ``reproductive health care'' to include all specified 
services regardless of where they are provided, rather than only when 
provided in particular locations, and all types of reproductive health 
care services, rather than only certain types of services listed within 
the definition. The Department believes that services meeting the 
definition of these similar terms would generally be included within 
the proposed definition of ``reproductive health care.'' Additionally, 
the Department believes that basing the proposed term and definition of 
``reproductive health care'' on the existing HIPAA term and definition 
of ``health care'' would be easier and less burdensome for regulated 
entities and other stakeholders to understand and implement.
---------------------------------------------------------------------------

    \255\ 18 U.S.C. 248(e)(5) uses the term ``reproductive health 
services,'' while E.O. 14076, 87 FR 42053 (July 8, 2022), and 14079, 
87 FR 49505 (Aug. 3, 2022), use the term ``reproductive healthcare 
services.'' The definitions are essentially the same, with the only 
difference being ``health'' as opposed to ``healthcare.''
---------------------------------------------------------------------------

    In keeping with the Department's intention for ``reproductive 
health care'' to be interpreted broadly and inclusive of all types of 
health care related to an individual's reproductive system, the 
Department would interpret ``reproductive health care'' to include, but 
not be limited to: contraception, including emergency contraception; 
pregnancy-related health care; fertility or infertility-related health 
care; and other types of care, services, or supplies used for the 
diagnosis and treatment of conditions related to the reproductive 
system. Pregnancy-related health care includes, but is not limited to, 
miscarriage management, molar or ectopic pregnancy treatment, pregnancy 
termination, pregnancy screening, products related to pregnancy, 
prenatal care, and similar or related care. Other types of care, 
services, or supplies used for the diagnosis and treatment of 
conditions related to the reproductive system includes health care 
related to reproductive organs, regardless of whether the health care 
is related to an individual's pregnancy or whether the individual is of 
reproductive age. The Department would interpret fertility or 
infertility-related health care to include services such as assisted 
reproductive technology and its components,\256\ as well as other care, 
services, or 
supplies used for the diagnosis and treatment of infertility.
---------------------------------------------------------------------------

    \256\ See ``What is Assisted Reproductive Technology?'' Centers 
for Disease Control and Prevention (Oct. 8, 2019), https://www.cdc.gov/art/whatis.html#:~:text=According%20to%20this%20definition%2C%20ART,donating%20them%20to%20another%20woman.
---------------------------------------------------------------------------

    The Department is not proposing a specific definition of 
``reproductive health'' at this time. Various definitions of the term 
have been included in literature. The Department recognizes that it may 
be helpful to stakeholders if ``reproductive health'' were to be 
defined in the final rule and invites comment on whether including a 
particular definition of ``reproductive health'' would be beneficial.
4. Request for Comment
    The Department requests comment on the foregoing definitions and 
proposals, including any benefits, drawbacks, or unintended 
consequences. The Department also requests comment on the following 
considerations in particular:
    a. Whether the definitions the Department proposes to adopt are 
appropriate. If not, please provide an alternative definition(s) and 
support for the definition(s).
    b. Whether it is necessary for the Department to define 
``reproductive health.'' If so, please provide a definition and support 
for the definition.
    c. Whether the Department should provide examples of ``reproductive 
health care'' in regulatory text, or whether it is sufficient to provide 
extensive discussion of the examples in the preamble.
    d. Whether it would be helpful for the Department to define any 
additional terms. If so, please propose a definition and support for 
the definition and rationale.

B. Section 164.502--Uses and Disclosures of Protected Health 
Information: General Rules

1. Clarifying When PHI May Be Used or Disclosed by Regulated Entities
    Section 164.502 of the Privacy Rule contains the general rules 
governing uses and disclosures of PHI, including that a covered entity 
or business associate may use or disclose PHI only as permitted or 
required by the Privacy Rule.\257\ Section 164.502(a)(1) lists 
permitted uses and disclosures.
---------------------------------------------------------------------------

    \257\ 45 CFR 164.502(a)(1).
---------------------------------------------------------------------------

    In this NPRM, the Department proposes several modifications to the 
Privacy Rule to prohibit regulated entities from using or disclosing an 
individual's PHI for use against any individual, regulated entity, or 
other person for the purpose of a criminal, civil, or administrative 
investigation into or proceeding against such person in connection with 
seeking, obtaining, providing, or facilitating reproductive health care 
that is lawful under the circumstances in which it is provided. The 
Department also proposes to prohibit regulated entities from using or 
disclosing PHI for identifying an individual, a regulated entity, or 
other person for the purpose of initiating such an investigation or 
proceeding. These changes are proposed to continue safeguarding the 
privacy of PHI to ensure trust in the health care system and to enable 
individuals' access to high-quality health care. The proposed 
prohibition in 45 CFR 164.502 is three-fold: paragraph (a)(5)(iii) 
outlines the activity the Department proposes to prohibit; paragraph 
(a)(1)(iv) specifies that an authorization cannot be used to bypass the 
proposed prohibition in paragraph (a)(5)(iii); and paragraph (a)(1)(vi) 
clarifies that the permissions at 45 CFR 164.512 cannot be used to 
circumvent the proposed prohibition.
    The Department proposes to modify the general rules in 45 CFR 
164.502 by adding a clause to paragraph (a)(1)(iv) and adding a new 
requirement in paragraph (a)(1)(vi). Existing paragraph (a)(1)(iv) 
permits disclosures based on a valid authorization and, in a prefatory 
clause, provides an exception to that general permission such that a 
health plan cannot use or disclose PHI that is genetic information for 
underwriting purposes, even with an individual's authorization. Thus, 
an authorization that purports to allow a use or disclosure of PHI for 
that prohibited purpose is not valid under the Privacy Rule. Similarly, 
the Department proposes to add the new prohibition proposed in 45 CFR 
164.502(a)(5)(iii) to the types of uses and disclosures that would not 
be permitted even with an authorization. By adding an exception to 
paragraph (a)(1)(iv) for uses and disclosures prohibited by paragraph 
(a)(5)(iii), the Department seeks to fully protect individuals' privacy 
by precluding any possibility that a third party, such as a law 
enforcement official, could obtain an individual's PHI for a prohibited 
purpose by coercing the individual to sign an authorization.
    In addition, the new proposed requirement in paragraph (a)(5)(iii) 
would expressly permit certain uses and disclosures made under 45 CFR 
164.512 only when an applicable attestation has been obtained pursuant 
to proposed 45 CFR 164.509, discussed below in section IV.D. For 
clarity, this proposal would also revise paragraph (a)(5)(vi) to 
replace the sentence containing the conditions for certain permitted 
uses and disclosures with a lettered list.
2. Adding a New Category of Prohibited Uses and Disclosures
Issues To Address
    Generally, the Privacy Rule prohibits uses or disclosures of PHI 
except as permitted or required by the Rule. The Privacy Rule 
explicitly prohibits uses and disclosures of PHI in two circumstances: 
(1) a health plan generally is prohibited from using or disclosing PHI 
that is genetic health information for underwriting purposes; \258\ and 
(2) a regulated entity is prohibited from selling PHI except when they 
have obtained a valid authorization from the individual who is the 
subject of the PHI.\259\
---------------------------------------------------------------------------

    \258\ 45 CFR 164.502(a)(5)(i).
    \259\ 45 CFR 164.502(a)(5)(ii).
---------------------------------------------------------------------------

    As discussed in section III of this preamble, the Department issued 
its prior iterations of the Privacy Rule at a time when individuals, as 
a practical matter, generally would not have expected their highly 
sensitive health care information to be used or disclosed for criminal, 
civil, or administrative investigations into or proceedings about that 
health care. The current regulatory and legal environment is in tension 
with that expectation and threatens to erode the trust that is 
essential to access to and quality of health care. The Department has 
received letters from the public, indicating confusion and concern as 
to the ability of regulated entities to use or disclose PHI for the 
purposes described above. These sentiments have been echoed by 
stakeholders in listening sessions and in media reports. Letters sent 
to the Department by Members of Congress further reinforce that 
confusion and concern exist about the privacy of individuals' PHI, in 
addition to supporting the Department's position that it has the 
ongoing authority under HIPAA and the HITECH Act to modify the Privacy 
Rule to ensure the privacy of PHI.\260\ These developments and 
communications bolster the

[[Page 23529]]

Department's decision to propose certain regulatory changes and 
technical corrections that are necessary to eliminate ambiguity and 
promote trust in the health care system. Therefore, the Department 
proposes to modify 45 CFR 164.502 by adding a new paragraph (a)(5)(iii) 
that will protect the privacy of individuals who obtain reproductive 
health care that is lawful under the circumstances in which it is 
provided, as well as their health care providers, and others who assist 
them in obtaining such health care.
---------------------------------------------------------------------------

    \260\ See, e.g., Letter from United States Congress Senators 
Tammy Baldwin, Elizabeth Warren, and Ron Wyden, et al., to HHS 
Secretary Xavier Becerra (March 7, 2023); Letter from United States 
Congress Senators Patty Murray, Kirsten Gillibrand, and Martin 
Heinrich, et al., to HHS Secretary Xavier Becerra (Sept. 13, 2022); 
Letter from United States Congress House Representatives Earl 
Blumenauer, Diana DeGette, Barbara Lee, et al., to HHS Secretary 
Xavier Becerra (Aug. 30, 2022); and Letter from United States 
Congress Senators Michael F. Bennet and Catherine Cortez Masto to 
HHS Secretary Xavier Becerra (July 1, 2022).
---------------------------------------------------------------------------

Proposed Prohibition
    In keeping with the Privacy Rule's purpose-based approach to 
specifying uses or disclosures that are required, permitted, or 
prohibited, proposed 45 CFR 164.502(a)(5)(iii) would prohibit a 
regulated entity from using or disclosing PHI where the PHI would be 
used for a criminal, civil, or administrative investigation into or 
proceeding against any person in connection with seeking, obtaining, 
providing, or facilitating lawful reproductive health care, or 
identifying any person for the purpose of initiating such an 
investigation or proceeding, subject to the Rule of Applicability and 
Rule of Construction set forth in 45 CFR 164.502(a)(5)(iii)(C) and (D). 
Furthermore, the Department proposes that ``seeking, obtaining, 
providing, or facilitating'' would include, but not be limited to, 
expressing interest in, inducing, using, performing, furnishing, paying 
for, disseminating information about, arranging, insuring, assisting, 
or otherwise taking action to engage in reproductive health care, as 
well as attempting to engage in any of the same.
    This proposed prohibition addresses efforts to investigate or bring 
proceedings against any person in connection with seeking, obtaining, 
providing, or facilitating reproductive health care that is lawful 
under the circumstances in which it is provided, or to identify any 
person for the purpose of initiating such investigation or proceeding. 
As discussed above, it would be contrary to the Congressional intent of 
protecting the privacy of an individual's PHI and access to health care 
if the Privacy Rule were to permit a regulated entity to use or 
disclose PHI to investigate and bring proceedings against persons for 
seeking, obtaining, providing or facilitating reproductive health care, 
or to identify any person for such purposes, where such health care is 
lawful under state or Federal law. Permitting such uses and disclosures 
would also be inconsistent with longstanding individual privacy 
expectations and could especially chill access to lawful health care, 
including by high-risk individuals who may have already experienced a 
miscarriage, ectopic pregnancy, stillbirth, or infertility. If such 
uses and disclosures are permitted, individuals may delay obtaining 
lawful health care or withhold information about their condition or 
medical history because they may not trust their health care providers 
to use the information only to provide appropriate health care, rather 
than report them to law enforcement authorities or others.\261\ 
Delaying health care may negatively affect an individual's health, 
including increasing the risk of death. In fact, a recent report from 
the Texas Maternal Mortality and Morbidity Review Committee and 
Department of State Health Services found that the most common 
contributing factors to a woman's pregnancy-related death in Texas were 
delay or failure to seek care, lack of knowledge regarding importance 
of treatment or follow-up, and lack of access and financial 
resources.\262\ Similarly, if such uses and disclosures are permitted, 
a health care provider might leave gaps in or include inaccuracies in 
the individual's medical records, creating a risk that ongoing or 
future health care would be compromised, because they may not trust 
that the information would not be obtained by law enforcement 
authorities or others.\263\
---------------------------------------------------------------------------

    \261\ See ``In a doctor's suspicion after a miscarriage, a 
glimpse of expanding medical mistrust,'' supra note 13. ``[A health 
care provider's] ability to take care of patients relies on trust, 
and that will be impossible moving forward [. . .] [abortion 
restrictions] are really going to put a damper on people seeking 
care, even in very normal, very legal situations.''; See also Lucy 
Ogbu-Nwobodo, Ruth S. Shim, Sarah Y. Vinson, et al., ``Mental Health 
Implications of Abortion Restrictions for Historically Marginalized 
Populations,'' The New England Journal of Medicine (Oct. 27, 2022), 
https://www.nejm.org/doi/full/10.1056/NEJMms2211124 (``With the 
elimination of the right to privacy guaranteed by Roe v. Wade and 
the criminalization of abortion in many states, the risk of punitive 
involvement by the criminal legal system as a consequence of 
reproductive decisions, and potentially even in cases of 
miscarriage, is likely to be especially high for members of 
historically marginalized groups with mental illness--a population 
that is already overrepresented in the criminal legal system.'').
    \262\ See Texas Maternal Mortality and Morbidity Review 
Committee and Department of State Health Services Joint Biennial 
Report 2022, supra note 16, p. 41.
    \263\ See, e.g., Brief for Zurawski.
---------------------------------------------------------------------------

    Further, even where investigations cannot lawfully result in 
proceedings against a person, investigations themselves can reduce the 
health information privacy of the individual whose PHI is sought for 
the investigation, thereby harming that individual. For example, 
permitting a covered entity to disclose a sexual assault survivor's PHI 
to law enforcement or others to enable them to investigate that 
individual for obtaining lawful reproductive health care as a result of 
the assault compounds the harm experienced by the individual by 
violating their privacy. Additionally, allowing the disclosure makes 
that individual and others in similar circumstances less likely to 
obtain lawful reproductive health care if they believe their privacy 
will be violated in this manner. Thus, the Department proposes to 
prohibit the use or disclosure of PHI where the purpose of the use or 
disclosure is for a criminal, civil, or administrative investigation 
into or proceeding against any person in connection with seeking, 
obtaining, providing, or facilitating reproductive health care that is 
lawful under the circumstances in which it is provided, or identifying 
any person for the purpose of initiating such an investigation or 
proceeding.
    Importantly, and as further discussed below, this proposal is 
narrowly tailored to address only uses and disclosures for specified 
prohibited purposes. It does not otherwise alter a regulated entity's 
responsibility to comply with the conditions imposed on the use or 
disclosure of PHI for other criminal, civil, or administrative 
investigations or proceedings. For example, the proposed rule would not 
broadly preempt state or other laws that would require the disclosure 
of information about an individual's reproductive health to support 
claims for criminal or civil liability unrelated to the prohibited 
purposes, assuming such laws meet the requirements of other provisions 
of the Privacy Rule, e.g., the permission to use or disclose PHI where 
required by law.\264\
---------------------------------------------------------------------------

    \264\ 45 CFR 164.512(a).
---------------------------------------------------------------------------

Purpose-Based Prohibition
    As discussed above and consistent with the general approach and 
structure of the Privacy Rule, the proposed prohibition focuses on the 
purpose of the use or disclosure, rather than the type of PHI requested 
or the type of regulated entity that receives the use or disclosure 
request. The Department acknowledges that in most cases, information 
about an individual's reproductive health care includes the kind of 
highly sensitive information that could chill patients from obtaining 
lawful health care if they knew it could be disclosed. However, the 
Department is not proposing a rule that would provide a blanket 
protection for this category of information. Enforcing such

[[Page 23530]]

a blanket protection would require regulated entities to restrict the 
flow of this category of information, possibly disrupting existing 
health care delivery models. For example, implementing differing rules 
for a newly designated category of PHI would require costly updates to 
electronic record systems to allow for segmenting of certain data 
elements for extra protection and create barriers for care 
coordination. Providing routine treatments for conditions such as 
hormonal imbalances, miscarriage, pregnancy complications, or 
gynecological emergencies would be problematic for health care 
providers attempting to navigate a blanket prohibition against 
disclosure of the category of information related to reproductive 
health care. Thus, this proposal does not limit the prohibition to the 
use or disclosure of certain types of PHI or to PHI that is held or 
maintained by certain types of covered health care providers, such as a 
gynecologist or endocrinologist.
    A purpose-based prohibition as proposed by the Department would 
also permit health plans and many different types of health care 
providers to continue to disclose PHI for treatment or payment for 
reproductive health care or other health care conditions that are 
affected by or affect an individual's reproductive health. For example, 
pregnancy can place a significant strain on the heart of an individual 
with certain cardiovascular conditions. It is essential that the 
individual's cardiologist be informed of and able to monitor the 
individual's pregnancy for potential complications without barriers to 
access that information. As another example, pregnancy tests are 
routinely administered before a surgical procedure to ensure that 
surgeons, anesthesiologists, and individuals are aware of a pregnancy 
and have the opportunity to discuss the benefits and risks of 
proceeding or to identify alternative treatment options.\265\ And an 
earlier example related to hormonal imbalances illustrates why 
endocrinologists may require access to reproductive health information. 
For similar reasons, it is important that a health care provider 
maintain complete and accurate patient medical records to ensure 
subsequent health care providers are adequately informed in making 
diagnoses or recommending courses of treatment.
---------------------------------------------------------------------------

    \265\ See Trisha Pasricha, ``Pregnancy tests are routine before 
many surgical procedures. But Dobbs has raised the stakes of a 
positive result,'' STAT News (Aug. 16, 2022), 
https://www.statnews.com/2022/08/16/pregnancy-tests-are-routine-before-many-surgical-procedures-but-dobbs-has-raised-the-stakes-of-a-positive-result/#:~:text=The%20Supreme%20Court's%20h9568%20decision,making%20testing%20anything%20but%20routine.
---------------------------------------------------------------------------

    Thus, to avoid the potential for disruption to health care and 
ensure the provision of appropriate health care, the Department 
proposes to limit the prohibition's application to uses and disclosures 
of PHI where the purpose is to use the information against any person 
for seeking, obtaining, providing, or facilitating reproductive health 
care that is lawful under the circumstances in which it is provided, or 
to identify any person for doing so. The Department believes the 
narrowly crafted prohibition, as proposed, would avoid deterring 
individuals from obtaining lawful health care or providing full 
information to their health care providers out of fear that highly 
sensitive health information could be disclosed in connection with a 
criminal, civil, or administrative investigation or proceeding. At the 
same time, the proposal would facilitate the ability of health care 
providers to navigate the new medical-legal landscape in cooperation 
with their patients. The proposed prohibition also would serve as a 
disincentive to health care providers considering leaving gaps or 
including inaccuracies in medical records or taking other action to 
protect individuals or avoid liability under laws prosecuting provision 
of reproductive health care. Such disincentives, rooted in the ability 
to keep PHI private when sought for certain purposes, are properly 
within the Department's authority to regulate under HIPAA.
Preemption of State Laws
    The Privacy Rule generally preempts contrary provisions of state 
laws.\266\ Thus, if this NPRM were to be finalized, provisions of state 
law that are contrary to these proposals would be preempted. The 
Department recognizes that the proposal to prohibit uses and 
disclosures of PHI for a criminal, civil, or administrative 
investigation into or proceeding against any person, or to identify any 
person for the purpose of initiating such an investigation or 
proceeding, may create a conflict between the Privacy Rule and some 
state laws--though we have carefully crafted the proposed prohibition 
to apply only in circumstances in which the state lacks any substantial 
interest in seeking the disclosure. In such cases, regulated entities 
would be required to comply with the Privacy Rule, if modified as 
proposed. For example, the Privacy Rule, if modified as proposed, would 
prohibit the disclosure of PHI to law enforcement in furtherance of a 
law enforcement investigation of an individual for obtaining 
reproductive health care that is lawful under the circumstances in 
which it is provided. It would also prohibit the disclosure of PHI for 
a law enforcement investigation of a health clinic for providing 
reproductive health care that is lawful under the circumstances in 
which it is provided, even in response to a court order, such as a 
search warrant.\267\ Such disclosure, despite the court order, would be 
a violation of the Privacy Rule and would subject the regulated entity 
to a potential OCR investigation and civil money penalty. Additionally, 
if a regulated entity chose to comply with the court order in the 
example above, there would be a presumption that a breach of unsecured 
PHI had occurred because there was a disclosure of PHI in a manner not 
permitted under the Privacy Rule which compromises the privacy of the 
PHI. Thus, breach notification would be required unless the entity 
could demonstrate that there was a low probability that the PHI had 
been compromised.\268\ Where an entity determines that a breach has 
occurred, the entity would need to provide notification to the affected 
individual(s), the Secretary, and, when applicable, the media.\269\
---------------------------------------------------------------------------

    \266\ 42 U.S.C. 1320d-7(a)(1) (providing the general rule that, 
with limited exceptions, a provision or requirement under HIPAA 
supersedes any contrary provision of state law).
    \267\ In contrast, the current Privacy Rule would permit such a 
disclosure based on a court order requiring the disclosure. See 45 
CFR 164.512(a); see also 45 CFR 164.103 (definition of ``Required by 
law'').
    \268\ 45 CFR 164.402 (definition of ``Breach'').
    \269\ See 45 CFR 164.400 through 164.414. The HIPAA Breach 
Notification Rule requires covered entities and their business 
associates to provide certain notifications following a breach of 
unsecured PHI.
---------------------------------------------------------------------------

Application of Proposed Prohibition
    The Department proposes a Rule of Applicability to apply the 
prohibition where the relevant criminal, civil, or administrative 
investigation or proceeding is in connection with any person seeking, 
obtaining, providing, or facilitating reproductive health care that: 
(1) is provided outside of the state where the investigation or 
proceeding is authorized and that is lawful in the state in which such 
health care is provided; (2) is protected, required, or authorized by 
Federal law, regardless of the state in which such health care is 
provided; or (3) is provided in the state in which the investigation or 
proceeding is authorized and that is permitted by the law of that 
state. This proposed Rule of Applicability would limit the application 
of the prohibition to

[[Page 23531]]

circumstances in which the care is lawful under the circumstances in 
which such health care is provided.
    As described above, all three prongs of the proposed Rule of 
Applicability require the reproductive health care at issue to be 
provided under circumstances in which the provision of such health care 
is lawful. Thus, in order to determine whether the proposed rule would 
permit the use or disclosure of PHI, the regulated entity would need to 
determine whether the reproductive health care was provided under 
circumstances in which it was lawful to do so. Where the regulated 
entity determines that the reproductive health care was provided under 
circumstances where it was unlawful, the proposed prohibition would not 
apply, and the regulated entity would be permitted to use or disclose 
the PHI for a criminal, civil, or administrative investigation into or 
proceeding against a person in connection with seeking, obtaining, 
providing, or facilitating reproductive health care. For example, where 
the regulated entity determines that reproductive health care was 
provided in a state where it was unlawful to do so and under 
circumstances in which Federal law does not protect the provision of 
such health care, a regulated entity would be permitted to use or 
disclose PHI for a criminal, civil, or administrative investigation 
against a health care provider that provided the unlawful reproductive 
health care. However, the regulated entity would be prohibited from 
disclosing PHI for the same purpose where it determined that the 
reproductive health care was provided in a state where it was lawful to 
do so, subject to the proposed Rule of Construction, discussed below.
    Under the Constitution, an individual cannot be barred from 
traveling from one state to another to obtain reproductive health 
care.\270\ Accordingly, the Department proposes to prohibit uses and 
disclosures of PHI where it is sought for use in an investigation into 
or proceeding against a person for seeking, obtaining, providing, or 
facilitating reproductive health care outside of the state in which the 
investigation or proceeding is authorized and where such health care is 
lawful under the circumstances in which it was provided. The proposal 
is not limited to circumstances in which the health care has not yet 
been obtained, provided, or facilitated. It also includes situations 
where the health care is ongoing or has been completed. For example, 
under this proposal, a covered entity that provides lawful reproductive 
health care to an out-of-state resident generally would not be 
permitted to use or disclose PHI to law enforcement from the 
individual's home state for use in an investigation or proceeding in 
connection with the individual's receipt of or the covered entity's 
provision of that reproductive health care. In addition, a covered 
health care provider in the state of the individual's residence that 
may receive PHI concerning such reproductive health care provided out 
of state (e.g., a hospital in the home state that receives records from 
an out-of-state clinic) would be subject to the same restriction. In 
these circumstances, under the Constitution, administrative, civil, or 
criminal liability may not be imposed for the receipt or provision of 
the out-of-state care. The Department also notes that generally, states 
do not have the ability to permit or limit actors in another state from 
engaging in certain activities. For example, states determine the 
requirements for licensure of health care providers that furnish health 
care within their borders; they do not have the ability to set such 
requirements for health care providers that furnish health care 
elsewhere. Thus, it would be inconsistent to permit states to impose 
liability on health care providers who furnish health care in another 
state in accordance with the laws of that state.
---------------------------------------------------------------------------

    \270\ Dobbs, 142 S. Ct. at 2309 (Kavanaugh, J., concurring) 
(addressing whether a state can ``bar a resident of that State from 
traveling to another State to obtain an abortion? [ . . . ] [T]he 
answer is not based on the constitutional right to interstate 
travel.''); see also ``Application of the Comstock Act to the 
Mailing of Prescription Drugs That Can Be Used for Abortions,'' 
Department of Justice, 46 Op. O.L.C. __, at *19 (Dec. 23, 2022), 
https://www.justice.gov/olc/opinion/file/1560596/download.
---------------------------------------------------------------------------

    The proposed prohibition would also apply where the use or 
disclosure of PHI is sought for use in an investigation into or 
proceeding against a person where the reproductive health care is 
protected, required, or authorized by Federal law, regardless of the 
state in which such care is provided. For example, the proposed 
prohibition would prohibit the use or disclosure of PHI for use in an 
investigation into or proceeding against a covered entity that provided 
reproductive health care in a situation where EMTALA requires offering 
such health care. Additionally, the Department's proposal would 
prohibit the use or disclosure of PHI for use in an investigation into 
or proceeding against employees of the Department of Veterans Affairs 
(VA) who provide or facilitate reproductive health care in a manner 
authorized by Federal law, including VA regulations.\271\ And it would 
apply where the investigation or proceeding is against any person in 
connection with seeking, obtaining, providing, or facilitating 
reproductive health care--such as contraception--that remains protected 
by the Constitution after Dobbs.\272\ In these circumstances, Federal 
law bars the imposition of administrative, civil, or criminal liability 
on such care.
---------------------------------------------------------------------------

    \271\ See ``Intergovernmental Immunity for the Department of 
Veterans Affairs and Its Employees When Providing Certain Abortion 
Services,'' Department of Justice, 46 Op. O.L.C. __ (Sept. 21, 
2022), https://www.justice.gov/d9/2022-11/2022-09-21-va_immunity_for_abortion_services.pdf.
    \272\ See Griswold v. Connecticut, 381 U.S. 479 (1965); 
Eisenstadt v. Baird, 405 U.S. 438 (1972); Dobbs, 142 S. Ct. at 2309 
(Kavanaugh, J., concurring) (Dobbs ``does not threaten or cast doubt 
on'' the precedents providing constitutional protection for 
contraception).
---------------------------------------------------------------------------

    Finally, the prohibition would apply when the relevant criminal, 
civil, or administrative investigation or proceeding is in connection 
with any person seeking, obtaining, providing, or facilitating 
reproductive health care that is provided in the state in which the 
investigation or proceeding is authorized and that is permitted by the 
law of that state. Under this proposal, a regulated entity would not be 
permitted to use or disclose PHI in response to an investigation or 
proceeding occurring in a state where the reproductive health care is 
lawful. The proposal would also prohibit the use or disclosure of PHI 
where the health care meets the requirements of an exception to a law 
limiting the provision of reproductive health care (e.g., for pregnancy 
termination when the pregnancy is the result of rape or incest or 
because the life of the pregnant individual is endangered). It would 
also prohibit the use or disclosure of PHI where the health care 
occurred at a point in pregnancy at which such health care is permitted 
by state law. If a state has not made the relevant reproductive health 
care unlawful, it lacks a legitimate interest in conducting a criminal, 
civil, or administrative investigation or proceeding into such health 
care where the investigation is centered on the mere fact that 
reproductive health care was or is being provided.
Scope of Proposed Prohibition
    The proposed prohibition would apply to any request for PHI to 
facilitate a criminal, civil, or administrative investigation or 
proceeding against any person, or to identify any person in order to 
initiate an investigation or proceeding, where the basis for the 
investigation, proceeding, or identification is that the person sought,

[[Page 23532]]

obtained, provided, or facilitated reproductive health care that is 
lawful under the circumstances in which such health care is provided. 
As discussed above, the proposal would preempt state or other law 
requiring a regulated entity to use or disclose PHI in response to a 
court order or other type of legal process for a purpose prohibited by 
this proposed rule where the prohibition applies. It would not preempt 
laws that require use or disclosure of PHI for other purposes, 
including public health purposes.\273\ The proposal also would not 
prohibit a regulated entity from disclosing an individual's PHI to law 
enforcement where the purpose of the disclosure is to investigate a 
sexual assault committed against the individual, provided the 
attestation described later in this preamble is obtained, or where such 
health care is not lawfully obtained in the state in which it is 
provided.
---------------------------------------------------------------------------

    \273\ While this proposal does not affect reporting to a public 
health authority or other appropriate government authority 
authorized by law to receive reports of child abuse or neglect as 
permitted under 45 CFR 164.512(b)(1)(ii), the proposed definitions 
of ``person'' and ``child abuse'' would make clear that seeking, 
obtaining, providing, or facilitating the provision of an abortion, 
products related to pregnancy, or fertilized egg or embryo disposal 
would not constitute child abuse as addressed therein.
---------------------------------------------------------------------------

    The Department intends ``criminal, civil, or administrative 
investigation into or proceeding against'' to encompass any type of 
legal or administrative investigation or proceeding. This includes, but 
is not limited to, law enforcement investigations, third party 
investigations in furtherance of civil proceedings, state licensure 
proceedings, criminal prosecutions, and family law proceedings. 
Examples of criminal, civil, or administrative investigations or 
proceedings for which regulated entities would be prohibited from using 
or disclosing PHI would also include a civil suit brought by a person 
exercising a private right of action provided for under state law 
against an individual or health care provider who obtained, provided, 
or facilitated a lawful abortion, or a law enforcement investigation 
into a health care provider for lawfully providing or facilitating the 
disposal of an embryo at the direction of the individual.
    The proposal would prohibit a regulated entity from using or 
disclosing PHI for a criminal, civil, or administrative investigation 
into or proceeding against ``any person'' in connection with seeking, 
obtaining, providing, or facilitating reproductive health care that is 
lawful under the circumstances in which it is provided, or for 
identifying ``any person'' for the purpose of initiating such an 
investigation or proceeding. ``Against any person'' means, based on the 
HIPAA Rules' definition of ``person,'' \274\ that the proposed 
prohibition would not be limited to use or disclosure of PHI for use 
against the individual; rather, the prohibition would apply to the use 
or disclosure of PHI against a regulated entity, or any other person, 
including an individual or entity, who may have obtained, provided, or 
facilitated lawful reproductive health care.\275\
---------------------------------------------------------------------------

    \274\ 45 CFR 160.103 (definition of ``Person'').
    \275\ Note that in section IV.A.1., the Department proposes to 
modify the definition of ``person,'' although that proposed 
modification would not have an effect here.
---------------------------------------------------------------------------

Rule of Construction
    The Department does not intend for this proposed prohibition to 
prevent a regulated entity from using or disclosing PHI for other 
permissible purposes under the Privacy Rule where the request is not 
made primarily for the purpose of investigating or imposing liability 
on any person for the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care that is lawful under the 
circumstances in which it is provided, and proposes to clarify that 
through a Rule of Construction. In so doing, the Department clarifies 
that it does not intend for the prohibition to prevent certain uses or 
disclosures of PHI where they are permitted by other provisions of the 
Privacy Rule as discussed below.
    For example, just as an individual would be able to obtain their 
own PHI to initiate a claim against a covered health care provider for 
professional misconduct or negligence under the Privacy Rule's right of 
access,\276\ the proposed Rule of Construction would make clear that 
the proposed prohibition does not inhibit the ability of a covered 
health care provider to use or disclose that same PHI to defend 
themselves in an investigation or proceeding related to professional 
misconduct or negligence where the alleged professional misconduct or 
negligence involved reproductive health care. In such an instance, there 
would be due process concerns that could ultimately prevent the covered 
health care provider from being held liable for the professional 
misconduct or negligence. Thus, the Department proposes to limit the 
Rule of Construction to applying only in circumstances in which the 
health care provider would not be using or disclosing such PHI for the 
purpose of ``investigating or conducting a legal proceeding against a 
person,'' but rather for the purpose of defending itself against such 
an investigation or a proceeding. In addition, such an investigation or 
proceeding would not be based on the mere act of seeking, obtaining, 
providing, or facilitating reproductive health care. Instead, the 
investigation or proceeding would be based on allegations of 
professional misconduct or negligence in providing reproductive health 
care. The use or disclosure of PHI would be permitted under such 
circumstances. The Federal government could similarly use PHI (obtained 
with an attestation) to defend itself against claims brought by 
individuals where professional misconduct based on a health care 
provider's failure to meet an applicable standard of care, as described 
herein, may not be the primary focus of the claim, but where the 
provision of such care is central to the claim.
---------------------------------------------------------------------------

    \276\ 45 CFR 164.524.
---------------------------------------------------------------------------

    As discussed above, under the Rule of Applicability, the proposed 
prohibition on the use or disclosure of PHI for the purposes of a 
criminal, civil, or administrative investigation or proceeding against 
any person in connection with seeking, obtaining, providing, or 
facilitating reproductive health care, or the identification of any 
person for such investigations or proceedings, would apply only when 
such reproductive health care is provided under circumstances in which 
it is lawful to do so. When read in isolation, this would seemingly 
prevent regulated entities from using or disclosing PHI for the purpose 
of defending themselves or others against allegations that they sought, 
obtained, provided, or facilitated unlawful care. To address this 
potential misreading, the proposed Rule of Construction limits the 
proposed prohibition to circumstances in which the PHI is sought for 
the purpose of investigating or imposing liability on any person for 
the mere act of seeking, obtaining, providing, or facilitating 
reproductive health care. Thus, under the proposal, a regulated entity 
could not use or disclose PHI as part of an investigation into any 
person for allegedly seeking, obtaining, providing, or facilitating 
reproductive health care; in contrast, the regulated entity could use 
or disclose PHI to defend any person in a criminal, civil, or 
administrative proceeding where liability could be imposed on that 
person for providing such health care.
    Additionally, the proposed Rule of Construction would clarify that 
the proposed prohibition does not prohibit uses or disclosures to a 
health oversight agency for health oversight activities, such as for 
the purpose of investigating

[[Page 23533]]

whether reproductive health care was actually provided or appropriately 
billed in connection with a claim for such services.\277\ For example, 
the proposed Rule of Construction would not prohibit the use or 
disclosure of PHI where the PHI is sought to investigate or pursue 
proceedings against a person for knowingly submitting a claim for 
reproductive health care for payment to the government where the 
reproductive health care was not provided or improperly billed. In this 
case, the request would not be made primarily for the purpose of 
investigating or imposing liability on any person for the mere act of 
seeking, obtaining, providing, or facilitating reproductive health 
care; instead, the request would be primarily for the purpose of 
investigating or imposing liability on a person for, in this particular 
scenario, an alleged violation of the Federal False Claims Act or a 
state equivalent.\278\ As another example, the proposed Rule of 
Construction also would not prohibit the use or disclosure of PHI to an 
Inspector General where the PHI is sought to conduct an audit aimed at 
protecting the integrity of the Medicare or Medicaid program. The 
proposed Rule of Construction also would make clear that the proposed 
prohibition does not prevent uses or disclosures for the purpose of 
investigating alleged violations of Federal nondiscrimination laws or 
abusive conduct, such as sexual assault, that occur in connection with 
reproductive health care.
---------------------------------------------------------------------------

    \277\ See 45 CFR 164.512(d)(1)(i) through (iv) for health 
oversight activities for which the Privacy Rule permits uses and 
disclosures of PHI. The proposal would permit these uses and 
disclosures of PHI to effectuate Federal agencies' health oversight 
activities.
    \278\ 31 U.S.C. 3729-3733.
---------------------------------------------------------------------------

    The proposed Rule of Construction would also clarify that the 
proposed prohibition would not prohibit a regulated entity from 
responding to a request for relevant records in a criminal or civil 
investigation or proceeding pursuant to 18 U.S.C. 248 regarding freedom 
of access to clinic entrances. Investigations under this provision are 
conducted for the purpose of determining whether a person physically 
obstructed, intimidated, or interfered with persons providing 
``reproductive health services,'' \279\ or attempted to do so. They 
therefore do not involve investigations or proceedings against a person 
in connection with the mere act of ``seeking, obtaining, providing, or 
facilitating of reproductive health care'' under circumstances in which 
it was lawful to do so.
---------------------------------------------------------------------------

    \279\ 18 U.S.C. 248(e)(5) (definition of ``Reproductive health 
services'').
---------------------------------------------------------------------------

Disclosures Required by the Privacy Rule
    Regulated entities are expected to continue to comply with and 
disclose PHI in response to an individual's request for access to their 
own PHI,\280\ or a request from the Secretary to disclose PHI as part 
of an investigation into a regulated entity's compliance with the HIPAA 
Rules. These requirements to disclose PHI at 45 CFR 164.502(a)(2) and 
(4) are unlikely to come into conflict with the proposed prohibition 
because neither an individual's request for their own PHI nor a HIPAA 
compliance investigation is a disclosure sought primarily because a 
person sought, obtained, provided, or facilitated reproductive health 
care.
---------------------------------------------------------------------------

    \280\ Under 45 CFR 164.502(a)(2)(i), covered entities are 
primarily responsible for compliance with the Privacy Rule's 
individual right of access provisions. The Privacy Rule imposes 
narrow direct liability on business associates for compliance with 
the individual right of access at 45 CFR 164.502(a)(4)(ii). However, 
it is the Department's understanding that many covered entities 
engage business associates, such as release-of-information vendors, 
to accept and respond to such requests. For additional information 
on business associates and their obligations under the HIPAA Rules, 
visit https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/.
---------------------------------------------------------------------------

    The Department also reaffirms that an individual's right of access 
to their own PHI cannot be denied based on their intended use of the 
PHI.\281\ Thus, an individual would retain their current ability to 
obtain a copy of their own PHI in a designated record set from a 
covered entity, as well as to direct a covered entity to transmit to 
another person (which could be a law enforcement official if the 
individual so chooses) an electronic copy of their PHI in an electronic 
health record (EHR). The Department is concerned that a law enforcement 
official or other person could potentially coerce an individual into 
exercising their right of access for the purpose of circumventing the 
prohibition. However, the Department also views the right of access as 
paramount to an individual's ability to make decisions regarding their 
own health care and does not intend to impede an individual's ability 
to exercise this right. Therefore, the Department does not propose to 
modify the right of access to address this specific concern.
---------------------------------------------------------------------------

    \281\ As explained in the preamble to the 2000 Privacy Rule, 
covered entities may only deny access for the reasons specifically 
provided in the rule. 65 FR 82556.
---------------------------------------------------------------------------

3. Clarifying Personal Representative Status in the Context of 
Reproductive Health Care
Current Provision and Issues To Address
    Section 164.502(g) of the Privacy Rule contains the standard for 
personal representatives and generally requires a regulated entity to 
treat an individual's personal representative as the individual when 
consistent with state law.\282\ For example, the Privacy Rule would 
treat a legal guardian of an individual who has been declared 
incompetent by a court as the personal representative of that 
individual, if consistent with applicable law (e.g., state law).\283\ 
In this and certain other provisions, the Department seeks to maintain 
the balance between the interest of a state or others to regulate 
health and safety and protect vulnerable individuals \284\ with the 
goal of maintaining the privacy protections established in the Privacy 
Rule.\285\
---------------------------------------------------------------------------

    \282\ See 45 CFR 164.502(g)(1).
    \283\ See 45 CFR 164.502(g)(3)(i). See also ``Personal 
Representatives,'' U.S. Dep't of Health and Human Servs., Office for 
Civil Rights, https://www.hhs.gov/hipaa/for-individuals/personal-representatives/.
    \284\ See, e.g., 45 CFR 164.510(b)(3) and 164.512(j)(1)(i)(A).
    \285\ See 65 FR 82471.
---------------------------------------------------------------------------

    The Department is concerned that some regulated entities may 
interpret the Privacy Rule as providing them with the ability to refuse 
to recognize as an individual's personal representative a person who 
makes reproductive health care decisions, on behalf of the individual, 
with which the regulated entity disagrees. Under these circumstances, 
current section 502(g)(5) of the Privacy Rule could be interpreted to 
permit a regulated entity to assert that, by virtue of the personal 
representative's involvement in the reproductive health care of the 
individual, the regulated entity believes that the personal 
representative is subjecting the individual to abuse. Further, in the 
absence of clarification as proposed in this NPRM, this regulated 
entity could exercise professional judgment to decide that it is in the 
best interest of the individual not to recognize the personal 
representative's authority to make medical decisions for that 
individual.
Proposal
    To protect the balance of interests struck by the Privacy Rule, the 
Department proposes to modify 45 CFR 164.502 by adding a new paragraph 
(g)(5)(iii). Proposed 45 CFR 164.502(g)(5)(iii) would ensure that a

[[Page 23534]]

regulated entity could not deny personal representative status to a 
person, where such status would otherwise be consistent with state and 
other applicable law, primarily because that person facilitates or 
facilitated or provided reproductive health care for an individual. The 
Department believes this proposal is narrowly tailored and respects the 
interests of states and the Department by not unduly interfering with 
the ability of states to define the nature of the relationship between 
an individual and another person, including between a minor and a 
parent, upon whom the state deems it appropriate to bestow personal 
representative status. This proposal would, however, maintain the 
existing HIPAA standard by ensuring personal representative status, 
when otherwise consistent with state law, is not affected by the type 
of underlying health care sought.
4. Request for Comment
    The Department requests comment on the foregoing proposals, 
including any benefits, drawbacks, or unintended consequences. The 
Department also requests comment on the following considerations in 
particular:
    e. Whether the proposed prohibition in section IV.B.2. is 
sufficiently narrow so as to limit harmful uses or disclosures (such as 
for investigating individuals who have obtained, or health care 
providers who have provided, lawful health care primarily because they 
obtained or provided the lawful health care) and to permit beneficial 
uses or disclosures (such as for conducting investigations into health 
care fraud or audits examining general compliance with claims billing 
requirements). If not, please explain and provide examples.
    f. The effects of individuals' concerns about the potential 
disclosure of their PHI to law enforcement or others on their 
willingness to confide in their health care providers.
    g. The effects of individuals' withholding information about their 
health from their health care providers.
    h. The effects of health care providers' concerns about potential 
criminal, civil, or administrative investigations into or proceedings 
against them or their patients in connection with the provision of 
lawful reproductive health care on the completeness and accuracy of 
medical records and continuity of care.
    i. Whether it would be beneficial to further clarify or provide 
additional examples of instances in which the use or disclosure of PHI 
would be permitted under the proposal, such as examples of type of 
investigations or proceedings that are focused on health care fraud and 
for which PHI is necessary.
    j. Whether the Department should permit the use and disclosure of 
an individual's PHI for the purpose described in section IV.B.2. with a 
valid authorization from the individual.
    i. If so, please provide recommendations for how the Department 
could ensure that individuals are adequately protected from coercive 
tactics to provide such authorization. For example, should the 
Department permit such use or disclosure based on an authorization only 
if a regulated entity also obtains some form of attestation or 
assurance from the recipient of the PHI?
    ii. Whether third parties might circumvent the prohibition by 
coercing individuals to exercise their right to direct a covered entity 
to transmit to a third party an electronic copy of their PHI in an EHR. 
If so, please suggest ways the Department could address this problem 
without curtailing an individual's right of access or increasing the 
burden on regulated entities.
    k. Whether the Department should apply the proposed prohibition 
broadly to any health care, rather than limiting it to reproductive 
health care. Please explain.
    l. Whether the Department should prohibit or limit uses or 
disclosures of ``highly sensitive PHI'' for certain purposes. If so:
    i. How should the Department define ``highly sensitive PHI''? 
Please explain and provide reference materials to support any suggested 
definition.
    ii. What additional protections should ``highly sensitive PHI'' be 
accorded?
    iii. Do regulated entities have the technical ability to 
differentiate between types of PHI in their electronic record systems 
and apply special protections to a new category of ``highly sensitive 
PHI''?
    iv. What would be the estimated burden on regulated entities of 
providing additional protections for ``highly sensitive PHI''?
    m. Whether in addition to, or instead of, the proposed prohibition, 
the Department should:
    i. Require a regulated entity to obtain an individual's 
authorization for certain uses and disclosures of PHI that currently 
are permitted without an authorization.
    ii. Require a regulated entity to obtain an individual's 
authorization for any uses and disclosures of a defined category of PHI 
(e.g., ``highly sensitive PHI'').
    iii. Require a regulated entity to accept and comply with an 
individual's request for restrictions of uses and disclosures of 
``highly sensitive PHI.''
    iv. Eliminate or narrow any existing permissions to use or disclose 
``highly sensitive PHI'' (e.g., permissions to report crime on the 
premises or report crime in emergencies).
    n. What are the practices and procedures that a regulated entity 
currently uses to determine what actions they will take when faced with 
a conflict of state and Federal laws regarding uses and disclosures of 
PHI?
    o. Whether the scope of the proposed rule of applicability will be 
sufficiently clear to individuals and covered entities, and whether the 
provision should be made more specific or otherwise modified to ensure 
individuals and covered entities know when disclosures of PHI will be 
permitted.
    p. Whether the proposed Rule of Construction is sufficient, or 
whether the Rule of Construction should be expanded, narrowed, or 
otherwise modified. Please explain and provide support for this 
response.
    q. Whether the proposed clarification to personal representative 
status in the context of reproductive health care is sufficient to 
clarify that personal representatives who provide or facilitate 
reproductive health care have not committed an act of ``child abuse.'' 
Please explain and provide support for this response.

C. Section 164.509--Uses and Disclosures for Which an Attestation Is 
Required (Proposed Heading)

1. Current Provision and Issues To Address
    The Privacy Rule currently separates uses and disclosures into 
three categories: required, permitted, and prohibited. Permitted uses 
and disclosures are further subdivided into those to carry out 
treatment, payment, or health care operations; \286\ those for which an 
individual's authorization is required; \287\ those requiring an 
opportunity for the individual to agree or object; \288\ and those for 
which an authorization or opportunity to agree or object is not 
required.\289\ For an individual's authorization to be valid, the 
Privacy Rule requires that it contain certain specific information to 
ensure that an individual authorizing a regulated entity to use or 
disclose their PHI to another person knows and

[[Page 23535]]

understands to what it is they are agreeing.\290\
---------------------------------------------------------------------------

    \286\ 45 CFR 164.506.
    \287\ 45 CFR 164.508.
    \288\ 45 CFR 164.510.
    \289\ 45 CFR 164.512.
    \290\ 45 CFR 164.508(b).
---------------------------------------------------------------------------

    Pursuant to proposals in this NPRM, a regulated entity presented 
with a request for PHI that is potentially related to reproductive 
health care would need to discern whether using or disclosing PHI in 
response to the request would be prohibited by the proposed 45 CFR 
164.502(a)(5)(iii). Without a mechanism for assisting regulated 
entities in determining the purpose of a use or disclosure request from 
certain persons, the Department believes it would be difficult for 
regulated entities to distinguish between use and disclosure requests 
for permitted and prohibited purposes, potentially leading regulated 
entities to deny use or disclosure requests for permitted purposes. 
Additionally, absent an enforcement mechanism, the Department believes 
requesters of PHI could seek to use existing Privacy Rule permissions 
for purposes that would be prohibited under 45 CFR 164.502(a)(5)(iii).
2. Proposal
    To facilitate compliance with the proposed prohibition while also 
providing a pathway to disclose PHI for permitted purposes for which 
authorization is not required and an opportunity to agree or object is 
not required, the Department proposes to add a requirement to obtain an 
attestation from the person requesting the use and disclosure as a 
condition for certain permitted uses and disclosures.
    Specifically, the Department proposes to add a new section 45 CFR 
164.509: ``Uses and disclosures for which an attestation is required.'' 
This proposed condition would require a regulated entity to obtain 
assurances from the person requesting the PHI, in the form of a signed 
and dated written statement attesting that the use or disclosure would 
not be for a purpose prohibited under 45 CFR 164.502(a)(5)(iii), where 
the person is making the request under the Privacy Rule permissions at 
45 CFR 164.512(d) (disclosures for health oversight activities), (e) 
(disclosures for judicial and administrative proceedings), (f) 
(disclosures for law enforcement purposes), or (g)(1) (disclosures 
about decedents to coroners and medical examiners). This proposed 
condition would apply when the request is for PHI that is potentially 
related to reproductive health care, as defined in proposed 45 CFR 
160.103. Thus, an attestation would not be required when the person 
making the request does not seek PHI potentially related to 
reproductive health care. If, however, the request would require a 
regulated entity to disclose PHI potentially related to reproductive 
health care, a regulated entity would have to first obtain an 
attestation from the person making the request to ensure that the PHI 
would not be used or disclosed for a prohibited purpose.
    Additionally, where one of these permissions applies, the 
attestation must include a statement that the use or disclosure is not 
prohibited as described at 45 CFR 164.502(a)(5)(iii). Thus, the 
Department proposes to limit the attestation requirement to the Privacy 
Rule provisions that have the greatest potential to result in use or 
disclosure of an individual's PHI for a criminal, civil, or 
administrative investigation into, or proceeding against, any person for 
seeking, obtaining, providing, or facilitating reproductive health care 
or to identify any person for the purpose of initiating such an 
investigation or proceeding.
    The attestation proposal is intended both to ensure that the 
existing Privacy Rule permissions could not be used to circumvent the 
new proposed prohibition at 45 CFR 164.502(a)(5)(iii) and to continue 
permitting essential disclosures. The proposed attestation requirement 
also would limit the additional burden on the regulated entity 
receiving requests for such uses and disclosures by providing a 
standard mechanism by which the regulated entity would ascertain 
whether a requested use or disclosure would be prohibited under the 
proposal.
    The Department's attestation proposal is modeled after the 
authorization requirement at 45 CFR 164.508.\291\ Modeling the proposed 
attestation provision after the authorization provision would ensure 
that a person requesting the PHI provides a regulated entity with the 
information needed to ascertain whether the request is for a prohibited 
purpose because the proposed attestation requirement would require the 
person requesting the disclosure to confirm the types of PHI that they 
are requesting; to clearly identify the name of the individual whose 
PHI is being requested, if practicable, or if not practicable, the 
class of individuals whose PHI is being requested, and to confirm, in 
writing, that the use or disclosure is not for a purpose prohibited 
under 45 CFR 164.502(a)(5)(iii). For purposes of the ``class of 
individuals'' described in 45 CFR 164.509(c)(1)(i)(B), the requesting 
entity may describe such a class in general terms--for example, as all 
individuals who were treated by a certain health care provider or for 
whom a certain health care provider submitted claims, all individuals 
who received a certain procedure, or all individuals with given health 
insurance coverage. Similar to the authorization provision, the 
proposed attestation provision would also include the general 
requirements for a valid attestation, and defects of an invalid 
attestation. The provision would also include the attestation's content 
requirements and would apply to both uses and disclosures for the 
specified purposes.\292\ In addition, the attestation must be written 
in plain language.\293\
---------------------------------------------------------------------------

    \291\ Section 164.508 of title 45 CFR details the general rules 
for authorizations, such as the rules specific to types of PHI or 
purposes for disclosure, compound authorizations, the elements 
required for a valid authorization, and how authorizations may be 
revoked.
    \292\ Pursuant to 45 CFR 164.530(j), regulated entities would be 
required to maintain a written or electronic copy of the 
attestation.
    \293\ The Federal plain language guidelines under the Plain 
Writing Act of 2010 only apply to Federal agencies, but they serve 
as a helpful resource. See .
---------------------------------------------------------------------------

    The proposed attestation provision would also include a prohibition 
on compound attestations. Specifically, the proposal would prohibit the 
attestation from being ``combined with'' any other document. The 
Department intends this prohibition to mean that an attestation must be 
clearly labeled and distinct from any surrounding text. For example, an 
attestation would not be impermissibly ``combined with'' a subpoena if 
it is attached to it, provided that the attestation is clearly labeled 
as such. As another example, an electronic attestation would not be 
impermissibly ``combined with'' another document where the attestation 
is on the same screen as the other document, provided that the 
attestation is clearly and distinctly labeled as such.
    Further, the attestation proposal would explicitly permit the 
attestation document to be in electronic format, as well as 
electronically signed by the person requesting the disclosure.\294\ At 
this time, the Department declines to propose mandating a specific 
electronic format for the attestation. The attestation would be 
facially valid when the document meets the required elements of the 
attestation proposal and includes an electronic signature that is valid 
under applicable Federal and state law.\295\
---------------------------------------------------------------------------

    \294\ Proposed 45 CFR 164.509(b)(1)(iv) and (c)(1)(v).
    \295\ While not explicitly stated in the Privacy Rule, the 
Department previously issued guidance clarifying that authorizations 
are permitted to be submitted and signed electronically. See HIPAA 
FAQ #475, and HIPAA FAQ #554, https://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/.

---------------------------------------------------------------------------

[[Page 23536]]

    Unlike the authorization provision, the proposed attestation would 
be limited to the specific use or disclosure. Generally, when a 
regulated entity receives a valid authorization, it may continue to 
use or disclose PHI to such requestor pursuant to that authorization 
after the initial disclosure, provided that such subsequent uses and 
disclosures are valid and related to that authorization. Under the 
proposal, the Department anticipates that each use or disclosure 
request would require a new attestation.
    The Department is explicitly declining to propose a new exception 
to the minimum necessary standard for uses and disclosures made 
pursuant to an attestation under 45 CFR 164.509.\296\ Thus, a regulated 
entity would have to limit a use or disclosure to the minimum necessary 
when provided in response to a request that would be subject to the 
proposed attestation requirement. Where the person requesting the PHI 
is also a regulated entity, that person would also need to make 
reasonable efforts to limit their request to the minimum necessary to 
accomplish the intended purpose of the use, disclosure, or 
request.\297\
---------------------------------------------------------------------------

    \296\ See 45 CFR 164.502(b). The minimum necessary standard of 
the Privacy Rule applies to all uses and disclosures where a request 
does not meet one of the specified exceptions in paragraph (b)(2).
    \297\ 45 CFR 164.502(b)(1).
---------------------------------------------------------------------------

    The Department does not propose to require a regulated entity to 
investigate the validity of an attestation provided by a person 
requesting a use or disclosure of PHI; rather, a regulated entity would 
be able to rely on the attestation provided that it is objectively 
reasonable under the circumstances for the regulated entity to believe 
the statement required by 45 CFR 164.509(c)(1)(iv) that the requested 
disclosure of PHI is not for a purpose prohibited by 45 CFR 
164.502(a)(5)(iii).\298\ If such reliance is not objectively 
reasonable, then the regulated entity may not rely on the attestation. 
Under the proposal, it would not be objectively reasonable for a 
regulated entity to rely on a requester's representation as to whether 
the reproductive health care was provided under circumstances in which 
it was lawful to provide such care. This is because the regulated 
entity, and not the requester, has the information about the provision 
of such care that is necessary to make this determination. Therefore, 
this determination would need to be made by the regulated entity prior 
to using or disclosing PHI in response to a request for a use or 
disclosure of PHI that would require an attestation under the proposal.
---------------------------------------------------------------------------

    \298\ This approach is consistent with 45 CFR 
164.514(h)(2)(iii), which permits a covered entity to rely on 
certain statements or requests to meet the requirement to verify the 
legal authority of a public official or a person acting on behalf of 
the public official if such reliance is reasonable under the 
circumstances.
---------------------------------------------------------------------------

    The proposed attestation also would require a regulated entity to 
cease use or disclosure of PHI if the regulated entity developed reason 
to believe, during the course of the use or disclosure, that the 
representations contained within the attestation were materially false, 
leading to uses or disclosures for a prohibited purpose.\299\ The 
Department notes that pursuant to HIPAA, a person who knowingly and in 
violation of the Administrative Simplification provisions obtains or 
discloses IIHI relating to another individual or discloses IIHI to 
another person would be subject to criminal liability.\300\ Thus, a 
requester who knowingly falsifies an attestation (e.g., makes material 
misrepresentations as to the intended uses of the PHI requested) to 
obtain (or cause to be disclosed) an individual's IIHI would be in 
violation of HIPAA and could be subject to criminal penalties as 
outlined in the statute.\301\ Additionally, the Department notes that a 
disclosure made based on an attestation that contains material 
misrepresentations after the regulated entity becomes aware of such 
misrepresentations would constitute an impermissible disclosure, which 
may require notifications of a breach to the individual, the Secretary, 
and in some cases, the media.\302\
---------------------------------------------------------------------------

    \299\ Proposed 45 CFR 164.509(d).
    \300\ See 42 U.S.C. 1320d-6(a).
    \301\ See 42 U.S.C. 1320d-6(b).
    \302\ 45 CFR 164.400 et seq. The HIPAA Breach Notification Rule, 
45 CFR 164.400-414, requires HIPAA covered entities and their 
business associates to provide notification following a breach of 
unsecured PHI.
---------------------------------------------------------------------------

    The proposed attestation does not replace the requirements of the 
Privacy Rule's permissions for a regulated entity to disclose PHI in 
response to a subpoena, discovery request, or other lawful process 
\303\ or administrative request; \304\ instead, it is designed to work 
with these permissions and their requirements. Under this proposal, for 
PHI to be disclosed pursuant to 45 CFR 164.512(e)(1)(ii) and 
(f)(1)(ii)(C), a regulated entity would need to verify that the 
requirements of each provision are met and also satisfy the 
requirements of the new attestation provision under the proposed 45 CFR 
164.509. In addition, the requirements of 45 CFR 164.528, the right to 
an accounting of disclosures of PHI made by a covered entity, would not 
be affected by the proposed attestation. Therefore, disclosures made 
pursuant to a permission under 45 CFR 164.512(d), (e), (f), or (g) must 
be included in the accounting, including when they are made pursuant to 
an attestation.\305\
---------------------------------------------------------------------------

    \303\ 45 CFR 164.512(e)(1)(ii).
    \304\ 45 CFR 164.512(f)(1)(ii)(C).
    \305\ See also 45 CFR 164.528(a)(2) regarding when the covered 
entity must temporarily suspend an individual's right to receive an 
accounting of disclosures to a health oversight agency or law 
enforcement official.
---------------------------------------------------------------------------

    To reduce the burden on regulated entities implementing this 
proposed attestation, the Department is considering developing a model 
attestation that a regulated entity may use when developing its own 
attestation templates. The Department does not anticipate requiring 
regulated entities to use the model attestation at this time, thereby 
leaving a regulated entity free to draft an attestation that meets the 
specific needs of their organization. However, we do note that under 
the proposal, an attestation would be defective if it contained 
anything beyond the elements and statements required by paragraph 
(c)(1) of Sec.  164.509.
3. Request for Comment
    The Department requests comment on the foregoing proposals, 
including any benefits, drawbacks, or unintended consequences. The 
Department also requests comment on the following considerations in 
particular:
    r. Whether the proposed attestation requirement in section IV.C. 
would address all relevant types of permitted uses and disclosures 
under the Privacy Rule. That is, should the proposed requirement apply 
as a condition of any additional permitted uses and disclosures that 
could be used to request uses and disclosures of PHI for a prohibited 
purpose?
    i. Conversely, would the proposed requirement be overinclusive, 
placing unreasonable barriers to disclosures for beneficial purposes 
such that the Department should narrow the scope of the proposed 
requirement?
    ii. The Department requests comment on specific examples of 
unreasonable barriers and recommended alternatives.
    s. Whether requesters of PHI should be required to name the 
individuals whose PHI they are requesting, or if describing a class of 
individuals whose PHI is requested is sufficient. Please explain how 
the Department can further protect the privacy of individuals from 
requests for large amounts of PHI ostensibly sought for a non-
prohibited

[[Page 23537]]

purpose if requesters of PHI are permitted to describe a class of 
individuals whose PHI is requested.
    t. How the Department should interpret the terms ``practicable'' 
and ``class of individuals.''
    u. Whether a model attestation would be useful for regulated 
entities.
    i. If so, what other information should be included within such 
model attestation to improve regulated entities' understanding of the 
proposed attestation requirements, if adopted?
    ii. What should be the format of a model attestation?
    v. Whether the Department should require a particular attestation 
format, rather than providing a model attestation.
    w. How the Department should interpret ``combined with'' at 
proposed 45 CFR 164.509(b)(3) with respect to both paper and electronic 
attestations to minimize the burden on regulated entities of 
understanding and responding to requests that require an attestation.
    x. Whether the Department should consider permitting the 
attestation to be combined with other types of documents.
    i. If so, which types of documents should regulated entities be 
permitted to combine with the attestation?
    ii. What potential negative impacts could this have on the clarity 
of the attestation?
    y. Whether the Department should require the attestation to include 
a signed declaration made under penalty of perjury that the requester 
is not making the request for a purpose prohibited by this proposal and 
any ramifications, positive or negative, of such a requirement.
    z. Whether there are any other elements that should be included 
within the proposed attestation that are not currently listed.
    aa. Whether the Department should consider it a material 
misrepresentation if a person who signs an attestation does not have an 
objectively reasonable basis to suspect that the reproductive health 
care was provided under circumstances in which it was unlawful. If so, 
what should the Department consider a reasonable basis for suspicion?
    bb. How the proposed attestation requirement would affect a 
regulated entity's process for responding to regular or routine 
requests from certain requestors, such as government agencies that 
request PHI for purposes of health oversight activities. For such 
requests, what information should such requestors provide to reduce 
regulated entities' compliance burden associated with the proposed 
attestation requirements?
    cc. Whether there is alternative documentation that a requestor 
could provide, instead of an attestation, to assist a regulated entity 
in complying with 45 CFR 164.502(a)(5)(iii). For example, would a 
notice from a health oversight agency that identifies the objective of 
an audit, information sought, and the requesting agency provide 
sufficient information to assure the regulated entity that the audit is 
not subject to the prohibition at proposed 45 CFR 164.502(a)(5)(iii)? 
Please provide examples of documentation that may be helpful.

D. Section 164.512--Uses and Disclosures for Which an Authorization or 
Opportunity To Agree or Object Is Not Required

1. Applying the Proposed Prohibition and Attestation Requirement to 
Certain Permitted Uses and Disclosures
Current Provision and Issues To Address
    Section 164.512 of the Privacy Rule contains the standards for uses 
and disclosures for which an authorization or opportunity to agree or 
object is not required. Many of the uses and disclosures addressed by 
45 CFR 164.512 relate to government or administrative functions,\306\ 
or as described in the 2000 Privacy Rule preamble, ``national priority 
purposes.'' \307\ These permissions for uses and disclosures were not 
required by HIPAA but instead represented the Secretary's previous 
balancing of the privacy interests and expectations of individuals and 
the interests of communities in making certain information available 
for community purposes, such as for certain public health, health care 
oversight, and research purposes.\308\ As discussed previously, the 
regulations implementing HIPAA have sought to ensure that individuals 
do not forgo health care when needed--or withhold important information 
from their health care providers that may affect the quality of health 
care they receive--out of a fear that their sensitive information would 
be revealed outside of their relationships with their health care 
providers.
---------------------------------------------------------------------------

    \306\ See, e.g., 45 CFR 164.512(a), Uses and disclosures 
required by law; 45 CFR 164.512(b), Uses and disclosures for public 
health activities; 45 CFR 164.512(c), Disclosures about victims of 
abuse, neglect or domestic violence; 45 CFR 164.512(d) Uses and 
disclosures for health oversight activities; 45 CFR 164.512(e), 
Disclosures for judicial and administrative proceedings; 45 CFR 
164.512(f), Disclosures for law enforcement purposes; 45 CFR 
164.512(g) Uses and disclosures about decedents; 45 CFR 164.512(h), 
Uses and disclosures for cadaveric organ, eye or tissue donation 
purposes; 45 CFR 164.512(i), Uses and disclosures for research 
purposes; 45 CFR 164.512(j), Uses and disclosures to avert a serious 
threat to health or safety; 45 CFR 164.512(k), Uses and disclosures 
for specialized government functions; and 45 CFR 164.512(l), 
Disclosures for workers' compensation.
    \307\ 65 FR 82524.
    \308\ See 65 FR 82471.
---------------------------------------------------------------------------

    The changes proposed in this NPRM attempt to address the need to 
ensure that PHI continues to be used and disclosed only in a manner 
consistent with the standard established in the Privacy Rule, given 
recent developments in Federal and state law that may undermine the 
privacy protections for PHI.
    As discussed above, the proposed 45 CFR 164.502(a)(5)(iii) may 
prohibit uses and disclosures of PHI in some circumstances that are 
currently permitted. To clarify that this proposal is inclusive of 
purposes currently permitted under 45 CFR 164.512, the Department 
believes it is necessary to modify the general rule for such permitted 
uses and disclosures. In addition, the Department believes it is 
necessary to modify the general rule to reflect the new condition that 
would be imposed upon certain uses and disclosures permitted under 45 
CFR 164.512 through the proposed attestation requirement at 45 CFR 
164.509.
Proposal
    The Department proposes to modify the introductory text of 45 CFR 
164.512 by citing the proposed prohibition at the beginning of the 
first sentence and conditioning certain disclosures on the receipt of 
the attestation proposed at 45 CFR 164.509. The proposed modification 
would add the clause ``Except as provided by 45 CFR 164.502(a)(5)(iii), 
[ . . . ]'' and ``and 45 CFR 164.509'' to ``subject to the applicable 
requirements of this section.''
    As discussed above, the proposed change would create a new 
requirement to obtain an attestation from the person requesting the use 
and disclosure of PHI potentially related to reproductive health care 
as a condition for certain types of permitted uses and disclosures of 
PHI. For example, the Privacy Rule currently permits uses and 
disclosures for health care oversight,\309\ judicial and administrative 
proceedings,\310\ law enforcement purposes,\311\ and coroners and 
medical examiners,\312\ provided specified conditions are met. If 
paragraph (a)(5)(iii) of 45 CFR 164.502

[[Page 23538]]

is finalized, uses and disclosures of PHI for these purposes would be 
subject to an additional condition; that is, such uses and disclosures 
would be prohibited unless a regulated entity first obtained an 
attestation from the person requesting the use and disclosure under 
proposed 45 CFR 164.509.
---------------------------------------------------------------------------

    \309\ 45 CFR 164.512(d).
    \310\ 45 CFR 164.512(e).
    \311\ 45 CFR 164.512(f).
    \312\ 45 CFR 164.512(g)(1).
---------------------------------------------------------------------------

    The Department assumes that there would be instances in which a 
state or other law requires a regulated entity to use or disclose PHI 
for health care oversight, judicial and administrative proceedings, law 
enforcement purposes, or coroners and medical examiners for a purpose 
not related to one of the prohibited purposes in proposed 45 CFR 
164.502(a)(5)(iii). The Department believes that a regulated entity 
would be able to comply with such laws, as well as the proposed 
attestation requirement if the PHI is potentially related to 
reproductive health care. For example, a regulated entity may continue 
to disclose PHI without an authorization to a state medical board, a 
prosecutor, or a coroner, in accordance with the Privacy Rule, when the 
request is for PHI that is not potentially related to reproductive 
health care, or when the request is accompanied by the required attestation. As a result, a 
regulated entity may continue to assist the state in carrying out its 
health care oversight, judicial and administrative functions, law 
enforcement, and coroner duties with the use or disclosure of PHI that 
is potentially related to reproductive health care once a facially 
valid attestation has been provided to the regulated entity from whom 
PHI is sought, except in matters involving restrictions on seeking, 
obtaining, providing, or facilitating reproductive health care. In such 
cases, the state would need to obtain information about an individual's 
reproductive health or reproductive health care received by the 
individual from an entity not regulated under the Privacy Rule. As a 
reminder, the Privacy Rule only applies to PHI, which is IIHI that is 
maintained or transmitted by, for, or on behalf of a covered entity. 
Thus, it does not apply to individuals' health information when it is 
in the possession of a person that is not a covered entity or business 
associate, such as a friend, family member, or is stored on a personal 
cellular telephone or tablet.\313\
---------------------------------------------------------------------------

    \313\ See Guidance on ``Protecting the Privacy and Security of 
Your Health Information When Using Your Personal Cell Phone or 
Tablet,'' U.S. Dep't of Health and Human Servs. (June 29, 2022), 
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/.
---------------------------------------------------------------------------

    Additionally, for clarity, the Department proposes to change the 
word ``orally'' at the end of the introductory paragraph to 
``verbally.'' No substantive change is intended.
2. Making a Technical Correction to the Heading of 45 CFR 164.512(c) 
and Clarifying That Providing or Facilitating Reproductive Health Care 
Is Not Abuse, Neglect, or Domestic Violence
Current Provisions and Issues to Address
    Paragraph (c) of 45 CFR 164.512 permits disclosures of PHI about 
victims of abuse, neglect, or domestic violence under specified 
conditions. While the regulatory text includes the serial comma, 
clearly indicating that the provision addresses victims of three 
different types of crimes, the standard heading is less clear.
    This section permits a regulated entity to disclose an individual's 
PHI under certain conditions to an authorized government agency where 
the regulated entity reasonably believes the individual to be a victim 
of abuse, neglect, or domestic violence. The Department is concerned 
that recent state actions may lead regulated entities to think that 
they are permitted to make such disclosures of PHI when they believe 
that persons who provide or facilitate access to reproductive health 
care are perpetrators of such crimes. Thus, the Department believes it 
is necessary to clarify that providing or facilitating access to 
appropriate reproductive health care is not abuse, neglect, or domestic 
violence.
Proposals
    For grammatical clarity, the Department proposes to add the serial 
comma after the word ``neglect'' in the heading of the standard 
contained at 45 CFR 164.512(c), so it would read ``Standard: 
Disclosures about victims of abuse, neglect, or domestic violence.''
    The Department also proposes to add a new paragraph (c)(3) to 45 
CFR 164.512(c), with the heading ``Rules of construction,'' that would 
read, ``Nothing in this section shall be construed to permit uses or 
disclosures prohibited by Sec.  164.502(a)(5)(iii).'' This new 
paragraph would clarify that the permission to use or disclose PHI in 
reports of abuse, neglect, or domestic violence does not permit uses or 
disclosures based primarily on the provision or facilitation of 
reproductive health care to the individual. The proposed provision is 
intended to safeguard the privacy of individuals' PHI against claims 
that uses and disclosures of that PHI are warranted because the 
provision or facilitation of reproductive health care, in and of 
itself, may constitute abuse, neglect, or domestic violence. Similar to 
the discussion above in section IV.D.1, the Department also does not 
intend for this proposal to obstruct oversight related to professional 
conduct or similar legal proceedings for which PHI related to 
reproductive health care is needed.
3. Clarifying the Permission for Disclosures Based on Administrative 
Processes
Current Provision and Issues To Address
    Under 45 CFR 164.512(f)(1), a regulated entity may disclose PHI 
pursuant to an administrative request, provided that: (1) the 
information sought is relevant and material to a legitimate law 
enforcement inquiry; (2) the request is specific and limited in scope 
to the extent reasonably practicable in light of the purpose for which 
the information is sought; and (3) de-identified information could not 
reasonably be used.\314\ Examples of administrative requests include 
administrative subpoena or summons, a civil or an authorized 
investigative demand, or similar process authorized under law.\315\ The 
examples of administrative requests provided in the existing regulatory 
text include only those requests that are enforceable in a court of 
law, and the catchall ``or similar process authorized by law'' 
similarly is intended to include only requests that, by law, require a 
response. This interpretation is consistent with the Privacy Rule's 
definition of ``required by law,'' which enumerates these and other 
examples of administrative requests that constitute ``a mandate 
contained in law that compels an entity to make a use or disclosure of 
protected health information and that is enforceable in a court of 
law.'' \316\ However, the Department has become aware that some 
regulated entities may be interpreting this provision in a manner that 
is inconsistent with the Department's intent. Therefore, the Department 
is taking this opportunity to clarify the types of administrative 
processes that this provision was intended to address.
---------------------------------------------------------------------------

    \314\ 45 CFR 164.512(f)(1)(ii)(C).
    \315\ Id.
    \316\ See 45 CFR 164.103. The Privacy Rule's definition of 
``Required by law'' includes administrative requests and lists the 
examples of processes that are enumerated under 45 CFR 
164.512(f)(1)(ii)(C).
---------------------------------------------------------------------------

Proposal
    Specifically, the Department proposes to insert language to clarify 
that the administrative processes that give rise to a permitted 
disclosure include only those that, by law, require a regulated

[[Page 23539]]

entity to respond. Accordingly, the proposal would specify that PHI may 
be disclosed pursuant to an administrative request ``for which a 
response is required by law.'' This is not intended to be a substantive 
change, as the proposal is consistent with preamble discussion on this 
topic in the 2000 Privacy Rule.\317\
---------------------------------------------------------------------------

    \317\ See 65 FR 82531.
---------------------------------------------------------------------------

4. Request for Comment
    The Department requests comment on the foregoing proposals, 
including any benefits, drawbacks, or unintended consequences. The 
Department also requests comment on the following considerations in 
particular:
    dd. The way in which regulated entities currently receive and 
address requests for PHI when requested pursuant to the Privacy Rule 
permissions at 45 CFR 164.512(d) (uses and disclosures for health 
oversight activities), (e) (disclosures for judicial and administrative 
proceedings), (f) (disclosures for law enforcement purposes), or (g)(1) 
(uses and disclosures about decedents to coroners and medical 
examiners). Specifically:
    i. How are such requests currently submitted (e.g., hard copy 
letter, electronically via email, an online form)?
    ii. For requests under 45 CFR 164.512(e)(1)(ii) and (f)(1)(ii)(C):
    i. When using or disclosing information after receiving the 
required assurances,\318\ does the entity choose to obtain assurances 
for every subsequent related request, or does the entity continue to 
disclose PHI to such entity after receiving the initial assurance, 
provided that subsequent requests are related to the initial request in 
which the initial assurance was received?
---------------------------------------------------------------------------

    \318\ See 45 CFR 164.512(e)(1)(iii) and (f)(1)(ii)(C).
---------------------------------------------------------------------------

    ii. How do regulated entities accept assurances (e.g., hard copy 
letter, electronically via email, uploading to an online portal)?
    ee. Examples, if any, of uses or disclosures of PHI that are 
required by law and are not for prohibited purposes but may no longer 
be permitted under this proposal.
    ff. The effect expanding the scope of the proposed prohibition to 
include any health care would have on the proposed attestation 
requirement and the ability of regulated entities to implement it.
    gg. Whether the phrase ``based primarily'' is sufficient to clarify 
that the proposed rule of construction is only intended to address 
situations where the purpose is to investigate or impose liability 
because reproductive health care was provided, rather than, for 
example, the quality of the health care provided or whether claims 
submitted for that health care were appropriate.
    hh. Whether there are disclosures currently made under Federal 
agencies' interpretations of the Privacy Act that would not be 
permitted under the proposal. If so, what would they be, and should the 
Department permit them?

E. Section 164.520--Notice of Privacy Practices for Protected Health 
Information

1. Current Provision and Issues To Address
    The Privacy Rule generally requires that a covered entity provide 
individuals with an NPP to ensure that they understand how a covered 
entity may use and disclose their PHI, as well as their rights and the 
covered entity's legal duties with respect to PHI.\319\ Section 
164.520(b)(1)(ii) of the Privacy Rule describes the required contents 
of the NPP, including descriptions of the types of permitted uses and 
disclosures of their PHI. It does not, however, currently require a 
covered entity to provide information about prohibited uses and 
disclosures of PHI. The Department is concerned that the current NPP 
requirements might not provide individuals with adequate assurances 
that a revised Privacy Rule would prohibit the use or disclosure of 
their PHI in certain circumstances. Without such assurances, the 
Department is concerned that individuals may avoid accessing crucial 
health care.
---------------------------------------------------------------------------

    \319\ 45 CFR 164.520. Unlike many provisions of the Privacy 
Rule, 45 CFR 164.520 applies only to covered entities, as opposed to 
both covered entities and their business associates.
---------------------------------------------------------------------------

2. Proposal
    The Department proposes to modify 45 CFR 164.520(b)(1)(ii) to 
require that a covered entity add two types of uses and disclosures to 
those already described in the NPP, putting individuals on notice about 
how their PHI may or may not be used. Specifically, the Department 
proposes at 45 CFR 164.520(b)(1)(ii)(F) to add to the NPP's list of 
required elements two that address the proposed use and disclosure 
prohibition at 45 CFR 164.502(a)(5)(iii). Under this proposal, a 
covered entity must separately describe each type of use or disclosure 
prohibited by 45 CFR 164.502(a)(5)(iii) and must do so in sufficient 
detail for an individual to understand this prohibition and the 
proposed attestation requirement.
    By modifying the NPP, a covered entity would continue to provide an 
individual with information the individual needs to make decisions 
about their health care, as well as information about how the covered 
entity will treat PHI the individual chooses to disclose to the covered 
entity, and about how to exercise their rights of access \320\ and to 
request restrictions.\321\ The modification would also enable the 
covered entity to provide the individual with reassurance about their 
privacy rights and their ability to discuss their reproductive health 
and related care with any health care provider without fear of harm 
because it would inform an individual that their PHI may not be used or 
disclosed for the purposes the Department proposes to prohibit.
---------------------------------------------------------------------------

    \320\ With certain exceptions, an individual has a right of 
access to inspect and obtain a copy of PHI about the individual in a 
designated record set for as long as the PHI is maintained in the 
designated record set. See 45 CFR 164.524.
    \321\ A covered entity must permit an individual to request that 
the covered entity restrict uses or disclosures of PHI for certain 
purposes. While the covered entity is not required to agree to the 
restriction, they may not use or disclose PHI if they agree to do 
so, except in limited circumstances. Additionally, a covered health 
care provider must permit an individual to request and must 
accommodate a reasonable request by an individual to receive 
communications of PHI from the covered entity by alternative means 
or at alternative locations. A health plan must do the same in 
certain circumstances. See 45 CFR 164.522.
---------------------------------------------------------------------------

3. Request for Comment
    The Department requests comment on the foregoing proposals, 
including any benefits, drawbacks, or unintended consequences. The 
Department also requests comment on the following considerations in 
particular:
    ii. Whether it would benefit individuals for the Department to 
require that covered entities include a statement in the NPP explaining 
that when PHI is disclosed for a permitted purpose to an entity other 
than a covered entity (e.g., disclosed to a non-covered health care 
provider for treatment purposes), the recipient of the PHI would not be 
bound by the proposed prohibition because the Privacy Rule would no 
longer apply.

V. Executive Order 12866 and Related Executive Orders on Regulatory 
Review

A. Regulatory Impact Analysis

    The Department of Health and Human Services (HHS or Department) has 
examined the effects of the proposed rule under Executive Order (E.O.) 
12866, Regulatory Planning and Review,\322\ E.O. 13563, Improving 
Regulation and Regulatory Review,\323\

[[Page 23540]]

the Regulatory Flexibility Act \324\ (RFA), and the Unfunded Mandates 
Reform Act of 1995 \325\ (UMRA). E.O.s 12866 and 13563 direct the 
Department to assess all costs and benefits of available regulatory 
alternatives and, when regulation is necessary, to select regulatory 
approaches that maximize net benefits (including potential economic, 
environmental, public health and safety, and other advantages; 
distributive effects; and equity). This proposed rule is significant 
under section 3(f)(1) of E.O. 12866.
---------------------------------------------------------------------------

    \322\ 58 FR 51735 (Oct. 4, 1993).
    \323\ 76 FR 3821 (Jan. 21, 2011).
    \324\ Public Law 96-354, 94 Stat. 1164 (codified at 5 U.S.C. 
601-612).
    \325\ Public Law 104-4, 109 Stat. 48 (codified at 2 U.S.C. 1501).
---------------------------------------------------------------------------

    The RFA requires us to analyze regulatory options that would 
minimize any significant effect of a rule on small entities. As 
discussed in greater detail below, this analysis concludes, and the 
Secretary proposes to certify, that the proposed rule, if finalized, 
would not result in a significant economic effect on a substantial 
number of small entities.
    The UMRA (section 202(a)) generally requires us to prepare a 
written statement, which includes an assessment of anticipated costs 
and benefits, before proposing ``any rule that includes any Federal 
mandate that may result in the expenditure by State, local, and tribal 
governments, in the aggregate, or by the private sector, of 
$100,000,000 or more (adjusted annually for inflation) in any one 
year.'' The current threshold after adjustment for inflation is $165 
million, using the most current (2021) Implicit Price Deflator for the 
Gross Domestic Product. UMRA does not address the total cost of a rule. 
Rather, it focuses on certain categories of cost, mainly Federal 
mandate costs resulting from imposing enforceable duties on state, 
local, or Tribal governments, or on the private sector; or increasing 
the stringency of conditions in, or decreasing the funding of, state, 
local, or Tribal governments under entitlement programs. This proposed 
rule would impose mandates that would result in the expenditure by 
state, local, and Tribal governments, in the aggregate, or by the 
private sector, of more than $165 million in any one year. The impact 
analysis in this proposed rule addresses those impacts both 
qualitatively and quantitatively. In general, each regulated entity, 
including government entities such as state Medicaid agencies that meet 
the definition of covered entity, would be required to ensure it adopts 
new policies and procedures for handling requests for PHI for which an 
attestation is required and train its workforce members on the new 
requirements. Additionally, although the Department has not quantified 
the costs, state, local, and Tribal investigative agencies would need 
to analyze requests that they initiate for PHI and provide regulated 
entities with an attestation that the request is not for a prohibited 
purpose where the request is for PHI that is potentially related to 
reproductive health care. One-time costs for all regulated entities to 
make these policy changes would result in costs over the UMRA threshold 
in one year. The Department has initially estimated that ongoing 
expenses for the new attestation requirement would not rise 
significantly; however, it seeks additional data to inform its 
estimates. Although Medicaid has funds available for states for certain 
administrative costs, these are limited to costs specific to operating 
the Medicaid program. There are no Federal funds directed at HIPAA 
compliance activities.
    The Summary of Major Proposals and Need for Rulemaking sections at 
the beginning of this preamble contain a summary of this proposed rule 
and describe the reasons it is needed. The Department presents a 
detailed analysis below.
1. Summary of Costs and Benefits
    The Department has identified six general categories of 
quantifiable costs arising from these proposals: (1) creating an 
attestation form and handling requests for disclosures for which an 
attestation is required; (2) revising business associate agreements; 
(3) updating the Notice of Privacy Practices (NPP) and posting it 
online; (4) developing new or modified policies and procedures; (5) 
revising training programs for workforce members; and (6) requesting an 
exception from preemption of state law. The first five categories apply 
primarily to covered entities such as health care providers and health 
plans, while the sixth category applies to states and other interested 
persons.
    The Department estimates that the first-year costs attributable to 
the proposed rule would total approximately $612 million. These costs 
are associated with covered entities creating an attestation form and 
responding to requests for protected health information (PHI) that may 
require an attestation; revising business associate agreements; 
revising policies and procedures; updating, posting, and mailing the 
NPP; and revising training programs for workforce members, and with 
states or other persons requesting exceptions from preemption. These 
costs also include increased estimates for wages, postage, and the 
number of NPPs distributed by health plans. For years two through five, 
estimated annual costs of approximately $68 million are attributable to 
ongoing costs related to the proposed attestation requirement. Table 1 
reports the present value and annualized estimates of the costs of the 
proposed rule covering a 5-year time horizon. Using a 7% discount rate, 
the Department estimates the proposed rule would result in annualized 
costs of $192 million; and using a 3% discount rate, these annualized 
costs are $183 million.

                        Table 1--Accounting Table, Costs of the Proposed Rule, $ Millions
----------------------------------------------------------------------------------------------------------------
                                            Primary                                                   Period
                 Costs                     estimate      Year dollars         Discount rate           covered
----------------------------------------------------------------------------------------------------------------
Present Value.........................          $883.4            2021  Undiscounted............       2023-2027
Present Value.........................           786.8            2021  7%......................       2023-2027
Present Value.........................           839.1            2021  3%......................       2023-2027
Annualized............................           191.9            2021  7%......................       2023-2027
Annualized............................           183.2            2021  3%......................       2023-2027
----------------------------------------------------------------------------------------------------------------

    The proposed changes to the Privacy Rule would likely result in 
important benefits that the Department is unable to fully quantify at 
this time. As explained further below, unquantified benefits include 
improved trust between individuals and health care providers; enhanced 
privacy and improved access to reproductive health care and 
information, which may prevent increases in maternal mortality and 
morbidity; increased accuracy and
completeness in patient medical records, which may prevent poor health 
outcomes; enhanced support for victims of rape, incest, and sex 
trafficking; and maintenance of family economic stability. 
Additionally, the Department believes that allowing regulated entities 
to accept an attestation from a requester of PHI that is potentially 
related to reproductive health care will reduce potential liability for 
regulated entities by providing some assurance that the requested 
disclosure is not prohibited.

   Table 2--Potential Non-Quantified Benefits for Covered Entities and
                               Individuals
------------------------------------------------------------------------
                                Benefits
-------------------------------------------------------------------------
Improve access to complete information about lawful reproductive health
 care options for individuals who are pregnant or considering a
 pregnancy (i.e., health literacy).
Maintain or reduce levels of maternal mortality and morbidity by
 ensuring that individuals and their clinicians can freely communicate
 and have access to complete information needed for quality health care,
 including coordination of care.
Decrease barriers to accessing prenatal health care by maintaining
 privacy for individuals who seek a complete range of reproductive
 health care options.
Enhance mental health and emotional well-being of pregnant individuals
 by reducing fear of prosecution based on potential disclosures of their
 PHI.
Improve or maintain trust between individuals and health care providers
 by reducing the potential for health care providers reporting PHI in a
 manner that could harm the individuals' interests.
Prevent or reduce re-victimization of pregnant individuals who have
 survived rape or incest by protecting their PHI from undue scrutiny.
Improve or maintain families' economic well-being by not exposing
 individuals to costly criminal, civil, or administrative investigations
 or proceedings for engaging in lawful activities if their PHI or a
 family member's PHI is disclosed.
Maintain the economic well-being of regulated entities by not exposing
 regulated entities or workforce members to costly civil litigation,
 investigation, or prosecution for engaging in lawful activities.
Ensure individuals' ability to obtain full and complete information and
 make lawful decisions concerning fertility- or infertility-related
 health care that may include selection or disposal of embryos without
 risk of criminal, civil, or administrative investigation or proceedings
 based on the disclosure of their PHI.
------------------------------------------------------------------------

2. Baseline Conditions
    The Privacy Rule, in conjunction with the Security and Breach 
Notification Rules, protects the privacy and security of individuals' 
PHI, that is, individually identifiable health information (IIHI) 
transmitted by or maintained in electronic media or any other form or 
medium, with certain exceptions. It limits the circumstances under 
which regulated entities are permitted or required to use or disclose 
PHI and requires covered entities to have safeguards in place to 
protect the privacy of PHI. The Privacy Rule also establishes certain 
rights for individuals with respect to their PHI. The Rule requires 
appropriate safeguards to protect the privacy of PHI and sets limits 
and conditions on the uses and disclosures that may be made of such 
information without an individual's authorization.
    As explained in the preamble, the Department has the authority 
under the Health Insurance Portability and Accountability Act of 1996 
(HIPAA) to modify the Privacy Rule to prohibit the use or disclosure of 
PHI for a criminal, civil, or administrative investigation into or 
proceeding against any person in connection with obtaining, providing, 
or facilitating reproductive health care, as well as to identify any 
person for the purpose of initiating such an investigation or 
proceeding. The Privacy Rule has been modified several times since it 
was first issued in 2000 to address statutory requirements, changed 
circumstances, and concerns and issues raised by stakeholders regarding 
the effects of the Privacy Rule on regulated entities, individuals, and 
others. Recently, as the preamble discusses, changed circumstances 
resulting from new inconsistencies in the regulation of reproductive 
health care nationwide and the negative effects on individuals' 
expectations for privacy and their relationships with their health care 
providers, as well as the additional burdens imposed on regulated 
entities, necessitate consideration of additional modifications.
    For purposes of this Regulatory Impact Analysis (RIA), the proposed 
rule adopts the list of covered entities and cost assumptions 
identified in the Department's 2019 Information Collection Request 
(ICR).\326\ The Department also relies on certain estimates and 
assumptions from the 1999 Privacy Rule NPRM \327\ that remain relevant, 
and the 2013 Omnibus Rule,\328\ as referenced in the analysis that 
follows.
---------------------------------------------------------------------------

    \326\ 84 FR 34905 (July 19, 2019).
    \327\ 64 FR 59918 (Nov. 3, 1999).
    \328\ 78 FR 5566 (Jan. 25, 2013).
---------------------------------------------------------------------------

    The Department quantitatively analyzes and monetizes the effect 
that this proposed rule may have on regulated entities' actions to: 
revise business associate agreements between covered entities and their 
business associates, including release-of-information contractors; 
create new forms; respond to certain types of requests for PHI that is 
potentially related to reproductive health care; update their NPP; 
adopt policies and procedures to implement the legal requirements of 
this proposed rule; and train their employees on the updated policies 
and procedures. The Department analyzes the remaining benefits and 
burdens qualitatively because of the uncertainty inherent in predicting 
other concrete actions that such a diverse scope of regulated entities 
might take in response to this proposed rule.
Analytic Assumptions
    The Department bases its assumptions for calculating estimated 
costs and benefits on a number of publicly available datasets, 
including data from the U.S. Census, the U.S. Department of Labor, 
Bureau of Labor Statistics (BLS), Centers for Medicare & Medicaid 
Services, and the Agency for Healthcare Research and Quality.
    Implementing the proposed regulatory changes likely would require 
covered entities to engage workforce members or consultants for certain 
activities. The Department assumes that an attorney would draft or 
review the new attestation form, revisions to business associate 
agreements, revisions to the NPP, and required changes to HIPAA 
policies and procedures. The Department expects that a training 
specialist would revise the necessary HIPAA training and a web designer 
would post the updated NPP. The Department further anticipates that a 
workforce member at the pay level of general health care practitioner 
would
confirm receipt of required attestations. To the extent that these 
assumptions would affect the Department's estimate of costs, the 
Department welcomes comment on its assumptions, particularly those in 
which the Department identifies the level of workforce member (i.e., 
clerical staff, professional) that would be engaged in activities, and 
the amount of time that particular types of workforce members spend 
conducting activities related to this NPRM as further described below. 
Table 3 also lists pay rates for occupations referenced in the 
explanation of estimated information collection burdens in section F of 
this RIA and related tables.
    For changes in time use for on-the-job activities considered in 
this analysis, the Department adopts an hourly value of time based on 
the cost of labor, including wages and benefits, and also indirect 
costs, which ``reflect resources necessary for the administrative 
oversight of employees and generally include time spent on 
administrative personnel issues (e.g., human resources activities such 
as hiring, performance reviews, personnel transfers, affirmative action 
programs), writing administrative guidance documents, office expenses 
(e.g., space rental, utilities, equipment costs), and outreach and 
general training (e.g., employee development).'' \329\ For each 
occupation performing activities as a result of the proposed rule, the 
Department identifies a pre-tax hourly wage using a database maintained 
by the BLS.\330\ For the purposes of this analysis, the Department 
assumes that benefits plus indirect costs equal approximately 100 
percent of pre-tax wages, and adjusts the hourly wage rates by 
multiplying by two, for a fully loaded hourly wage rate. The Department 
adopts this as the estimate of the hourly value of time for changes in 
time use for on-the-job activities.
---------------------------------------------------------------------------

    \329\ See ``Valuing Time in U.S. Department of Health and Human 
Services Regulatory Impact Analyses: Conceptual Framework and Best 
Practices,'' U.S. Dep't of Health and Human Servs., Office of the 
Assistant Secretary for Planning and Evaluation (2017), p. v, 
https://aspe.hhs.gov/reports/valuing-time-us-department-health-human-services-regulatory-impact-analyses-conceptual-framework.
    \330\ See ``Occupational Employment and Wages,'' Bureau of Labor 
Statistics, U.S. Dep't of Labor (May 2021), https://www.bls.gov/oes/current/oes_nat.htm.

                     Table 3--Occupational Pay Rates
------------------------------------------------------------------------
                                            Mean hourly    Fully loaded
        Occupation code and title              wage         hourly wage
------------------------------------------------------------------------
00-0000 All Occupations.................          $28.01          $56.02
43-3021 Billing and Posting Clerks......           20.55           41.10
29-0000 Healthcare Practitioners and               43.80           87.60
 Technical Occupations..................
29-9021 Health Information Technologists           29.53           59.06
 and Medical Registrars.................
29-9099 Healthcare Practitioners and               31.19           62.38
 Technical Workers, All Other...........
15-1212 Information Security Analysts...           54.46          108.92
23-1011 Lawyers.........................           71.17          142.34
13-1111 Management Analysts.............           48.33           96.66
11-9111 Medical and Health Services                57.61          115.22
 Manager................................
29-2072 Medical Records Specialist......           23.23           46.46
43-0000 Office and Administrative                  20.88           41.76
 Support Occupations....................
11-2030 Public Relations and Fundraising           63.85          127.70
 Managers...............................
13-1151 Training and Development                   32.51           65.02
 Specialist.............................
43-4171 Receptionists and Information              15.82           31.64
 Clerks.................................
15-1255 Web and Digital Interface                  45.90           91.80
 Designers..............................
Composite Wage for Breach Notice........           38.33           76.66
------------------------------------------------------------------------

    The Department assumes that the vast majority of covered entities 
would be able to incorporate changes to their workforce training into 
existing HIPAA training programs because the total time frame for 
compliance from date of finalization would be 240 days.\331\
---------------------------------------------------------------------------

    \331\ This includes 60 days from publication of a final rule to 
the effective date and an additional 180 days until the compliance 
date.
---------------------------------------------------------------------------

Covered Entities Affected
    This proposed rule would apply to HIPAA covered entities, including 
health care providers \332\ that conduct covered electronic 
transactions, health plans, and in certain circumstances, health care 
clearinghouses.\333\ The Department estimates that there are 774,331 
business establishments that meet the definition of a covered entity 
(see Table 4). By calculating costs for establishments, rather than 
firms (which may be an umbrella organization over multiple 
establishments), there is a tendency toward overestimating some 
burdens, because certain costs would be borne by a parent organization 
rather than each separate facility. However, the level of an 
organization that is financially responsible for covering costs to 
implement Privacy Rule requirements may vary across the health care 
industry. The Department requests data on the extent to which certain 
burdens of the proposed rule would be borne by each facility versus an 
umbrella organization. Unless otherwise indicated, the Department 
relies on data about the number of firms and establishments from the 
U.S. Census.\334\
---------------------------------------------------------------------------

    \332\ The Department notes that pharmacies, discussed later in 
the preamble, are a type of health care provider under HIPAA. HIPAA 
defines the term health care provider for the purposes of the 
Administrative Simplification provisions at section 262: ``The term 
`health care provider' includes a provider of services (as defined 
in section 1861(u)), a provider of medical or other health services 
(as defined in section 1861(s)), and any other person furnishing 
health care services or supplies.''
    \333\ Only certain provisions of the Privacy Rule apply to 
clearinghouses as covered entities. In addition, certain provisions 
apply to clearinghouses in their role as business associates of 
other covered entities. See 45 CFR 164.500(b) and (c). Because the 
provisions addressed in this proposed rule generally do not apply 
directly to clearinghouses, the Department does not anticipate that 
these entities would experience costs associated with this proposed 
rule.
    \334\ See ``2015 Statistics of U.S. Businesses (SUSB) Annual 
Data Tables by Establishment Industry'' (Jan. 2018), https://www.census.gov/data/tables/2015/econ/susb/2015-susb-annual.html.
---------------------------------------------------------------------------

    The Department expects that the proposed rule would have varying 
effects on different covered entities, with the most direct effect on 
covered health care providers and health plans. However, all 
affected covered entities would at least need to adopt or change some 
policies and procedures and re-train some employees. Affected covered 
entities would include many Federal, state, local, Tribal, and private 
sector health care providers.
    Census data for businesses in the category of Third Party 
Administration of Insurance and Pension Funds does not separately 
enumerate those that service health and medical insurance. However, the 
Department is able to extrapolate from data about insurance carriers 
the percentage of businesses that service health and medical insurance. 
According to Census data, there are 880 Direct Health and Medical 
Insurance Carrier firms compared to 5,350 Insurance Carrier firms, such 
that health and medical insurance firms make up 16.4% of insurance 
firms. Thus, the Department assumes for purposes of this analysis that 
16.4% of Third Party Administration of Insurance and Pension Funds 
firms and establishments service health and medical insurance. Applying 
this percentage to the 2,773 firms and 4,772 establishments in the 
category Third Party Administration of Insurance and Pension Funds, the 
Department estimates that 455 of these firms and 783 establishments are 
affected by this proposed rule.\335\ See Table 4 below.
---------------------------------------------------------------------------

    \335\ [2,773 x .164 = 454.7; 4,772 x .164 = 782.6].
---------------------------------------------------------------------------

    Covered pharmacies would also be affected by the proposed rule. 
There were 67,753 community pharmacies (including 19,500 pharmacy and 
drug store firms and 44,130 establishments identified in U.S. Census 
data) operating in the U.S. in 2015.\336\ Small pharmacies largely use 
pharmacy services administration organizations (PSAOs) to provide 
administrative services, such as negotiations, on their behalf.\337\ A 
2013 study identified 22 PSAOs and notes there may be more in 
operation.\338\ Based on information received from industry, the 
Department adjusts this number upward and estimates that the proposed 
rule would affect 40 PSAOs. The Department assumes that costs affecting 
pharmacies are incurred at each pharmacy and drug store establishment 
and each PSAO.
---------------------------------------------------------------------------

    \336\ See Dima Mazen Qato, Shannon Zenk, Jocelyn Wilder, et al., 
``The availability of pharmacies in the United States: 2007-2015,'' 
PLOS ONE (Aug. 2017), https://doi.org/10.1371/journal.pone.0183172.
    \337\ Discussing generally that small and independent pharmacies 
often lack internal resources to support these services. See 
``Prescription Drugs: The Number, Role, and Ownership of Pharmacy 
Services Administrative Organizations,'' U.S. Government 
Accountability Office, GAO-13-176 (Jan. 29, 2013), https://www.gao.gov/products/GAO-13-176.
    \338\ Id.
---------------------------------------------------------------------------

    The Department has not separately calculated the effect of the 
proposed rule on business associates because the primary effect is on 
the covered entities for which they provide services. To the extent 
that covered entities engage business associates to perform activities 
under the proposed rule, the Department assumes that any additional 
costs will be borne by the covered entities through their contractual 
agreements with business associates. The Department's estimate that 
each revised business associate agreement would require no more than 1 
hour of a lawyer's labor assumes that the hourly burden could be split 
between the covered entity and the business associate. Thus, the 
Department has calculated estimated costs based on the potential number 
of business associate agreements that are revised rather than the 
number of covered entities or business associates with revised 
agreements. The Department requests data on the number of business 
associates (which may include health care clearinghouses acting in 
their role as business associates of other covered entities) that would 
be affected by the proposed rule and the extent to which they may 
experience costs or other burdens not already accounted for in the 
estimates of burdens for revising business associate agreements. The 
Department also requests comment on the number of business associate 
agreements that would need to be revised, if any.
    The Department requests public comment on these estimates, 
including those for third party administrators and pharmacies where the 
Department has provided additional explanation. The Department 
additionally requests detailed comment on any situations in which 
covered entities other than those identified here would be affected by 
this rulemaking.

                             Table 4--Estimated Number and Type of Covered Entities
----------------------------------------------------------------------------------------------------------------
                                                Covered Entities
-----------------------------------------------------------------------------------------------------------------
                 NAICS code                            Type of entity               Firms        Establishments
----------------------------------------------------------------------------------------------------------------
524114......................................  Health and Medical Insurance                880              5,379
                                               Carriers.
524292......................................  Third Party Administrators.....             456                783
622.........................................  Hospitals......................           3,293              7,012
44611.......................................  Pharmacies.....................          19,540         \a\ 67,753
6211-6213...................................  Office of Drs. & Other                  433,267            505,863
                                               Professionals.
6215........................................  Medical Diagnostic & Imaging...           7,863             17,265
6214........................................  Outpatient Care................          16,896             39,387
6219........................................  Other Ambulatory Care..........           6,623             10,059
623.........................................  Skilled Nursing & Residential            38,455             86,653
                                               Facilities.
6216........................................  Home Health Agencies...........          21,829             30,980
532291......................................  Home Health Equipment Rental...             611              3,197
                                                                              ----------------------------------
    Total...................................  ...............................         549,713            774,331
----------------------------------------------------------------------------------------------------------------
\a\ Number of pharmacy establishments is taken from industry statistics.

Individuals Affected
    The Department believes that the population of individuals 
potentially affected by the proposed rule is approximately 74 million 
overall,\339\ representing nearly one-fourth of the U.S. population, 
including approximately 6 million pregnant women and girls annually and 
an unknown number of individuals facing a potential pregnancy or 
pregnancy risk due to sexual activity, contraceptive avoidance or 
failure, rape (including statutory rape), and incest. According to 
Federal data, 78 percent of sexually active females received 
reproductive health care in 2015-2017.\340\
---------------------------------------------------------------------------

    \339\ See females aged 10-44, American Community Survey S0101 
AGE AND SEX 2020: ACS 5-Year Estimates Subject Tables, https://data.census.gov/cedsci/table?q=United%20States%20females&t=Populations%20and%20People&g=0100000US&tid=ACSST5Y2020.S0101.
    \340\ See Sexually active females who received reproductive 
health services (FP-7.1), Healthypeople.gov, https://wayback.archive-it.org/5774/20220415172039/https:/www.healthypeople.gov/2020/leading-health-indicators/2020-lhi-topics/Reproductive-and-Sexual-Health/data.


            Table 5--Estimated Number of Individuals Affected
------------------------------------------------------------------------
 Females of potentially childbearing     Population      Number of 2017
                 age                      estimate     Pregnancies \341\
------------------------------------------------------------------------
Females Aged 10--14 \342\............      10,310,162              4,460
Females 15--44 \343\.................      64,130,037          5,575,150
                                      ----------------------------------
    Total............................      74,440,199          5,579,610
------------------------------------------------------------------------

---------------------------------------------------------------------------

    \341\ See Isaac Maddow-Zimet and Kathryn Kost, 
``Pregnancies, Births and Abortions in the United States, 1973-2017: 
National and State Trends by Age Appendix Tables,'' Guttmacher 
Institute, https://www.guttmacher.org/sites/default/files/report_downloads/pregnancies-births-abortions-us-1973-2017-appendix-tables.pdf.
    \342\ See American Community Survey S0101 AGE AND SEX 2020: ACS 
5-Year Estimates Subject Tables, https://data.census.gov/cedsci/table?q=United%20States%20females&t=Populations%20and%20People&g=0100000US&tid=ACSST5Y2020.S0101.
    \343\ Id.
---------------------------------------------------------------------------

3. Costs of the Proposed Rule
    Below, the Department provides the basis for its estimated 
quantifiable costs resulting from the proposed changes to specific 
provisions of the Privacy Rule and invites comments on the Department's 
assumptions, data, and calculations, as well as any additional 
considerations that the Department has not identified here. Many of the 
estimates are based on assumptions formed through the Office for Civil 
Rights' (OCR's) experience in its compliance and enforcement program 
and accounts from stakeholders received at outreach events. The 
Department has not quantified recurring burdens for the proposed rule 
beyond that of obtaining a required attestation from the requester for 
health oversight, legal proceedings, law enforcement, and coroners or 
medical examiners.
    The Department welcomes information or data points from commenters 
to further refine its estimates and assumptions.
a. Costs Associated With Requests for Exception From Preemption
    The Department anticipates that states that restrict access to 
reproductive health care are likely to seek an exception to the 
proposed requirements of this rule that would preempt state law. Given 
the fast-developing status of state laws governing access to 
reproductive health care, the Department estimates a potential increase 
of 26 states \344\ incurring costs to develop an exception request to 
submit to the Secretary. Based on existing burden estimates for this 
activity,\345\ the Department estimates that each exception request 
would require approximately 16 hours of labor at the rate of a general 
health care practitioner and that approximately 26 states would make 
such requests. Thus, the Department estimates that states will spend a 
total of 416 hours requesting exception from preemption and monetize 
this as a one-time cost of $36,442 [= 16 x 26 x $87.60].
---------------------------------------------------------------------------

    \344\ See Elizabeth Nash, Lauren Cross, ``26 States Are Certain 
or Likely to Ban Abortion Without Roe: Here's Which Ones and Why,'' 
Guttmacher Institute (published Oct. 28, 2021; updated Apr. 19, 
2022; an updated analysis was published on Jan. 10, 2023), https://www.guttmacher.org/article/2021/10/26-states-are-certain-or-likely-ban-abortion-without-roe-heres-which-ones-and-why. The number of 
states identified dropped to 24 in 2023; however, due to the pace of 
change in this area the Department relies on the higher number as a 
basis for its cost estimates.
    \345\ Information Collection, Process for Requesting Exception 
Determinations (states or persons), https://www.reginfo.gov/public/do/PRAViewIC?ref_nbr=201909-0945-001&icID=10428.
---------------------------------------------------------------------------

b. Estimated Costs From Adding a Requirement for an Attestation for 
Disclosures for Certain Purposes
    The Department analyzed the costs of the proposed attestation 
requirement in comparison to the estimated costs of complying with the 
existing authorization requirement because both activities involve 
reviewing requests for disclosures and required documentation. The 
Department estimates that the annual costs of implementing a 
requirement to obtain an attestation that certain types of requests for 
PHI that is potentially related to reproductive health care are not for 
a prohibited purpose would be similar to the costs associated with uses 
and disclosures for which an authorization is required because the 
number of attestation-based requests likely would be lower even if the 
handling of such requests were more burdensome. For purposes of this 
analysis, the Department adopts the cost estimates already approved for 
documenting disclosures based on an authorization because those 
estimates provide an established baseline. The Department draws this 
estimate from its approved ICR for 45 CFR 164.508, which allows for one 
burden hour per covered entity based on the hourly wage of a general 
health care practitioner.\346\ For 774,331 covered entities, this would 
amount to a total annual cost of $67,831,396 [= 774,331 x 1 x $87.60]. 
The quantified burden is associated with the requirement to keep 
records of attestations received. The Department anticipates an 
increase in time needed by regulated entities to process each request 
for PHI under 45 CFR 164.512(d), (e), (f), or (g)(1) that is not 
accompanied by an attestation. The Department believes that the 
regulated entity would likely need to determine whether the requested 
PHI includes PHI potentially related to reproductive health care. 
However, the Department lacks sufficient information to estimate the 
amount such a burden would vary from the burden of processing requests 
for PHI with an authorization. Additionally, the Department believes 
that regulated entities may need to evaluate whether the reproductive 
health care encompassed within the scope of a request under 45 CFR 
164.512(d) through (f) and (g)(1) was lawful under the circumstances in 
which it was provided, and solicits comments on data about the 
associated costs of such reviews.
---------------------------------------------------------------------------

    \346\ See Section F. of this RIA, Paperwork Reduction Act of 
1995.
---------------------------------------------------------------------------

    In addition to the recurring costs of responding to requests for 
PHI under the proposed revisions, the Department estimates that covered 
entities would incur a one-time cost for creating a new attestation 
form for a total of $55,109,137 [= 774,331 x (30/60) x $142.34]. This 
would be based on 30 minutes of labor by a lawyer using the 
Department's sample form.
c. Costs Arising From Revised Business Associate Agreements
    The Department anticipates that a certain percentage of business 
associate agreements would likely need to be updated to reflect a 
determination made by covered entities and business associates that, 
where the business associate receives requests for disclosures of PHI 
under proposed 45 CFR 164.512(d), (e), (f), or (g)(1), the covered 
entity will bear the burden of determining whether a requested 
disclosure would include PHI that is potentially related to 
reproductive health care. Based on estimates in previous HIPAA 
rulemaking, the

[[Page 23545]]

Department estimates that each new or significantly modified contract 
between a business associate and its subcontractors would require, at 
most, one hour of labor by a lawyer at the wage reported in Table 3. We 
believe that approximately 35 percent of 1 million business associates, 
or 350,000 entities, would decide to create or significantly modify 
subcontracts, resulting in total costs of $49,819,000 [= 350,000 x 
$142.34]. The Department invites comments on these assumptions and the 
number of business associate agreements likely to be revised due to the 
proposed regulatory changes.
d. Costs Arising From Changes to the Notice of Privacy Practices
    The Department proposes to modify the NPP to notify individuals 
that covered entities cannot use or disclose PHI for certain purposes 
and that in certain circumstances, covered entities must obtain an 
attestation from the person requesting the use or disclosure affirming 
that the request is not for a prohibited purpose, and where applicable, 
that the use or disclosure is primarily for a purpose described at 45 
CFR 164.502(a)(5)(iii)(C).
    The Department believes the burden associated with revising the NPP 
consists of costs related to developing and drafting the revised NPP 
for covered entities. The Department estimates that the proposal to 
update and revise the language in the NPP would require 30 minutes of 
professional legal services at the wage reported in Table 3. Across all 
covered entities, the Department estimates a cost of $55,109,137 [= 
774,331 x (30/60) x $142.34]. The Department does not anticipate any 
new costs for health care providers associated with distribution of the 
revised notice other than posting it on the entity's website (if it has 
one) because health care providers have an ongoing obligation to 
provide the notice to first-time patients that is already accounted for 
in cost estimates for the HIPAA Rules. Health plans that post their NPP 
online would incur minimal costs by posting the updated notice, and 
then, including the updated NPP in the next annual mailing to 
subscribers.\347\ Health plans that do not provide an annual mailing 
would potentially incur an additional $12,743,700 in capital expenses 
for mailing the revised NPP to an estimated 10 percent of the 
150,000,000 health plan subscribers who receive a mailed, paper copy of 
the notice, as well as the labor expense for an administrative support 
staff member at the rate shown in Table 3 to complete the mailing, for 
approximately $2,610,000 [= 62,500 hours x $41.76]. The Department 
further estimates the cost of posting the revised NPP on the covered 
entity's website would be 15 minutes of a web designer's time at the 
wage reported in Table 3. Across all covered entities, the Department 
estimates a cost of online posting as $17,770,896 [= 774,331 x (15/60) 
x $91.80].
---------------------------------------------------------------------------

    \347\ 45 CFR 164.520(c)(1)(v)(A).
---------------------------------------------------------------------------

e. Estimated Costs for Developing New or Modified Policies and 
Procedures
    The Department anticipates that covered entities would need to 
develop new or modified policies and procedures related to new 
requirements for attestations, prohibited uses and disclosures, certain 
uses and disclosures permitted under 45 CFR 164.512, and clarification 
of personal representative qualifications. The Department estimates 
that the costs associated with developing policies and procedures would 
be the labor of a lawyer for 2.5 hours and that this expense would 
represent the largest area of cost for compliance with the rule once 
finalized, for a total of $275,545,686 [= 774,331 x 2.5 x $142.34].
f. Costs Associated With Training Workforce Members
    The Department anticipates that covered entities would be able to 
incorporate new content into existing HIPAA training requirements and 
that the costs associated with doing so would be attributed to the 
labor of a training specialist for an estimated 90 minutes for a total 
of $75,543,732 [= 774,331 x (90/60) x $65.04].
    The Department invites comments on all aspects of its estimates and 
assumptions, including the time spent on the identified activities and 
the occupations or professions of persons designated to perform those 
tasks.
g. Total Quantifiable Costs
    The Department summarizes in Table 6 the estimated nonrecurring 
costs that covered entities and states would experience in the first 
year of implementing the proposed regulatory changes. The Department 
anticipates that these costs would be for requesting exceptions from 
preemption of state law, implementing the attestation requirement, 
revising business associate agreements, revising the NPP, mailing it, 
and posting it online, revising policies and procedures, and updating 
HIPAA training programs.

                      Table 6--New Nonrecurring Costs of Compliance With the Proposed Rule
----------------------------------------------------------------------------------------------------------------
                                             Burden hours/action x                                  Total costs
           Nonrecurring costs                     hourly wage                 Respondents           (millions)
----------------------------------------------------------------------------------------------------------------
Exception Requests......................  16 x $87.60...............  26 States.................           $0.04
Attestations, New Form..................  30/60 x $142.34...........  774,331 Covered entities..              55
BAAs, Revising..........................  1 x $142.34...............  350,000 BAAs..............              50
NPP, Updating...........................  30/60 x $142.34...........  774,331 Covered entities..              55
NPP, Mailing............................  0.25/60 x $41.76..........  15,000,000 Subscribers....               3
NPP, Posting Online.....................  15/60 x $91.80............  774,331 Covered entities..              18
Policies & Procedures...................  150/60 x $142.34..........  774,331 Covered entities..             276
Training................................  90/60 x $65.04............  774,331 Covered entities..              76
Capital Expenses, Mailing NPPs--Health    $.85/NPP..................  15,000,000 Subscribers....              13
 Plans.
                                                                                                 ---------------
    Total Nonrecurring Burden...........  ..........................  ..........................         \a\ 544
----------------------------------------------------------------------------------------------------------------
\a\ Totals may not add up due to rounding.

    Table 7 summarizes the recurring costs that the Department 
anticipates covered entities would incur annually as a result of the 
proposed regulatory changes. These new costs would be based on 
responding to requests for disclosures for which an attestation is 
required.

[[Page 23546]]



                    Table 7--Recurring Annual Costs of Compliance With the Proposed Rule \a\
----------------------------------------------------------------------------------------------------------------
                                                                                                   Total annual
             Recurring costs                Burden hours/CE x wage            Respondents              cost
                                                                                                    (millions)
----------------------------------------------------------------------------------------------------------------
Disclosures for which an attestation is   1 x $87.60................  774,331 Covered entities..     $67,831,396
 required.
                                                                                                 ---------------
    Total Recurring Annual Burden.......  ..........................  ..........................      67,831,396
----------------------------------------------------------------------------------------------------------------
\a\ Totals may not add up due to rounding.

Costs Borne by the Department
    The covered entities that are operated by the Department would be 
affected by the proposed changes in a similar manner to other covered 
entities, and those costs have been factored into the estimates above.
    The Department expects that it would incur costs related to 
drafting and disseminating information about the proposed regulatory 
changes to covered entities, including health care providers and health 
plans. In addition, the Department anticipates that it may incur a 26-
fold increase in the number of requests for exceptions from state law 
preemption in the first year after a final rule becomes effective, at 
an estimated total cost of approximately $146,319 to analyze and 
develop responses for an average cost of $7,410 per request. This 
increase is based on the number of states that have or are likely to 
pass more restrictive abortion laws \348\ and may seek to use or 
disclose individuals' PHI to enforce those laws. This estimate assumes 
that the Department receives and reviews exception requests from each 
of those 26 states, that half of those require a more complex analysis, 
and that all requests result in a written response within one year of 
the final rule's publication.
---------------------------------------------------------------------------

    \348\ See Elizabeth Nash, Lauren Cross, ``26 States Are Certain 
or Likely to Ban Abortion Without Roe: Here's Which Ones and Why,'' 
Guttmacher Institute (published Oct. 28, 2021; updated Apr. 19, 2022 
and Jan. 10, 2023), https://www.guttmacher.org/article/2021/10/26-states-are-certain-or-likely-ban-abortion-without-roe-heres-which-ones-and-why. In January 2023, the number of projected states 
dropped to 24.
---------------------------------------------------------------------------

Benefits of the Proposed Rule
    The benefits of the proposed rule to individuals and families are 
likely substantial, and yet are not fully quantifiable because the area 
of health care the proposed rule addresses is among the most sensitive 
and life-altering if privacy is violated. Additionally, the value of 
privacy, which cannot be recovered once lost, and trust that privacy 
will be protected by others, is difficult to quantify fully. Notably, 
matters of reproductive health may include circumstances resulting in a 
pregnancy, considerations concerning maternal and fetal health, family 
genetic conditions, information concerning sexually transmitted 
infections, and the relationship between prospective parents (including 
victimization due to rape, incest, or sex trafficking). Involuntary or 
poorly-timed disclosures can irreparably harm relationships and 
reputations, and even result in job loss or other negative consequences 
in the workplace,\349\ as well as investigation, civil litigation or 
proceedings, and prosecution for lawful activities.\350\ Additionally, 
fear of potential penalties or liability that may result from 
disclosing information to a health care provider related to accessing 
abortion or other reproductive health care may cast a long shadow, 
decreasing trust between individuals and health care providers, 
discouraging and deterring access to other valuable and necessary 
health care, or compromising ongoing or subsequent care if patient 
medical records are not accurate or complete.\351\ The proposed rule 
would prevent or reduce the harms discussed here, resulting in non-
quantifiable benefits to individuals and their families, friends, and 
health care providers. In particular, the role of trust in the health 
care system and its importance to the provision of high-quality health 
care is discussed extensively in section III of this preamble.
---------------------------------------------------------------------------

    \349\ See Danielle Keats Citron and Daniel J. Solove, ``Privacy 
Harms,'' GWU Legal Studies Research Paper No. 2021-11, GWU Law 
School Public Law Research Paper No. 2021-11, 102 Boston University 
Law Review 793, 830--861 (Feb. 9, 2021), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3782222.
    \350\ See ``Lawyers preparing for abortion prosecutions warn 
about health care, data privacy,'' supra note 166.
    \351\ See ``Women with chronic conditions struggle to find 
medications after abortion laws limit access,'' Centers for Disease 
Control and Prevention, Division of Reproductive Health, National 
Center for Chronic Disease Prevention and Health Promotion (Jan. 4, 
2023), https://www.cdc.gov/teenpregnancy/health-care-providers/index.htm; and ``Abortion Bans May Limit Essential Medications for 
Women with Chronic Conditions,'' supra note 176.
---------------------------------------------------------------------------

    The Department believes the proposed rule would increase health 
literacy by improving access to complete information about health care 
options for individuals.\352\ For example, the proposal to prohibit use 
and disclosure of PHI for purposes of prosecuting an individual, a 
person assisting them, or their health care provider would enable 
health care providers to obtain and provide complete and accurate 
medical information about reproductive health care without undue fear 
of serious and costly repercussions.
---------------------------------------------------------------------------

    \352\ See Lynn M. Yee, Robert Silver, David M. Haas, et al., 
``Association of Health Literacy Among Nulliparous Individuals and 
Maternal and Neonatal Outcomes,'' JAMA Network Open (Sept. 1, 2021), 
https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2783674.
---------------------------------------------------------------------------

    The Department believes that the proposed rule would also 
contribute to increased access to prenatal health care at the critical 
early stages of pregnancy by affording individuals the assurance that 
they may obtain reproductive health care without fearing that records 
related to that care would be subject to disclosure. For example, if a 
sexually active individual fears they or their health care providers 
could be subject to prosecution as a result of disclosure of their PHI, 
the individual may avoid informing health care providers about symptoms 
or asking questions of medical experts and may consequently fail to 
receive the support and health care they need to obtain a pregnancy 
diagnosis and receive appropriate, lawful health care.\353\ Similarly, 
the proposed rule would likely contribute to decreasing the rate of 
maternal mortality and morbidity by improving access to information 
about health services.\354\
---------------------------------------------------------------------------

    \353\ See Texas Maternal Mortality and Morbidity Review 
Committee and Department of State Health Services Joint Biennial 
Report 2022, supra note 16.
    \354\ See Helen Levy, Alex Janke, ``Health Literacy and Access 
to Care,'' Journal of Health Communication (2016), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4924568/; see also Brief for 
Zurawski.
---------------------------------------------------------------------------

    The Department believes that the proposed rule would contribute to 
enhancing the mental health and emotional well-being of individuals 
seeking or obtaining reproductive health care by reducing fear that 
their PHI would be disclosed for an investigation

[[Page 23547]]

of or proceeding against, or prosecution of the individual, their 
health care provider, or any persons facilitating the individual's 
access to reproductive health care. This is especially important for 
individuals who need access to reproductive health care because they 
are survivors of rape, incest, or sex trafficking. For at least some 
such individuals, certain types of reproductive health care, including 
abortion, generally remain legal even if the option to terminate a 
pregnancy is no longer available to the broader population under state 
laws. The proposed rule is projected to prevent or reduce re-
victimization of pregnant individuals who have been subject to rape, 
incest, or sex trafficking by protecting their PHI from disclosure.
    Investigations and prosecutions that rely on that information may 
be costly to defend against and thus financially draining for the 
target of the investigation or prosecution and for persons who are not 
the target of the investigation or prosecution but whose information 
may be used as evidence against others. Witnesses or targets of an 
investigation or prosecution may lose time from work and incur steep 
legal bills that create unmanageable debt or otherwise harm the 
economic stability of the individual, their family, and their health 
care provider. In the absence of the proposal, much of those costs may 
be for defending against the disclosure or use of PHI. Thus, the 
Department expects that the proposed rule would contribute to families' 
economic well-being by reducing the risk of exposure to costly 
investigation or prosecution for lawful activities as a result of 
disclosures of PHI.
    The Department believes that the proposed rule would also 
contribute to improved continuity of care and ongoing and subsequent 
health care for individuals, thereby improving health outcomes. If a 
health care provider believes that the patient's PHI is likely to be 
disclosed without the patient's or the health care provider's knowledge 
or consent, possibly to initiate or be used in criminal or civil 
proceedings against the patient, their health care provider, or others, 
the health care provider is more likely to omit information about a 
patient's medical history or condition, or leave gaps or include 
inaccuracies, when preparing patient medical records. And if an 
individual's medical records lack complete information about the 
individual's health history, a subsequent health care provider may not 
be able to conduct an appropriate health assessment to reach a sound 
diagnosis and recommend the best course of action for the individual. 
Alternatively, health care providers may withhold from the individual 
full and complete information about their treatment options because of 
liability concerns stemming from fears about the privacy of an 
individual's PHI.\355\ Heightened confidentiality and privacy 
protections enable a health care provider to feel confident maintaining 
full and complete patient records. Without complete patient records, an 
individual is less likely to receive appropriate ongoing or future 
health care, including correct diagnoses, and will be impeded in making 
informed treatment decisions.
---------------------------------------------------------------------------

    \355\ See Brief for Zurawski at p. 10.
---------------------------------------------------------------------------

Comparison of Benefits and Costs
    The Department expects the totality of the benefits of the proposed 
rule to outweigh the costs because the rule would create a net benefit 
to society, particularly for the significant number of individuals who 
could become pregnant (nearly one-fourth of the population of the U.S.) 
and who need access to lawful health care without the risk of their PHI 
being used or disclosed in furtherance of criminal, civil, or 
administrative investigations or proceedings. The Department expects 
covered entities and individuals to benefit from covered entities' 
increased flexibility and confidence to be able to provide health care 
according to professional standards.
    The Department's benefit-cost analysis asserts that the proposed 
regulatory changes would help support individuals' right to access 
health care and information about their health care options free of 
government intrusion, enhance the relationship between health care 
professionals and individuals, strengthen maternal well-being and 
family stability, and support victims of rape, incest, and sex 
trafficking. The regulatory proposals would also aid health care 
providers in developing and maintaining a high level of trust between 
health care professionals and individuals and maintaining complete and 
accurate patient medical records to aid ongoing and subsequent health 
care. Greater levels of trust would further enable individuals to 
develop and maintain relationships with health care professionals, 
which would enhance continuity of health care for all individuals 
receiving care from the health care provider, not only those in need of 
reproductive health care.
    The financial costs of the proposed rule would accrue primarily to 
covered entities, particularly health care providers and health plans 
in the first year after implementation of a final rule, with recurring 
costs accruing annually at a lower rate.
4. Request for Comment
    jj. The Department requests comment on all the estimates, 
assumptions, and analyses within the cost-benefits analysis, including 
the costs to regulated entities and individuals.
    kk. The Department also requests comments on any relevant 
information or data that would inform a quantitative analysis of 
proposed reforms that the Department qualitatively addresses in this 
RIA. Specifically, the Department requests comment on the following:
    i. Whether this proposed rule would affect other activities of 
regulated entities, including their ability to comply with other laws, 
and, if so, how.
    ii. Whether the proposed prohibition on the use or disclosure of 
PHI for a criminal, civil, or administrative investigation or 
proceeding against any person in connection with seeking, obtaining, 
providing, or facilitating reproductive health care that is lawful 
under the circumstances in which it is provided would affect the 
disclosure of PHI between health care providers or between health care 
providers and health plans for treatment purposes.
    iii. Whether the proposed prohibition on the use or disclosure of 
PHI for a criminal, civil, or administrative investigation or 
proceeding against any person in connection with seeking, obtaining, 
providing, or facilitating reproductive health care that is lawful 
under the circumstances in which it is provided would affect the 
provision of access to individuals who request copies of their own PHI.
    iv. Data about the costs to regulated entities of determining 
whether reproductive health care revealed in PHI that is the subject of 
a request under 45 CFR 164.512(d) through (f) and (g)(1) was lawful 
under the circumstances in which it was provided.
    v. Data about the costs to regulated entities of determining 
whether a request for the use or disclosure of PHI is for a prohibited 
purpose where an attestation is not provided.
    vi. Whether the ongoing cost associated with the burden of 
responding to requests for PHI with an authorization is an appropriate 
comparator for the ongoing cost associated with the burden of 
responding to requests for PHI that may require an attestation.
    vii. The number of requests regulated entities receive annually for 
uses and disclosures under 45 CFR 164.512(d) through (f) and (g)(1), 
and the number of individuals' records encompassed by those requests.

[[Page 23548]]

    viii. Data about the costs and any other burdens for regulated 
entities associated with determining that a request is for PHI that is 
potentially related to reproductive health care.
    ix. Whether the lack of an attestation for some requests received 
under 45 CFR 164.512(d) through (f) and (g)(1) would increase the time 
needed to process each request.
    ll. The Department also requests comments on whether there may be 
other indirect costs and benefits resulting from the changes in the 
proposed rule and welcomes additional information that may help 
quantify those costs and benefits.

B. Regulatory Alternatives to the Proposed Rule

    The Department welcomes public comment on any benefits or drawbacks 
of the following alternatives it considered, but did not propose, while 
developing this proposed rule. The Department also requests comment on 
whether the Department should reconsider any of the alternatives 
considered, and if so, why.
No Regulatory Changes
    The Department carefully considered several alternatives to issuing 
this NPRM, including the option of not pursuing any regulatory changes, 
but rejected that approach for several reasons. Recent developments in 
state law that impose greater restrictions on access to reproductive 
health care are generating significant confusion for individuals, 
health care providers, and family, friends, and caregivers regarding 
their ability to privately seek, obtain, provide, or facilitate lawful 
reproductive health care. In light of these developments, there is 
significant confusion about the extent to which reproductive health 
care information is protected by the Privacy Rule. Perhaps most 
importantly, the current regulatory environment is diminishing the 
ability of individuals to receive medically appropriate health care 
that remains legal under the circumstances in which it is provided--
including in a wide range of contexts beyond reproductive care--thus 
putting their health at increased risk.\356\ The Department believes 
that the Privacy Rule should be modified to protect the privacy of PHI 
to better support the provision of appropriate, timely, and lawful 
reproductive health care and other health care for pregnant individuals 
in the current environment. The proposed regulatory changes would 
further Congressional intent to protect the privacy of IIHI and bolster 
patient-provider confidentiality. Revising the Privacy Rule would 
clarify covered entities' obligations and flexibilities, protect the 
privacy of individuals' PHI, and improve the quality of individuals' 
health care.
---------------------------------------------------------------------------

    \356\ See ``Methotrexate access becomes challenging for some 
patients following Supreme Court decision on abortion,'' ``Abortion 
restrictions may be making it harder for patients to get a cancer 
and arthritis drug,'' ``Abortion bans complicate access to drugs for 
cancer, arthritis, even ulcers,'' supra note 175. See also, e.g., 
``Women with chronic conditions struggle to find medications after 
abortion laws limit access,'' ``Abortion Bans May Limit Essential 
Medications for Women with Chronic Conditions,'' supra note 176.
---------------------------------------------------------------------------

Modify Privacy Rule Without Preempting State Law
    The Department also considered whether to remove the Privacy Rule 
permissions for a covered entity to comply with certain other legal 
requirements to use or disclose PHI, such as the terms of a court order 
or other judicial or administrative process without preempting statutes 
or regulations that specifically require regulated entities to make 
uses and disclosures of PHI about an individual's reproductive health. 
The Department believes that this approach would not protect an 
individual from having their PHI disclosed and used against them when 
another law requires the disclosure. As discussed in the preamble, the 
Department believes that this result would undermine trust in the 
health care system and thereby decrease access to quality health care, 
as well as interfere with continuity of care by compromising the 
accuracy and completeness of patient medical records, contrary to 
Congress' intent in enacting HIPAA. The Department believes that these 
harms outweigh the states' interests in this context. The Department 
therefore proposes to preempt state law that would require use or 
disclosure of PHI about an individual's reproductive health for 
prohibited purposes, as discussed herein.
Modify the Privacy Rule To Align With 42 CFR Part 2 for Uses and 
Disclosures of PHI for Certain Criminal and Noncriminal Proceedings 
Against an Individual
    The Department also considered proposing to apply requirements 
equivalent to 42 CFR part 2 (referred to as ``part 2'') for uses and 
disclosures of PHI for certain criminal and noncriminal proceedings 
against an individual based on their alleged decision to obtain, or 
attempt to obtain, reproductive health care. However, the Department 
believes this approach also would not protect an individual from having 
their PHI disclosed and potentially used against them pursuant to a 
court order, and thus it also would not prevent regulated entities from 
disclosing an individual's PHI for purposes of imposing criminal or 
civil liability on an individual, health care provider, or other 
person, for obtaining, providing, or facilitating lawful reproductive 
health care. Part 2 affords some discretion to courts to order 
disclosures of part 2 records in certain circumstances; however, part 2 
also expressly prohibits further use or disclosure of those records by 
any recipient for a proceeding against a patient. The Privacy Rule only 
regulates uses and disclosures by regulated entities; the Privacy Rule 
cannot limit further uses or disclosures by other persons who receive 
an individual's health information from a regulated entity. Therefore, 
an approach similar to part 2 would not sufficiently strengthen privacy 
protections with respect to the purposes for which this proposal would 
prohibit the use or disclosure of PHI.
Require a Valid Authorization Before Using or Disclosing PHI for 
Certain Purposes
    As an alternative to prohibiting certain uses and disclosures as 
proposed in this NPRM, the Department considered proposing to permit 
regulated entities to make such uses or disclosures of PHI only after 
obtaining a valid authorization. However, the Department has concerns 
regarding the potential for coercion or harassment of individuals to 
pressure them into providing authorization for access to their PHI by 
persons requesting the disclosure, such as law enforcement. In such a 
scenario, covered entities would be forced to choose between their 
obligations under state law and their Privacy Rule compliance 
responsibilities in the event that an individual declined to provide an 
authorization, undermining health information privacy protections for 
individuals. As a result, the Department's current view is that an 
authorization approach would not adequately ensure trust in the 
relationship between health care professionals and individuals.
Require Covered Entities To Agree to Requests for Restrictions on 
Disclosures of PHI for Treatment, Payment, and Health Care Operations
    Concerns have arisen that some states may attempt to criminalize or 
otherwise penalize individuals for traveling out of state to obtain 
reproductive health care, or other persons for assisting individuals 
who do, notwithstanding

[[Page 23549]]

relevant constitutional protections. The Department thus considered 
including a proposal that would have required regulated entities to 
agree to requests from individuals to restrict disclosures of PHI 
related to reproductive health care for treatment, payment, or health 
care operations. This may lower the risk of PHI being disclosed to 
covered entities in states that may seek to obtain it pursuant to a 
criminal, civil, or administrative investigation or proceeding related 
to the receipt or facilitation of reproductive health care. However, 
the Department has concerns about the ability of regulated entities to 
operationalize such a requirement. Further, the requirement would 
likely be overly restrictive for regulated entities and may not improve 
the quality of health care. Additionally, this approach would be 
dependent on individuals' awareness of their right to make a request 
for restrictions and confidence that such requests would be granted. 
The Privacy Rule permits regulated entities to accept requests for 
restrictions from individuals, although they are only mandated to 
accept such requests to prevent disclosures to an individual's health 
plan for health care that has been paid in full by the individual.
Prohibit Uses and Disclosures of PHI Related to Reproductive Health 
Care
    The Department considered limiting the prohibition to uses and 
disclosures of PHI related to reproductive health care for certain 
purposes. However, as discussed in the preamble, this would have 
required the Department to define what constitutes ``related to'' 
reproductive health care. Given the connection between reproductive 
health care and other types of health care, the Department believes 
that it would not be possible to create such a definition at this time 
without being both under- and over-inclusive. The difficulty of 
defining this category could make it impossible for electronic health 
records to reliably segregate the information.
    In addition, requiring regulated entities to take actions that 
necessitate treating one category of PHI differently than other PHI 
(e.g., imposing conditions on uses and disclosures that would require 
such entities to label or segment certain PHI within medical records) 
would hinder coordinated care and potentially result in negative health 
outcomes if treating clinicians are unaware of an individual's complete 
medical history. As a result, the Department believes that this 
approach would not enhance access to quality health care.
    Under the current proposal, regulated entities would be required to 
obtain an attestation from persons requesting PHI that is ``potentially 
related to reproductive health care'' when the request is made pursuant 
to the use and disclosure permissions at 45 CFR 164.512(d) through (f) 
or (g)(1). While the language itself is similar, the Department 
believes using it in this instance would not create the same 
operational challenges described above. For example, because the 
proposed attestation requirement would apply only to certain 
permissions that are not used by covered health care providers to 
disclose PHI to other health care providers for treatment purposes, 
care coordination would not be hindered. Additionally, we do not 
believe that this approach would implicate the segmentation concerns 
described above because ``potentially related to reproductive health 
care'' is broader than ``related to reproductive health care.'' This 
would require regulated entities to consider the full scope and context 
of the PHI requested to determine whether it could reveal information 
about the individual's reproductive health.
Prohibit the Uses and Disclosures of PHI Proposed in This Rule Without 
the Rule of Applicability
    The Department considered prohibiting the use or disclosure of PHI 
for the purpose of investigating or conducting a proceeding against any 
person for seeking, obtaining, providing, or facilitating reproductive 
care, regardless of whether the care was lawful under state or Federal 
law. However, the Department is concerned that this uniform approach 
would have placed significant burdens on states' abilities to enforce 
their laws. The Department has therefore proposed the more tailored 
approach in this proposed rule.
Require Attestations for Requests for Any PHI Under 45 CFR 164.512(d) 
Through (f) and (g)(1)
    The Department considered requiring that regulated entities obtain 
an attestation before using or disclosing any PHI under 45 CFR 
164.512(d) through (f) and (g)(1). However, this could have placed an 
unnecessary burden on regulated entities and persons requesting PHI by 
requiring attestations even under circumstances in which the requested 
disclosure would be unlikely to implicate the prohibition. Thus, the 
Department has taken a narrower approach to the proposed attestation 
requirement.
Require Attestations To Include Names of Individuals Whose PHI Is Being 
Sought for All Requests
    The Department considered requiring that an attestation include the 
name of any individual whose PHI is being requested, without providing 
an option for the requestor to identify a class of individuals if it is 
not practicable to provide the individuals' names. However, this could 
have impeded investigations of health care fraud, for example, where 
health oversight agencies and law enforcement authorities know the name 
of a suspected health care provider, but may not know the names of 
individuals before the request is made. Therefore, where providing the 
names of individuals is not practicable, the Department has proposed an 
option for identifying a class of individuals.

C. Regulatory Flexibility Act--Small Entity Analysis

    The Department has examined the economic implications of this 
proposed rule as required by the RFA. This analysis, as well as other 
sections in this RIA, serves as the Initial Regulatory Flexibility 
Analysis, as required under the RFA.
    For purposes of the RFA, small entities include small businesses, 
nonprofit organizations, and small governmental jurisdictions. The Act 
defines ``small entities'' as (1) a proprietary firm meeting the size 
standards of the Small Business Administration (SBA), (2) a nonprofit 
organization that is not dominant in its field, and (3) a small 
government jurisdiction of less than 50,000 population. Because 90 
percent or more of all health care providers meet the SBA size standard 
for a small business or are a nonprofit organization, the Department 
generally treats all health care providers as small entities for 
purposes of performing a regulatory flexibility analysis. The SBA size 
standard for health care providers ranges between a maximum of $8 
million and $41.5 million in annual receipts, depending upon the type 
of entity.\357\
---------------------------------------------------------------------------

    \357\ See ``Table of Small Business Size Standards,'' U.S. Small 
Business Administration (July 14, 2022), https://www.sba.gov/sites/default/files/2022-07/Table%20of%20Size%20Standards_Effective%20July%2014%202022_Final-508.pdf.
---------------------------------------------------------------------------

    With respect to health insurers, the SBA size standard is a maximum 
of $41.5 million in annual receipts, and for third party administrators 
it is $40 million.\358\ While some insurers are classified as 
nonprofit, it is possible

[[Page 23550]]

they are dominant in their market. For example, a number of Blue Cross/
Blue Shield insurers are organized as nonprofit entities; yet they 
dominate the health insurance market in the states where they are 
licensed.
---------------------------------------------------------------------------

    \358\ Id.
---------------------------------------------------------------------------

    For the reasons stated below, it is not expected that the cost of 
compliance would be significant for small entities. Nor is it expected 
that the cost of compliance would fall disproportionately on small 
entities. Although many of the covered entities affected by the 
proposed rule are small entities, they would not bear a 
disproportionate cost burden compared to the other entities subject to 
the proposed rule.
    The projected total costs are discussed in detail in the RIA. The 
Department does not view this as a burden because the result of the 
changes would be annualized costs per covered entity of approximately 
$236 [= $183 million \359\/774,331 covered entities]. Thus, this 
analysis concludes, and the Secretary proposes to certify, that the 
proposed rule, if finalized, would not result in a significant economic 
effect on a substantial number of small entities.
---------------------------------------------------------------------------

    \359\ This figure represents annualized costs discounted at a 3% 
rate.
---------------------------------------------------------------------------

D. Executive Order 13132--Federalism

    As required by E.O. 13132 on Federalism, the Department has 
examined the effects of provisions in the proposed regulation on the 
relationship between the Federal Government and the states. In the 
Department's view, this proposed regulation would have federalism 
implications because it would have direct effects on the states, the 
relationship between the National Government and states, and on the 
distribution of power and responsibilities among various levels of 
government relating to the disclosure of PHI.
    Any federalism implications of the rule, however, flow from and are 
consistent with the underlying statute--and the proposed Rule of 
Applicability would limit the proposed regulation to those 
circumstances in which the state lacks any substantial interest in 
seeking the disclosure. The statute allows the Department to preempt 
state or local rules that provide less stringent privacy protection 
requirements than Federal law.\360\ Section 3(b) of E.O. 13132 
recognizes that national action limiting the policymaking discretion of 
states will be imposed only where there is constitutional and statutory 
authority for the action and the national activity is appropriate in 
light of the presence of a problem of national significance. The 
privacy of PHI is of national concern by virtue of the scope of 
interstate health commerce. As described in the preamble, recent state 
actions on reproductive health care have undermined the longstanding 
expectation among individuals in all states that their highly sensitive 
reproductive health information will remain private. These state 
actions thus directly threaten the trust that is essential to ensuring 
access to, and quality of, lawful health care. HIPAA's provisions 
reflect this position by authorizing the Secretary to promulgate 
regulations to implement the Privacy Rule.
---------------------------------------------------------------------------

    \360\ 42 U.S.C. 1320d-7(a)(1).
---------------------------------------------------------------------------

    Section 4(a) of E.O. 13132 expressly contemplates preemption when 
there is a conflict between exercising state and Federal authority 
under a Federal statute. Section 4(b) of the E.O. authorizes preemption 
of state law in the Federal rulemaking context when ``the exercise of 
State authority directly conflicts with the exercise of Federal 
authority under the Federal statute.'' The approach in this regulation 
is consistent with these standards in the Executive order in 
superseding state authority only when such authority is inconsistent 
with standards established pursuant to the grant of Federal authority 
under the statute. State and local laws that impose less stringent 
requirements for the protection of reproductive health information 
undermine Congress' intent to ensure that all individuals who receive 
health care are assured a minimum level of privacy for their PHI. Both 
the personal and the public interest are served by protecting PHI so as 
not to undermine an individual's access to and quality of health care 
services and their trust in the health care system.
    Section 6(b) of E.O. 13132 includes some qualitative discussion of 
substantial direct compliance costs that state and local governments 
would incur as a result of a proposed regulation. The Department 
anticipates that the most significant direct costs on state and local 
governments would be the cost for state and local government-operated 
covered entities to revise business associate agreements, revise 
policies and procedures, create a new form for attestations, update the 
NPP, update training programs, and process requests for disclosures for 
which an attestation is required. In addition, the Department 
anticipates that approximately half of the states may choose to file a 
request for an exception to preemption. The longstanding regulatory 
provisions that govern preemption exception requests under the HIPAA 
Rules would remain undisturbed by this proposed rule.\361\ However, 
based on the legal developments in some states that are described 
elsewhere in this preamble, the Department believes it is likely that, 
in the first year of implementation of a final rule, more states will 
submit requests for exceptions from preemption than have done so in the 
past. The RIA above addresses these costs in detail.
---------------------------------------------------------------------------

    \361\ 45 CFR 160.201 through 160.205.
---------------------------------------------------------------------------

    The Department requests comment from local and state governments on 
provisions in the proposed rule that would preempt state and local laws 
and on whether state and local governments are likely to incur 
additional costs, such as those associated with the effects of the 
prohibited disclosures on law enforcement's access to information.

E. Assessment of Federal Regulation and Policies on Families

    Section 654 of the Treasury and General Government Appropriations 
Act of 1999 \362\ requires Federal departments and agencies to 
determine whether a proposed policy or regulation could affect family 
well-being. If the determination is affirmative, then the Department or 
agency must prepare an impact assessment to address criteria specified 
in the law.
---------------------------------------------------------------------------

    \362\ Public Law 105-277, 112 Stat. 2681 (Oct. 21, 1998).
---------------------------------------------------------------------------

    The proposed rule would strengthen the stability of the family and 
marital commitment because it enables individuals and families to have 
access to the full range of reproductive health care information and 
access to options for consideration when making sensitive decisions 
about family planning. The proposed rule may be carried out only by the 
Federal Government because it would modify Federal health privacy law, 
ensuring that American families have access to reproductive health care 
information and can freely discuss their reproductive health, 
regardless of the state where they are located when health care is 
accessed. Access to reproductive health care and information about the 
full range of reproductive health care is vital for individuals who may 
become pregnant or who are capable of becoming pregnant.

F. Paperwork Reduction Act of 1995

    Under the Paperwork Reduction Act of 1995 \363\ (PRA), agencies are 
required to submit to the Office of Management and Budget (OMB) for 
review and approval any reporting or record-keeping requirements 
inherent in a

[[Page 23551]]

proposed or final rule, and are required to publish such proposed 
requirements for public comment. The PRA requires agencies to provide a 
60-day notice in the Federal Register and solicit public comment on a 
proposed collection of information before it is submitted to OMB for 
review and approval. To fairly evaluate whether an information 
collection should be approved by the OMB, section 3506(c)(2)(A) of the 
PRA requires that the Department solicit comment on the following 
issues:
---------------------------------------------------------------------------

    \363\ Public Law 104-13, 109 Stat. 163 (May 22, 1995).
---------------------------------------------------------------------------

    1. Whether the information collection is necessary and useful to 
carry out the proper functions of the agency;
    2. The accuracy of the agency's estimate of the information 
collection burden;
    3. The quality, utility, and clarity of the information to be 
collected; and
    4. Recommendations to minimize the information collection burden on 
the affected public, including automated collection techniques.
    The PRA requires consideration of the time, effort, and financial 
resources necessary to meet the information collection requirements 
referenced in this section. The Department explicitly seeks, and will 
consider, public comment on its assumptions as they relate to the PRA 
requirements summarized in this section. To comment on the collection 
of information or to obtain copies of the supporting statements and any 
related forms for the proposed paperwork collections referenced in this 
section, email your comment or request, including your address and 
phone number to [email protected], or call the Reports Clearance 
Office at (202) 690-6162. Written comments and recommendations for the 
proposed information collections must be directed to the OS Paperwork 
Clearance Officer at the above email address within 60 days.
    In this NPRM, the Department is revising certain information 
collection requirements and, as such, is revising the information 
collection last prepared in 2019 and previously approved under OMB 
control # 0945-0003. The revised information collection describes all 
new and adjusted information collection requirements for covered 
entities pursuant to the implementing regulation for HIPAA at 45 CFR 
parts 160 and 164, the HIPAA Privacy, Security, Breach Notification, 
and Enforcement Rules.
    The estimated annual labor burden presented by the proposed 
regulatory modifications in the first year of implementation, including 
nonrecurring and recurring burdens, is 5,189,569 burden hours at a cost 
of $596,728,985 \364\ and $67,831,396 of estimated annual labor costs 
in years two through five. The overall total burden for respondents to 
comply with the information collection requirements of all of the HIPAA 
Privacy, Security, and Breach Notification Rules, including 
nonrecurring and recurring burdens presented by proposed program 
changes, is 955,098,062 burden hours at a cost of $101,685,085,101, 
plus $188,873,438 in capital costs for a total estimated annual burden 
of $101,873,958,539 in the first year following the effective date of 
the final rule, assuming all changes are adopted as proposed. Details 
describing the burden analysis for the proposals associated with this 
NPRM are presented below.
---------------------------------------------------------------------------

    \364\ This includes an increase of 416 burden hours and $36,442 
in costs added to the existing information collection for requesting 
exemption determinations under 45 CFR 160.204.
---------------------------------------------------------------------------

1. Explanation of Estimated Annualized Burden Hours
    Below is a summary of the significant program changes and 
adjustments made since the 2019 information collection. These program 
changes and adjustments form the basis for the burden estimates 
presented in the information collection request associated with this 
NPRM.
Adjusted Estimated Annual Burdens of Compliance
    (1) Increasing the number of covered entities from 700,000 to 
774,331 based on program change;
    (2) Increasing the number of respondents requesting exceptions to 
state law preemption from 1 to 27 based on an expected reaction by 
states that have enacted restrictions on reproductive health care 
access;
    (3) Increasing the burden hours by a factor of two for responding 
to individuals' requests for restrictions on disclosures of their PHI 
under 45 CFR 164.522 to represent a doubling of the expected requests; 
and
    (4) Increasing the total number of NPPs distributed by health plans 
by 50% to total 300,000,000 due to the increase in number of Americans 
with health coverage.
New Burdens Resulting From Program Changes
    In addition to these changes, the Department added new annual 
burdens as a result of program changes:
    (1) A nonrecurring burden of 30 minutes per covered entity to 
create a new attestation form using the sample provided by the 
Department;
    (2) A recurring burden of 1 hour per covered entity for uses and 
disclosures for which an attestation must be obtained from the person 
requesting the use and disclosure;
    (3) A nonrecurring burden of 1 hour per business associate 
agreement that is revised as a result of the proposed changes to 
handling requests under 45 CFR 164.512(d), (e), (f), and (g)(1), to 
allocate responsibilities between covered entities and their release-
of-information contractors;
    (4) A nonrecurring burden of 30 minutes per covered entity to 
update the required content of its NPP;
    (5) A nonrecurring burden of 15 minutes per covered entity for 
posting an updated NPP online;
    (6) A nonrecurring burden of 2.5 hours for each covered entity to 
update its policies and procedures; and
    (7) A nonrecurring burden of 90 minutes for each covered entity to 
update the content of its HIPAA training program.

VI. Request for Comment

    In addition to the questions posed above, the Department also seeks 
comment on the following questions:
    mm. Whether individuals who are members of historically underserved 
and minority communities are more likely to be subjects of 
investigations into or proceedings against persons in connection with 
obtaining, providing, or facilitating lawful reproductive health care. 
If so, please explain the relationship to and effects on the health 
information privacy of community members, including data and citations 
to relevant literature.
    nn. Whether individuals who are members of historically underserved 
and minority communities are less likely to have access to legal 
counsel when facing investigations into or proceedings against persons 
in connection with obtaining, providing, or facilitating lawful 
reproductive health care. If so, please explain the relationship to and 
effects on the health information privacy of community members, 
including data and citations to relevant literature.
    oo. With respect to an individual's right to restrict uses and 
disclosures of their PHI under 45 CFR 164.522(a)(1):
    i. Whether individuals are generally aware of this right.
    ii. Whether covered entities have experienced an increase in 
requests from individuals to exercise this right.
    iii. Whether regulated entities have been or are more likely to 
grant individuals such requests considering the recent developments in 
the legal environment.

[[Page 23552]]

VII. Public Participation

    The Department seeks comment on all issues raised by the proposed 
regulation, including any unintended adverse consequences. Because of 
the large number of public comments normally received on Federal 
Register documents, the Department is not able to acknowledge or 
respond to them individually. In developing the final rule, the 
Department will consider the public comments that are received by the 
date and time specified in the DATES section of the Preamble, in 
accordance with the agency practices described in the section labeled 
ADDRESSES.

List of Subjects

45 CFR Part 160

    Administrative practice and procedure, Computer technology, 
Electronic information system, Electronic transactions, Employer 
benefit plan, Health, Health care, Health facilities, Health insurance, 
Health professions, Health records, Hospitals, Investigations, 
Medicaid, Medical research, Medicare, Penalties, Preemption, Privacy, 
Public health, Reporting and recordkeeping requirements, Reproductive 
health care, Security.

45 CFR Part 164

    Administrative practice and procedure, Computer technology, Drug 
abuse, Electronic information system, Electronic transactions, Employer 
benefit plan, Health, Health care, Health facilities, Health insurance, 
Health professions, Health records, Hospitals, Medicaid, Medical 
research, Privacy, Public health, Reporting and recordkeeping 
requirements, Reproductive health care, Security.

Proposed Rule

    For the reasons stated in the preamble, the Department of Health 
and Human Services proposes to amend 45 CFR subtitle A, subchapter C, 
parts 160 and 164 as set forth below:

PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS

0
1. The authority citation for part 160 continues to read as follows:

    Authority:  42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 
264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 
(note)); 5 U.S.C. 552; secs. 13400-13424, Pub. L. 111-5, 123 Stat. 
258-279; and sec. 1104 of Pub. L. 111-148, 124 Stat. 146-154.

0
2. Amend Sec.  160.103 by:
0
a. Revising the definition of ``Person''; and
0
b. Adding in alphabetical order the definitions of ``Public health'' 
and ``Reproductive health care''.
    The revision and additions read as follows:


Sec.  160.103  Definitions.

* * * * *
    Person means a natural person (meaning a human being who is born 
alive), trust or estate, partnership, corporation, professional 
association or corporation, or other entity, public or private.
* * * * *
    Public health, as used in the terms ``public health surveillance,'' 
``public health investigation,'' and ``public health intervention,'' 
means population-level activities to prevent disease and promote health 
of populations. Such activities do not include uses and disclosures for 
the criminal, civil, or administrative investigation into or proceeding 
against a person in connection with obtaining, providing, or 
facilitating reproductive health care, or for the identification of any 
person in connection with a criminal, civil, or administrative 
investigation into or proceeding against a person in connection with 
obtaining, providing, or facilitating reproductive health care.
    Reproductive health care means care, services, or supplies related 
to the reproductive health of the individual.
* * * * *

PART 164--SECURITY AND PRIVACY

0
3. The authority citation for part 164 continues to read as follows:

    Authority:  42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 
264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2(note)); 
and secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279.

0
4. Amend Sec.  164.502 by revising paragraphs (a)(1)(iv) and (vi) and 
adding paragraphs (a)(5)(iii) and (g)(5)(iii) to read as follows:


Sec.  164.502  Uses and disclosures of protected health information: 
General rules.

    (a) * * *
    (1) * * *
    (iv) Except for uses and disclosures prohibited under paragraph 
(a)(5)(i) or (iii) of this section, pursuant to and in compliance with 
a valid authorization under Sec.  164.508;
* * * * *
    (vi) As permitted by and in compliance with any of the following:
    (A) This section.
    (B) Section 164.512 and, where applicable, Sec.  164.509.
    (C) Section 164.514(e).
    (D) Section 164.514(f).
    (E) Section 164.514(g).
* * * * *
    (5) * * *
    (iii) Reproductive health care--(A) Prohibition. Subject to 
paragraphs (a)(5)(iii)(C) and (D) of this section, a covered entity or 
business associate may not use or disclose protected health information 
for either of the following purposes.
    (1) Where the use or disclosure is for a criminal, civil, or 
administrative investigation into or proceeding against any person in 
connection with seeking, obtaining, providing, or facilitating 
reproductive health care.
    (2) To identify any person for the purpose of initiating an 
activity described at paragraph (a)(5)(iii)(A)(1) of this section.
    (B) Scope of prohibition. For the purposes of this subpart, 
seeking, obtaining, providing, or facilitating reproductive health care 
includes, but is not limited to, any of the following: expressing 
interest in, inducing, using, performing, furnishing, paying for, 
disseminating information about, arranging, insuring, assisting, or 
otherwise taking action to engage in reproductive health care; or 
attempting any of the same.
    (C) Rule of applicability. The prohibition at paragraph (a)(5)(iii) 
of this section applies where one or more of the following conditions 
exists.
    (1) The relevant criminal, civil, or administrative investigation 
or proceeding is in connection with any person seeking, obtaining, 
providing, or facilitating reproductive health care outside of the 
state where the investigation or proceeding is authorized and where 
such health care is lawful in the state in which it is provided.
    (2) The relevant criminal, civil, or administrative investigation 
or proceeding is in connection with any person seeking, obtaining, 
providing, or facilitating reproductive health care that is protected, 
required, or authorized by Federal law, regardless of the state in 
which such health care is provided.
    (3) The relevant criminal, civil, or administrative investigation 
or proceeding is in connection with any person seeking, obtaining, 
providing, or facilitating reproductive health care that is provided in 
the state in which the investigation or proceeding is authorized and 
that is permitted by the law of that state.
    (D) Rule of construction. Nothing in this section shall be 
construed to prohibit a use or disclosure of protected health 
information otherwise permitted by this subpart unless such use or

[[Page 23553]]

disclosure is primarily for the purpose of investigating or imposing 
liability on any person for the mere act of seeking, obtaining, 
providing, or facilitating reproductive health care.
* * * * *
    (g) * * *
    (5) * * *
    (iii) Paragraph (g)(5) of this section does not apply where the 
primary basis for the covered entity's belief is the facilitation or 
provision of reproductive health care by such person for and at the 
request of the individual.
* * * * *
0
5. Add Sec.  164.509 to read as follows:


Sec.  164.509  Uses and disclosures for which an attestation is 
required.

    (a) Standard: Attestations for certain uses and disclosures of 
protected health information to persons other than covered entities. A 
covered entity may not use or disclose protected health information 
potentially related to reproductive health care for purposes specified 
in Sec.  164.512(d), (e), (f), or (g)(1), without obtaining an 
attestation that is valid under this section from the person requesting 
the use or disclosure.
    (b) Implementation specifications: General requirements--(1) Valid 
attestations. (i) A valid attestation is a document that meets the 
requirements of paragraph (c)(1) of this section.
    (ii) A valid attestation verifies that the use or disclosure is not 
otherwise prohibited by Sec.  164.502(a)(5)(iii).
    (iii) A valid attestation may be electronic, provided that it meets 
the requirements in paragraph (c)(1) of this section, as applicable.
    (2) Defective attestations. An attestation is not valid if the 
document submitted has any of the following defects:
    (i) The attestation lacks an element or statement required by 
paragraph (c) of this section.
    (ii) The attestation contains an element or statement not required 
by paragraph (c) of this section.
    (iii) The attestation violates paragraph (b)(3) of this section.
    (iv) The covered entity has actual knowledge that material 
information in the attestation is false.
    (v) It is objectively unreasonable for the covered entity to 
believe that the attestation is true with respect to the requirement at 
paragraph (c)(1)(iv) of this section.
    (3) Compound attestation. An attestation may not be combined with 
any other document.
    (c) Implementation specifications: Content requirements and other 
obligations--(1) Required elements. A valid attestation under this 
section must contain the following elements:
    (i) A description of the information requested that identifies the 
information in a specific fashion, including one of the following:
    (A) The name of any individual(s) whose protected health 
information is sought, if practicable.
    (B) If including the name(s) of any individual(s) whose protected 
health information is sought is not practicable, a description of the 
class of individuals whose protected health information is sought.
    (ii) The name or other specific identification of the person(s), or 
class of persons, who are requested to make the use or disclosure.
    (iii) The name or other specific identification of the person(s), 
or class of persons, to whom the covered entity is to make the 
requested use or disclosure.
    (iv) A clear statement that the use or disclosure is not for a 
purpose prohibited under Sec.  164.502(a)(5)(iii).
    (v) Signature of the person requesting the protected health 
information, which may be an electronic signature, and date. If the 
attestation is signed by a representative of the person requesting the 
information, a description of such representative's authority to act 
for the person must also be provided.
    (2) Plain language requirement. The attestation must be written in 
plain language.
    (d) Material misrepresentations. If, during the course of using or 
disclosing protected health information in reasonable reliance on a 
facially valid attestation, a covered entity discovers information 
reasonably showing that the representations in the attestation were 
materially false, leading to uses or disclosures for a prohibited 
purpose, the covered entity must cease such use or disclosure.
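Paragraphs (b) and (c) of proposed Sec. 164.509 read as a checklist: an attestation is valid only if every element in (c)(1) is present, no element beyond those in (c) is added, and it is not combined with another document, while (b)(2)(iv) and (v) turn on the covered entity's knowledge and reasonableness rather than on the document's form. The following Python is an added illustration of how a covered entity could check an electronic attestation against the structural conditions before acting on it; it is not part of the rule text or of any HHS guidance. The field names, the wording searched for in the (c)(1)(iv) statement, and the sample attestation are all assumptions.

```python
"""Structural check of an electronic attestation against proposed 45 CFR 164.509.

Added illustration only. Field names, the citation string and the sample
attestation are assumptions, not prescribed by the rule.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Elements every attestation must carry under (c)(1); keys are assumed names.
REQUIRED = {
    "information_description": "(c)(1)(i) specific description of the PHI sought",
    "requested_from": "(c)(1)(ii) person or class asked to make the use or disclosure",
    "recipient": "(c)(1)(iii) person or class to whom the use or disclosure is made",
    "purpose_statement": "(c)(1)(iv) statement that the purpose is not prohibited",
    "signature": "(c)(1)(v) signature of the requester (electronic permitted)",
    "signature_date": "(c)(1)(v) date of signature",
}
# Elements required only in some circumstances under (c)(1)(i)(A)/(B) and (c)(1)(v).
CONDITIONAL = {"individual_names", "class_of_individuals", "representative_authority"}
# The prohibition the (c)(1)(iv) statement must refer to (wording assumed).
PROHIBITED_PURPOSE_CITE = "164.502(a)(5)(iii)"


@dataclass
class Result:
    defects: list[str] = field(default_factory=list)       # (b)(2)(i)-(iii) findings
    human_review: list[str] = field(default_factory=list)  # (b)(2)(iv)-(v) questions

    @property
    def structurally_valid(self) -> bool:
        return not self.defects


def check_attestation(doc: dict, attached_documents: int = 0,
                      signed_by_representative: bool = False) -> Result:
    """Return the structural defects of an attestation and the open human questions."""
    r = Result()
    # (b)(2)(i): a missing required element invalidates the attestation.
    for key, desc in REQUIRED.items():
        if not str(doc.get(key, "")).strip():
            r.defects.append(f"missing {desc}")
    # (c)(1)(i)(A)/(B): names if practicable, otherwise a description of the class.
    if not (doc.get("individual_names") or doc.get("class_of_individuals")):
        r.defects.append("missing (c)(1)(i)(A)/(B) individual names or class description")
    # (c)(1)(iv): the statement must clearly reference the prohibition.
    stmt = str(doc.get("purpose_statement", ""))
    if stmt.strip() and PROHIBITED_PURPOSE_CITE not in stmt:
        r.defects.append("(c)(1)(iv) statement does not reference 164.502(a)(5)(iii)")
    # (c)(1)(v): a representative must describe their authority to act.
    if signed_by_representative and not doc.get("representative_authority"):
        r.defects.append("(c)(1)(v) signed by representative without description of authority")
    # (b)(2)(ii): any element not required by paragraph (c) invalidates the attestation.
    for key in sorted(set(doc) - set(REQUIRED) - CONDITIONAL):
        r.defects.append(f"(b)(2)(ii) element not required by paragraph (c): {key}")
    # (b)(3), via (b)(2)(iii): the attestation may not be combined with another document.
    if attached_documents:
        r.defects.append("(b)(3) compound attestation: combined with another document")
    # (b)(2)(iv)/(v) depend on the covered entity's knowledge and on reasonableness;
    # no structural check can decide them, so they are always left to a reviewer.
    r.human_review.append("(b)(2)(iv) actual knowledge that material information is false?")
    r.human_review.append("(b)(2)(v) objectively unreasonable to believe the (c)(1)(iv) statement?")
    return r


# Constructed sample attestation (assumed field names and values).
SAMPLE = {
    "information_description": "Discharge summaries dated 2023-01-01 through 2023-03-31",
    "class_of_individuals": "Patients treated in the ambulatory surgery unit",
    "requested_from": "Example Health System, Health Information Management",
    "recipient": "Office of the Example County Auditor",
    "purpose_statement": "This use or disclosure is not for a purpose prohibited "
                         "under 45 CFR 164.502(a)(5)(iii).",
    "signature": "/s/ A. Requester (electronic signature)",
    "signature_date": "2023-05-01",
}

if __name__ == "__main__":
    res = check_attestation(SAMPLE)
    print("structurally valid:", res.structurally_valid)
    for q in res.human_review:
        print("reviewer must decide:", q)
```

A covered entity would run the structural checks first and, only if they pass, route the (b)(2)(iv) and (v) questions to a person with knowledge of the request; a defect under (b)(2)(i) through (iii) means the attestation cannot support the use or disclosure at all, so there is nothing for a reviewer to weigh.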
6. Amend Sec.  164.512 by:
a. Revising the introductory text and the heading of paragraph (c);
b. Adding paragraph (c)(3); and
c. Revising paragraph (f)(1)(ii)(C) introductory text.
    The revisions and addition read as follows:


Sec.  164.512  Uses and disclosures for which an authorization or 
opportunity to agree or object is not required.

    Except as provided by Sec.  164.502(a)(5)(iii), a covered entity 
may use or disclose protected health information without the written 
authorization of the individual, as described in Sec.  164.508, or the 
opportunity for the individual to agree or object as described in Sec.  
164.510, in the situations covered by this section, subject to the 
applicable requirements of this section and Sec.  164.509. When the 
covered entity is required by this section to inform the individual of, 
or when the individual may agree to, a use or disclosure permitted by 
this section, the covered entity's information and the individual's 
agreement may be given verbally.
* * * * *
    (c) Standard: Disclosures about victims of abuse, neglect, or 
domestic violence. * * *
    (3) Rule of construction. Nothing in this section shall be 
construed to permit disclosures prohibited by Sec.  164.502(a)(5)(iii) 
when the report of abuse, neglect, or domestic violence is based 
primarily on the provision of reproductive health care.
* * * * *
    (f) * * *
    (1) * * *
    (ii) * * *
    (C) An administrative request for which response is required by 
law, including an administrative subpoena or summons, a civil or an 
authorized investigative demand, or similar process authorized under 
law, provided that:
* * * * *
7. Amend Sec.  164.520 by adding paragraphs (b)(1)(ii)(F) and (G) to 
read as follows:


Sec.  164.520  Notice of privacy practices for protected health 
information.

* * * * *
    (b) * * *
    (1) * * *
    (ii) * * *
    (F) A description, including at least one example, of the types of 
uses and disclosures prohibited under Sec.  164.502(a)(5)(iii) in 
sufficient detail for an individual to understand the prohibition.
    (G) A description, including at least one example, of the types of 
uses and disclosures for which an attestation is required under Sec.  
164.509.
* * * * *

    Dated: April 5, 2023.
Xavier Becerra,
Secretary, Department of Health and Human Services.
[FR Doc. 2023-07517 Filed 4-12-23; 8:45 am]
BILLING CODE 4153-01-P

